Snatch ransomware reboots PCs in Windows Safe Mode to bypass antivirus apps

Unlike most ransomware strains, the Snatch ransomware also steals files from infected networks.

The authors of the Snatch ransomware are using a never-before-seen trick to bypass antivirus software and encrypt victims' files without being detected.

The trick relies on rebooting an infected computer into Safe Mode, and running the ransomware's file encryption process from there.

The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system.

However, the Snatch crew discovered that they could use a Windows registry key to schedule a Windows service to start in Safe Mode. This service would run their ransomware in Safe Mode without the risk of being detected by antivirus software, and having its encryption process stopped.

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware crews as well.

"SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users," Andrew Brandt, a malware researcher and network forensicator at Sophos said in a report pubished today.

Snatch, another big-game hunter

Sophos researchers say this is the Snatch crew's latest trick, but not its first. This particular ransomware gang has been operating since the summer of 2018, but to this day, very few have heard of this strain.

This happened because the Snatch crew never targeted home users nor did it ever use mass-distribution methods like email spam campaigns or browser-based exploit kits -- two distribution channels that tend to get a lot of attention from cyber-security firms.

Instead, the Snatch crew went only after a small list of carefully selected targets, such as companies and public or government organizations.

This type of targeting and methodology is known in the cyber-security field as "big-game hunting" and is a strategy that's been widely adopted by multiple ransomware crews today.

The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from where they can ask for ransom fees that are hundreds of thousands of times bigger.

Ransomware like Ryuk, SamSam, Matrix, BitPaymer, and LockerGoga are your typicl big-game hunters.

Snatch team seen recruiting hackers on hacking forums

All the ransomware gangs listed above have their own methodology for breaching their respective targets' networks, and so does Snatch.

According to Sophos, the group buys their way into a company's network. Researchers say they tracked down ads the Snatch team has posted on hacking forums, ads meant to recruit partners for their scheme.

According to a translation of the ad, the Snatch team was "looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies."

snatch-forum-ad.png

Image: Sophos

The Sophos team says the Snatch team would buy access to a hacked network, or work with another hacker to breach a desired company.

Once in, they rarely moved in right away to install the ransomware and encrypt files right away. Instead, the Snatch team lingered inside a hacked company for days, or even weeks.

The hackers would bide their time and slowly escalate access to internal domain controllers, from where they'd spread to as many computers on an internal network as possible.

To do this, the Snatch crew used legitimate sysadmin tools and penetration testing toolkits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products failed to raise any alarms.

Once the Snatch gang has all the access they need, they add the registry key and Windows service that starts Snatch in Safe Mode on all infected hosts, and force a reboot of all workstations -- reboot that begins the file encryption process.

Stealing customer data

Furthermore, Sophos says that unlike most ransomware gangs who are primarily focused on encrypting files and asking for ransoms, they also found evidence the Snatch crew also enganged in data theft.

This makes the Snatch crew unique and highly dangerous, as companies also stand to lose from their data being sold or leaked online at a later date, even if they paid the ransom fee and decrypted their files.

This type of behavior is highly unusual and is likely to push Snatch at the top of many lists of today's most dangerous ransomware strains.

But combing a company's internal network for files to steal takes time, and a reason why Snatch has not made the same amount of victims as other "big game hunting" strains/gangs. The number of Snatch victims is very small.

Coverware, a company that specializes in extortion negotiations between ransomware victims and attackers, told Sophos they've privately handled ransom payments for Snatch ransomware infections on 12 occasions between July and October 2019. The payments ranged from $2,000 to $35,000, Coverware said.

Until today, the only known public case of a Snatch ransomware infection was SmarterASP.NET, a web hosting company that boasted to have around 440,000 customers.

Sophos recommends that companies secure ports and services that are exposed on the internet with either strong passwords or with multi-factor authentication.

Since the Snatch crew is also interested in experimenting with VNC, TeamViewer, or SQL injections, securing a company's network for these attack points is also a must.