What Is Snatch Ransomware and How to Remove It – Guiding Tech

It seems like crimeware developers never sleep as defenses rise. They're always on the lookout for different ways of honing their weapons of attack. One of the most recent techniques is a ransomware strain that can force a Windows device to reboot into Safe Mode right before encryption begins, intending to get around endpoint protection.

This particular strain is known as Snatch owing to its authors, who refer to themselves as the Snatch Team. It was discovered by Sophos Labs researchers, who outlined their discovery together with insights into how such gangs break into enterprises and other entities on their hit list.

We're going to explain what Snatch ransomware is, how it works, and how you can remove it from your devices.

Snatch is a fresh ransomware variant whose executable forces Windows devices to reboot into Safe Mode before the encryption process begins, in a bid to bypass endpoint protection that often doesn't run in this mode.

Discovered by SophosLabs researchers and the Sophos Managed Threat Response team, the Snatch ransomware is one component of a larger malware constellation being used in an ongoing series of carefully orchestrated attacks featuring extensive data collection.

The new strain of the ransomware uses a unique infection method and applies AES encryption so that users whose machines are infected can't access their files.

Snatch ransomware was first noticeably active in April 2019, but it was released at the end of 2018. The spike in encrypted files and ransom notes led to its discovery and follow-up by the team of researchers at Sophos.

Its crypto-virus form attacks high-profile targets, but this new strain, created using Google's Go programming language, comprises a collection of tools including a data stealer and a ransomware component. Plus, it carries a Cobalt Strike reverse shell and other tools used by penetration testers and system administrators.

Note: The variant Sophos discovered is only able to run on Windows in 32-bit and 64-bit editions from version 7 through 10.

As a file-locking virus, Snatch ransomware has no connections with other strains. Still, its developers have released nine variants of the threat, which append different extensions after data is encrypted with the AES cipher.

The trick is to reboot machines into Safe Mode, and then the ransomware restricts access to your data by encrypting your files. After that, the hackers try to extort money from you by soliciting ransoms in the form of Bitcoin in exchange for unlocking your files and giving back data access.

There's a reason why their trick works. Some antivirus software doesn't start in Safe Mode, and the developers discovered they could easily modify a Windows registry key and simply boot your machine into Safe Mode. Thus the ransomware runs undetected by your security software.

The first time it's installed on your device, it arrives as a Windows service named SuperBackupMan and sets itself up right before your computer starts rebooting, so you can't stop it in time.

Once installed, the attackers use admin access to run BCDEDIT, a Windows command-line tool, to force your computer to reboot into Safe Mode immediately.

It then creates a randomly named executable in your %AppData% or %LocalAppData% folder, which is launched and starts scanning your computer's drive letters for files to encrypt.

It encrypts files with specific extensions, including .doc, .docx, .pdf, .xls, and many others, and changes their extension to Snatch so you can't open them again.

The ransomware leaves a Readme_Restore_Files.txt text file note, demanding anything between one and five Bitcoin in exchange for a decryption key, with information on how to communicate with the hackers to get your data files back.

After the ransomware scans your computer completely, it uses vssadmin.exe, a Windows command-line tool, to delete all Shadow Volume Copies so you can't use them to restore encrypted data files. The final step is to encrypt any data files on your hard drive.
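The chain described in the last few paragraphs (Safe Mode boot-configuration change through BCDEDIT, a service and executable living under a user's AppData tree, shadow copy deletion through vssadmin.exe) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from the article or from Sophos: it runs a handful of rules over constructed process-creation records (the hosts, timestamps, user name and file name are made up for illustration; the field layout loosely follows Sysmon Event ID 1) and then correlates the two destructive steps per host. Rule names and the 30-minute correlation window are assumptions chosen here.

```python
"""Detection logic for the Snatch-style Safe Mode ransomware chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class ProcEvent(NamedTuple):
    host: str
    time: str      # ISO 8601 timestamp (constructed)
    image: str     # full path of the started process
    cmdline: str   # command line as logged


class Finding(NamedTuple):
    host: str
    time: str
    rule: str
    cmdline: str


# Constructed sample telemetry, not real logs. WS01 shows the chain the article
# describes; WS02 shows look-alike but benign administrative activity.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "2019-12-01T10:01:03", r"C:\Windows\System32\sc.exe",
              r'sc.exe create SuperBackupMan binPath= "C:\Users\alice\AppData\Local\u5zd8v.exe"'),
    ProcEvent("WS01", "2019-12-01T10:01:04", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit.exe /set {current} safeboot minimal"),
    ProcEvent("WS01", "2019-12-01T10:03:40", r"C:\Users\alice\AppData\Local\u5zd8v.exe",
              r"C:\Users\alice\AppData\Local\u5zd8v.exe"),
    ProcEvent("WS01", "2019-12-01T10:05:12", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS02", "2019-12-01T11:20:00", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows"),
    ProcEvent("WS02", "2019-12-01T11:21:00", r"C:\Program Files\Backup\backup.exe",
              "backup.exe --full"),
]

# Matches a path under any user's %AppData% (Roaming) or %LocalAppData% (Local) tree.
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def _image_name(image: str) -> str:
    """Lower-cased file name of a process image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the name of every rule the event matches (possibly none)."""
    name = _image_name(ev.image)
    cmd = ev.cmdline.lower()
    hits = []
    # Safe Mode boot configuration change via BCDEDIT (the article's reboot trick).
    if name == "bcdedit.exe" and "safeboot" in cmd:
        hits.append("safe_mode_boot_config")
    # Shadow Volume Copy destruction via vssadmin.exe.
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    # A new service whose binary lives under a user's AppData tree.
    if name == "sc.exe" and " create " in cmd and APPDATA_RE.search(ev.cmdline):
        hits.append("service_from_user_appdata")
    # Any process started from %AppData% / %LocalAppData%; noisy on its own, low severity.
    if APPDATA_RE.search(ev.image):
        hits.append("exec_from_appdata")
    return hits


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Apply every rule to every event and collect the matches."""
    return [Finding(ev.host, ev.time, rule, ev.cmdline)
            for ev in events for rule in classify(ev)]


def correlate(findings: List[Finding], window_minutes: int = 30) -> List[str]:
    """Hosts where a Safe Mode boot-config change and a shadow copy deletion both
    occur within the window: the two destructive steps of the described chain."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for f in findings:
        if f.rule in ("safe_mode_boot_config", "shadow_copy_deletion"):
            by_host[f.host].append((datetime.fromisoformat(f.time), f.rule))
    flagged = []
    for host, items in sorted(by_host.items()):
        safe = [t for t, r in items if r == "safe_mode_boot_config"]
        shadow = [t for t, r in items if r == "shadow_copy_deletion"]
        if any(abs(a - b) <= window for a in safe for b in shadow):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host} {f.time} {f.rule}: {f.cmdline}")
    print("hosts with Safe Mode + shadow copy chain:", correlate(results))
```

Run against the constructed sample, WS01 trips all four rules and is the only host flagged by the correlation, while WS02's `vssadmin.exe list shadows` and the backup tool in Program Files produce nothing. In a real deployment the `exec_from_appdata` rule needs allow-listing for legitimate per-user installers, which is why it is kept separate from the high-confidence correlation.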

Currently, infected files aren't decryptable owing to the AES encryption used. However, you still have a lifeline if your computer is infected: restoring your files from the most recent backup.

Snatch ransomware has been targeting regular users via spam emails, but today the main targets are corporations. By paying such criminals, you not only lose money with no guarantee that they'll send you the decryption key, but you also encourage them to continue their cyber criminality.

If you don't have an updated backup, there's not much else you can do other than wait until security experts come up with a Snatch ransomware decrypter. That could take a long time, but there are other ways you can protect yourself from such attacks.

One of the best ways to remove Snatch ransomware and other malware is to install good antivirus security software such as Malwarebytes or SpyHunter that can scan for, detect, and eliminate the threat. Not all antivirus engines can catch it because it's an entirely new malware, so it's good to scan using several programs.

You can protect yourself and your devices against ransomware attacks by taking simple steps such as downloading software only from trusted sources and avoiding email attachments from untrusted senders.

Other ways you can protect yourself and your organization from Snatch and other types of ransomware include:

Snatch ransomware may sound almost life-threatening in how it works to paralyze your files and devices. Before you think of paying that ransom, try the steps above to remove the threat, and always take preventive measures to ensure this and similar threats don't show up on your computer or network.

Next up: If you suspect your phone is infected with ransomware, check our next article to find out how to detect that and remove it.

Last updated on 18 Dec, 2019
