Snatch Ransomware Boots Windows into Safe Mode to Evade Antivirus Detection

New Snatch Ransomware Variant Exploits Windows Safe Mode to Evade Detection

Cybersecurity researchers have detected a new variant of the Snatch ransomware that uses an unusual tactic on the Windows computers it has already compromised: it forces a reboot into Safe Mode before it starts encrypting files. Safe Mode loads only a minimal set of drivers and services, and most endpoint security software does not start in it, so the encryption runs with far less chance of being detected or blocked.

Snatch has been active since at least mid-2018, but SophosLabs researchers only recently observed the Safe Mode technique while investigating a series of attacks on several organizations. According to the researchers, the ransomware registers itself as a Windows service named "SuperBackupMan", configured so that it also starts when Windows boots into Safe Mode, and then forces the reboot. Once running in Safe Mode, the malware stops its own service and deletes all Volume Shadow Copies with the Windows utility vssadmin.exe, so the victim cannot restore pre-encryption versions of the files from shadow copies.
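The sequence above (register a service for Safe Mode, force the reboot, delete shadow copies) leaves a recognizable trail in process-creation telemetry. The following detector is an added example and is not code from the article or from SophosLabs. The events are constructed in the shape of Sysmon Event ID 1 or Windows 4688 records reduced to three fields. The command-line patterns are assumptions about how such an attack is usually carried out: a service that should start in Safe Mode needs an entry under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, a Safe Mode boot is commonly forced with bcdedit's safeboot setting followed by shutdown, and shadow copies are removed with vssadmin delete shadows; the article itself names only the service and vssadmin.exe.

```python
"""Hunt for a Safe Mode reboot pivot in process-creation logs (added example)."""
from datetime import datetime, timedelta
import re

# Rules: (name, regex over the lower-cased command line, severity).
# The patterns are assumptions about typical tooling, not Snatch's exact commands.
RULES = [
    ("safeboot_service_registration", re.compile(r"safeboot\\minimal\\"), "high"),
    ("safeboot_bcdedit", re.compile(r"bcdedit(\.exe)?\s.*\bsafeboot\b"), "high"),
    ("forced_reboot", re.compile(r"shutdown(\.exe)?\s.*(/r|-r)\b"), "low"),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"), "high"),
]

# Constructed sample events (not real telemetry). FS01 shows the attack chain;
# WS07 and BK02 show benign administrative use of the same binaries.
EVENTS = [
    {"time": "2019-12-09T21:14:02", "host": "FS01",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan /ve /t REG_SZ /d Service /f"},
    {"time": "2019-12-09T21:14:03", "host": "FS01",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"time": "2019-12-09T21:14:05", "host": "FS01",
     "cmdline": "shutdown /r /f /t 00"},
    {"time": "2019-12-09T21:16:40", "host": "FS01",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": "2019-12-09T08:00:00", "host": "WS07",
     "cmdline": 'shutdown /r /t 300 /c "Patch Tuesday"'},
    {"time": "2019-12-09T02:00:00", "host": "BK02",
     "cmdline": "vssadmin list shadows"},
]

PIVOT_TRIGGERS = {"safeboot_service_registration", "safeboot_bcdedit"}


def match_rules(event):
    """Return [(rule_name, severity)] for every rule the command line matches."""
    cmd = event["cmdline"].lower()
    return [(name, sev) for name, rx, sev in RULES if rx.search(cmd)]


def hunt(events, window=timedelta(minutes=10)):
    """Emit per-event rule hits plus one correlated 'safe_mode_pivot' alert per host.

    A pivot is raised when a Safe Mode service registration or bcdedit safeboot
    change is followed, within `window`, by a forced reboot on the same host.
    A lone reboot or a lone vssadmin call is not enough on its own.
    """
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        hits = match_rules(ev)
        for name, sev in hits:
            alerts.append({"host": ev["host"], "time": ev["time"], "rule": name, "severity": sev})
        by_host.setdefault(ev["host"], []).append(
            (datetime.fromisoformat(ev["time"]), {n for n, _ in hits}))

    for host, seq in by_host.items():
        for i, (t0, names0) in enumerate(seq):
            if not names0 & PIVOT_TRIGGERS:
                continue
            seen = set(names0)
            for t1, names1 in seq[i + 1:]:
                if t1 - t0 > window:
                    break
                seen |= names1
            if "forced_reboot" in seen:
                alerts.append({"host": host, "time": t0.isoformat(), "rule": "safe_mode_pivot",
                               "severity": "critical", "stages": sorted(seen)})
                break  # one correlated alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

One caveat matters when deploying a rule like this: Sysmon and many EDR drivers are not loaded in Safe Mode unless they have been explicitly added to the SafeBoot registry keys, so the vssadmin deletion that happens after the reboot may never reach your logs. The pre-reboot registration and bcdedit change are therefore the signals to alert on, and the reboot itself should be treated as the last moment at which an automated response can still act.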

What sets this variant apart is its dual role: alongside encryption, Snatch has a data-stealing component, so the attackers can exfiltrate large amounts of sensitive information from a compromised organization, which compounds the damage beyond the encryption itself. Although written in Go, a language that can target many platforms, this variant is built only for Windows. It runs on Windows versions from 7 through 10, on both 32-bit and 64-bit systems.

The operators' tradecraft is what makes Snatch particularly concerning. After gaining a foothold in a company's internal network, usually with stolen credentials or by brute-forcing logins, the attackers use legitimate system-administration and penetration-testing tools such as Process Hacker and PsExec to move through the network and disable antivirus software. Because administrators use these same tools every day, their activity is less likely to trigger alerts. In MITRE ATT&CK terms the chain spans initial access through valid accounts or brute force, lateral movement with remote-execution tools, and defense evasion by impairing security software.

The Snatch operators are also reported to be recruiting partners: they advertise for affiliates who already hold access to corporate networks or who have experience with remote-access protocols. This points to an effort to scale the operation beyond the networks the core group can break into on its own.

SophosLabs, citing Coveware, a firm that negotiates ransom payments on victims' behalf, reports that Coveware has dealt with the Snatch operators on multiple occasions, with demands ranging from $2,000 to $35,000 in Bitcoin. The practical defenses follow directly from the intrusion method: keep remote-access and administrative services off the public internet, and require multi-factor authentication for remote and administrative logins so that stolen or brute-forced passwords alone are not enough.

In conclusion, the emergence of this enhanced Snatch ransomware variant serves as a cautionary tale for businesses, particularly those in the United States. As cyber threats continue to evolve, staying informed and fortifying defenses against advanced tactics is essential for safeguarding sensitive data and maintaining operational integrity in the increasingly perilous digital landscape.
