Snatch ransomware uses Safe Mode to evade anti-malware detection

Snatch malware reboots in Safe Mode before encrypting hard drives and files

A new version of Snatch boots the machine in Safe Mode before encrypting the user's hard drive and files

A new version of Snatch ransomware has been found rebooting Windows computers in Safe Mode to avoid antivirus detection.^[1] Different from other file-locking malware, this variant firstly reboots the machine and only then encrypts the user's files.

The Safe Mode appears to be very advantageous for the ransomware virus as, when the computer is rebooted by using this particular option, the system runs only a few services, excluding antivirus programs:^[2]

It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.

Snatch has been active since summer 2018 and has been targetting Windows users using Windows 7, 8, or 10. Once files are locked with the AES cipher, their filenames end up with the .snatch, .FileSlack, .jimm, .hceem, and other types of appendixes.^[3] Afterward, the malware provides ransom notes with payment demands in exchange for the decryption key that vary between 1 to 5 Bitcoins.

Snatch also destroys Shadow Volume Copies of encrypted data

SophosLabs were the ones who made a thorough research on Snatch ransomware's ability to boot up in Safe Mode. These discoveries are very recent measuring with the amount of time that the malware was active.

To run in the Safe Mode boot process properly, Snatch virus includes itself as the SuperBackupMan process via Windows Registry. Afterward, the SuperBackupMan service gets forbidden by net.exe and the virus starts deleting Shadow Copies.^[4]

The ransomware then employs the vssadmin.exe process to eliminate the Shadow Copies of all encrypted files. This way, the victims will have a harder time recovering data on their own.

Data stealing is another feature included in the parasite's module

Snatch holds a more complex module than it could be thought from the first view. This malicious string also acts as a data-stealing threat that gives criminals access to private data from various users or even major organizations:

What we refer to as Snatch malware comprises a collection of tooling, which include a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse-shell; and several publicly-available tools that aren’t inherently malicious, but used more conventionally by penetration testers, system administrators, or technicians.

Nevertheless, Snatch developers have been looking for new team members that could help them to distribute the ransomware virus even further. Such offers are being provided to other hackers and random people from worldwide companies who have access to TeamViewer, WebShell, VNC, RDP, and SQL injection. Then, the crooks can remotely connect to the targeted computer systems by inserting stolen credentials or forcibly and start compromising devices.

SophosLabs also discovered that criminals employ legitimate software such as Process Hacker, IObit Uninstaller, PowerTool, and PsExec. They launch these products on targeted machines to deactivate antivirus programs.

Since now, Snatch ransomware was never a very popular or well-known ransomware virus. However, it appears that things might change. Regarding past events, this malicious infection was only recognized while hitting the Major ASP.NET hosting provider.^[5]