It seems like crimeware developers never sleep as defenses rise. They're always on the lookout for different ways of honing their weapons of attack. One of the most recent techniques is a ransomware strain that can force a Windows device to reboot into Safe Mode right before encryption begins, intending to get around endpoint protection.
This particular strain is known as Snatch owing to its authors, who refer to themselves as the Snatch Team. It was discovered by Sophos Labs researchers, who outlined their discovery together with insights into how such gangs break into enterprises and other entities on their hit list.
Were going to explain what Snatch ransomware is, how it works, and how you can remove it from your devices.
Snatch is a fresh ransomware variant whose executable forces Windows devices to reboot to Safe Mode even before the encryption process begins in a bid to bypass endpoint protection that often doesnt run in this mode.
Discovered by SophosLabs researchers and Sophos Managed Threat Response team, the snatch ransomware is among multiple malware constellation components being used in an ongoing series of carefully orchestrated attacks featuring extensive data collection.
The new strain of the ransomware uses a unique infection method that applies sophisticated AES encryption so that users whose machines are infected cant access their files.
Snatch ransomware was first noticeably active in April 2019, but it was released end of 2018. However, the spike in encrypted files and ransom notes led to its discovery and follow up by the team of researchers at Sophos.
Its crypto-virus form attacks high profile targets, but this new strain, created using Google Go program, comprises a collection of tools including a data stealer and ransomware feature. Plus, it has a Cobalt Strike reverse-shell and other tools used by penetration testers and system administrators.
Note: The variant Sophos discovered is only able to run on Windows in 32-bit and 64-bit editions from version 7 through 10.
As a file locking virus, Snatch ransomware has no connections with other strains. Still, its developers released nine variants of the threat, which append different extensions after data is encrypted with AES cipher.
The trick is to reboot machines into Safe Mode, and then the ransomware restricts access to your data by encrypting your files. After that, the hackers try to extort money from you by soliciting ransoms in the form of Bitcoin in exchange for unlocking your files and giving back data access.
Theres a reason why their trick works. Some antivirus software dont start in Safe Mode, and the developers discovered they could easily modify a Windows registry key and just boot your machine into Safe Mode. Thus the ransomware runs undetected by your security software.
The first time its installed on your device, it comes through SuperBackupMan, a Windows service, and sets up right before your computer starts rebooting so you cant stop it in time.
Once installed, the attackers use admin access to run BCDEDIT, a Windows command-line tool, to force your computer to reboot in Safe Mode immediately.
It then creates a random named executable in your %AppData% or %LocalAppData% folder, which will be launched and starts scanning your computers drive letters for files to encrypt.
There are specific file extensions it encrypts, including .doc, .docx, .pdf, .xls, and many others, which it infects and changes their extensions to Snatch so you cant open them again.
The ransomware leaves a Readme_Restore_Files.txt text file note, demanding anything between one and five Bitcoin in exchange for a decryption key, with information on how to communicate with the hackers to get your data files back.
After the ransomware scans your computer completely, it uses vssadmin.exe, a Windows command to delete all Shadow Volume Copies on it so you cant recover and use them to restore encrypted data files. The final step is to encrypt any data files on your hard drive.
Currently, infected files arent decryptable owing to the sophisticated nature of the AES encryption used. However, you still have a lifeline if your computer is infected by restoring your files from the most recent backup.
Snatch ransomware has been targeting regular users via spam emails. But today, the main targets are corporations. By paying such criminals, you not only lose money and have no guarantee that theyll send the decryption key to you, but it also encourages them to continue with their cyber criminality.
If you dont have an updated backup, theres not much else you can do other than wait until security experts come up with a Snatch ransomware decrypter. That could take a long time, but there are other ways you can protect yourself from such attacks.
One of the best ways to remove Snatch ransomware and other malware is to install good antivirus security software such as Malwarebytes or SpyHunter that can scan, detect, and eliminate the threat. Not all antivirus engines can catch it because its an entirely new malware, so its good to scan using several programs.
You can protect yourself and your devices against ransomware attacks by taking simple steps such as downloading software from trusted sources, and avoid opening email attachments from untrusted sources.
Other ways you can protect yourself and your organization from Snatch and other types of ransomware include:
Snatch ransomware may sound almost life-threatening in how it works to paralyze your files and devices. Before you think of paying that ransom, try the steps above to remove the threat and always take preventive measures to ensure this and such threats don't show up on your computer or network.
Next up: If you suspect your phone is infected with ransomware, check our next article to find out how to detect that and remove it.
Last updated on 18 Dec, 2019
Read this article:
What Is Snatch Ransomware and How to Remove It - Guiding Tech
- Why the US government is questioning WhatsApp's encryption - CNBC - February 25th, 2020
- No Backdoor on Human Rights: Why Encryption Cannot Be Compromised - Bitcoin News - February 25th, 2020
- Backdoor to encryption back on agenda in absurdly named bill - 9to5Mac - February 25th, 2020
- Signal is the European Union's encrypted messaging app of choice - Cult of Mac - February 25th, 2020
- cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud - ZDNet - February 25th, 2020
- ASIO: Relentless advance of technology was outstripping our capabilities - ZDNet - February 25th, 2020
- Cygilant to Highlight the Need for Encrypted Traffic Visibility at RSA Conference 2020 - Business Wire - February 25th, 2020
- Encryption Software Market 2020 Emerging Trends, Growing Demand, Leading Companies, Applications, Overview and Regional Analysis 2026 - News Times - February 25th, 2020
- US bill seen threatening encryption on tech platforms - EJ Insight - February 25th, 2020
- AES Encryption Software Market to Witness Increased Incremental Dollar Opportunity During the Forecast Period 2020 2026 | Dell, Eset, Gemalto, IBM,... - February 25th, 2020
- Malware and HTTPS a growing love affair - Naked Security - February 25th, 2020
- Hardware-based Full Disk Encryption Market To Witness Growth Acceleration During 2020-2026 | Western Digital Corp, Samsung Electronics, Toshiba,... - February 25th, 2020
- Encryption Software Market are anticipated to lucrative growth opportunities in the future by Product Type, Structure, End-user and Geography to 2027... - February 25th, 2020
- Proposed Bill Could Threaten Apple, Facebook Messaging Platforms - MSSP Alert - February 25th, 2020
- Zettaset to Participate in Cybersecurity Forum at Annual HIMSS 2020 Conference - Business Wire - February 25th, 2020
- Cloud Encryption Technology Market Analysis with Key Players, Applications, Trends and Forecasts to 2025 | Gemalto, Sophos, Symantec - Nyse Nasdaq... - February 25th, 2020
- US legislation to fend off end-to-end encryption of Facebook, Google and others - Financial World - February 25th, 2020
- Encryption on Facebook, Google, others threatened by planned new bill - Reuters - February 22nd, 2020
- What Is an Encryption Backdoor? - How-To Geek - February 22nd, 2020
- Sophos Takes On Encrypted Network Traffic With New XG Firewall 18 - CRN: Technology news for channel partners and solution providers - February 22nd, 2020
- Last Week In Venture: Eyes As A Service, Environmental Notes And Homomorphic Encryption - Crunchbase News - February 22nd, 2020
- CIA Encryption Meddling and Chinese Espionage Allegations Make It Clear: We All Need Strong Data Protection - Reason - February 12th, 2020
- Congress, Not the Attorney General, Should Decide the Future of Encryption - Lawfare - February 12th, 2020
- The code breakers: This vault is the epicenter in law enforcement's battle to unlock encrypted smartphones - USA TODAY - February 12th, 2020
- Enea Announces New Smart Tools to Identify Encrypted and Evasive Network Traffic - Yahoo Finance - February 12th, 2020
- Encryption Vs. Decryption: What's the Difference? - Techopedia - February 12th, 2020
- Labor Bill to fix Australian encryption laws it voted for hits second debate - ZDNet - February 12th, 2020
- Encryption Software Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - News Parents - February 12th, 2020
- Mobile Encryption Market to Grow Massively (2020-2025) By Size, Share, Price, Trend and Forecast | Blackberry, T-Systems International, ESET, Sophos,... - February 12th, 2020
- Child-Welfare Activists Attack Facebook Over Encryption Plans - The New York Times - February 9th, 2020
- How Attorney General Barr's War On Encryption Will Harm Our Military - Techdirt - February 9th, 2020
- Strong Opinions on Whether Police Calls Should be Encrypted - Government Technology - February 9th, 2020
- The EARN IT Act is the latest clueless attack on encryption, do not fall for it - Privacy News Online - February 9th, 2020
- Republican Senator Lindsey Graham introduces bill that threatens end-to-end encryption - World Socialist Web Site - February 9th, 2020
- Activists write to Facebook against encryption, says it will dent bid to curb child pornography - Hindustan Times - February 9th, 2020
- BBB Offers the Following Tips for National Clean Out Your Computer and Safer Internet Day WKTN- A division of Home Town Media - WKTN Radio - February 9th, 2020
- Optical Encryption Market Booming by Size, Revenue, Trends and Top Growing Companies 2026 - Instant Tech News - February 9th, 2020
- Federal government warning of voter coercion, foreign election interference through private messaging services - CBC.ca - February 9th, 2020
- Mobile Encryption Market 2020 Recent Industry Developments and Growth Strategies Adopted by Top Key Players Worldwide and Assessment to 2025 -... - February 9th, 2020
- Well-meaning charities urge Facebook to halt encryption plan to protect kids - 9to5Mac - February 6th, 2020
- How the B-Team watches over Australia's encryption laws and cybersecurity - ZDNet - February 6th, 2020
- Kids Need End-to-End Encryption for Protection Against Corporations - The Mac Observer - February 6th, 2020
- Encryption Backdoors: The Achilles Heel to Cybersecurity? - Techopedia - February 6th, 2020
- US Lawmakers Seeking to Ban Companies From Using End-to-End Encryption With a New Draft Bill - Bitcoin Exchange Guide - February 6th, 2020
- United States: a invoice towards end-to-end encryption? - Sahiwal Tv - February 6th, 2020
- TLS 1.0/1.1 end-of-life countdown heads into the danger zone - The Daily Swig - February 6th, 2020
- How Would a US Ban on End to End Encryption Affect Cryptocurrency? - Bitcoinist - February 5th, 2020
- Officials Ask Public to Weigh in on Encrypting Police Calls - Government Technology - February 5th, 2020
- Bluefin and FroogalPay Partner to Provide PCI-Validated Point-to-Point Encryption (P2PE) - Benzinga - February 5th, 2020
- Facebook to allow parents to monitor their kids' chat messages - Sussex Express - February 5th, 2020
- Hardware-based Full Disk Encryption Market To Boom In Near Future By 2027 With Industry Key Players - Science of Change - February 5th, 2020
- New ransomware with '.SaveTheQueen' extension discovered by Varonis - Information Age - February 5th, 2020
- The Best Encryption Software for 2020 | PCMag - February 2nd, 2020
- Encryption - What It Is, Types, Algorithms, & More ... - February 2nd, 2020
- A Beginner's Guide to Encryption: What It Is and How to ... - February 2nd, 2020
- Encryption | Internet Society - February 2nd, 2020
- Best encryption software tools of 2020: Keep your data ... - February 2nd, 2020
- What is 256-bit Encryption? How long would it take to crack? - February 2nd, 2020
- A new bill could punish web platforms for using end-to-end encryption - The Verge - February 2nd, 2020
- How to encrypt email (Gmail, Outlook iOS, OSX, Android ... - February 2nd, 2020
- Researchers showcase all-optical encryption tech to keep data hidden and safe - The Times of Israel - February 2nd, 2020
- The U.S. government's been trying to stop encryption for 25 years. Will it win this time? - Tom's Guide - February 2nd, 2020
- Apple's end-to-end encryption threatened by new proposed bill - AppleInsider - February 2nd, 2020
- With Streaming Becoming More Prevalent in 2020, it would be better to connect to the Internet with a VPN - gotech daily - February 2nd, 2020
- nCipher Security: More Americans trust encryption than know what it is - Security Boulevard - January 30th, 2020
- Encryption Software Market 2020 Analysis by Current Industry Status, Key Manufacturers, Industry Drivers and Forecast to 2024 Dagoretti News -... - January 30th, 2020
- Emerging Opportunities in Hardware-based Full Disk Encryption Market with Current Trends Analysis - Dagoretti News - January 30th, 2020
- Scientists from Israel have developed the worlds first optical encryption technology Stealth - The Times Hub - January 30th, 2020
- Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors - VICE - January 30th, 2020
- How to Get the Most Out of Your Smartphone's Encryption - WIRED - January 30th, 2020
- Forensics detective says Android phones are now harder to crack than iPhones - Android Authority - January 30th, 2020
- Options to End the End to End Encryption Debate - Infosecurity Magazine - January 30th, 2020
- Remember the Clipper chip? NSA's botched backdoor-for-Feds from 1993 still influences today's encryption debates - The Register - January 30th, 2020
- Why Public Wi-Fi is a Lot Safer Than You Think - EFF - January 30th, 2020
- There is no legislation mandating encryption of private information - Kamloops This Week - January 30th, 2020
- Apple Watch rewards, iCloud encryption, and WhatsApp hacks on the AppleInsider Podcast - AppleInsider - January 30th, 2020
- Apple Wanted the iPhone to Have End-to-End Encryption. Then the FBI Stepped In - Popular Mechanics - January 27th, 2020
- Amazon Engineer Leaked Private Encryption Keys. Outside Analysts Discovered Them in Minutes - Gizmodo - January 27th, 2020
- Deployed 82nd Airborne unit told to use these encrypted messaging apps on government cell phones - Military Times - January 27th, 2020
- The FBI doesn't need Apple to give it a backdoor to encryption, because it already has all the access it needs - Boing Boing - January 27th, 2020