Snatch Ransomware forces systems into Windows Safe Mode to bypass security solutions

Pierluigi Paganini December 10, 2019

Experts spotted a new piece of the Snatch ransomware that reboots computers it infects into Safe Mode to bypass resident security solutions.

Researchers discovered a new strain of the Snatch ransomware that reboots computers it infects into Safe Mode to bypass resident security solutions and encrypt files on the system.

The malware attempts to exploit the fact that many security tools are automatically disabled when Windows machines run in Safe Mode.

“The Sophos Managed Threat Response (MTR) team and SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process.” reads an analysis published by Sophos. “The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode.”

In mid-October, experts from the Sophos MTR team investigated a targeted ransomware attack against an organization.

The threat actors behind the Snatch ransomware (the so-called “Snatch Team”) have adopted an active, automated attack model to compromise target networks. The attackers launch automated brute-force attacks against exposed services and then leverage that foothold for lateral movement through manual operations conducted by the group's members.

One of the alleged members of the Snatch Team was observed by Sophos’ researchers while “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores, and other companies.” The members of the gang have been observed recruiting hackers on hacking forums.

“Later in the same message thread, this user offers to (at no charge) train others in the use of the malware, allow prospective criminal partners to use their infrastructure, provide “the best students” with a customized server running Metasploit, and then says “we are looking for capable people to join our team.” continues the analysis.

Snatch ransomware runs on almost any version of Windows, from 7 through 10, in both 32- and 64-bit editions. The malware samples analyzed by the experts were also packed with the open-source packer UPX to obfuscate their contents.

The analysis of the logs of a targeted organization confirmed that the threat actors carried out a brute-forcing attack against a server’s Microsoft Azure admin account, then logged in via Remote Desktop (RDP).

Hunting the attackers, the experts noticed they used the same collection of tools in other opportunistic attacks against organizations worldwide, including the United States, Canada, and several European countries.

All the target organizations have one or more computers with RDP exposed online.

Once they have compromised the target network, the attackers log into the domain controller (DC) using the same admin account, maintain access, monitor activity on the network, and exfiltrate information.

Experts found surveillance software on around 5% of all machines on the network (roughly 200 computers).

The Snatch team has also been observed while dropping a series of legitimate tools including Process Hacker, IObit Uninstaller, PowerTool, and PsExec that were used to disable AV solutions.

The Snatch ransomware is dropped on the compromised network following a seemingly random timeline that can last from a few days to several weeks.

To encrypt files while the system runs in Safe Mode, the Snatch ransomware component installs itself as a Windows service dubbed SuperBackupMan that can run in Safe Mode and that can’t be stopped or paused.

“When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.” reads the analysis.

net stop SuperBackupMan
vssadmin delete shadows /all /quiet

“The ransomware then begins encrypting documents on the infected machine’s local hard drive.”
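The chain described above (a service that survives into Safe Mode, a `net stop` of that service, then `vssadmin delete shadows`) is visible in ordinary endpoint telemetry. The detector below is an added example, not code from the article or from Sophos: it correlates, per host, a registry write under the SafeBoot\Minimal key (the standard mechanism by which a service is allowed to start in Safe Mode), a `net stop` of the same service name, and a shadow-copy deletion within a time window. The event layout, host names, paths and timestamps are constructed for illustration and mimic simplified Sysmon-style records; the article does not state which registry key Snatch writes, so that mapping is an assumption.

```python
"""Correlate Safe Mode service registration, `net stop`, and shadow-copy
deletion on the same host. Added example; event shapes and sample data are
constructed, not telemetry from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Services listed under this key are started when Windows boots into
# Safe Mode (Minimal). Assumption: the malware's service lands here.
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
NET_STOP = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)

# Constructed sample events: the full chain on WS-042, plus a benign
# `net stop` on WS-007 that must not produce a finding.
SAMPLE_EVENTS = [
    {"ts": "2019-10-15T02:10:00", "host": "WS-042", "event": "registry_set",
     "target": SAFEBOOT_KEY + r"\SuperBackupMan\(Default)",
     "image": r"C:\Users\Public\svc.exe"},
    {"ts": "2019-10-15T02:10:05", "host": "WS-042", "event": "process_create",
     "image": r"C:\Windows\System32\shutdown.exe", "cmdline": "shutdown /r /t 0"},
    {"ts": "2019-10-15T02:12:30", "host": "WS-042", "event": "process_create",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop SuperBackupMan"},
    {"ts": "2019-10-15T02:12:31", "host": "WS-042", "event": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2019-10-15T03:00:00", "host": "WS-007", "event": "process_create",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
]


def detect_safe_mode_ransomware(events: Iterable[Dict],
                                window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Return one finding per shadow-copy deletion.

    Severity is "critical" when the deletion follows a Safe Mode service
    registration on the same host within `window` (with "net_stop" added to
    the stages if that service was also stopped), otherwise "medium": a
    shadow-copy deletion on its own still deserves an alert, so a missed
    registry event never silences the detector.
    """
    by_host: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings: List[Dict] = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        safeboot: Dict[str, Dict] = {}  # lower-cased service name -> details
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if ev["event"] == "registry_set":
                target = ev["target"]
                if target.upper().startswith(SAFEBOOT_KEY.upper() + "\\"):
                    # First path element after the key is the service name.
                    name = target[len(SAFEBOOT_KEY) + 1:].split("\\", 1)[0]
                    safeboot[name.lower()] = {"name": name, "ts": ts,
                                              "image": ev.get("image", ""),
                                              "stopped": False}
                continue
            if ev["event"] != "process_create":
                continue
            cmd = ev.get("cmdline", "")
            m = NET_STOP.search(cmd)
            if m and m.group(1).lower() in safeboot:
                safeboot[m.group(1).lower()]["stopped"] = True
            if SHADOW_DELETE.search(cmd):
                finding = {"host": host, "ts": ev["ts"], "service": None,
                           "stages": ["shadow_delete"], "severity": "medium"}
                for info in safeboot.values():
                    if timedelta(0) <= ts - info["ts"] <= window:
                        stages = ["safeboot_service"]
                        if info["stopped"]:
                            stages.append("net_stop")
                        stages.append("shadow_delete")
                        finding.update(service=info["name"], stages=stages,
                                       severity="critical",
                                       service_image=info["image"])
                        break
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_safe_mode_ransomware(SAMPLE_EVENTS):
        print(f)
```

Only the shadow-copy deletion opens a finding; the Safe Mode registration and the `net stop` raise its severity when they precede it on the same host. In practice the registry write is the earliest and most specific signal, since legitimate software rarely adds itself to SafeBoot\Minimal, so an alert on that event alone (before the reboot) gives defenders the chance to act before encryption starts.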

Below is a video PoC of the Snatch ransomware attack that shows the malware rebooting an infected system and encrypting files once the victim’s machine is in Windows Safe Mode.

Additional technical details, including indicators of compromise (IOCs) are reported in the analysis published by Sophos.


Pierluigi Paganini

(SecurityAffairs – Snatch ransomware, malware)
