Snatch Ransomware forces systems into Windows Safe Mode to bypass security solutions

Experts spotted a new piece of the Snatch ransomware that reboots computers it infects into Safe Mode to bypass resident security solutions.

Researchers discovered a new strain of the Snatch ransomware that reboots computers it infects into Safe Mode to bypass resident security solutions and encrypt files on the system.

The malware attempts to exploit the fact that many security tools are automatically disabled when Windows machines run in Safe Mode.

“The Sophos Managed Threat Response (MTR) team and SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process.” reads an analysis published by Sophos. “The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode.”

In mid-October, experts from the Sophos MTR team investigated a targeted ransomware attack against an organization.

The threat actors behind the Snatch ransomware (the so-called “Snatch Team”) have adopted an active, automated attack model to compromise target networks. The attackers launch automated brute-force attacks against exposed services and then leverage that foothold for lateral movement through manual operations conducted by the group's members.

One of the alleged members of the Snatch Team was observed by Sophos’ researchers while “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores, and other companies.” The members of the gang have been observed recruiting hackers on hacking forums.

“Later in the same message thread, this user offers to (at no charge) train others in the use of the malware, allow prospective criminal partners to use their infrastructure, provide “the best students” with a customized server running Metasploit, and then says “we are looking for capable people to join our team.” continues the analysis.

Snatch ransomware runs on almost any version of Windows, from 7 through 10, in both 32- and 64-bit builds. The malware samples analyzed by the experts were also packed with the open-source packer UPX to obfuscate their contents.

The analysis of the logs of a targeted organization confirmed that the threat actors carried out a brute-forcing attack against a server’s Microsoft Azure admin account, then logged in via Remote Desktop (RDP).

Hunting the attackers, the experts noticed they used the same collection of tools in other opportunistic attacks against organizations worldwide, including the United States, Canada, and several European countries.

All the target organizations have one or more computers with RDP exposed online.

Once they have compromised the target network, the attackers log into the domain controller (DC) using the same admin account, maintain access, monitor activity on the network and exfiltrate information.

Experts found surveillance software on around 5% of all machines on the network (roughly 200 computers).

The Snatch team has also been observed dropping a series of legitimate tools, including Process Hacker, IObit Uninstaller, PowerTool, and PsExec, that were used to disable AV solutions.

The Snatch ransomware is dropped on the compromised network following a seemingly random timeline that can stretch from a few days to weeks.

To encrypt files while the system runs in Safe Mode, the Snatch ransomware component installs itself as a Windows service dubbed SuperBackupMan, configured so that it runs in Safe Mode and cannot be stopped or paused.

“When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.” reads the analysis.

net stop SuperBackupMan
vssadmin delete shadows /all /quiet

“The ransomware then begins encrypting documents on the infected machine’s local hard drive.”
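The sequence above (a service being stopped with net.exe, immediately followed by vssadmin.exe wiping every Volume Shadow Copy) is a compact detection opportunity. The following is an added example, not code from Sophos or from this article: a small correlation rule run over constructed, Sysmon-style process command lines. The log format, the host names and the five-minute window are assumptions; the SuperBackupMan service name comes from the write-up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "timestamp|host|command line"
SAMPLE_LOG = """\
2019-10-15T03:01:12|WS-042|sc query SuperBackupMan
2019-10-15T03:02:40|WS-042|net stop SuperBackupMan
2019-10-15T03:02:41|WS-042|vssadmin delete shadows /all /quiet
2019-10-15T09:15:00|WS-017|vssadmin list shadows
2019-10-15T11:30:05|WS-017|net stop Spooler
"""

STOP_RE = re.compile(r"^net(?:\.exe)?\s+stop\s+(\S+)", re.I)
VSS_DELETE_RE = re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)
KNOWN_BAD_SERVICES = {"superbackupman"}  # service name reported by Sophos
WINDOW = timedelta(minutes=5)            # assumed correlation window

def parse(log):
    """Split each line into (datetime, host, command line)."""
    events = []
    for line in log.splitlines():
        ts, host, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), host, cmd.strip()))
    return events

def detect(log):
    """Return (host, severity, reason) findings for the Snatch-like pattern."""
    findings = []
    last_stop = {}  # host -> (time, service) of the most recent 'net stop'
    for ts, host, cmd in parse(log):
        m = STOP_RE.match(cmd)
        if m:
            svc = m.group(1)
            last_stop[host] = (ts, svc)
            if svc.lower() in KNOWN_BAD_SERVICES:
                findings.append((host, "high", f"known Snatch service stopped: {svc}"))
            continue
        if VSS_DELETE_RE.match(cmd):
            # Deleting all shadow copies removes the easiest recovery path.
            findings.append((host, "high", "all Volume Shadow Copies deleted"))
            stop = last_stop.get(host)
            if stop and ts - stop[0] <= WINDOW:
                findings.append((host, "critical",
                                 f"'net stop {stop[1]}' then shadow deletion within {WINDOW}"))
    return findings

if __name__ == "__main__":
    for host, sev, why in detect(SAMPLE_LOG):
        print(f"{host} [{sev}] {why}")
```

Listing shadow copies (as on WS-017) is benign and produces no finding; the combination of a service stop and a full shadow deletion on the same host within the window is what escalates to critical.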

Below is a video PoC of the Snatch ransomware attack; it shows the malware rebooting an infected system and encrypting files once the victim’s machine is in Windows Safe Mode.

Additional technical details, including indicators of compromise (IOCs), are reported in the analysis published by Sophos.

Pierluigi Paganini

(SecurityAffairs – Snatch ransomware, malware)
