SECURITY ALERT: Snatch Ransomware Reboots Your PC in Safe Mode to Avoid Detection
This is a never-before-seen strategy in ransomware and malware. Here’s how the Snatch ransomware will bypass Antivirus detection, and how to stay safe.
Ransomware is experiencing a resurgence in the second half of 2019, and it will probably keep growing in 2020. In perhaps the most disturbing ransomware development of the year, a newcomer has come up with a novel strategy to bypass Antivirus detection. The Snatch ransomware starts its destructive activity only after rebooting the Windows computer into Safe Mode. This lets it elude Antivirus detection, because it begins behaving like ransomware (encrypting files) only after the reboot, and most commercial Antivirus programs do not initialize in Windows Safe Mode: that boot mode loads only a minimal set of drivers and services and is meant as a temporary state for troubleshooting a malfunctioning system. It is not the first time malware has found ways to disable or trick Windows defenses, but the Snatch technique has the potential to be one of the most damaging yet, because it sidesteps the endpoint protection most victims rely on rather than fighting it. I can't stress enough the importance of learning about Snatch and taking every defensive measure against it.
How the Snatch Ransomware Works
After the Snatch ransomware successfully infects a computer, it doesn't begin behaving like ransomware (encrypting files) right away, because that would get it detected by whatever Antivirus software the machine is running. Instead, it prepares the ground first. From the get-go, it installs itself as a Windows service that is set to run after a reboot, and it registers that service in the list of services Windows is allowed to start in Safe Mode. This is not a Windows vulnerability: Safe Mode keeps such a list in the registry by design, and Snatch simply adds itself to it. It then forces the machine to reboot into Safe Mode. Once Windows is in Safe Mode, the ransomware finally starts encrypting files. Since most Antivirus software is not running by then, the encryption proceeds uninterrupted; the reboot effectively clears the playing field of all adversaries (endpoint security solutions such as Antivirus software). Even if you get wind that you might be infected, a forced reboot leaves you little time to react, which is what makes Snatch so dangerous and difficult to clean up.
But the most dangerous aspect of the attack is this: Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of many endpoint security tools. Devious! And evil.
— Andrew Brandt (@threatresearch) December 9, 2019
The reason the Snatch ransomware is able to do this is not an exploit of a Windows vulnerability but abuse of a documented Windows feature: by adding a registry key, Snatch embeds itself in the list of services that Windows starts even in Safe Mode. SophosLabs, the team of researchers who first documented this behavior, considers it a major danger to the public, because other ransomware groups could soon borrow the Safe Mode trick, leaving plenty of Antivirus software virtually useless against them. Since most consumers and businesses sadly rely only on a regular Antivirus for protection (at best), this could lead to successful ransomware attacks on an unprecedented scale.
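The article describes the two things the trick needs: a service registered so that Windows starts it in Safe Mode, and a forced reboot into Safe Mode. Both rely on documented Windows mechanisms that the article does not name: Windows keeps the Safe Mode service list under the SafeBoot registry key (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network), and a program sets the next boot to Safe Mode through the bcdedit "safeboot" setting. The following PowerShell audit script is an added example, not code from the article, from Sophos or from the malware; it lists SafeBoot services that are not on a baseline allow-list (the baseline below is constructed for the example and must be built from a known-good machine of the same Windows build) and warns if the next boot is already configured for Safe Mode. Run it from an elevated prompt; any service name, binary path or baseline entry is an assumption of the example.

```powershell
# Added example (not from the article, Sophos or the malware): audit the two
# Windows mechanisms a Safe Mode reboot trick depends on.
# Assumes the documented SafeBoot registry list and the bcdedit "safeboot"
# setting; the baseline service names below are constructed for illustration.

function Get-SafeBootEntries {
    # Each subkey under Minimal/Network names a service, driver or class GUID
    # that Windows is allowed to start in Safe Mode. The subkey's default
    # value says which kind it is; "Service" entries are what a malicious
    # installer would add to survive the reboot.
    foreach ($profile in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
            [pscustomobject]@{
                Profile = $profile
                Name    = $_.PSChildName
                Kind    = $kind
            }
        }
    }
}

function Find-SuspiciousSafeBootServices {
    param(
        # Constructed allow-list for the example. Replace it with the SafeBoot
        # service list exported from a clean machine of the same build.
        [string[]] $Baseline = @('EventLog', 'PlugPlay', 'RpcSs', 'CryptSvc', 'WinDefend')
    )
    # Map service names to their binaries so an unknown entry can be triaged.
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, PathName, StartMode, State

    Get-SafeBootEntries | Where-Object { $_.Kind -eq 'Service' } | ForEach-Object {
        $entry = $_
        if ($Baseline -notcontains $entry.Name) {
            $svc = $services | Where-Object Name -eq $entry.Name
            [pscustomobject]@{
                Profile   = $entry.Profile
                Service   = $entry.Name
                Binary    = if ($svc) { $svc.PathName } else { '<no matching service>' }
                StartMode = if ($svc) { $svc.StartMode } else { '' }
                State     = if ($svc) { $svc.State } else { '' }
            }
        }
    }
}

function Test-SafeBootPending {
    # bcdedit prints a "safeboot" line for {current} only when the next boot
    # has been set to Safe Mode. Seeing it on a machine nobody is
    # troubleshooting is a strong signal that a forced reboot is imminent.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    return [bool]($out | Select-String -Pattern '^\s*safeboot\s' -Quiet)
}

Write-Host '== SafeBoot services not on the baseline =='
Find-SuspiciousSafeBootServices | Format-Table -AutoSize

if (Test-SafeBootPending) {
    Write-Warning 'Next boot is configured for Safe Mode (bcdedit safeboot is set). Investigate before rebooting.'
} else {
    Write-Host 'No pending Safe Mode boot configured.'
}
```

A hit from the first check (a service with an unfamiliar name or a binary outside the Windows directory) is worth pulling the binary for analysis, and a positive second check on a machine that nobody is troubleshooting should be treated as an active intrusion rather than a misconfiguration. The same two conditions also make a good scheduled-task or EDR query, since neither changes on a healthy system.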
More info on the Snatch Ransomware
The ransomware group behind Snatch has been active since summer 2018. The Safe Mode trick seems to be a recent development, but the group stood out from the start. Unlike most ransomware operations, it did not go after consumers through mass-delivered spam campaigns or browser exploit kits. Instead, it focused on high-profile government and corporate targets, which have the money for bigger payouts and are therefore more attractive to "big game hunters" like Snatch. The group has been operating as a business, advertising for affiliate partners and looking for collaborators since last year. Below is an ad from one of the group's operators, stating that they only work with Russian speakers (image: photo by Sophos, via ZDNet).

Especially when targeting large organizations, the Snatch operators don't shoot in the dark. They research their target thoroughly, much as in spear-phishing. If they can't get in themselves, they buy access to the network or work with other hackers to breach it. Then they stay silent for weeks or even months, gathering more information, observing and waiting. The ransomware part of the attack only unfolds once the Snatch team has covered all their bases and success is all but guaranteed.

Furthermore, unlike ransomware gangs who simply encrypt files and demand payment for the decryption key, Snatch also steals data. The researchers investigating the gang found evidence that it engages in data theft as part of the same intrusions. So even if you pay the ransom to get your files back (a strategy we never recommend, even if it means losing your files), you may later find your data leaked or for sale on the dark web.
Coveware, a company that negotiates ransomware payouts on behalf of victims, told Sophos that it privately handled 12 Snatch cases between July and October 2019, with payments ranging from $2,000 to $35,000. The only publicly known Snatch victim is the web hosting company SmarterASP.net. So far, the gang has managed to keep a low profile.
How to Stay Safe from the Snatch Ransomware
Priority #1: Get your security straightened out (DNS shields up!)
No matter how good you think your Antivirus solution is, this time it might not cut it. You need to up your game with a DNS traffic filter, which helps detect unknown threats and blocks ransomware before it can reach your system. The point is to stop the initial compromise: once Snatch is installed, the Safe Mode reboot sidelines the Antivirus, so the defenses that matter most are the ones that keep the malware out in the first place.
Antivirus is no longer enough to keep an organization’s systems secure.
Priority #2: Spread the word and educate your users
No one can afford to stop learning and simply leave security to the experts (system admins and so on). Even with the best EDR solution out there, distracted and uninformed users can jeopardize all the security effort, and an attack like Snatch, which starts with a targeted intrusion, gives them the opening. There's no way around it anymore: everyone needs to stay alert and learn how contemporary threats work. As these threats evolve, so should the security practices users follow online. You can get started with our free cybersecurity resources here: simple, actionable advice, and no matter how non-technical you are, reading a bit every few days will leave you better prepared to handle a cyber-emergency.