A new ransomware strain named “Snatch” has been detected. It forces Windows to reboot into Safe Mode and only then starts the encryption process; the reason for running in Safe Mode is that most antivirus products do not run there.
This Safe Mode trick was discovered by the incident response team at SophosLabs, who were investigating a ransomware infection in the past few weeks.
“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end-users,” Andrew Brandt, a malware researcher and network forensic investigator at Sophos, said in a report.
The Snatch crew discovered that they could use a Windows registry key to register a Windows service that starts in Safe Mode, so the ransomware runs in Safe Mode without the risk of being detected by antivirus software.
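As an added defensive check that is not part of the article or of Sophos's research, the PowerShell below lists the services Windows will start in Safe Mode and flags entries whose binary sits outside the system directories, then checks whether the boot configuration is already set to force Safe Mode; the trusted-directory baseline is an assumption, and the script must run as Administrator.

```powershell
# Added example, not from the article or from Sophos: audit which services Windows
# will start in Safe Mode. Windows only starts services listed under the SafeBoot\Minimal
# (Safe Mode) and SafeBoot\Network (Safe Mode with Networking) keys, so a ransomware
# service registered there survives a forced Safe Mode reboot. Run as Administrator.
$safeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
# Built-in Safe Mode services normally run from these directories (an assumed baseline;
# anything outside them is flagged for manual review, not declared malicious).
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$findings = foreach ($root in $safeBootRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $entryName = $_.PSChildName
        # The subkey's (default) value is "Service" for a service entry, "Driver" for a driver.
        $kind = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($kind -ne 'Service') { return }

        $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$entryName" `
                                -ErrorAction SilentlyContinue
        $imagePath = if ($svc) { [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath) } else { '' }
        # Isolate the executable: a quoted path, or the first token of an unquoted one.
        $exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split '\s+')[0] }
        $trusted = [bool]($trustedDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })

        [pscustomobject]@{
            SafeBootList = Split-Path $root -Leaf
            Service      = $entryName
            ImagePath    = $imagePath
            Review       = -not $trusted   # no service definition found, or non-system binary
        }
    }
}
$findings | Sort-Object Review -Descending | Format-Table -AutoSize

# Second indicator of this technique: the boot configuration already set to force the next
# boot into Safe Mode. bcdedit prints a "safeboot" line for {current} when that is the case.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    Write-Warning 'Boot configuration forces Safe Mode on next boot; investigate before rebooting.'
}
```

Entries marked Review are candidates for inspection against the service's actual binary and signer, not confirmed malware; a few legitimate third-party drivers and agents also register Safe Mode services.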
Sophos researchers say that this ransomware group has been active since the summer of 2018.
Snatch Ransomware Analysis
The ransomware attacks Windows machines with a bundle of malware: a ransomware executable, a custom-built data stealer, a Cobalt Strike reverse shell, and several publicly available tools that are otherwise used by penetration testers, IT staff and system administrators. The samples are reportedly packed with the open-source packer UPX to obfuscate their contents.
The malware is capable of running on the most common Windows platforms, i.e. Windows 7 through 10, in both 32-bit and 64-bit versions. It is not, however, capable of running on anything other than Windows.
This ransomware is seen to spread mostly through e-mails and SMS, and it can also be embedded in Word files.
Snatch is written in Go, Google's open-source programming language.