New Snatch Ransomware Variant Avoids Detection Using Safe Mode

• Researchers have spotted a new variant of the Snatch ransomware that avoids antivirus detection by rebooting machines to Safe Mode.
• This ransomware is believed to be active at least from the 2018 summer, but the Safe Mode enhancement appears to be a recently added feature.

The backdrop

While investigating a series of ransomware attacks, researchers from Sophos Labs spotted this new variant of the Snatch ransomware.

• This technique of forcing the Windows machines to reboot into Safe Mode is possibly a way to skip endpoint protection.
• In the Safe Mode, most software including security software doesn’t run, and the ransomware beings to encrypt the hard drives in the infected system.

“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users,” said the researchers.

Technical details

This malware that is written in the Go programming language, can not run under multiple operating systems.

• The malware contains a ransomware component, a data stealer component, along with several publicly available tools.
• The attacks involving this malware are usually of the ‘active automated attack model’ type. This means brute force attacks are launched against vulnerable networks, and then the penetration happens.

Detecting and preventing attacks

Most of the attacks involving this malware were observed to be on networks that allowed uninhibited access for several days. Security experts recommend monitoring networks and periodically hunting for threats.

To prevent this ransomware from impacting your network, here are a few things you may want to do:

• Organizations must implement multifactor authentication, especially for those accounts with more privileges.
• Vulnerabilities must be regularly scanned for and patched as soon as possible.
• As much as possible, organizations must prevent exposing their Remote Desktop interface to the unprotected internet.