As data protection measures become stronger, crimeware operators are developing more sophisticated products, and Snatch ransomware is the latest example of a new weapon added to their arsenal: it reboots your PC into Safe Mode and then encrypts your data.
Snatch ransomware hijacks PC Safe Mode
Any variant of ransomware is designed to perpetually block access to data unless a ransom is paid, and Snatch ransomware is no different. However, it follows a different approach: it adds the ability to reboot PCs into Safe Mode, a unique technique designed to circumvent endpoint protection.
According to SophosLabs, the ransomware features an array of executables and tools for carrying out carefully orchestrated attacks. The company first encountered Snatch ransomware about a year ago and believes it has remained active since then. However, the ransomware seems to have acquired the Safe Mode capability only recently.
"What we refer to as Snatch malware comprises a collection of tooling, which includes a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse shell; and several publicly available tools that aren't inherently malicious but are used more conventionally by penetration testers, system administrators, or technicians," the Sophos blog post noted.
Interestingly, beyond the discovery of a new malware variant, Sophos offers valuable and deep insight into the ransomware thugs' strategy for breaking into a business.
As a precautionary measure, Sophos recommends that organizations of any size, small or large, refrain from exposing their Remote Desktop interface to the unprotected internet. Organizations that wish to permit remote access to machines should put them behind a VPN on their network, so they cannot be reached by anyone who does not have VPN credentials.
Organizations should also implement multifactor authentication for users with administrative privileges; this makes it more difficult for attackers to brute-force those account credentials.
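The following is an added example, not code from the article or from Sophos, of how an administrator can check the exposure the article warns about and apply the VPN-only part of the recommendation on a Windows host using the built-in Windows Defender Firewall cmdlets. It first lists every enabled inbound rule that opens TCP/3389 together with the remote address scope it allows, then restricts the shipped "Remote Desktop" rule group to the VPN client subnet. The subnet `10.8.0.0/24` is an assumed placeholder; the multifactor authentication recommendation is enforced on the identity provider or VPN gateway rather than in this firewall configuration and is not covered here.

```powershell
# Added example (not from the article or from Sophos): audit and tighten the
# Windows Defender Firewall rules for Remote Desktop so that TCP/3389 is only
# reachable from the VPN client subnet. The subnet is an assumed placeholder.
$VpnSubnet = '10.8.0.0/24'

# 1. Audit: list every enabled inbound allow rule that opens TCP/3389 and the
#    remote address scope it permits. A scope of 'Any' means the listener is
#    reachable from the whole internet whenever the host has a public interface.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } |
    Format-Table -AutoSize

# 2. Remediate: replace the default 'Any' remote scope on the built-in
#    Remote Desktop rules with the VPN subnet, so only VPN clients can reach RDP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet

# 3. Verify: re-run step 1; every RDP rule should now report $VpnSubnet rather
#    than 'Any'. Any custom rule still showing 'Any' needs the same treatment.
```

Run this in an elevated PowerShell session. The audit in step 1 deliberately matches on the port rather than the rule name, because a custom rule created outside the "Remote Desktop" group would otherwise be missed; the check is only as good as its coverage of every rule that opens the port.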