TheWindowsClub News

TheWindowsClub Tech News covers the latest Microsoft Windows 10 news, along with other products & services like Office, etc.

Snatch ransomware bypasses anti-virus programs by entering Windows Safe Mode

As data protection measures are becoming stronger, crimeware perpetrators are developing more sophisticated products. Snatch ransomware is the latest example. It’s a new weapon that has been added to their arsenal. Snatch ransomware reboots your PC into Safe Mode and then encrypts your data!

Snatch Ransomware

Snatch ransomware hijacks PC Safe Mode

Any variant of ransomware is designed to perpetually block access to data unless a ransom is paid. Snatch ransomware is no different. However, it follows a different approach. It adds the ability to reboots PCs into Safe Mode to bypass protection, a unique technique designed to circumvent endpoint protection.

According to Sophos Labs, the ransomware featuring an array of executables and tools for carrying out carefully orchestrated attacks. The company had first encountered the Snatch ransomware about a year ago and believes it has remained active since then. However, it seems the ransomware has acquired the Safe Mode enhancement capability only recently.

What we refer to as Snatch malware comprises a collection of tooling, which include a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse-shell; and several publicly-available tools that aren’t inherently malicious, but used more conventionally by penetration testers, system administrators, or technicians, mentioned Sophos blog post.

Interestingly, in addition to the discovery of a new variant of malware, Sophos offers some valuable and deep insight into ransomware thugs strategy for breaking into a business.

As a precautionary measure, Sophos recommends that organizations of any size (small or large) should refrain from exposing their Remote Desktop interface to the unprotected internet. If organizations wish to permit remote access to machines, they should put them behind a VPN on their network, so they cannot be reached by anyone who does not have ‘VPN’ credentials.

Also, organizations should implement multifactor authentication for users with administrative privileges. This mechanism will make it more difficult for attackers to brute force those account credentials.

Updated on Tags:

HemantSaxena@TWCN

A post-graduate in Biotechnology, Hemant switched gears to writing about Microsoft technologies and has been a contributor to TheWindowsClub since then. When he is not working, you can usually find him out traveling to different places or indulging himself in binge-watching.

Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap