
posted by martyb on Thursday December 12 2019, @02:30AM   Printer-friendly
from the safe-mode...for-whom? dept.

Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools

Researchers discovered a new Snatch ransomware strain that reboots the computers it infects into Safe Mode, where resident security solutions are not loaded, and starts encrypting files as soon as the system comes back up.

Encrypting the victim's files is possible because most security tools are automatically disabled when Windows devices boot in Safe Mode as the Sophos Managed Threat Response (MTR) team and SophosLabs researchers found.

"Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions," they add. "The samples we've seen are also packed with the open-source packer UPX to obfuscate their contents."

Snatch ransomware came out towards the end of 2018 and it became noticeably active during April 2019 as shown by a spike in ransom notes and encrypted file samples submitted to Michael Gillespie's ID Ransomware platform.

[...] To take advantage of anti-malware solutions not loading in Safe Mode, the Snatch ransomware component installs itself as a Windows service dubbed SuperBackupMan that is configured to run in Safe Mode and can't be stopped or paused, and then force-restarts the compromised machine.

After the device enters Windows Safe Mode, Snatch ransomware will delete "all the Volume Shadow Copies on the system" as the researchers discovered, preventing "forensic recovery of the files encrypted by the ransomware."

In the next stage, the malware starts encrypting the victim's files, the attackers now being confident that recovery without payment is impossible.
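The two mechanisms described above (a service registered to start in Safe Mode, followed by deletion of the Volume Shadow Copies) are both auditable from a normal administrative session. The following PowerShell is an added example written for this page, not code from the article, from Sophos or from BleepingComputer. It enumerates the Safe Mode service allow-lists that Windows keeps under the SafeBoot registry key and checks whether any shadow copies still exist. The "binary outside System32" heuristic, and the assumption that a host normally has at least one shadow copy, are tuning choices of this example; the article does not say which registration path Snatch uses, so the script audits the standard one.

```powershell
# Added example (not from the article or the Sophos write-up): audit the
# Safe Mode service allow-lists and the Volume Shadow Copy state on a host.
# Run from an elevated PowerShell session. The path heuristic below and the
# "at least one shadow copy is normal" assumption must be tuned per environment.

$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'   # Safe Mode
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'   # Safe Mode with Networking
)

# The only service name the article reports; kept as a single known indicator.
$knownBadNames = @('SuperBackupMan')

$services   = Get-CimInstance -ClassName Win32_Service
$systemRoot = $env:SystemRoot

$findings = foreach ($key in $safeBootKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        # Windows starts a service in Safe Mode only if a subkey named after the
        # service exists here with a (default) value of "Service" ("Driver" for drivers).
        $kind = $sub.GetValue('')
        if ($kind -ne 'Service') { continue }

        $svc = $services | Where-Object { $_.Name -eq $sub.PSChildName }
        if (-not $svc) { continue }   # subkey with no matching service: stale or reserved entry

        $reasons = @()
        if ($knownBadNames -contains $svc.Name) {
            $reasons += 'name matches published indicator'
        }
        # Heuristic (assumption): built-in Safe Mode services live under System32.
        if ($svc.PathName -notlike "*$systemRoot\System32\*") {
            $reasons += 'binary outside System32'
        }

        [pscustomobject]@{
            SafeBootList = Split-Path -Path $key -Leaf
            Service      = $svc.Name
            Path         = $svc.PathName
            StartMode    = $svc.StartMode
            State        = $svc.State
            Suspicious   = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("Review Safe Mode service '{0}': {1}" -f $_.Service, $_.Suspicious)
}

# Second check: shadow copies. A host that normally keeps them and suddenly
# has none shows the precursor the article describes.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Output ("Volume Shadow Copies present: {0}" -f $shadows.Count)
if ($shadows.Count -eq 0) {
    Write-Warning 'No Volume Shadow Copies found; confirm this is expected for this host.'
}
```

Legitimate backup and endpoint products also register services here, so the output is a review list rather than a verdict; the useful signal is a newly appearing entry, especially one whose service was created shortly before a reboot. Comparing the list against a baseline taken from a known-good build of the same image is the simplest way to turn this into a scheduled check.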


  • (Score: 0) by Anonymous Coward on Thursday December 12 2019, @07:30AM (2 children)

    by Anonymous Coward on Thursday December 12 2019, @07:30AM (#931337)

    They have never heard of archive backups? Tape? rsync? WTF?

  • (Score: 3, Informative) by choose another one on Thursday December 12 2019, @01:20PM

    by choose another one (515) Subscriber Badge on Thursday December 12 2019, @01:20PM (#931374)

    > They have never heard of archive backups? Tape? rsync? WTF?

    Yup, these young uns know nothin - I'm protected, all I got to do is get the QIC02 out of the loft and find a slot for the ISA card and I can recover from my backup tapes! If I can find them, it's a bit dusty in here...

  • (Score: 0) by Anonymous Coward on Saturday December 14 2019, @05:23AM

    by Anonymous Coward on Saturday December 14 2019, @05:23AM (#931962)

    Deleting the Volume Shadow Copies deletes all backups of the system. If the backup drive is attached and accessible, then the actual backup is deleted. This also means even if you have offline backups, then you have deleted the associated metadata for the backups. This means that the restoration process is impossible in-place. You have to reinstall the whole machine. Then restore the backups to a different directory, losing the historical information in the process, if you are lucky. If you are unlucky, you and your tech won't know how to disestablish the shadowstorage relationship and will nuke your backup anyway.

    Thanks again, Microsoft, for getting rid of the traditional backup tool in Home!