Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 14 submissions in the queue.

Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools

posted by martyb on Thursday December 12 2019, @02:30AM   Printer-friendly
from the safe-mode...for-whom? dept.

Fnord666 writes:

Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools

Researchers discovered a new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any resident security solutions and immediately starts encrypting files once the system loads.

Encrypting the victim's files is possible because most security tools are automatically disabled when Windows devices boot in Safe Mode as the Sophos Managed Threat Response (MTR) team and SophosLabs researchers found.

"Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions," they add. "The samples we've seen are also packed with the open-source packer UPX to obfuscate their contents."

Snatch ransomware came out towards the end of 2018 and it became noticeably active during April 2019 as shown by a spike in ransom notes and encrypted file samples submitted to Michael Gillespie's ID Ransomware platform.

[...] To take advantage of anti-malware solutions not loading in Safe Mode, the Snatch ransomware component installs itself as a Windows service dubbed SuperBackupMan capable of running in Safe Mode that can't be stopped or paused, and then force restarts the compromised machine.

After the device enters Windows Safe Mode, Snatch ransomware will delete "all the Volume Shadow Copies on the system" as the researchers discovered, preventing "forensic recovery of the files encrypted by the ransomware."

In the next stage, the malware will start encrypting its victims' files, with the attackers now being sure that recovery without payment is impossible.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools | Log In/Create an Account | Top | 14 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Interesting) by Anonymous Coward on Thursday December 12 2019, @10:48AM (2 children)

    by Anonymous Coward on Thursday December 12 2019, @10:48AM (#931361)

    Safe mode never was safe from viruses or malware, since there are settings in the registry on the service/driver level which dictate which services and drivers are allowed to load in safe mode, which kind of defeats the whole point of it if you don't honour the trust system in place that honest services won't enable this flag on themselves. Which we see is happenning here, where the malware installs itself as a safe-mode-enabled service.

    Been a while since I used Windows safe mode, but wasn't there an option where when it boots into safe mode, you get to choose which services and drivers load on a one-by-one basis? That option might prevent the malware loading, but I guess you'd only have one shot at pressing the magic key pretty damn quick to break into that routine, and you'd need to know in advance that your machine was about to get hosed to know to use this mode. So the chances of doing this to prevent the malware doing damage is very slim.

    Starting Score:    0  points
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  
    Total Score:   2  

  • (Score: 4, Insightful) by FatPhil on Thursday December 12 2019, @05:35PM (1 child)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday December 12 2019, @05:35PM (#931457) Homepage
    Yup, safe mode was to protect you from the honest but incompetent. Alas that's not the threat model most people need to protect themselves against.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

    • (Score: 0) by Anonymous Coward on Friday December 13 2019, @03:30AM

      by Anonymous Coward on Friday December 13 2019, @03:30AM (#931620)
      Actually if the ransomware only starts encrypting your stuff after it reboots into safe mode that's a good opportunity to prevent it from encrypting stuff. Just tell people if your computer starts rebooting unexpectedly and starting into safe mode, forcibly power it down and then get help...

      Furthermore there's safe mode and safe mode with networking. If it picks the former that limits the impact of the ransomware.