
SoylentNews is people

posted by martyb on Thursday December 12 2019, @02:30AM   Printer-friendly
from the safe-mode...for-whom? dept.

Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools

Researchers discovered a new Snatch ransomware strain that reboots the computers it infects into Safe Mode to sidestep any resident security software, then starts encrypting files as soon as the system comes back up.

Encrypting the victim's files undisturbed is possible because most security tools do not load when Windows boots into Safe Mode, as the Sophos Managed Threat Response (MTR) team and SophosLabs researchers found.

"Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions," they add. "The samples we've seen are also packed with the open-source packer UPX to obfuscate their contents."

Snatch ransomware first appeared towards the end of 2018 and became noticeably active in April 2019, as shown by a spike in ransom notes and encrypted file samples submitted to Michael Gillespie's ID Ransomware platform.

[...] To take advantage of anti-malware solutions not loading in Safe Mode, the Snatch ransomware component installs itself as a Windows service, dubbed SuperBackupMan, that is registered to run in Safe Mode and cannot be stopped or paused, and then forces a restart of the compromised machine.

Once the device is in Windows Safe Mode, Snatch deletes "all the Volume Shadow Copies on the system", as the researchers discovered, preventing "forensic recovery of the files encrypted by the ransomware."

In the next stage, the malware starts encrypting the victim's files, the attackers being confident that, with the shadow copies gone, recovery without payment is impossible. (Deleting shadow copies only removes the on-host snapshots; backups held offline, or on media the compromised host cannot write to, are unaffected.)
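The chain the article describes (install a service that Safe Mode will load, force a reboot into Safe Mode, wipe the shadow copies, encrypt) is also a detection opportunity, because every step before encryption is a distinct, loud action on the host. The following is an added example, not code from the article or from Sophos: it runs stage-aware detection over a constructed, Sysmon-style process-creation log and correlates the stages per host, so that shadow-copy deletion on a machine that has just registered a new Safe Mode service is escalated above either signal alone. The command lines it matches (reg add under the SafeBoot key, bcdedit safeboot, shutdown /r /f, vssadmin or wmic shadow deletion) are generic Windows tooling chosen for the example; the article does not say which commands Snatch itself runs, and the host names, users, paths and timestamps in the sample are invented.

```python
"""Stage-aware detection of a reboot-to-Safe-Mode ransomware chain in process logs.

Added example, not code from the article, Sophos or BleepingComputer. SAMPLE_LOG is
CONSTRUCTED: hosts, users, paths and timestamps are invented, and the command lines
are ordinary Windows tooling chosen here to stand for each stage the article
describes, not commands the article attributes to Snatch.
"""
import re
from collections import defaultdict

# One pattern per stage: install a service, register it under the SafeBoot key so
# Safe Mode loads it, set the next boot to Safe Mode, reboot hard, wipe shadow copies.
STAGE_PATTERNS = {
    "service_install": re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+", re.I),
    "safeboot_service": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I),
    "force_safe_mode": re.compile(
        r"\bbcdedit(?:\.exe)?\s+.*\bsafeboot\s+(?:minimal|network)\b", re.I),
    # /r and /f (or -r and -f) must both be present, in any order
    "forced_reboot": re.compile(
        r"\bshutdown(?:\.exe)?(?=.*\s[/-]r\b)(?=.*\s[/-]f\b)", re.I),
    "shadow_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete",
        re.I),
}

# Flat key=value shape used by the constructed sample; Sysmon Event 1 and Security
# 4688 carry the same fields (host, user, image, command line) in XML.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$')

# CONSTRUCTED sample: routine helpdesk work on WS-017, the full chain on WS-042.
SAMPLE_LOG = r"""
2019-12-10T20:58:03Z host=WS-017 user=CORP\helpdesk image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2019-12-10T21:02:11Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\sc.exe cmdline="sc create SuperBackupMan binPath= C:\ProgramData\SuperBackupMan\svc.exe start= auto"
2019-12-10T21:02:12Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\reg.exe cmdline="reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan /ve /d Service /f"
2019-12-10T21:02:13Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {current} safeboot minimal"
2019-12-10T21:02:14Z host=WS-042 user=CORP\svc_backup image=C:\Windows\System32\shutdown.exe cmdline="shutdown /r /f /t 0"
2019-12-10T21:04:40Z host=WS-042 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2019-12-10T21:10:00Z host=WS-017 user=CORP\helpdesk image=C:\Windows\System32\shutdown.exe cmdline="shutdown /r /t 300"
"""


def parse_event(line: str):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmdline: str) -> list:
    """Names of every stage whose pattern matches the command line."""
    return [name for name, rx in STAGE_PATTERNS.items() if rx.search(cmdline)]


def correlate(lines) -> dict:
    """{host: {stage: [timestamps]}}; hosts with no matching stage get an empty dict."""
    per_host = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        bucket = per_host[ev["host"]]
        for stage in classify(ev["cmdline"]):
            bucket[stage].append(ev["ts"])
    return per_host


def severity(stages) -> str:
    """Escalate on combinations: a new Safe Mode service plus shadow-copy deletion
    on the same host is the article's chain and outranks either signal alone."""
    seen = set(stages)
    if {"safeboot_service", "shadow_delete"} <= seen:
        return "critical"
    if len(seen) >= 2:
        return "high"
    if seen & {"safeboot_service", "shadow_delete", "force_safe_mode"}:
        return "medium"
    return "low" if seen else "none"


def alerts(log_text: str) -> dict:
    """{host: (severity, sorted stage names)} over a whole log."""
    return {host: (severity(stages), sorted(stages))
            for host, stages in correlate(log_text.splitlines()).items()}


if __name__ == "__main__":
    for host, (level, stages) in alerts(SAMPLE_LOG).items():
        print(f"{host}: {level:8} {', '.join(stages) or '-'}")
```

Caveat: a service that is created and registered through the Service Control Manager and registry APIs from inside the malware process leaves none of these command lines behind, so this catches the noisy variant only. Pair it with alerting on System log Event ID 7045 (a new service was installed) and with a direct audit of the SafeBoot registry keys, and treat vssadmin or wmic shadow-copy deletion by anything other than a known backup account as a page-worthy event on its own.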



  • (Score: 1, Funny) by Anonymous Coward on Thursday December 12 2019, @02:52AM (1 child)

    by Anonymous Coward on Thursday December 12 2019, @02:52AM (#931303)

    This must be why it's called Safe Mode. It's safe for Ransomware.

    • (Score: 5, Insightful) by aristarchus on Thursday December 12 2019, @08:41AM

      by aristarchus (2645) on Thursday December 12 2019, @08:41AM (#931349) Journal

      In my experience, the only Safe Mode for Windows, is no Windows at all.

  • (Score: 5, Interesting) by TheLink on Thursday December 12 2019, @04:00AM (5 children)

    by TheLink (332) on Thursday December 12 2019, @04:00AM (#931316) Journal
    Has anyone made a fake virtual file system for this ransomware stuff to get stuck in, encrypting faked stuff?

    I'm a bit too lazy to write one myself. I can probably figure it out but someone should have written one already by now right?

    You could in theory use "dictionaries" and similar (file type, size, date ranges and distribution) to create hopefully "believable" files and filenames. Start from a base seed and use a cache/temp for writes (so that if the ransomware checks to see if stuff is written, it looks like it was actually written and you can fool it for up to around X GB of writes- probably hard to be exact in implementation).

    For bonus points throttle the performance to a slow but believable level.

    Link some folders in network file shares to such fakes and you can increase the chances of a ransomware infection spending most of its time encrypting faked stuff, if it happens to target network shares too (many seem to).

    If the ransomware avoids an entire tree of folders just because there are many sub-folders with "suspicious" files, you still win if legit files are actually in some of the branches/folders.

    One major issue of course is training people to use the correct folder/branch for storing real files, and to not use the faked areas (where the files they create will exist till they get expired by the cache).

    Another major issue is AV software will get confused trying to scan infinite amounts of fake files.

    The other issue is cleverer ransomware could use the AV exclusion lists, "recent files" and similar features to figure out which locations to hit and which not to hit. But even in such cases it can mean other teams/groups have a lower chance of getting affected - the ransomware hits that group's files and then gets stuck in some child or sibling folder. Or the ransomware avoids network file shares full of legit files completely because they're on the normal users' AV exclusion lists (but those shares are actually scanned by server-side realtime AV).
    • (Score: -1, Offtopic) by Anonymous Coward on Thursday December 12 2019, @06:49AM

      by Anonymous Coward on Thursday December 12 2019, @06:49AM (#931333)

      I'm pretty sure most malware could just try to live inside "C:\Program Files\KMSPico".

    • (Score: 2) by kazzie on Thursday December 12 2019, @08:24AM (3 children)

      by kazzie (5309) Subscriber Badge on Thursday December 12 2019, @08:24AM (#931347)

      The trouble I see with that idea is that you've just honeypotted one instance of the software, which doesn't slow or stop the ransomware on any other machines.

      At least when you set up a VM for tech-support phone call scammers, you're tying up a person that can't phone other potential victims in the meantime.

      • (Score: 0) by Anonymous Coward on Thursday December 12 2019, @08:44AM

        by Anonymous Coward on Thursday December 12 2019, @08:44AM (#931350)
        Many network file shares are usable by more than one connection or machine.

        These fake shares could also be a "canary" and trigger alerts or actions if the writes seem too suspicious.
      • (Score: 0) by Anonymous Coward on Thursday December 12 2019, @10:23AM (1 child)

        by Anonymous Coward on Thursday December 12 2019, @10:23AM (#931358)
        The trouble with body armor is it mainly protects the person wearing it. And it doesn't protect against everything nor all parts of the body. Lots of stuff can still kill you. It doesn't even protect the head! It's useless!
        • (Score: 2) by kazzie on Thursday December 12 2019, @03:33PM

          by kazzie (5309) Subscriber Badge on Thursday December 12 2019, @03:33PM (#931414)

          Ah. I got stuck in the mindset of (intentionally) placing the ransomware into the virtual filing system, as opposed to keeping the virtual system up and running to act as a decoy or shield.
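TheLink's decoy share and the anonymous reply's canary suggestion above are cheap to prototype. Below is an added example, not code posted in the thread: it implements only the tripwire part (seed decoys, record their hashes, report anything missing, rewritten or renamed, and use byte entropy to tell ciphertext from an ordinary edit), not a fake virtual file system with believable contents. The decoy names and contents are constructed, and a temporary directory stands in for the decoy branch of a share.

```python
"""Canary/decoy files that trip when something rewrites them as ciphertext.

Added example, not code from the thread. It covers the tripwire half of the idea
(seed decoys, snapshot them, alert on change), not a fake virtual file system.
DECOY_NAMES and the file contents are constructed; the temp directory stands in
for the decoy branch of a network share.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed decoy names; in practice mirror the naming conventions of the real share.
DECOY_NAMES = ["Budget_FY2019.xlsx", "Payroll_Q4.docx", "contracts/NDA_template.pdf"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def seed_decoys(root: Path, names=DECOY_NAMES) -> dict:
    """Write deliberately low-entropy decoys; return {relative path: sha256}."""
    snapshot = {}
    for rel in names:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        body = (f"DECOY {rel}\n" + "quarterly figures pending review\n" * 200).encode()
        path.write_bytes(body)
        snapshot[rel] = hashlib.sha256(body).hexdigest()
    return snapshot


def check_decoys(root: Path, snapshot: dict, entropy_threshold: float = 7.2) -> dict:
    """Compare the decoy tree with its snapshot.

    missing: decoy gone or renamed; modified: content changed; encrypted_like:
    modified AND high entropy (a confused user editing a decoy is not reported as
    encryption); unexpected: files never seeded, e.g. renamed copies or ransom notes.
    """
    findings = {"missing": [], "modified": [], "encrypted_like": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in snapshot.items():
        if rel not in present:
            findings["missing"].append(rel)
            continue
        data = (root / rel).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            findings["modified"].append(rel)
            if shannon_entropy(data) >= entropy_threshold:
                findings["encrypted_like"].append(rel)
    findings["unexpected"] = sorted(present - set(snapshot))
    return findings


def simulate_ransomware(root: Path, rename_suffixes=(".docx",)) -> None:
    """Stand-in for the attacker: overwrite every file with random bytes and
    rename some of them, the way many families append an extension."""
    for path in [p for p in root.rglob("*") if p.is_file()]:
        path.write_bytes(os.urandom(path.stat().st_size))
        if path.suffix in rename_suffixes:
            path.rename(path.with_name(path.name + ".locked"))


def demo() -> dict:
    """Seed, verify clean, 'encrypt', and return the post-incident findings."""
    root = Path(tempfile.mkdtemp(prefix="decoys_"))
    snapshot = seed_decoys(root)
    clean = check_decoys(root, snapshot)
    assert not any(clean.values()), "fresh decoys must not trip"
    simulate_ransomware(root)
    return check_decoys(root, snapshot)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:15} {items}")
```

Run the check from a monitoring host that mounts the share read-only, on a short interval, and treat any encrypted_like or unexpected hit as a trigger to cut the writing account's access to the share. As the thread notes, ransomware that walks only "recent files" or respects AV exclusions will never touch the decoys, so this is a tripwire, not a fence.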

  • (Score: 0) by Anonymous Coward on Thursday December 12 2019, @07:30AM (2 children)

    by Anonymous Coward on Thursday December 12 2019, @07:30AM (#931337)

    They have never heard of archive backups? Tape? rsync? WTF?

    • (Score: 3, Informative) by choose another one on Thursday December 12 2019, @01:20PM

      by choose another one (515) Subscriber Badge on Thursday December 12 2019, @01:20PM (#931374)

      > They have never heard of archive backups? Tape? rsync? WTF?

      Yup, these young uns know nothin - I'm protected, all I got to do is get the QIC02 out of the loft and find a slot for the ISA card and I can recover from my backup tapes! If I can find them, it's a bit dusty in here...

    • (Score: 0) by Anonymous Coward on Saturday December 14 2019, @05:23AM

      by Anonymous Coward on Saturday December 14 2019, @05:23AM (#931962)

      Deleting the Volume Shadow Copies deletes all backups of the system. If the backup drive is attached and accessible, then the actual backup is deleted. This also means even if you have offline backups, then you have deleted the associated metadata for the backups. This means that the restoration process is impossible in-place. You have to reinstall the whole machine. Then restore the backups to a different directory, losing the historical information in the process, if you are lucky. If you are unlucky, you and your tech won't know how to disestablish the shadowstorage relationship and will nuke your backup anyway.

      Thanks again, Microsoft, for getting rid of the traditional backup tool in Home!

  • (Score: 2, Interesting) by Anonymous Coward on Thursday December 12 2019, @10:48AM (2 children)

    by Anonymous Coward on Thursday December 12 2019, @10:48AM (#931361)

    Safe mode never was safe from viruses or malware, since there are settings in the registry on the service/driver level which dictate which services and drivers are allowed to load in safe mode, which kind of defeats the whole point of it if you don't honour the trust system in place that honest services won't enable this flag on themselves. Which we see is happening here, where the malware installs itself as a safe-mode-enabled service.

    Been a while since I used Windows safe mode, but wasn't there an option where when it boots into safe mode, you get to choose which services and drivers load on a one-by-one basis? That option might prevent the malware loading, but I guess you'd only have one shot at pressing the magic key pretty damn quick to break into that routine, and you'd need to know in advance that your machine was about to get hosed to know to use this mode. So the chances of doing this to prevent the malware doing damage is very slim.

    • (Score: 4, Insightful) by FatPhil on Thursday December 12 2019, @05:35PM (1 child)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday December 12 2019, @05:35PM (#931457) Homepage
      Yup, safe mode was to protect you from the honest but incompetent. Alas that's not the threat model most people need to protect themselves against.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Friday December 13 2019, @03:30AM

        by Anonymous Coward on Friday December 13 2019, @03:30AM (#931620)
        Actually, if the ransomware only starts encrypting your stuff after it reboots into safe mode, that's a good opportunity to prevent it from encrypting stuff. Just tell people: if your computer starts rebooting unexpectedly and starting into safe mode, forcibly power it down and then get help...

        Furthermore there's safe mode and safe mode with networking. If it picks the former that limits the impact of the ransomware.
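The comment above on the registry is right: whether a service or driver loads in Safe Mode is decided purely by whether its name appears under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (Safe Mode) or SafeBoot\Network (Safe Mode with Networking), which is why a service that adds its own key loads alongside the defaults, and why the Minimal/Network distinction decides whether it gets a network. Those keys are also a durable artefact to hunt for. The following is an added example, not code from the thread or from Sophos: it parses reg export text of the SafeBoot and Services keys and diffs the Safe Mode entries of a suspect host against a baseline. Both exports are constructed; the baseline is a small placeholder for one captured from a clean machine of the same build, the rogue entry reuses the SuperBackupMan name from the article, and its ImagePath is invented.

```python
r"""Audit the Safe Mode service/driver list against a known-good baseline.

Added example, not code from the thread or from Sophos. The two exports below are
CONSTRUCTED reg-export text: the baseline is a small placeholder for a real export
from a clean machine of the same build; the rogue entry reuses the SuperBackupMan
name from the article and its ImagePath is invented.
"""
import re

SAFEBOOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend]
@="Service"
"""

# Same machine after an installer registered its service for both Safe Mode variants.
# ImagePath is written as REG_SZ for readability; real exports usually emit it as
# hex(2) (REG_EXPAND_SZ), which this parser keeps as a raw token.
SUSPECT_EXPORT = BASELINE_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SuperBackupMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SuperBackupMan]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\ProgramData\\SuperBackupMan\\svc.exe"
"""


def _unescape(s: str) -> str:
    # .reg files double backslashes and escape double quotes inside strings
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """{key path: {value name: data}}. Quoted REG_SZ data and the default value (@)
    are decoded; dword:/hex: data stays a raw token and hex continuation lines are
    ignored, which is all the SafeBoot and Services values read here need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def safeboot_entries(keys: dict) -> dict:
    """{(mode, name): kind} for each direct child of the Minimal and Network keys."""
    out = {}
    for path, values in keys.items():
        if path.startswith(SAFEBOOT_PREFIX):
            parts = path[len(SAFEBOOT_PREFIX):].split("\\")
            if len(parts) == 2 and parts[0] in ("Minimal", "Network"):
                out[(parts[0], parts[1])] = values.get("(default)", "")
    return out


def audit(baseline_text: str, suspect_text: str) -> list:
    """Suspect entries missing from the baseline or whose kind changed, with the
    ImagePath from the matching Services key so the binary can be pulled for triage."""
    base = safeboot_entries(parse_reg_export(baseline_text))
    suspect_keys = parse_reg_export(suspect_text)
    findings = []
    for (mode, name), kind in sorted(safeboot_entries(suspect_keys).items()):
        if base.get((mode, name)) == kind:
            continue
        findings.append({
            "mode": mode, "entry": name, "kind": kind,
            "image_path": suspect_keys.get(SERVICES_PREFIX + name, {}).get("ImagePath"),
            "reason": "not in baseline" if (mode, name) not in base
                      else f"kind changed from {base[(mode, name)]!r}"})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE_EXPORT, SUSPECT_EXPORT):
        print(f"SafeBoot\\{f['mode']}\\{f['entry']} ({f['kind']}): {f['reason']}; {f['image_path']}")
```

On a live or triaged host, reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg and the same for the Services key produce the input; reg export writes UTF-16LE, so read the files with encoding="utf-16". Third-party security and backup products legitimately register here too, so a baseline from a different build or software set will produce false positives; check each flagged entry's ImagePath and its signature before treating it as hostile, and remember that an entry under Network but not Minimal tells you the service only gets a network in Safe Mode with Networking.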