Snatch, a ransomware variant, has been discovered in campaigns that force Windows machines to reboot into Safe Mode before beginning the encryption process. Snatch is one of several components of a malware constellation that is emerging in carefully orchestrated and sophisticated attacks, which can feature rampant, high-risk data collection. Researchers with SophosLabs report that Snatch runs itself with elevated permissions and triggers a reboot into Safe Mode, in which most security software does not run, so that it can encrypt victims’ hard drives unimpeded.
Although Snatch’s operators have been active since the summer of 2018, the Safe Mode reboot is a new feature, according to the SophosLabs researchers. The researchers stated that the severity of the risk posed by ransomware capable of running in Safe Mode cannot be overstated. The adversaries behind the Snatch ransomware call themselves the “Snatch Team” and use automated brute-force attacks to infiltrate networks. In October, Snatch Team attackers brute-forced the password of an administrator account on a Microsoft Azure server, logged in using Remote Desktop, and spread executables across the network. The team surveilled the network over the course of several weeks, eventually uploading the data it had collected. Snatch has been seen in attacks on victims based in the US, Canada, and European countries.
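The two behaviours described above (a brute-forced RDP logon and a reboot into Safe Mode) both leave traces in Windows event logs. The following is an added detection example, not code from the article or from SophosLabs; it assumes that the Safe Mode reboot is staged by editing the boot configuration with the Windows `bcdedit` utility (the article does not say how Snatch does it), and runs over constructed sample events using the real Windows event IDs 4625 (failed logon), 4624 (successful logon) and 4688 (process creation).

```python
"""Detection sketch for the Snatch behaviours in the article above:
(1) RDP brute force: a burst of failed logons (Event ID 4625) for one account
    from one source, followed by a successful RDP logon (4624, LogonType 10);
(2) a Safe Mode boot being staged before reboot. ASSUMPTION (not stated in the
    article): the boot configuration is edited with `bcdedit ... safeboot`, so
    that command line in process-creation telemetry (4688) is flagged.
All events below are constructed sample data, not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events: (timestamp, event_id, account, source_ip, detail)
EVENTS = [
    (1, 4625, "Administrator", "203.0.113.5", ""),
    (2, 4625, "Administrator", "203.0.113.5", ""),
    (3, 4625, "Administrator", "203.0.113.5", ""),
    (4, 4625, "Administrator", "203.0.113.5", ""),
    (5, 4625, "Administrator", "203.0.113.5", ""),
    (6, 4624, "Administrator", "203.0.113.5", "LogonType=10"),  # RDP logon
    (7, 4688, "Administrator", "", "bcdedit.exe /set {current} safeboot minimal"),
    (8, 4624, "svc_backup", "192.0.2.10", "LogonType=10"),  # no prior failures
]

FAIL_THRESHOLD = 5  # failures before a following success is suspicious
SAFEBOOT_RE = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)


def detect(events, threshold=FAIL_THRESHOLD):
    """Return alert strings for the two behaviours, in time order."""
    alerts = []
    failures = defaultdict(int)  # (account, source_ip) -> consecutive failures
    for ts, eid, account, src, detail in sorted(events):
        key = (account, src)
        if eid == 4625:
            failures[key] += 1
        elif eid == 4624:
            # A success right after a burst of failures is the brute-force signal
            if failures[key] >= threshold and "LogonType=10" in detail:
                alerts.append(f"t={ts}: RDP logon for {account} from {src} "
                              f"after {failures[key]} failures (brute force?)")
            failures[key] = 0  # any success resets the counter for that pair
        elif eid == 4688 and SAFEBOOT_RE.search(detail):
            alerts.append(f"t={ts}: Safe Mode boot staged by {account}: {detail}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```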
Read More: Snatch Team Steals Data and Hammers Orgs with Ransomware