
Snatch Ransomware Bypasses Antivirus Apps by Rebooting PCs

Andrey_Popov /


Cybersecurity researchers just discovered a new strain of Snatch ransomware that can bypass a personal computer’s security solution by rebooting it to Windows Safe Mode.

The trick is reportedly new, according to the Sophos Managed Threat Response (MTR) team and SophosLabs researchers who discovered it. Once the ransomware infects a computer, it executes its file encryption process immediately.

Since October, the Sophos team has been working with an organization that reported a ransomware outbreak in its network. The researchers explained in a press release:

“The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It then quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.”
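The quoted description amounts to a service that is allowed to start under Safe Mode, which on Windows means an entry under the SafeBoot\Minimal or SafeBoot\Network registry keys. The audit script below is an added example, not code from Sophos or from the Snatch sample; it lists every installed service that is permitted to run in Safe Mode, flags those whose binary lives outside the usual system directories (the list of trusted directories is an assumption to tune per estate), and checks whether the current boot entry already carries a safeboot flag.

```powershell
# Added example: audit which installed services would survive a Safe Mode boot.
# Run from an elevated PowerShell session on the host being inspected.

$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',   # plain Safe Mode
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'    # Safe Mode with Networking
)

# Installed services keyed by short name, so SafeBoot entries can be matched to binaries.
$services = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $services[$_.Name] = $_ }

# Assumption: legitimate Safe Mode services normally live under these roots; adjust as needed.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = foreach ($key in $safeBootKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $name = $entry.PSChildName
        # The subkey's default value is "Service" or "Driver"; only services matter here.
        $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if ($kind -ne 'Service' -or -not $services.ContainsKey($name)) { continue }

        $svc = $services[$name]
        # Extract the executable from PathName, handling quoted paths and trailing arguments.
        $path = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $inTrusted = $trustedRoots | Where-Object { $path -like "$_\*" }

        [pscustomobject]@{
            SafeBootKey        = Split-Path -Path $key -Leaf
            Service            = $name
            StartMode          = $svc.StartMode
            BinaryPath         = $path
            OutsideTrustedDirs = -not $inTrusted
        }
    }
}

# Suspicious entries (binary outside trusted roots) are listed first for triage.
$findings | Sort-Object -Property OutsideTrustedDirs -Descending | Format-Table -AutoSize

# A staged reboot into Safe Mode shows up as a safeboot flag on the current boot entry.
$safebootFlag = bcdedit /enum '{current}' 2>$null | Where-Object { $_ -match '^\s*safeboot\s' }
if ($safebootFlag) { Write-Warning "Current boot entry is set to boot into Safe Mode: $($safebootFlag.Trim())" }
```

Compare the output against a known-good build of the same Windows version; a recently created service that appears under either SafeBoot key is worth investigating before the next reboot.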

The Snatch Ransomware

Sophos analysts allegedly encountered the Snatch ransomware about a year ago. They believe that the people behind the said malware have been actively operating since the summer of 2018 and that the Safe Mode feature has only been added recently.

The researchers claimed that the Snatch ransomware is not one to be taken lightly. Andrew Brandt, a principal researcher from Sophos, said:

“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated and that we needed to publish this information as a warning to the rest of the security industry, as well as to end-users.”

According to Brandt, the Snatch malware they discovered includes a ransomware component and a data stealer. However, it only runs on Windows and cannot execute on other OS platforms.

Penetrating Enterprise Networks

In one cybercriminal forum, the Sophos team found messages posted by those they suspect to be the threat actors behind the Snatch malware. The alleged cybercriminals refer to themselves as the Snatch Team.

The hackers appear to have adopted the “active automated attack” model. Apparently, they seek to penetrate enterprise networks by using automated brute-force attacks on vulnerable, exposed services.

A post in Russian by a user calling himself BulletToothTony seems to support this modus operandi. The threat actor was soliciting assistance with this kind of attack, actively looking for people with access to corporate networks via RDP, VNC, TeamViewer, web shells or SQL injection.

A post by BulletToothTony, a suspected threat actor behind the Snatch Ransomware | Screenshot by Andrew Brandt / SophosLabs

Aside from looking for affiliates, BulletToothTony also posted an offer to train other interested individuals on how to use the Snatch malware for free. The “best students” would have the chance to be a part of the Snatch team and would reportedly gain access to their infrastructure and customized server running Metasploit.

How to Protect Yourself from Snatch Ransomware

If you’re worried about your network’s safety, here’s a detailed list released by SophosLabs on how you can protect your organization from Snatch ransomware. For the full report, click here.

  • As we’ve been urging organizations to do for a while now, Sophos recommends that organizations of any size refrain from exposing the Remote Desktop interface to the unprotected internet. Organizations that wish to permit remote access to machines should put them behind a VPN on their network, so they cannot be reached by anyone who does not have VPN credentials.
  • The Snatch attackers also expressed interest in contracting with, or hiring, criminals who are capable of breaching networks using other types of remote access tools, such as VNC and TeamViewer, as well as those with experience using Web shells or breaking into SQL servers using SQL injection techniques. It stands to reason that these types of internet-facing services also pose significant risks if left unattended.
  • Likewise, organizations should immediately implement multifactor authentication for users with administrative privileges, to make it more difficult for attackers to brute force those account credentials.
  • For Sophos customers, it is imperative that all users are running the most current endpoint protection, and enable the CryptoGuard feature within Intercept X.


Chelle Fuertes

Chelle is the Product Management Lead at INK. She's an experienced SEO professional as well as UX researcher and designer. She enjoys traveling and spending time anywhere near the sea with her family and friends.
