Snatch Ransomware Pwns Security Using Sneaky ‘Safe Mode’ Reboot

Snatch Ransomware Pwns Security Using Sneaky ‘Safe Mode’ Reboot (Dec 10, 2019)

Researchers with Sophos’s Managed Threat Response team have identified a ransomware trick that involves encrypting data after rebooting into Safe Mode on Windows PCs. The technique has been observed in “Snatch” ransomware, and can be effective against endpoint security software that does not load when Safe Mode is in operation. The ransomware installs itself as a Windows service called SuperBackupMan. This service has properties that prevent the user from stopping or pausing while it runs, afterwhich it creates a registry key ensuring the target will boot into Safe Mode. This tactic of using Safe Mode to bypass security presents a few complications and challenges to the malicious actors, such as a need to get past the Windows login, and break into domain controls to distribute to targets within the network. Regardless of these challenges, Snatch has been successful in as many as 12 incidents between July and October 2019, according to Coveware, a ransomware settlements firm involved in negotiations, paying bitcoin ransoms between $2,000 and $35,000 USD.

Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions, but as this story shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.