Snatch ransomware reboots Windows in Safe Mode to bypass anti-virus protection



Never let it be said that malware authors don’t continue to find innovative ways to prevent their creations from being detected.


A new strain of the Snatch ransomware reboots PCs it has just infected into Safe Mode.


As many Windows users will be aware, Safe Mode is a way of booting a Windows system that is used when diagnosing a problem or resolving software conflicts.


So why would the Snatch ransomware want a PC to boot up in Safe Mode?


Because Safe Mode turns off all those pesky programs which might be interfering with your Windows computer’s operation – such as, for instance, anti-virus software which might have detected a rogue process behaving in a suspicious fashion by encrypting all the documents on your hard drive.


Sophos’s team of researchers produced a video showing the ransomware in operation:





The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service make backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.


The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it’s running.


The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot.
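As an added example (not code from the article or from Sophos), here is a PowerShell check a defender can run to list every service Windows will start in Safe Mode and flag the ones whose binary lives outside the Windows directory, which is where a planted service like the one described above would stand out. It assumes the Safe Mode start list lives under the standard HKLM SafeBoot\Minimal and SafeBoot\Network registry keys and that the session can read HKLM and query services.

```powershell
# Enumerate services registered to start in Safe Mode and flag unusual ones.
# Added example; assumes the standard SafeBoot keys and a PowerShell 5.1+ session.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$systemRoot   = $env:SystemRoot

# Fetch all services once so each SafeBoot entry can be matched by name.
$servicesByName = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $servicesByName[$_.Name] = $_ }

$findings = foreach ($mode in 'Minimal', 'Network') {
    $modeKey = Join-Path $safeBootRoot $mode
    if (-not (Test-Path $modeKey)) { continue }

    foreach ($entry in Get-ChildItem -Path $modeKey) {
        # Each subkey's default value is "Driver", "Service", or a driver-group name.
        $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if ($kind -ne 'Service') { continue }

        $svcName = $entry.PSChildName
        $svc = $servicesByName[$svcName]
        if (-not $svc) { continue }   # entry refers to a service that no longer exists

        # Services Windows itself permits in Safe Mode are installed under %SystemRoot%.
        # The article's sample name (SuperBackupMan) is not hard-coded; names change.
        $imagePath = $svc.PathName.TrimStart('"')
        $outsideSystemRoot = -not $imagePath.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            SafeBootMode = $mode
            Service      = $svcName
            ImagePath    = $svc.PathName
            StartMode    = $svc.StartMode
            AcceptsStop  = $svc.AcceptStop   # the article notes the malware's service refuses stop/pause
            Suspicious   = $outsideSystemRoot
        }
    }
}

# Suspicious entries first; review AcceptsStop and ImagePath for anything flagged.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A binary under %SystemRoot% is not proof of legitimacy, so treat the flag as a triage aid and confirm flagged entries against the service's publisher and install date.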




Sophos’s researchers say that they have found ev ..
