This Malware Reboots Windows PCs In Safe Mode To Bypass Antivirus


A research team from SophosLabs and Sophos Managed Threat Response (SMTR) has come across a new ransomware, dubbed Snatch, that reboots Windows PCs into Safe Mode before it starts encrypting files. According to the researchers, this is never-before-seen behavior, and the likely reason Snatch reboots the PC mid-attack is to evade the antivirus software installed on the infected computer.


The authors of Snatch know very well that most antivirus products are ineffective in Windows Safe Mode, since that mode allows only essential system programs and services to run during boot.

Snatch ransomware uses a Windows registry key to schedule the encryption process, which makes it impossible for antivirus software to catch it or stop the encryption.



But the most dangerous aspect of the attack is this: Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of many endpoint security tools. Devious! And evil. pic.twitter.com/lqCxhxwg4y


— Andrew Brandt (@threatresearch) December 9, 2019
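The tweet above describes the core of the evasion: a service registered so that Windows will still start it in Safe Mode, followed by a forced reboot into Safe Mode. Windows only starts the services and drivers listed under the `SafeBoot\Minimal` (or `SafeBoot\Network`) registry key in that mode, so a defender can audit those keys for entries that do not belong there. The PowerShell below is an added example written for this page, not code from Sophos or from the Snatch analysis; it assumes the standard SafeBoot registry mechanism (the article does not name the exact key Snatch uses) and that the `safeboot` entry in the boot configuration, readable with `bcdedit`, is how a Safe Mode reboot is scheduled.

```powershell
# Added example (not from the article): audit which services Windows will start in
# Safe Mode. Windows starts only the entries listed under
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network for
# Safe Mode with Networking). The article does not name the key Snatch uses, so
# this inspects the generic mechanism rather than a Snatch-specific indicator.
# Run from an elevated PowerShell prompt and compare against a known-good baseline.

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SafeBootEntries {
    param([ValidateSet('Minimal', 'Network')][string]$Profile = 'Minimal')
    $path = Join-Path $safeBootRoot $Profile
    Get-ChildItem -Path $path | ForEach-Object {
        $name = $_.PSChildName
        # The key's default value is 'Service', 'Driver', or a device-class description.
        $type = (Get-ItemProperty -Path $_.PSPath).'(default)'
        # Resolve the entry to an installed service, if it is one (drivers and class
        # GUIDs return nothing here).
        $escaped = $name.Replace("'", "''")
        $svc = Get-CimInstance Win32_Service -Filter "Name='$escaped'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Profile   = $Profile
            Entry     = $name
            Type      = $type
            PathName  = $svc.PathName   # $null when the entry is not a service
            StartMode = $svc.StartMode
        }
    }
}

# Legitimate Safe Mode services are overwhelmingly Microsoft components living under
# %SystemRoot%; a service binary elsewhere on disk is worth a closer look.
function Get-SuspiciousSafeBootServices {
    param([ValidateSet('Minimal', 'Network')][string]$Profile = 'Minimal')
    Get-SafeBootEntries -Profile $Profile | Where-Object {
        $_.PathName -and ($_.PathName -notmatch [regex]::Escape($env:SystemRoot))
    }
}

# Report whether the current boot entry has been set to start in Safe Mode on the
# next restart (the 'safeboot' setting in the boot configuration data).
function Get-SafeBootFlag {
    (& bcdedit.exe /enum '{current}') | Select-String -Pattern '^safeboot\s+'
}

Get-SuspiciousSafeBootServices -Profile 'Minimal' | Format-Table -AutoSize
Get-SuspiciousSafeBootServices -Profile 'Network' | Format-Table -AutoSize
Get-SafeBootFlag
```

An empty result from `Get-SuspiciousSafeBootServices` is not a clean bill of health on its own; a baseline export of both SafeBoot keys from a known-good build of the same Windows version, diffed against the live system, catches additions that happen to sit under `%SystemRoot%` as well. A `safeboot` line from `Get-SafeBootFlag` on a machine nobody deliberately put into Safe Mode is the more urgent signal, since it means the next reboot will start without most endpoint protection.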


Snatch ransomware was spotted by security researchers a year ago, and the technique of rebooting PCs into Safe Mode to evade antivirus apps is a recently added feature.


The malware in question has a ransomware component, a data stealer, a Cobalt Strike reverse shell, and a number of tools (not inherently harmful) that are publicly available and used by administrators and penetration testers.




Andrew Brandt from the Sophos research team says, “SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and ..
