
Snatch ransomware hijacks Safe Mode to encrypt files


Security researchers from the Sophos Managed Threat Response team have uncovered a new version of the Snatch ransomware that uses a simple trick to bypass any installed security solutions and continue operating.

Once a machine is infected, Snatch reboots it into Safe Mode, where antivirus and other security software do not run by default. With no security solution active, Snatch can encrypt the files on the device unhindered. It installs itself as a Windows service named SuperBackupMan, registered so that it starts in Safe Mode and cannot be stopped or paused while it runs.
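A check a defender can run for the Safe Mode service trick described above, as an added example in PowerShell (not code from Sophos, the article or Snatch): it enumerates the SafeBoot registry keys that decide what Windows starts in Safe Mode and flags anything unexpected. The registry paths are real; the "binary outside the Windows directory" rule and the bcdedit check are assumptions about what would stand out, not a Snatch signature.

```powershell
# Added detection example, not code from the Sophos report or from Snatch:
# list what Windows starts in Safe Mode and flag entries whose binary lives
# outside the Windows directory or that use the service name the article
# reports. Registry paths are real; the "outside Windows" rule is a heuristic.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ReportedName = 'SuperBackupMan'   # service name reported in the article

function Resolve-ImagePath([string]$raw) {
    # Normalise the forms ImagePath takes so the prefix test below works.
    if (-not $raw) { return '' }
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim().TrimStart('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\x
    if ($p -match '^(system32|syswow64)\\') { $p = "$env:SystemRoot\$p" }
    return $p
}

function Get-SafeBootEntries {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $name = $sub.PSChildName
            if ($name -like '{*}') { continue }   # driver-class GUIDs, not services
            $svcKey = Join-Path $ServicesRoot $name
            $raw = if (Test-Path $svcKey) {
                (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
            } else { $null }
            $path = Resolve-ImagePath $raw
            $outside = ($path -ne '') -and ($path -notlike "$env:SystemRoot\*")
            [pscustomobject]@{
                Mode       = $mode
                Name       = $name
                ImagePath  = $path
                Suspicious = $outside -or ($name -eq $ReportedName)
            }
        }
    }
}

function Test-PersistentSafeBoot {
    # Needs elevation. A 'safeboot' value on the current boot entry means the
    # next restart lands in Safe Mode regardless of what the user chooses.
    $out = & bcdedit /enum '{current}' 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*safeboot\s' })
}

Get-SafeBootEntries | Where-Object Suspicious | Format-Table -AutoSize
if (Test-PersistentSafeBoot) { Write-Warning 'Current boot entry is set to Safe Mode' }
```

Run it elevated on a clean build first and treat that output as the baseline; a service that only appears in SafeBoot after an incident, or points outside the Windows directory, is the thing to investigate.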

Snatch is written in Go, Google's cross-platform programming language. However, the researchers say it can only infect Windows machines, from Windows 7 onwards, in both 32-bit and 64-bit versions.

“The malware we’ve observed isn’t capable of running on platforms other than Windows. Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions. The samples we’ve seen are also packed with the open source packer UPX to obfuscate their contents,” the researchers said in a blog post.

The strain first appeared in late 2018, but it did not come into the limelight until April, when a sudden surge of ransom notes and encrypted file samples was submitted to the ID Ransomware platform.

Researchers say Snatch deletes “all the Volume Shadow Copies on the system,” preventing “forensic recovery of the files encrypted by the ransomware”.

Sophos says the best way to stay safe is to keep remote desktop services off the internet, or to put them behind a VPN as a safeguard. Two-factor authentication is also recommended.