Snatch ransomware adds ability to reboot PCs into Safe Mode to bypass protection

As defenses rise, crimeware developers are always looking for ways to hone their weapons.

One of the latest techniques, according to Sophos Labs, is adding the capability to a ransomware strain that forces a Windows machine to reboot into Safe Mode before beginning the encryption process. This may be aimed at getting around endpoint protection, which often won’t run in Safe Mode.

Researchers outlined their discovery in a blog this week which also offers infosec pros interesting insight into one ransomware gang’s strategy for breaking into an enterprise.

Sophos calls this particular strain of ransomware Snatch because the authors refer to themselves in online postings as the Snatch Team. First seen about a year ago, Snatch is programmed in Google’s Go language and consists of a collection of tools including a ransomware component that only works on Windows machines and a separate data stealer; a Cobalt Strike reverse-shell; and several publicly-available tools that aren’t inherently malicious but are used more conventionally by penetration testers, system administrators, or technicians.

The Safe Mode enhancement appears to be a recent addition.

After gaining a foothold the ransomware component is downloaded with a filename that includes a unique-to-each-victim five-character code and the word “_pack.exe” in the filename. The ransomware installs itself as a Windows service called SuperBackupMan.Then it adds a key to the Windows registry so it will start up during a Safe Mode boot.

Using Windows’ BCDEDIT tool it issues a command that sets up the OS to boot in Safe Mode, and then immediately forces a reboot. The malware then uses the Windows component net.exe to halt the SuperBackupMan service, after which it uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system to prevent forensic recovery of the files encrypted by the ransomware. Finally, the ransomware begins encrypting documents on the infected machine’s local hard drive.

The threat actors apparently actively monitor the systems running their agents, Sophos discovered.

The report also goes into one Snatch attack against what is described as a large international company that Sophos investigated. It was able to retrieve detailed logs from the company that the ransomware had not been able to encrypt.

The attackers initially brute-forced the password to an administrator’s account on a Microsoft Azure server, then logged in to the server using Remote Desktop (RDP). Using the Azure server as a foothold, the attackers leveraged that administrator’s account to log into a domain controller machine on the same network and watched the network for several weeks.

The attackers queried the list of users authorized to log in on the box and wrote the results to a file. That file, along with WMIC system and user data, process lists, and the memory contents of the Windows LSASS service, were put in files and uploaded to a command and control server.

The attackers also set up one-off Windows services to orchestrate specific tasks, such as querying the list of running processes from the tasklist program, putting the output in a file in the temp directory, then running a batch file (also located in the temp directory) that uploads the tasklist file to the C2 server.

Ultimately the attackers installed surveillance software on about 200 machines or roughly five per cent of the computers on the organization’s internal network. The attackers installed several malware executables, the first group of which appeared to be designed to give the attackers remote access to the machines without having to rely on the compromised Azure server.

Sophos analysts also found a tool on some compromised machines believed to have been created by the gang named Update_Collector.exe. It takes the data that had been collected using WMI to learn more about other machines and user accounts on the network, dumps that information to a file, and then uploads it to the attackers’ command-and-control server. We came across copies on some of the compromised machines. Other tools were likely available to try to disable AV products.

“Subsequent hunts for related files revealed several other attacks in which precisely the same collection of tools was used in what appear to be opportunistic attacks against organizations located around the world, including the United States, Canada, and several European countries. All the organizations where these same files were found also were later discovered to have one or more computers with RDP exposed to the internet. Many of the components were found in the Downloads folder for an admin account on the infected system.”

Apparently, after enough data was gathered the ransomware component was installed.

To prevent and detect such attacks Sophos recommends organizations refrain from exposing the Remote Desktop interface to the unprotected internet. CISOs wanting to permit remote access to machines should put them behind a VPN. on their network, so they cannot be reached by anyone who does not have VPN credentials. They should also immediately implement multifactor authentication for users with administrative privileges to make it more difficult for attackers to brute force those account credentials.

Since the majority of initial access and footholds that Sophos has seen are on unprotected and unmonitored devices infosec pros need to perform regular and thorough inventory of devices, to ensure no gaps or “dark corners” exist on the network. Researchers also stress that since the attackers in the case study had several days of undetected and uninhibited access to the network a rigorous and mature threat hunting program would increase the odds of detection.

Lastly, because the Snatch attackers say in dark forums they want to hire criminals capable of breaching networks using other types of remote access tools, such as VNC and TeamViewer, as well as those with experience using Web shells or breaking into SQL servers using SQL injection techniques, defenders should protect these types of internet-facing services.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now