Snatch ransomware pwns security using sneaky ‘safe mode’ reboot
Sophos’s Managed Threat Response (MTR) team has warned the industry of a dangerous new ransomware trick – encrypting data only after rebooting Windows PCs into ‘safe mode’.
Deployed recently by the Russian-developed ‘Snatch’ ransomware – named after the 2000 movie of the same name – it’s effective against much endpoint security software, which often doesn’t load when safe mode is in operation.
Yet in the real-world attacks analysed by MTR, Snatch starts out like many other ransomware campaigns currently targeting business networks.
The attackers look for weakly secured Remote Desktop Protocol (RDP) ports to force their way into Azure servers, a foothold they use to move sideways to Windows domain controllers, often spending weeks gathering reconnaissance.
In one network attack, the attackers installed the ransomware on around 200 machines using command and control (C2) after utilising a grab-bag of legitimate tools (Process Hacker, IObit Uninstaller, PowerTool, PsExec, Advanced Port Scanner) plus some of their own.
The same software profile was detected in other attacks in the US, Canada and several European countries, which also exploited exposed RDP.
One trick, but a good one
But Snatch still has the same problem as any other ransomware – how to beat local software protection.
Its approach is to install a Windows service called SuperBackupMan that can’t be stopped or paused and that adds a registry key ensuring the target will boot into safe mode after its next reboot.
Only after this has happened, and the machine has entered safe mode, does it execute a routine that deletes Windows volume shadow copies, after which it encrypts all documents it detects on the target.
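The staging described above leaves traces a defender can audit for before the reboot happens. The following script is an added example, not Sophos’s or the malware’s code; the article does not name the registry key Snatch uses, so the script assumes the two standard Windows safe-mode mechanisms (a `safeboot` element on the current BCD boot entry, and service entries under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`) and the service name SuperBackupMan reported by MTR.

```powershell
# Added example: audit a Windows host for safe-mode staging of the kind MTR describes.
# Assumptions: the service name SuperBackupMan (from the article), the BCD 'safeboot'
# element, and the SafeBoot\Minimal / SafeBoot\Network registry keys (standard Windows).
# Run in an elevated PowerShell session.

$findings = @()

# 1. Is the current boot entry configured to start in safe mode?
#    bcdedit prints a line such as 'safeboot  Minimal' when the element is set.
$bcd  = & bcdedit /enum '{current}' 2>$null
$safe = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' }
if ($safe) {
    $findings += "BCD: current boot entry has safe mode set: $safe"
}

# 2. Does the service reported by MTR exist, and is it marked as not stoppable?
$svc = Get-Service -Name 'SuperBackupMan' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service SuperBackupMan present (Status=$($svc.Status), CanStop=$($svc.CanStop))"
}

# 3. Which services are allowed to start in safe mode? Only a small set of
#    Microsoft services belongs here; a service binary outside the Windows
#    directory is a heuristic worth a closer look.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        $type = $_.GetValue('')          # default value: 'Service', 'Driver' or 'Driver Group'
        if ($type -eq 'Service') {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $path   = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            if ($path -and $path -notmatch '^(\\\?\?\\)?"?(%SystemRoot%|C:\\Windows|system32\\)') {
                $findings += "SafeBoot\$mode permits service '$name' outside the Windows directory: $path"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No safe-mode staging indicators found.' } else { $findings }
```

A hit on check 1 or 2 before any planned maintenance reboot is the point at which to isolate the host, since the encryption routine in this campaign only runs after the safe-mode boot completes.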
Using safe mode to bypass security has its pros and cons. The upside is that in many cases, it works – security software not expecting this technique is easily bypassed.