Detected and analyzed by the security vendor Sophos, the Snatch ransomware attempts to bypass traditional security software by restarting the computer in Safe Mode.
Windows Safe Mode exists to help you troubleshoot problems: it boots the computer without loading most third-party software, drivers, and services. As a side effect, it also prevents most antivirus and endpoint-protection software from loading. That side effect is exactly what a particularly dangerous strain of ransomware exploits.
Known as Snatch, the ransomware described by Sophos in Monday's report causes Windows PCs to restart in Safe Mode, thereby preventing antivirus or other protection software from starting. Snatch, which registers itself as a service that runs in Safe Mode, encrypts the victim's files and tries to force the victim to pay a ransom to regain access to them.
Sophos first encountered Snatch last year and says the ransomware has been active since the summer of 2018. In mid-October 2019, the vendor was brought in to help a target organization investigate and clean up an outbreak.
What is Snatch?
Snatch is a collection of tools rather than a single binary. According to a Sophos spokesperson, the criminals likely built the ransomware component themselves, along with a separate component that steals and manages data. The mix also includes a Cobalt Strike reverse shell and several publicly available tools that are not malicious in themselves but are routinely used by system administrators and penetration testers.
Written in Go (Google's programming language), the Snatch variant seen by Sophos runs only on Windows, covering all versions from 7 through 10 in both 32-bit and 64-bit builds. The Snatch samples were packed with the open-source UPX packer to obscure their contents.
The criminals behind Snatch, who call themselves the Snatch Team, follow an active, automated-attack model: they break into corporate networks by brute-forcing exposed accounts and services. Once inside, Snatch Team members try to spread the attack across the organization's network.
The tooling used in Snatch attacks has also exfiltrated large amounts of data from target organizations.
In one incident at a large company, Sophos found that the attackers had brute-forced the password of an administrator account on a Microsoft Azure server and then logged in to that server over Remote Desktop Protocol (RDP). The attackers used the same account to log on to a domain controller on the same network, which let them monitor the network for several weeks. In this case they managed to install surveillance software on approximately 200 computers, about 5% of the computers on the organization's network.
How it works
At some point during the attack, the ransomware component is dropped onto the target computer. It installs itself as a Windows service called SuperBackupMan immediately before forcing the PC to reboot, which leaves the organization little or no chance of stopping the service in time.
The attackers then use their administrator access to run the Windows BCDEDIT command-line tool, configuring the machine to boot into Safe Mode on the next restart. Because the SuperBackupMan service is registered to run in Safe Mode, it starts after the reboot while security software does not. The malware then uses the Windows vssadmin.exe command to delete all volume shadow copies on the system, which prevents recovery of the files it is about to encrypt. Finally, the ransomware encrypts the documents on the hard drive.
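The two phases the article describes, the brute-forced RDP logon in the Azure incident and the Safe Mode staging chain (BCDEDIT, a service that survives Safe Mode, vssadmin shadow-copy deletion), both leave traces in ordinary Windows telemetry. The following is an added example, not code from Sophos or from this article: toy detection logic run over constructed Windows event records shaped like Security Event IDs 4625/4624 (logon) and Sysmon Event ID 1 / Security 4688 (process creation). The command-line regexes, the thresholds, the hostnames, IP addresses and the SafeBoot registry command used to make a service run in Safe Mode are assumptions for illustration, not signatures taken from the report.

```python
"""Detection logic for a brute-forced RDP logon and for the Safe Mode
staging chain, run over constructed Windows event records.
Added example; event data below is constructed, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LogonEvent:
    event_id: int    # 4625 = failed logon, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive (RDP)
    account: str
    source_ip: str
    ts: int          # seconds


@dataclass
class ProcessEvent:
    host: str
    image: str
    command_line: str
    ts: int


# Command-line patterns for the Safe Mode staging chain. These regexes are
# assumptions about how the tools are typically invoked, not report signatures.
STAGING_PATTERNS = {
    "bcdedit_safeboot": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{?[\w-]+\}?\s+safeboot\s+(minimal|network)", re.I),
    "safeboot_service_key": re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}


def detect_rdp_bruteforce(events, threshold=5, window=300):
    """Return (account, source_ip, failure_count) for every successful RDP logon
    preceded by at least `threshold` failed RDP logons from the same source
    within `window` seconds: a brute force that eventually worked."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != 10:  # only RDP logons are of interest here
            continue
        key = (ev.account.lower(), ev.source_ip)
        if ev.event_id == 4625:
            failures[key].append(ev.ts)
        elif ev.event_id == 4624:
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ev.account, ev.source_ip, len(recent)))
            failures[key].clear()
    return hits


def detect_safe_mode_staging(events, window=600):
    """Return {host: [technique names]} for hosts where at least two distinct
    staging techniques appear within `window` seconds. Requiring two reduces
    false positives from a lone backup job that prunes shadow copies."""
    by_host = defaultdict(list)
    for ev in events:
        for name, pat in STAGING_PATTERNS.items():
            if pat.search(ev.command_line):
                by_host[ev.host].append((ev.ts, name))
    alerts = {}
    for host, matches in by_host.items():
        matches.sort()
        for i, (t0, _) in enumerate(matches):
            names = {n for t, n in matches[i:] if t - t0 <= window}
            if len(names) >= 2:
                alerts[host] = sorted(names)
                break
    return alerts


# Constructed sample data (hypothetical hosts, accounts and addresses).
SAMPLE_LOGONS = (
    [LogonEvent(4625, 10, "administrator", "203.0.113.7", t) for t in range(0, 60, 10)]
    + [LogonEvent(4624, 10, "administrator", "203.0.113.7", 60)]     # brute force succeeds
    + [LogonEvent(4625, 10, "alice", "10.0.0.5", 100),
       LogonEvent(4624, 10, "alice", "10.0.0.5", 110)]                # one typo, then success
    + [LogonEvent(4625, 10, "administrator", "198.51.100.9", 200)]   # lone failure, no success
)

SAMPLE_PROCS = [
    ProcessEvent("FS01", "reg.exe",
                 r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan"
                 r" /ve /t REG_SZ /d Service /f", 1000),
    ProcessEvent("FS01", "bcdedit.exe", "bcdedit.exe /set {current} safeboot minimal", 1010),
    ProcessEvent("FS01", "shutdown.exe", "shutdown /r /f /t 0", 1020),
    ProcessEvent("FS01", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", 1100),
    ProcessEvent("WS07", "vssadmin.exe", "vssadmin delete shadows /for=C: /oldest", 2000),  # backup job
    ProcessEvent("WS07", "vssadmin.exe", "vssadmin list shadows", 2005),
]

if __name__ == "__main__":
    print("RDP brute force:", detect_rdp_bruteforce(SAMPLE_LOGONS))
    print("Safe Mode staging:", detect_safe_mode_staging(SAMPLE_PROCS))
```

Run against the constructed data, the first function flags only the administrator logon from 203.0.113.7, and the second flags only FS01, where three distinct staging techniques appear within the window; WS07's single shadow-copy deletion from a backup job is not enough on its own. In a real deployment the same logic would read from a SIEM or Sysmon forwarder rather than inline records, and the `shutdown` event would be a good additional signal to correlate.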
Sophos said its endpoint protection product was able to detect the ransomware, preventing infection on computers running it. Coveware, a company that negotiates between ransomware victims and cybercriminals, told Sophos that between July and October of this year it negotiated with the Snatch criminals 12 times. The ransom demands, payable in bitcoin, ranged from $2,000 to $35,000, and the amounts rose over those four months.
To protect your organization from this type of ransomware, Sophos offers some tips:
• Do not expose the Remote Desktop interface to the open Internet. Organizations that need remote access to specific devices should place them behind a VPN on their own network, so that nobody can reach them without VPN credentials.
• Protect other remote-access tools. The Snatch Team is known to have sought to hire or partner with other criminals who can get into networks through remote-access tools such as VNC and TeamViewer, and to have looked for people experienced with web shells or SQL injection attacks against SQL servers. Any Internet-facing remote-access tool or other vulnerable software is dangerous if left unmonitored.
• Use multi-factor authentication for administrators. Organizations should require multi-factor authentication for users with administrative privileges, so that a stolen or brute-forced password alone is not enough for an attacker.
• Inventory your devices. Most of the initial access points and footholds that Sophos found in connection with Snatch were on unprotected and unmonitored devices. Organizations need to conduct regular, thorough inventories of all devices to ensure there are no gaps.
• Hunt for threats on the network. The Snatch ransomware was deployed only after the attackers had several days of undetected, unrestricted access to the network. Thorough threat hunting can identify this kind of activity before the ransomware reaches your hard drives.
Futureinapps is committed to creating sophisticated and secure IT products for every niche. We always keep abreast of the latest IT news. Follow us on Facebook and Yandex.Zen and stay informed!