Snatch, the new ransomware in town, has been sneaking onto Windows PCs by an unusual method: rebooting the machine into Safe Mode and then encrypting the user’s files.
It was first documented by the incident response team at Sophos Labs, who called it a “big deal and a trick that could be rapidly adopted by other ransomware crews as well.” So here we go, explaining how it crawls onto secured systems, locks them with its encryption and demands a huge ransom.
While the group has been active since mid-2018, it was little known in the industry because its attacks to date were insignificant. Now it is making waves in the ransomware space with a new formula: a new technique for getting into victims’ PCs. It deploys its payload by launching the system in Safe Mode, a one-of-a-kind method chosen for a specific purpose.
Why Safe Mode?
Safe Mode is a diagnostic state in which Windows, after rebooting into it, runs only the applications it needs. It exists so that software problems can be corrected by debugging a corrupt operating system. The side effect is that rebooting into Safe Mode also leaves antivirus applications disabled, letting viruses and malware pass through unchecked. Clever, isn’t it? Yet it is a hard process to pull off. Here is how they do it:
How Do They Do It?
Snatch targets big companies and players rather than small households, since hitting the jackpot all at once seems more profitable than numerous small payments. This style is called big game hunting in hacking circles. The Snatch team literally buys its access into companies. Sophos said it has tracked a few ads that Snatch posted on hacker forums, which read:
“looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL injection [SQL injection] in corporate networks, stores, and other companies.”
This shows the crew is partnering with insiders at companies to deploy its malware: the hired players give Snatch access by leaving their systems’ ports open. Snatch then reboots the machines and begins encrypting files and spreading.
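The article does not say how Snatch arranges the Safe Mode reboot. As an added example (not code from the article or from Sophos), the Python below scans process-creation events for the two standard Windows ways of making the next boot a Safe Mode boot, a `bcdedit` `safeboot` setting or a service registered under the `SafeBoot\Minimal` registry key, and raises the severity when a forced reboot follows, since that is the moment antivirus stops running; the events and their PIDs are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-creation events (not real telemetry from the Snatch
# case); each record mimics the command-line field of a Windows 4688 event.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 5532, "cmdline": r"bcdedit.exe /set {default} safeboot minimal"},
    {"pid": 5540, "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control'
                             r'\SafeBoot\Minimal\UpdateSvc" /ve /t REG_SZ /d Service /f'},
    {"pid": 5551, "cmdline": r"shutdown.exe /r /t 0 /f"},
    {"pid": 6001, "cmdline": r"bcdedit.exe /enum"},
]

# Standard Windows mechanisms for a Safe Mode boot (an assumption about how
# ransomware in general would do it; the article names no mechanism):
#   - a 'safeboot' value on a BCD entry, set or removed via bcdedit;
#   - a service registered under SafeBoot\Minimal or SafeBoot\Network so it
#     still starts while everything else, antivirus included, stays off.
SAFEBOOT_BCD = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
SAFEBOOT_REG = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
FORCED_REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s[/-]r\b", re.IGNORECASE)

def classify(cmdline: str) -> Optional[str]:
    """Label one command line, or return None if it is not of interest."""
    if SAFEBOOT_BCD.search(cmdline):
        return "bcd_safeboot"
    if SAFEBOOT_REG.search(cmdline):
        return "safeboot_service_key"
    if FORCED_REBOOT.search(cmdline):
        return "forced_reboot"
    return None

def detect_safe_mode_abuse(events) -> List[Tuple[int, str, str]]:
    """Return (pid, label, severity) findings in event order.
    A Safe Mode configuration change alone is 'medium'; a forced reboot after
    one is 'high'. A reboot with no prior change is routine and not reported."""
    findings = []
    safeboot_configured = False
    for ev in events:
        label = classify(ev["cmdline"])
        if label in ("bcd_safeboot", "safeboot_service_key"):
            safeboot_configured = True
            findings.append((ev["pid"], label, "medium"))
        elif label == "forced_reboot" and safeboot_configured:
            findings.append((ev["pid"], label, "high"))
    return findings
```

Running `detect_safe_mode_abuse(SAMPLE_EVENTS)` flags the three events 5532, 5540 and 5551 and ignores the harmless `bcdedit /enum`; in production the same logic would be fed from the endpoint's process-creation audit log.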
Data theft, as usual. Since the data companies gather from their users is so valuable, Snatch encrypts it and demands a ransom for the key to unlock it. The Sophos team alerts everyone and suggests that users protect their internet-facing ports with strong passwords and, where possible, two-factor authentication.
Source: Sophos Blog