A ransomware variant known as Snatch is now more dangerous than ever. Learn about the newest trick that cybercriminals are using to make this ransomware harder to detect while it is encrypting files.
Cybercriminals have been using a ransomware variant known as Snatch to encrypt files on Windows computers since 2018. Recently, researchers at SophosLabs found that its operators have added a capability that makes Snatch harder to stop: the ransomware now reboots infected computers into Safe Mode before encrypting the files on their drives. Safe Mode is Windows' troubleshooting mode, and only a minimal set of drivers and services is loaded in it. Most endpoint security software is not registered to start in Safe Mode, so Snatch can encrypt victims' files with nothing running to detect or block it.
Snatch is dangerous for a second reason. Before encrypting files and demanding a ransom, the attackers copy large amounts of data out of the victim's network.
Because of the increased threat, it is a good idea to have a basic understanding of who is behind this attack and how it is carried out.
The Group Behind the Snatch Attacks
The cybercriminals behind Snatch are big game hunters. Instead of using mass-distribution methods (e.g., phishing emails) to get ransomware installed on as many computers as possible, big game hunters select and study specific targets and use sophisticated delivery methods to get ransomware installed in their networks. The targets are typically companies and other types of organizations because they are more likely to pay big ransoms.
To see whether the Snatch victims have been paying big bucks to get their files back, the SophosLabs researchers contacted Coveware, a company that specializes in extortion negotiations between ransomware attackers and their victims. The researchers learned that Coveware had negotiated with the Snatch cybercriminals on 12 occasions between July and October 2019. The ransom demands ranged from $2,000 to $35,000 [USD].
How the Attacks Are Carried Out
Because the Snatch cybercriminals are big game hunters, they do not sit around and wait for an employee to fall for a phishing email to get the ransomware into a target's network. Instead, they typically buy their way in (e.g., purchasing compromised credentials on the dark web or partnering with another criminal who already has access) or break in themselves, often by running an automated brute-force attack against the password of an exposed account, such as a service or administrator account. Once they have a foothold, they use various tools and techniques to move laterally to other machines in the network.
In one case, the cybercriminals got into a company's network by brute-forcing the password of an administrator account on a server hosted in Microsoft Azure, which they then logged in to over the Remote Desktop Protocol (RDP). They used that administrator account to reach a domain controller in the network.
The Snatch cybercriminals used the domain controller to gather initial information about the network. Based on what they learned, they installed various programs on key machines: additional surveillance software, remote access tools so they could return to those machines at will, and a scanning utility that let them find still more computers to target. They then continued to gather and steal data.
Eventually, the attackers downloaded the ransomware component itself to the compromised machines. The ransomware installed itself as a Windows service named SuperBackupMan and added a matching entry under the Windows SafeBoot registry key, which is the list of services Windows is allowed to start in Safe Mode. It then changed the boot configuration (using the built-in bcdedit utility) so that the next boot would go to Safe Mode and forced an immediate restart.
Once a computer came back up in Safe Mode, Snatch went to work. It first deleted the Volume Shadow Copy Service snapshots (shadow copies) so that the company could not roll files back to them, and then encrypted the files on the machine's local drives.
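The sequence above leaves traces an administrator can look for on a single host: a service registered to start in Safe Mode, a boot configuration already pointed at Safe Mode, missing shadow copies, and a restart requested by shutdown.exe. The following PowerShell script is an added example for hunting those traces; it is not SophosLabs' or the original post's code. The only indicator taken from the post is the service name SuperBackupMan; the rest is heuristic and produces leads for a person to review, not a verdict, since legitimate third-party agents can also register for Safe Mode.

```powershell
# Added example: hunt for the Safe Mode persistence trick on one Windows host.
# Run in an elevated PowerShell 5.1+ session. Checks:
#   1. Services registered under SafeBoot\Minimal and SafeBoot\Network
#      (a ransomware service must be listed here to run after the Safe Mode reboot).
#   2. Whether the boot configuration already sends the next boot to Safe Mode.
#   3. Whether any shadow copies are still present.
#   4. Recent restarts requested by shutdown.exe (System log event 1074).

$KnownBadServiceNames = @('SuperBackupMan')   # service name reported in the post

function Get-SafeBootService {
    # Each subkey under SafeBoot\<mode> names a service or driver loaded in that
    # Safe Mode variant; the subkey's default value says which kind it is.
    foreach ($mode in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'
            if ($kind -ne 'Service') { continue }      # skip drivers and device-class GUIDs
            $name = $key.PSChildName
            $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Mode       = $mode
                Service    = $name
                StartMode  = $(if ($svc) { $svc.StartMode } else { $null })
                BinaryPath = $(if ($svc) { $svc.PathName } else { '<no such service>' })
            }
        }
    }
}

function Find-SuspiciousSafeBootService {
    # Heuristic: Windows' own Safe Mode services live under %SystemRoot%. Anything
    # else, or a SafeBoot entry with no matching service, is worth a look.
    $sysRoot = [regex]::Escape($env:SystemRoot)
    foreach ($e in Get-SafeBootService) {
        $reasons = @()
        if ($KnownBadServiceNames -contains $e.Service) { $reasons += 'name matches known Snatch service' }
        if ($e.BinaryPath -eq '<no such service>') { $reasons += 'SafeBoot entry without a service' }
        elseif ($e.BinaryPath -notmatch "^`"?($sysRoot|%SystemRoot%)\\") { $reasons += 'binary outside the Windows directory' }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function Get-BcdSafeBootSetting {
    # bcdedit prints a "safeboot <Minimal|Network|DsRepair>" line only when the flag is set.
    $out = & bcdedit.exe /enum '{current}' 2>&1 | Out-String -Stream
    $hit = $out | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Get-ShadowCopyCount {
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Get-RecentScriptedRestart {
    param([int]$Days = 7)
    # Event 1074 records which process requested a shutdown/restart and for which user.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'shutdown\.exe' } |
        Select-Object TimeCreated, Message
}

$flag = Get-BcdSafeBootSetting
if ($flag) { Write-Warning "BCD safeboot is set to '$flag': the next boot goes to Safe Mode (clear with: bcdedit /deletevalue {current} safeboot)" }
else       { Write-Output 'BCD safeboot flag: not set' }
Write-Output "Shadow copies present: $(Get-ShadowCopyCount)"
Write-Output 'Safe Mode services needing review:'
Find-SuspiciousSafeBootService | Format-Table -AutoSize
Write-Output 'Restarts requested by shutdown.exe in the last 7 days:'
Get-RecentScriptedRestart | Format-Table -Wrap
```

A host that shows the safeboot flag set, an unfamiliar service under SafeBoot\Minimal, and zero shadow copies matches the pattern described above and should be isolated from the network before it is allowed to restart. Any finding from the Safe Mode service list still needs confirming against the binary on disk, because backup and security agents from some vendors register themselves there legitimately.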
What You Can Do to Protect Your Company
Although Snatch is sophisticated ransomware, there are some surprisingly simple ways to help mitigate an attack:
- Use two-step verification (aka two-factor authentication) for administrator and service accounts. That way, a compromised password cannot be used on its own to gain access to the account. Where two-step verification is not possible (many service accounts cannot complete an interactive prompt), use long, random, unique passwords, deny those accounts interactive and remote logon rights they do not need, and implement an account lockout policy so that automated brute-force password guessing fails after a small number of attempts.
- Disable or secure RDP. Cybercriminals like to use RDP to remotely access computers in companies' networks, and the Snatch attackers got in through an RDP login. For this reason, you shouldn't enable RDP if it isn't needed. If your business relies on remote access, do not expose RDP directly to the internet: put it behind a VPN or an RDP gateway, require Network Level Authentication, and limit which accounts are allowed to log on remotely.
- Regularly back up files and systems, and make sure the backups can be successfully restored. Keep at least one copy offline or otherwise out of reach of an account that has been compromised, because shadow copies stored on the machine itself are the first thing Snatch deletes. Having restorable backups will not prevent a Snatch attack, but if an attack succeeds you can restore instead of paying the ransom.
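The first two measures above can be checked on a Windows host in a few lines. The following script is an added example, not code from the original post: it reads the standard registry values that control Remote Desktop, asks Windows Firewall whether the Remote Desktop rule group is open, parses the lockout policy from `net accounts`, and prints a corrective command for each weak setting it finds. It only reports; in a domain, apply the fixes through Group Policy rather than host by host. The thresholds it uses (lockout after 10 failed attempts, 30-minute duration and window) are an assumption for illustration, not a value from the post.

```powershell
# Added example: read-only audit of RDP exposure and account lockout on a Windows host.
# Run elevated. Registry paths and 'net accounts' switches are standard Windows ones;
# the firewall rule group and 'net accounts' labels are matched on an English locale.

function Get-RdpPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $p = Get-ItemProperty -Path $ts
    $q = Get-ItemProperty -Path $tcp
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    [pscustomobject]@{
        RdpEnabled   = ($p.fDenyTSConnections -eq 0)   # 1 means incoming connections are denied
        NlaRequired  = ($q.UserAuthentication -eq 1)   # Network Level Authentication before the logon screen
        TlsRequired  = ($q.SecurityLayer -eq 2)        # 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
        Port         = $q.PortNumber
        FirewallOpen = ($rules.Count -gt 0)
    }
}

function Get-LockoutPolicy {
    # 'net accounts' shows the policy in effect for local accounts; add /domain for the domain policy.
    $lines = & net.exe accounts 2>&1 | Out-String -Stream
    $pick = {
        param($label)
        $m = $lines | Select-String -Pattern "^$label\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    }
    $threshold = & $pick 'Lockout threshold'            # prints "Never" when no lockout is configured
    [pscustomobject]@{
        Threshold       = $(if (-not $threshold -or $threshold -eq 'Never') { 0 } else { [int]$threshold })
        DurationMinutes = & $pick 'Lockout duration \(minutes\)'
        WindowMinutes   = & $pick 'Lockout observation window \(minutes\)'
    }
}

function Get-HardeningFinding {
    $rdp  = Get-RdpPosture
    $lock = Get-LockoutPolicy
    $tcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.RdpEnabled) {
        if ($rdp.FirewallOpen) {
            "RDP is listening on TCP $($rdp.Port) and allowed through the firewall. If it is not needed: " +
            "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1; " +
            "Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'. Otherwise scope the rule to your gateway or VPN subnet."
        }
        if (-not $rdp.NlaRequired) {
            "NLA is off, so unauthenticated clients reach the logon screen. Fix: Set-ItemProperty -Path '$tcp' -Name UserAuthentication -Value 1"
        }
        if (-not $rdp.TlsRequired) {
            "Legacy RDP security layer is allowed. Fix: Set-ItemProperty -Path '$tcp' -Name SecurityLayer -Value 2"
        }
    }
    if ($lock.Threshold -eq 0) {
        # Example values; pick thresholds that fit your environment (duration must be >= window).
        'No lockout threshold: password guessing is unlimited. Fix: net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30'
    } elseif ($lock.Threshold -gt 10) {
        "Lockout threshold is $($lock.Threshold) attempts; 10 or fewer is the usual ceiling against automated guessing."
    }
}

Get-RdpPosture
Get-LockoutPolicy
'Findings:'
Get-HardeningFinding
```

A clean run prints the two posture objects and no findings. Note that a lockout policy blunts online brute-forcing of the kind that let the Snatch attackers in, but it does nothing against credentials bought from a previous breach, which is why the two-step verification point comes first in the list.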
For the most effective protection, these measures should be part of a comprehensive security strategy that includes other defenses such as applying the principle of least privilege and regularly updating software to patch known vulnerabilities. We can help you create and implement a strategy that will help protect your company against all types of malware.
Photo credit: "binary damage code" by Markus Spiske, via Flickr, released to the public domain under the Creative Commons Public Domain Dedication (CC0).