New Ransomware Attack Reboots Systems into Safe Mode to Bypass Antivirus!


The latest strain of Snatch ransomware performs a devious task to ensure tools designed to protect against ransomware are nowhere to be found during encryption.

This one is pure evil genius! The latest variant of Snatch has been identified by the researchers at Sophos. Infecting Windows 7 through 10 (in both 32-bit and 64-bit versions), this version of Snatch installs a Windows service SuperBackupMan that is configured to run in Safe Mode. Once a forced restart is complete, and the system is in Safe Mode, those AV solutions not configured to run leave the system exposed and able to be encrypted.

But the impressiveness of this ransomware doesn’t stop there. Researchers also found the following attack measures in varying degrees:

  • Use of RDP as the initial attack vector
  • Exfiltration of system information
  • Monitoring of network traffic
  • Installation of surveillance software
  • Installation of remote access trojans (RATs)

The payload for this ransomware uses the open-source packer UPX to help obfuscate detection of the malicious code within. This is powerful and dangerous stuff here that has attack ramifications both in the immediate timeframe and in the future (depending on how patient the attacker is).

Your organization needs to address this in two ways:

  • Eliminate external RDP access – this has been shown to be a primary attack vector for ransomware for some time.
  • Train users to spot phishing attacks – Users need to be put through continual Security Awareness Training to help them understand the types of phishing scams used to infect machines with ransomware like Snatch and any other malware. With proper training, users begin to act just like IT pros do; becoming aware of the potential threat and always having a vigilant mindset when interacting with email and web content.

** Optrics Inc. is an Authorized KnowBe4 partner

Find out how affordable new-school security awareness training is for your organization. Get a quote now.

The original article can be found here:

Leave a Reply