New Ransomware Attack Reboots Systems into Safe Mode to Bypass Antivirus!

The latest strain of Snatch ransomware performs a devious task to ensure tools designed to protect against ransomware are nowhere to be found during encryption.

This one is pure evil genius! The latest variant of Snatch has been identified by researchers at Sophos. Infecting Windows 7 through 10 (both 32-bit and 64-bit versions), this version of Snatch installs a Windows service named SuperBackupMan that is configured to run in Safe Mode. It then forces a restart; once the system is back up in Safe Mode, any AV solution not configured to run there is absent, leaving the system exposed and able to be encrypted.
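
As an added example (not from the original post or from Sophos's analysis), the PowerShell check below lists the services and drivers Windows will load in Safe Mode, which are registered under the SafeBoot\Minimal and SafeBoot\Network registry keys, and flags any service not on a baseline. It assumes the ransomware registers its service through that standard SafeBoot mechanism; the baseline array is a constructed placeholder that should be replaced with one exported from a clean reference build of your own image.

```powershell
# Added defender-side example, not code from the original post.
# Windows loads only the entries under these keys when booted into Safe Mode,
# so a ransomware-installed service such as SuperBackupMan has to appear here.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Constructed placeholder baseline of services expected in Safe Mode.
# Replace with an export from a known-good machine of the same build.
$Baseline = @('RpcSs', 'EventLog', 'PlugPlay', 'CryptSvc', 'Dhcp', 'Dnscache')

function Get-SafeBootEntries {
    param([ValidateSet('Minimal', 'Network')][string]$Mode)
    $key = Join-Path $SafeBootRoot $Mode
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem -Path $key | ForEach-Object {
        $name = $_.PSChildName
        # The subkey's default value is the loader class: 'Service' or 'Driver'
        # (device-class GUID entries carry a description string instead).
        $class = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        [pscustomobject]@{
            Mode      = $Mode
            Entry     = $name
            Class     = $class
            ImagePath = $image
        }
    }
}

function Find-SuspiciousSafeBootEntries {
    foreach ($mode in 'Minimal', 'Network') {
        Get-SafeBootEntries -Mode $mode | Where-Object {
            # Only services are interesting here; flag any that is not in the
            # baseline, and always flag the name Sophos observed for Snatch.
            ($_.Class -eq 'Service' -and $_.Entry -notin $Baseline) -or
            ($_.Entry -eq 'SuperBackupMan')
        }
    }
}

# Run from an elevated prompt; an empty table means nothing unexpected is
# registered to survive a Safe Mode boot.
Find-SuspiciousSafeBootEntries | Format-Table -AutoSize
```

Scheduling this check to run periodically and forwarding any non-empty result to your SIEM gives you a detection point before the forced reboot, since the service has to be registered under SafeBoot first.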

But the impressiveness of this ransomware doesn’t stop there. Researchers also found the following attack measures in varying degrees:

  • Use of RDP as the initial attack vector
  • Exfiltration of system information
  • Monitoring of network traffic
  • Installation of surveillance software
  • Installation of remote access trojans (RATs)

The payload for this ransomware is packed with the open-source packer UPX to help the malicious code within evade detection. This is powerful and dangerous stuff that has attack ramifications both in the immediate timeframe and in the future (depending on how patient the attacker is).

Your organization needs to address this in two ways:

  • Eliminate external RDP access – this has been shown to be a primary attack vector for ransomware for some time.
  • Train users to spot phishing attacks – Users need to be put through continual Security Awareness Training to help them understand the types of phishing scams used to infect machines with ransomware like Snatch and any other malware. With proper training, users begin to act just like IT pros do: aware of the potential threat and vigilant whenever they interact with email and web content.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
