
Researchers discover ‘Snatch’ ransomware attack that circumvents endpoint protection on your PC

Snatch is an automated active attack which allows hackers to gain access by abusing remote access services.

By: HT CORRESPONDENT
| Updated on: Aug 20 2022, 18:53 IST
Sophos discovers a new iteration of Snatch ransomware (Sophos)

Security researchers have discovered a new ransomware attack in which cybercriminals reboot Windows PCs into Safe Mode to bypass protection. Researchers believe the new technique, used by the ransomware dubbed 'Snatch', is aimed at circumventing endpoint protection, which doesn't run in Safe Mode.

"The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It then quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn't run, Snatch encrypts the victims' hard drives," said Sophos Managed Threat Response (MTR) team and SophosLabs researchers in a post.
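The persistence step described in that quote, a service registered to start during a Safe Mode boot, leaves a footprint that an administrator can audit. As an added defensive illustration (this is not code from Sophos or from the article), the PowerShell script below enumerates every service or driver group registered under the SafeBoot\Minimal and SafeBoot\Network registry keys that Windows consults when booting into Safe Mode, and compares them against a baseline taken on a known-clean machine. The registry paths are standard Windows locations; the baseline file path and the function name are my own choices.

```powershell
# Added example (not from the Sophos report or the article): audit which services
# and driver groups are registered to start in Safe Mode, and flag entries that
# were not present in a baseline taken on a known-clean machine.
# Assumes: Windows, run from an elevated PowerShell session.
# The baseline path below is a hypothetical choice, not anything from the article.
param(
    [string]$BaselinePath = "$env:ProgramData\SafeBootBaseline.json",
    [switch]$WriteBaseline
)

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SafeBootEntry {
    # Each subkey under SafeBoot\Minimal and SafeBoot\Network names a service or
    # driver group that Windows permits to start in that Safe Mode variant.
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $SafeBootRoot $mode
        if (-not (Test-Path $modeKey)) { continue }
        foreach ($sub in Get-ChildItem -Path $modeKey) {
            $name = $sub.PSChildName
            $kind = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
            # If a service of the same name exists, record its binary so the
            # reviewer can see what would actually run in Safe Mode.
            $svc = Get-ItemProperty -Path (Join-Path $ServicesRoot $name) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Mode      = $mode
                Name      = $name
                Kind      = $kind          # typically 'Service' or 'Driver'
                ImagePath = $svc.ImagePath
            }
        }
    }
}

$current = @(Get-SafeBootEntry)

if ($WriteBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Wrote baseline with $($current.Count) entries to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -WriteBaseline on a known-clean system first."
}

$known = @{}
foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
    $known["$($b.Mode)\$($b.Name)"] = $true
}

# Anything registered since the baseline is exactly what a Safe-Mode-persistent
# service looks like from the registry's point of view, whatever it is named.
$added = $current | Where-Object { -not $known.ContainsKey("$($_.Mode)\$($_.Name)") }

if ($added) {
    Write-Warning "$(@($added).Count) Safe Mode entries not in baseline:"
    $added | Format-Table Mode, Name, Kind, ImagePath -AutoSize
} else {
    Write-Host 'No Safe Mode entries beyond the baseline.'
}
```

Run it once with -WriteBaseline on a freshly built host, then on a schedule or from your endpoint management tooling. A new subkey under Minimal or Network whose ImagePath points outside the Windows directory, or that appeared around the same time as an unexplained reboot, is worth escalating; legitimate software rarely needs to run in Safe Mode.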

Researchers said they first discovered the Snatch ransomware about one year ago. The ransomware has been active since the summer of 2018, but the Safe Mode technique is the latest addition.

"What we refer to as Snatch malware comprises a collection of tooling, which include a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse-shell; and several publicly-available tools that aren't inherently malicious, but used more conventionally by penetration testers, system administrators, or technicians," it added.


According to the security experts, Snatch targets insecure IT remote access services such as Remote Desktop Protocol (RDP). The report adds that the ransomware attack is also discussed on dark web forums.

Security researchers recommend that users and enterprises use newer technologies such as machine learning or deep learning to reduce the risk from such ransomware attacks. IT administrators should also identify which remote access services are exposed to the public internet. Where remote access is unavoidable, admins should place it behind a VPN with multi-step authentication.
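The "identify which remote access services are exposed" step can be started from the host itself. As an added example (not code from the article or from Sophos), the PowerShell script below reports whether Remote Desktop is enabled, whether Network Level Authentication is required, which port and local addresses it listens on, and which enabled inbound firewall rules admit RDP from any remote address. The registry values and cmdlets are standard on Windows 8 / Server 2012 and later; the 'Remote Desktop' display group name is the English-locale name and is an assumption for other locales, and the function name is my own.

```powershell
# Added example (not from the article or Sophos): summarise how this host exposes
# Remote Desktop, so an administrator can decide whether it belongs behind a VPN.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules) and
# an elevated session. 'Remote Desktop' is the English-locale firewall display
# group; adjust it for other locales.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue

    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $enabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means Network Level Authentication is required
    # before a session (and the logon screen) is presented.
    $nlaRequired = ($rdp.UserAuthentication -eq 1)
    # PortNumber is 3389 unless an administrator changed it.
    $port = if ($rdp.PortNumber) { [int]$rdp.PortNumber } else { 3389 }

    # Listening sockets on the RDP port, and which local addresses they bind.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # Enabled inbound firewall rules in the Remote Desktop group whose remote
    # address scope is 'Any' accept connections from every network the host can see.
    $openRules = @(
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
            Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
            Select-Object -ExpandProperty DisplayName
    )

    [pscustomobject]@{
        RdpEnabled         = $enabled
        NlaRequired        = $nlaRequired
        Port               = $port
        ListeningOn        = @($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique)
        RulesOpenToAnyIP   = $openRules
        # Enabled, actually listening, and allowed from any remote address by
        # the host firewall: nothing on this host gates who may try to log on.
        ExposedWithoutGate = ($enabled -and $listeners.Count -gt 0 -and $openRules.Count -gt 0)
    }
}

$report = Get-RdpExposure
$report | Format-List

if ($report.ExposedWithoutGate) {
    Write-Warning 'RDP is enabled, listening, and allowed from any remote address by the host firewall.'
    Write-Warning 'Scope the firewall rule to the VPN subnet or disable RDP, and require NLA plus MFA on the VPN.'
}
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'Network Level Authentication is not required; enable it.'
}
```

The script only describes what the host itself permits; whether that host is reachable from the public internet also depends on the perimeter firewall and NAT, so correlate its output with those rules. Running it across a fleet and collecting the ExposedWithoutGate flag gives a quick list of machines to move behind the VPN first.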


First Published Date: 06 Jan, 16:16 IST