A fresh ransomware variant known as “Snatch” has been spotted in campaigns, forcing Windows machines to reboot into Safe Mode before beginning the encryption process. It’s one of multiple components of a malware constellation being used in carefully orchestrated attacks that also feature rampant data collection.
According to researchers with SophosLabs, Snatch runs itself in an elevated permissions mode, and sets registry keys that instruct Windows to run it following a Safe Mode reboot.
“It the quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives,” explained Andrew Brandt, SophosLabs researcher, in a Monday posting.
Snatch’s operators appear to have been active since the summer of 2018, according to the analysis – however, the Safe Mode aspect is a newly added feature.
“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated,” Brandt said.
Snatch Collection of Malware
Snatch attacks Windows machines with a collection of malware that includes the ransomware executable; a custom-built data stealer; a Cobalt Strike reverse-shell; and several publicly available tools that are typically used by penetration testers, system administrators or technicians. It’s also all obfuscated by an open-source packer called UPX.
The adversaries (which call themselves “Snatch Team” in an homage to the 2000 Guy Ritchie movie) are using automated brute-force attacks to infiltrate company networks before spreading laterally. In an incident in October, the attackers brute-forced the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP). From there, Snatch spread other executables, designed to give the attackers remote access without having to rely on the compromised Azure server, to 200 machines, or roughly 5 percent of the computers on the company’s internal network.
The attackers also logged into a domain controller (DC) machine on the same network, and then surveilled the network over the course of several weeks, collecting and uploading data using a custom tool called “Update_Collector.exe.”
“The attackers query the list of users authorized to log in on the box, and write the results to a file,” Brandt said. “We also observed them dump WMIC system and user data, process lists, and even the memory contents of the Windows LSASS service, to a file then upload them to their command-and-control (C2) server…In fact, it uses this same method to upload a lot of information to the C2 server.”
In addition, Snatch Team installed a free Windows utility called Advanced Port Scanner, using it to discover additional machines on the network that they could target. Other legitimate tools included in the attack were Process Hacker, IObit Uninstaller, PowerTool and PsExec, which the attackers used to disable antivirus products.
And finally, after surveillance and data collection, Snatch Team downloaded the ransomware to infected machines.
Snatch Spreads
Snatch has been seen in attacks in United States, Canada and several European countries, researchers found. In all cases, the ransomware portion of the attack came several days to weeks after the initial network breach.
The firm also reached out to Coveware, which is a company that negotiates with ransomware attackers on behalf of victims.
“The company tells us they have negotiated with the Snatch criminals on 12 occasions between July and October on behalf of their clients,” Brandt said. “Ransom demands (in Bitcoin) ranged in value from $2,000 to $35,000, but trended up over that four month period.”
The majority of the initial compromises arose from unprotected and unmonitored devices – meaning that a first line of defense is patching, strong password protection and other basic security hygiene measures.
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.
