Ransomware uses Windows Safe Mode to Bypass Antivirus

Cybersecurity researchers have spotted new ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims’ files to avoid antivirus detection.

Snatch has been active since at least the summer of 2018, but SophosLabs researchers spotted the Safe Mode enhancement to this ransomware strain only in recent cyber attacks against various entities they investigated.

“SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process,” the researchers say.
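As an added example (not code from the article or from SophosLabs), the following Python sketch shows detection logic for the Safe Mode staging described above, run over constructed Sysmon-style events. It assumes the staging is done through the standard Windows mechanisms for a Safe Mode boot, namely setting the `safeboot` boot option with `bcdedit` and registering a service under the `SafeBoot` registry key; the article does not say how Snatch triggers the reboot, so these are assumptions, as are the host names, paths and service names in the sample data.

```python
import re

SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
TRUSTED_DIR = re.compile(r"^C:\\Windows\\", re.I)

# Constructed Sysmon-style events (not from the article): id 1 = process create,
# id 13 = registry value set; "t" is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"t": 100, "id": 1, "host": "ws01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"t": 101, "id": 13, "host": "ws01", "image": r"C:\Users\Public\upd.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdaterSvc\(Default)"},
    {"t": 103, "id": 1, "host": "ws01", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /f /t 0"},
    {"t": 500, "id": 1, "host": "ws02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum all"},
    {"t": 600, "id": 13, "host": "ws02", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\(Default)"},
]

def classify(ev):
    """Map one event to an indicator name, or None if it looks benign."""
    image = ev["image"].lower()
    if ev["id"] == 1 and image.endswith("bcdedit.exe") and "safeboot" in ev["cmdline"].lower():
        return "bootcfg_safeboot_set"        # boot configuration changed to start in Safe Mode
    if ev["id"] == 13 and SAFEBOOT_KEY.search(ev["target"]) and not TRUSTED_DIR.match(ev["image"]):
        return "safeboot_service_added"      # non-Windows binary registers a service for Safe Mode
    if ev["id"] == 1 and image.endswith("shutdown.exe") and re.search(r"\s/r(\s|$)", ev["cmdline"]):
        return "reboot_requested"
    return None

def detect(events, window=300):
    """Per host: Safe Mode staging alone is 'medium'; a reboot request within
    `window` seconds of it raises the alert to 'high'. Plain reboots are ignored."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        tag = classify(ev)
        if tag is None:
            continue
        if tag == "reboot_requested":
            host = alerts.get(ev["host"])
            if host and ev["t"] - host["staged_at"] <= window:
                host["indicators"].append(tag)
                host["severity"] = "high"
            continue
        host = alerts.setdefault(ev["host"], {"indicators": [], "severity": "medium", "staged_at": 0})
        host["indicators"].append(tag)
        host["staged_at"] = ev["t"]
    return alerts
```

On the sample data only `ws01` is reported, at severity `high`; the `bcdedit /enum` call and the Windows-owned `vga.sys` entry on `ws02` are left alone.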

What makes Snatch different from, and more dangerous than, other ransomware is that it is also a data stealer. Snatch includes a sophisticated data-stealing module that lets attackers exfiltrate vast amounts of information from the target organizations before encryption.

Besides this, the attackers behind Snatch ransomware also offer partnership opportunities to other cybercriminals and rogue employees who hold credentials and backdoors into large organizations and can use them to deploy the ransomware.

Using brute-forced or stolen credentials, the attackers first gain access to the company’s internal network and then run several legitimate system administration and penetration testing tools to compromise devices within the same network without raising any red flags.

To prevent ransomware attacks, organizations are advised not to expose critical services and ports to the public Internet and, where exposure is unavoidable, to protect them with strong passwords and multi-factor authentication.

