A variant of ransomware is discovered that reboots your PC in 'safe mode' to circumvent antivirus

A team of researchers has published details of a new variety of the "Snatch" ransomware, a family that has been active for more than a year. This variant uses a behaviour not seen before in ransomware: before it begins encrypting the hard disk, it reboots the infected PC into Windows "Safe Mode" and runs the encryption from there.

According to the researchers, the point of this strategy is to get past the antivirus installed on the victim's machines. Safe Mode loads only the drivers and services strictly necessary for Windows to function, and the real-time protection of most endpoint security products is not among them, so the ransomware encrypts files with nothing watching.

The good news is that this Snatch variant is not aimed at home users.

Snatch uses a Windows registry key to arrange for its encryption process to run in Safe Mode: the service it installs is registered under the key Windows consults to decide which services start in that mode (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal), so when the machine comes back up the ransomware runs while the antivirus does not. That makes it very hard for the antivirus to detect or stop the encryption itself, though not impossible to catch the attack: the service installation, the registry change and the forced reboot all happen in normal mode first, where they can be logged and blocked.

Another of Snatch's peculiarities is that it does not only encrypt the data on the victims' disks to demand a ransom; it also steals information from them before encrypting. That gives the attackers a second lever, since even a victim with good backups can be pressured with the stolen data, and it is what makes this one of the more dangerous ransomware families circulating on the Internet right now.

The one consolation is that it is not being spread to domestic users through mass spam campaigns. Its operators attack carefully selected government and corporate targets, and then demand ransoms of between 2,000 and 35,000 dollars, paid in bitcoin.

The malware only runs on Windows, from Windows 7 onwards, in both 32-bit and 64-bit editions. It is written in Google's Go language and packed with UPX, which hides the binary's contents from simple static inspection.

Once inside a network, the operators use commodity offensive tooling such as Cobalt Strike to extend their access. The ransomware component installs itself as a Windows service named SuperBackupMan, which is responsible for writing the registry key mentioned above and for restarting the machine into Safe Mode.
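As an added example that is not part of the original article and not code from the Snatch operators, the following PowerShell hunt checks the two host conditions the technique above depends on: a service registered to start in Safe Mode, and a boot configuration that will enter Safe Mode on the next restart. The SafeBoot\Minimal key and the bcdedit safeboot element are standard Windows mechanisms; the SuperBackupMan name comes from the article; the "binary outside %SystemRoot%" heuristic and the output format are this example's own assumptions.

```powershell
# Added example (not from the article or the malware). Run elevated on the host you are checking.
# Assumes Windows 10 / Server 2016 or later with bcdedit.exe available.

function Get-SafeBootServiceEntries {
    # In plain Safe Mode, Windows starts only the services and drivers listed under this key.
    # A ransomware service that wants to run there has to add itself here first.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    Get-ChildItem -Path $key | ForEach-Object {
        $name = $_.PSChildName
        $type = (Get-ItemProperty -Path $_.PSPath).'(default)'   # 'Service', 'Driver' or 'Driver Group'
        $svc  = $null
        if ($type -eq 'Service') {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Name      = $name
            Type      = $type
            Installed = [bool]$svc          # entry points at a service that actually exists
            StartMode = $svc.StartMode
            PathName  = $svc.PathName
        }
    }
}

function Find-SuspiciousSafeBootEntries {
    # Heuristic (assumption): Windows' own Safe Mode services live under %SystemRoot%. A Safe Mode
    # service whose binary is elsewhere, or whose name matches a known indicator, deserves a look.
    param([string[]]$KnownBadNames = @('SuperBackupMan'))   # service name reported in the article
    $systemRoot = $env:SystemRoot
    Get-SafeBootServiceEntries | Where-Object {
        ($_.Name -in $KnownBadNames) -or
        ($_.Installed -and $_.PathName -and
         -not $_.PathName.TrimStart('"').StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase))
    }
}

function Test-SafeBootPending {
    # The current boot entry carries a 'safeboot Minimal|Network|DsRepair' element only when the next
    # restart will enter Safe Mode. A normally configured machine has no such line.
    $out  = & bcdedit.exe /enum '{current}' 2>&1
    $line = $out | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return $null
}

# --- run the checks ---
$suspicious = Find-SuspiciousSafeBootEntries
if ($suspicious) {
    'Safe Mode service entries worth examining:'
    $suspicious | Format-Table Name, Type, StartMode, PathName -AutoSize
} else {
    'No unexpected Safe Mode service entries.'
}

$mode = Test-SafeBootPending
if ($mode) {
    "WARNING: the next reboot will enter Safe Mode ($mode). Find out who set it before clearing it with: bcdedit /deletevalue {current} safeboot"
}
```

Legitimate third-party software (some endpoint agents, backup tools) does register itself under SafeBoot\Minimal, so the first check produces leads to triage, not verdicts. The stronger signal is the combination: a freshly installed service, a new SafeBoot entry and a pending Safe Mode boot within minutes of each other. Those three events all occur in normal mode, where service installation (System log event 7045) and the bcdedit change are still visible to your logging, which is where detection for this technique belongs.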

To avoid becoming a Snatch victim, the recommendation is not to leave Remote Desktop exposed to the Internet unprotected, to lock down similar remote-access tools such as VNC and TeamViewer the same way, and to enforce multi-factor authentication so that brute-force attacks against those services do not succeed.
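The advice above is easier to act on with a concrete check. The following PowerShell, added here as an example and not taken from the article, reports a host's RDP posture (whether RDP is enabled, whether Network Level Authentication is required, and whether the listener is bound to every interface) and then looks in the Security log for bursts of failed logons from a single source, which is what an RDP brute-force attempt looks like from the target's side. The registry values and event ID are standard Windows; the 24-hour window and the threshold of 20 failures are this example's own assumptions.

```powershell
# Added example (not from the article). Run elevated; reading the Security log requires admin rights.

function Get-RdpPosture {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $tcp.PortNumber -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        # NLA makes the client authenticate before a session is created; without it the login
        # screen itself is exposed to anyone who can reach the port.
        NlaRequired       = ($tcp.UserAuthentication -eq 1)
        Port              = $tcp.PortNumber
        ListeningOnAllIfs = [bool]($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })
    }
}

function Get-FailedLogonBursts {
    # Event 4625 = failed logon. Logon type 10 (RemoteInteractive) is RDP proper; type 3 (Network)
    # is what a credential rejected by NLA looks like, so both are counted.
    param([int]$Hours = 24, [int]$Threshold = 20)   # assumptions, tune to the environment
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields out of the event XML instead of parsing the message text.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Ip = $d['IpAddress']; User = $d['TargetUserName']; Type = $d['LogonType'] }
        } |
        Where-Object { $_.Type -in @('3', '10') } |
        Group-Object Ip |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp      = $_.Name
                Failures      = $_.Count
                # Many distinct users from one source is password spraying rather than a forgotten password.
                DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            }
        } |
        Sort-Object Failures -Descending
}

# --- run the checks ---
$posture = Get-RdpPosture
$posture | Format-List
if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    'RDP is enabled without NLA; require it with:'
    '  Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1'
}
$bursts = Get-FailedLogonBursts -Hours 24 -Threshold 20
if ($bursts) { 'Possible brute-force sources in the last 24h:'; $bursts | Format-Table -AutoSize }
else { 'No source exceeded the failed-logon threshold in the last 24h.' }
```

Requiring NLA and watching 4625 bursts are local measures; they do not replace the article's main point, which is that RDP, VNC and TeamViewer should not be reachable from the Internet at all without a VPN or gateway in front of them and multi-factor authentication on the account. An exposed listener with a lockout policy still hands an attacker an endless supply of guesses spread across accounts, which is exactly the spraying pattern the DistinctUsers column is there to surface.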

Andrea Leal
