Snatch Ransomware Variant Uses Safe Mode to Avoid Detection


A new Snatch ransomware variant was discovered by researchers at SophosLabs during recent investigations into a series of ransomware attacks. This new Snatch variant avoids antivirus detection by rebooting Windows machines into Safe Mode before encrypting files on users’ computers.

How is this New Snatch Ransomware Variant Different?

Like all ransomware and previous Snatch variants, this new Snatch variant infects machines and encrypts files on the device. Victims are then required to pay a ransom to have their files decrypted.

However, the new Snatch variant uses a different method for infecting machines, which involves booting machines into Safe Mode to avoid detection. The Safe Mode is usually used for debugging and recovering a corrupted operating system.

Furthermore, unlike previous ransomware variants, this new Snatch variant can also encrypt files on infected networks not just infected machines.

How Does the New Snatch Ransomware Variant Work?

When booted into Safe Mode, Windows machines often do not run security software. Therefore, the new Snatch variant can infect machines without detection and then encrypt the files contained on them without having its encryption process stopped.

According to SophosLabs researchers, the new Snatch ransomware variant: “…sets itself up as a service that will run under a Safe Mode boot. It the [then] quickly reboots the computer into Safe Mode and in the rarefied Safe Mode environment… Snatch encrypts the victims’ hard drives.”

This piece of malware relies on brute force attacks to access vulnerable networks and computers. In brute force attacks, attackers submit many computer-generated passwords one after the other until the correct one is found.

Safeguarding Against Ransomware Attacks

The new Snatch ransomware variant appears only to be able to attack computers running the most common versions of the Windows operating system, from 7 through to 10, and in both 32 and 64-bit versions. It doesn’t appear to be able to run on other operating systems.

Therefore, users running Windows are advised to implement some safeguards to prevent falling victim to this new Snatch variant. Windows users are advised to regularly backup files on their computers, keep their operating system software updated to the latest patch and check their Windows privacy settings.

Organizations wishing to keep their networks safe are advised to implement 2-Factor Authentication. Other safeguards include regularly scanning networks for vulnerabilities and patching these as soon as possible, and not exposing Remote Desktop interfaces to the unprotected internet by using VPNs.

The above-mentioned safeguards do not only help safeguard against attacks from this new Snatch ransomware variant, but against all malware attacks.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.