What Is Snatch Ransomware and How to Remove It

It seems that criminal software developers never sleep when defenses go up. They are always looking for different ways to perfect their attack weapons. One of the most recent techniques is a ransomware strain that can force a Windows device to restart in safe mode just before the encryption starts, in order to bypass endpoint protection.

This particular strain is known as Snatch due to its authors, who refer to themselves as the Snatch team. It was discovered by researchers at Sophos Labs, who described their discovery as well as information on how these gangs break into companies and other entities on their hit list.

We will explain what Snatch ransomware is, how it works and how to remove it from your devices.

What is Snatch Ransomware

Snatch is a new ransomware variant whose executable forces Windows devices to reboot in safe mode before the encryption process even begins in order to bypass the protection of terminals which often do not run in this mode.

Discovered by SophosLabs researchers and the Sophos Managed Threat Response team, the Snatch ransomware is one of several components of the malware constellation used in a continuous series of carefully orchestrated attacks including extensive data collection.

The new strain of ransomware uses a unique infection method that applies sophisticated AES encryption so that users whose machines are infected cannot access their files.

Snatch ransomware was substantially active for the first time in April 2019, but it was released in late 2018. However, the increase in encrypted files and ransom notes led to its discovery and tracking by 39; Sophos research team.

Its crypto-virus form attacks high-level targets, but this new strain, created using the Google Go program, includes a collection of tools, including a data thief and ransomware function. . Additionally, it has a Cobalt Strike reverse shell and other tools used by penetration testers and system administrators.

Note: The variant discovered by Sophos can only run on Windows in the 32-bit and 64-bit editions of version 7 to 10.

How Snatch Ransomware Works

As a file locking virus, Snatch ransomware is unrelated to other strains. However, its developers have released nine variants of the threat, which add different extensions after encrypting data with AES encryption.

The trick is to restart the machines in safe mode, then the ransomware restricts access to your data by encrypting your files. After that, hackers try to extort money from you by asking for ransom in the form of Bitcoin in exchange for unlocking your files and giving back access to the data.

There is a reason why their trick works. Some antivirus software does not start in safe mode, and the developers have discovered that they can easily change a Windows registry key and simply start your computer in safe mode. Thus, the ransomware runs without being detected by your security software.

The first time it is installed on your device, it goes through SuperBackupMan, a Windows service, and installs just before restarting your computer so that you cannot shut it down in time.

Once installed, attackers use administrator access to run BCDEDIT, a Windows command line tool, to force your computer to restart immediately in safe mode.

It then creates an executable randomly named in your% AppData% or% LocalAppData% folder, which will be launched and begins scanning your computer's drive letters for files to encrypt.

Files targeted by Snatch Ransomware

It encrypts specific file extensions, including .doc, .docx, .pdf, .xls and many others, that it infects and changes their extensions to Snatch so that you cannot reopen them.

The ransomware leaves a text file note Readme_Restore_Files.txt, requiring anything between one and five Bitcoin in exchange for a decryption key, along with information on how to communicate with hackers to recover your data files .

Once the ransomware has fully scanned your computer, it uses vssadmin.exe, a Windows command to delete all copies of ghost volumes on it so that you cannot recover them and use them to restore encrypted data files. The last step is to encrypt all the data files on your hard drive.

Currently, infected files are not decryptable due to the sophisticated nature of the AES encryption used. However, you still have a lifeline if your computer is infected by restoring your files from the most recent backup.

The Snatch ransomware targeted regular users via spam. But today, the main targets are businesses. By paying such criminals, you not only lose money and have no guarantee that they will send you the decryption key, but it also encourages them to continue their cybercrime.

If you don't have an updated backup, there is little you can do other than wait for security experts to come up with a Snatch ransomware decryptor. It might take a long time, but there are other ways to protect yourself from such attacks.

How to remove Snatch Ransomware from your computer

One of the best ways to remove Snatch ransomware and other malware is to install good antivirus security software such as Malwarebytes or SpyHunter which can scan, detect and eliminate the threat. Not all antivirus engines can detect it because it is a brand new malware, so it is good to scan using multiple programs.

You can protect yourself and your devices from ransomware attacks by taking simple steps such as downloading software from trusted sources and by avoiding opening email attachments from untrusted sources .

You can also protect yourself and your organization from Snatch and other types of ransomware:

• Maintain an updated operating system and back up your data.
• Perform a regular password audit.
• Deploy comprehensive, multi-layered security software to protect all entry points from a ransomware attack.
• Securing remote access tools and other vulnerable programs, as Snatch attackers hire other criminals with experience using web shells or capable of hacking SQL servers via injection attacks.
• Protect your Remote Desktop interface by placing it behind a VPN on your network so that users do not access it without VPN credentials.
• Run regular and thorough checks on all devices in your home or organization to make sure they are protected and monitored while Snatch operates these access points and anchor points to enter .
• Configure and use multi-factor authentication for all administrators in your organization so that attackers cannot brutally force your credentials.
• Perform a full threat hunt on your network to identify such activity before infection.

Protect your system

Snatch ransomware can seem deadly in the way it works to paralyze your files and devices. Before you think about paying this ransom, try the above steps to remove the threat and always take preventive measures to make sure that such threats do not appear on your computer or network.

Then: If you think your phone is infected with ransomware, check out our next article for how to detect and remove it.