Snatch ransomware pwns security using sneaky ‘safe mode’ reboot

Sophos’s Managed Threat Response (MTR) team has warned the industry of a dangerous new ransomware trick – encrypting data only after rebooting Windows PCs into ‘safe mode’.

Deployed recently by the Russian-developed ‘Snatch’ ransomware – named after the 2000 movie of the same name – it’s effective against much endpoint security software, which often doesn’t load when safe mode is in operation.

That’s despite the fact that in real-world attacks analysed by MTR, Snatch starts out like many other ransomware campaigns currently targeting business networks.

The attackers look for weakly secured Remote Desktop (RDP) ports to force their way into Azure servers, a foothold they use to move sideways to Windows domains controllers, often spending weeks gathering reconnaissance.

In one network attack, the attackers the installed the ransomware on around 200 machines using command and control (C2) after utilising a grab-bag of legitimate tools (Process Hacker, IObit Uninstaller, PowerTool, PsExec, Advanced Port Scanner) plus some of their own.

The same software profile was detected in other attacks in the US, Canada and several European countries, which also exploited exposed RDP.

One trick, but a good one

But Snatch still has the same problem as any other ransomware – how to beat local software protection.

Its approach is to load a Windows service called SuperBackupMan which can’t be stopped or paused, which adds a registry key ensuring the target will boot into safe mode after its next reboot.

Only after this has happened, and the machine has entered safe mode, does it execute a routine that deletes Windows volume shadow copies, after which it encrypts all documents it detects on the target.

Using safe mode to bypass security has its pros and cons. The upside is that in many cases, it works – security software not expecting this technique is easily bypassed.

The tricky bit is that it must still execute its bogus Windows service, which relies on breaking into domain controllers to distribute it to targets from inside the network.

Rebooting in safe mode also won’t get past the Windows login, which in theory gives an alerted user a fighting chance to stop the encryption.

However, this hasn’t stopped it achieving plenty of success. A company involved in negotiating ransomware settlements, Coveware, told Sophos it had acted for companies in 12 incidents between July and October, which involved paying bitcoins ransoms between $2,000 and $35,000.

Attacks also often involve manual oversight by the criminals, as an MTR researcher discovered when his IP address was blacklisted in real time to prevent his analysis of Snatch’s C2 behaviour.

What to do

For Sophos customers, the protection is already part of the latest endpoint protection versions although it’s important to enable the CryptoGuard feature within Intercept X.

Sophos security detects Snatch’s different components under the following signatures:

Troj/Snatch-H
Mal/Generic-R
Troj/Agent-BCYI
Troj/Agent-BCYN
HPmal/GoRnSm-A
HPmal/RansMaz-A
PUA Detected: ‘PsExec’

Unusually, Snatch’s encryption uses OpenPGP, complete with hardcoded public keys which SophosLabs has published on its GitHub page for defenders to use as Indicators of Compromise (IoCs).

Defending against Snatch

• RDP should either be turned off or secured using a VPN with authentication.
• VNC and TeamViewer is another possible entry point, and there is evidence the attackers might soon start using web shells, or breaking into SQL/SQL injection.
• All admin accounts should be protected with multi-factor authentication and good passwords.
• Unprotected devices are a big target the attackers use to gain a foothold. The defence against this is to carry out regular audits, including to detect shadow IT.
• Ransomware attacks require having a ‘plan b’ response in place, including reinstatement from backups and forensics/mitigation of the weaknesses that allowed an attack to happen.
• Endpoint protection tools are not alike – will yours notice Snatch or cope with its safe mode attack? This technique is likely to become more common during 2020.