Sat. Aug 15th, 2020

SNATCH ransomware can automatically enter safe mode to kill anti-virus software

Researchers at Sophos, a security company, have recently detected new ransomware that uses an unusually sophisticated method to get past anti-virus software. The researchers describe it as predatory malware because it reboots the computer into Safe Mode and uninstalls other software before encrypting files. In Safe Mode, third-party (non-Microsoft) software normally does not start automatically, and anti-virus software is bound by the same restriction. This ransomware disguises itself as a system service, exploits that restriction of Safe Mode to uninstall the installed anti-virus software, and then takes over the computer.

This ransomware does not cast its net as widely as possible to infect as many computers as it can; instead, its operators collect information and carefully select potential targets. The group behind it mainly uses Microsoft Remote Desktop, VNC, TeamViewer, web shells and SQL injection to compromise an initial set of machines. If an enterprise exposes such software or tools without adequate security defenses, it may be found by the attackers' scans and then used as an entry point into the corporate intranet. After gaining access to the intranet, the attackers first collect corporate and sensitive information, and usually decide on the next step only after monitoring the network for several weeks.

To deal with anti-virus software, the ransomware disguises itself as a system service: Snatch installs itself under the name SuperBackupMan. The name suggests a system backup tool and may therefore cause users to lower their guard, but once the service is installed it cannot be uninstalled, paused or stopped. The service then forces the computer to reboot into Safe Mode, where other system tools such as anti-virus or cleaning software are uninstalled directly.

In addition, to prevent users from restoring data from backups, the ransomware finds and deletes every Windows shadow copy and system restore point it can locate. How the ransomware manages to start itself in Safe Mode is not clear, but the strategy of uninstalling the anti-virus software is effective. After the anti-virus software has been uninstalled, the ransomware restarts the computer to leave Safe Mode and then begins encrypting all of the user's files.
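The two behaviours described above, a forced reboot into Safe Mode and the deletion of shadow copies, both leave traces in process-creation logs that defenders can hunt for. The following Python detection example is added here; it is not from the article or from Sophos, and the article does not say which commands Snatch itself runs. It matches the standard Windows commands that such detection rules commonly watch (`vssadmin delete shadows`, `wmic shadowcopy delete`, and `bcdedit` calls that touch the `safeboot` setting) against constructed Sysmon-style process-creation records, then correlates the two signals per host so that a single administrator running `bcdedit` for troubleshooting does not trigger the high-severity finding on its own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on Sysmon Event ID 1 (process creation).
# They are not from the Snatch report; they exist so the example runs offline.
SAMPLE_EVENTS = [
    {"ts": "2020-08-15T09:01:02", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2020-08-15T09:02:10", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign
    {"ts": "2020-08-15T09:05:30", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2020-08-15T09:07:11", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"ts": "2020-08-15T09:08:45", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"ts": "2020-08-15T14:30:00", "host": "WS03", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set safeboot network"},
]

# (rule name, regex on the image file name, regex on the command line)
RULES = [
    ("shadow_copy_deletion", re.compile(r"^vssadmin(\.exe)?$", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"^wmic(\.exe)?$", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("safe_boot_configured", re.compile(r"^bcdedit(\.exe)?$", re.I), re.compile(r"\bsafeboot\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: datetime
    cmdline: str


def image_name(path: str) -> str:
    """Return the file name part of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def scan_events(events) -> list:
    """Apply every rule to every process-creation record; one alert per matching record."""
    alerts = []
    for ev in events:
        name = image_name(ev["image"])
        for rule, image_re, cmd_re in RULES:
            if image_re.match(name) and cmd_re.search(ev["cmdline"]):
                alerts.append(Alert(rule, ev["host"], datetime.fromisoformat(ev["ts"]), ev["cmdline"]))
                break  # do not double-count a record that matches several rules
    return alerts


def correlate(alerts, window: timedelta = timedelta(hours=1)) -> list:
    """Hosts on which both signals occur within `window`: the combination that the
    article describes (safe-boot reconfiguration plus backup destruction) is far
    more suspicious than either command alone."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert.host, []).append(alert)
    flagged = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.ts)
        rules_seen = {a.rule for a in host_alerts}
        spread = host_alerts[-1].ts - host_alerts[0].ts
        if {"safe_boot_configured", "shadow_copy_deletion"} <= rules_seen and spread <= window:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts.isoformat()} {a.host:<5} {a.rule:<22} {a.cmdline}")
    print("hosts with correlated safe-boot + shadow-copy activity:", correlate(found))
```

On the constructed records this yields four single-rule alerts (the benign `vssadmin list shadows` on WS01 is ignored) and flags only WS02, where both behaviours occur within minutes of each other; WS03's lone `bcdedit` call is reported but not escalated. In production the same rules would run over the real process-creation telemetry (Sysmon, EDR, or Windows Security event 4688 with command-line logging enabled), and the safe-boot signal can be complemented by checking which non-Microsoft services are registered to run in Safe Mode.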

The ransomware naturally also uses a strong encryption algorithm, so brute-force recovery of the files is practically impossible. Companies are advised to back up their files on a daily basis.