

















Snatch is a novel ransomware first observed in early 2019 being offered as Ransomware-as-a-Service (RaaS) by the actor "BulletToothTony." The actor indicated that, unlike most RaaS, it was deployed through targeted penetration, rather than traditional malicious spam ('malspam') or phishing.
The ransomware employs a relatively unique methodology in its execution in that in order to encrypt the contents of the drive it first reboots the system into Safe Mode. Upon entering Windows Safe Mode, many safeguards are, by default, disabled, allowing the malware to encrypt with impunity.
Additionally, the malware will delete volume shadow copies in order to inhibit system recovery.
Additionally, the malware has been observed being updated with a data theft module, which could indicate that the author intends to attempt to further coerce victims into paying their ransom.
Observed ransom note have taken the form of "RESTORE_[five_character_random_string]_FILES.txt"
As the ransomware is offered as Ransomware-as-a-Service, (RaaS) targeting will depend upon the actor purchasing the service.
The malware has been observed being delivered using the following methods:
Snatch has been observed establishing persistence by creating a new service entitled SuperBackupMan, along with a corresponding registry key (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan) to ensure persistence into Safe Mode
Get the Free Hunt Packages!
Check Out Other Emerging Threats >
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。