Categories: Ad Guardian PlusNews

Snatch reboots Windows to bypass antivirus

Cybersecurity experts discovered a new version of the Snatch ransomware. This reboots infected Windows computers into Safe Mode. Then, it encrypts victims’ files to avoid antivirus detection.

In the diagnostic mode, Windows starts with a minimal set of drivers and services. The antivirus software and other thirt-party startup programs do not load in this mode. Thus, Snatch takes advantage of this.

SophosLabs researchers discovered the Safe Mode in the recent cyber attacks. Still, Snatch has been active since 2018.

According to SophosLabs, “Researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process. When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.”

Snatch is also a data stealer

But the ransomware is also a data stealer. It includes a sophisticated data-stealing module which allows attackers obtain sensitive information.

“Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions. The samples we’ve seen are also packed with the open source packer UPX to obfuscate their contents,” the researchers say.

The attackers also offer partnership to other cybercriminals or mischievous employees that can access credentials and backdoors of important companies. One of the group members posted an offer “looking for affiliate partners with access to RDP \ VNC \ TeamViewer \ WebShell \ SQL injection in corporate networks, stores, and other companies.”

Using the stolen credentials, attackers gain access to the company’s internal network. Then, they run several legitimate system administrators and penetration testing tools to compromise devices. This way, they do not raise any red flag.

“We also found a range of otherwise legitimate tools that have been adopted by criminals installed on machines within the target’s network, including Process Hacker, IObit Uninstaller, PowerTool, and PsExec. The attackers typically use them to try to disable AV products,” the researchers say.

In order to avoid this kind of attacks, organizations should never expose their critical services and secure ports to the public Internet. Also, they should secure them by using strong passwords with multi-factor authentication.

Laurentiu Titei

View Comments

Recent Posts

How to Change My Default Browser on Windows 11 and 10

Windows ships with Edge as the default browser. However, that does not mean you have…

18 hours ago

5 Best VPN for Binance in 2026 (Free and Paid)

Binance, a popular cryptocurrency exchange platform, is unavailable or restricted in regions such as the…

2 days ago

Best Free VPN for Spotify in 2026 [Access Spotify]

It may come as a surprise, but Spotify is available in over 184 markets. In…

3 days ago

Fix Surface Pro 3 – White Spots on Screen Issue

The other day, we noticed white spots on the screen. For us, a computer screen…

4 days ago

How to Find the Epson L380 Driver for Windows System

Epson is a renowned name in the printer industry, known for its world-class yet cost-efficient printers, Epson…

4 days ago

Solved: Application Unable to Start Correctly 0xc0000142 Error

The “application unable to start correctly” 0xc0000142 error code is a problem for many Microsoft…

5 days ago