Security vendors keep improving their detection, and attackers keep looking for ways around it. The latest ransomware family to draw attention is called Snatch, and it uses a simple but effective trick to encrypt a Windows machine even when endpoint protection is installed.
How they do it
Researchers at Sophos report that Snatch is built to sidestep whatever security suite is installed on the target machine: instead of trying to disable it, the ransomware forcibly reboots the device into Windows Safe Mode.
Safe Mode exists for troubleshooting. Windows loads only a minimal set of drivers and services so that an administrator can diagnose errors, remove faulty software, and so on. Most third-party security suites are not loaded in that mode. The researchers say Snatch registers itself so that it runs in Safe Mode, reboots the machine, and only then starts encrypting files, so the endpoint protection never gets a chance to intervene. When the machine comes back up, its files are encrypted and it is effectively unusable.
To force the reboot, the ransomware modifies the Windows registry. For the uninitiated, the registry is the database in which Windows keeps its hardware and software configuration, including which services are allowed to run in Safe Mode and how the next boot should behave. Changing those settings needs no interaction from the user; the malware only needs sufficient privileges to write them.
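The article does not show how to check a machine for this kind of tampering, so here is an added example, written for this page and not taken from the Sophos report or from the Snatch code. It assumes the standard Windows mechanism: services and drivers listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network) are the ones Safe Mode loads, and a "safeboot" value on the current boot entry (set with bcdedit) makes the next restart a Safe Mode boot. The "binary outside the Windows directory" heuristic and the function names are this example's own assumptions.

```powershell
# Added example, not from the article or the Sophos report: audit a Windows host for the two
# settings an attacker must change to run a service in Safe Mode and force the next boot into it.
# Assumptions: the standard Windows mechanism is used, i.e. entries under
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network) name the services and
# drivers that Safe Mode loads, and "bcdedit /set {current} safeboot minimal" makes the next
# boot a Safe Mode boot. Run from an elevated PowerShell session.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SafeBootEntries {
    # List every entry under SafeBoot\Minimal and SafeBoot\Network with its type
    # ('Service' or 'Driver', stored in the key's default value) and, where a matching
    # service key exists, the binary that service runs.
    foreach ($bootProfile in 'Minimal', 'Network') {
        $profilePath = Join-Path $SafeBootRoot $bootProfile
        if (-not (Test-Path $profilePath)) { continue }
        foreach ($key in Get-ChildItem -Path $profilePath) {
            $name = $key.PSChildName
            $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $imagePath = $null
            if (Test-Path $svcKey) {
                $imagePath = (Get-ItemProperty -Path $svcKey).ImagePath
            }
            [pscustomobject]@{
                Profile   = $bootProfile
                Name      = $name
                Kind      = $kind
                ImagePath = $imagePath
            }
        }
    }
}

function Get-SuspiciousSafeBootEntries {
    # Heuristic (an assumption to tune per environment): a Safe Mode *service* whose binary
    # lives outside the Windows directory is unusual. Windows' own Safe Mode services run
    # from %SystemRoot%; malware staged as a fake "backup" service normally does not.
    $systemRoot = $env:SystemRoot
    Get-SafeBootEntries | Where-Object {
        $_.Kind -eq 'Service' -and $_.ImagePath -and
        (($_.ImagePath -replace '^"', '' -replace '%SystemRoot%', $systemRoot) -notlike "$systemRoot*")
    }
}

function Test-SafeBootPending {
    # True when the current boot entry carries a 'safeboot' value, which means the next
    # restart will enter Safe Mode. The braces are quoted so PowerShell passes them through.
    $entry = bcdedit /enum '{current}' 2>$null
    if (-not $entry) { return $false }   # bcdedit prints nothing without elevation
    return [bool]($entry | Select-String -Pattern '^\s*safeboot\s+\S+')
}

# Usage: review all Safe Mode entries, then the ones worth a closer look, then the boot flag.
Get-SafeBootEntries | Format-Table -AutoSize
Get-SuspiciousSafeBootEntries | Format-Table -AutoSize
if (Test-SafeBootPending) {
    Write-Warning 'The current boot entry has safeboot set: the next restart goes to Safe Mode.'
}
```

A flagged entry is a lead, not proof; compare the list against a known-good build of the same Windows version before deleting anything. If the boot flag is set and no administrator set it, clear it with `bcdedit /deletevalue '{current}' safeboot` and remove the rogue SafeBoot key before the next reboot. For ongoing detection, writes under the SafeBoot key and executions of bcdedit with a safeboot argument are worth alerting on (Sysmon registry events and process-creation events carry both), since legitimate software rarely touches either.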
The Snatch gang
According to the Sophos researchers, Snatch has been active since the summer of 2018 and attracted little attention until now. One reason is that the gang avoids home users and does not rely on mass phishing to infect random devices; instead it picks specific targets, including large enterprises and government organisations.
The gang is reported to be active on popular criminal forums, where it recruits new members and teams up with other groups to find targets. Its members are said to be Russian-speaking, and alongside encrypting systems they steal data: even after a victim pays the ransom, the stolen data may later be put up for sale or leaked online.
This targeted, low-profile way of operating helps the gang stay out of the headlines even after a large attack. The only publicly named Snatch victim is the web hosting company SmarterASP.NET, whose breach affected roughly 440,000 customers. According to Sophos, Snatch carried out 19 attacks between July and October 2019.