
Snatch is a novel ransomware first observed in early 2019, offered as Ransomware-as-a-Service (RaaS) by the actor "BulletToothTony." The actor indicated that, unlike most RaaS, it was deployed through targeted penetration rather than traditional malicious spam ('malspam') or phishing.
The ransomware's execution method is relatively unusual: before encrypting the contents of the drive, it first reboots the system into Windows Safe Mode. In Safe Mode, many safeguards are disabled by default, allowing the malware to encrypt with impunity.
The malware also deletes volume shadow copies in order to inhibit system recovery.
In addition, the malware has been observed being updated with a data theft module, which could indicate that the author intends to further coerce victims into paying the ransom.
Observed ransom notes have taken the form of "RESTORE_[five_character_random_string]_FILES.txt".
As the ransomware is offered as Ransomware-as-a-Service (RaaS), targeting will depend upon the actor purchasing the service.
The malware has been observed being delivered using the following methods:
Snatch has been observed establishing persistence by creating a new service named SuperBackupMan, along with a corresponding registry key (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan) to ensure persistence into Safe Mode.
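The indicators described above (the SuperBackupMan service, its SafeBoot\Minimal registry key, and the ransom note naming pattern) can be combined into a simple hunt over endpoint telemetry. The following is an added example, not part of the original report or any Intel 471 Hunt Package. It assumes a hypothetical normalized event schema (`host`, `type`, `service`, `key`, `path`), registry paths already normalized to the HKLM\SYSTEM\CurrentControlSet form, and that the five random characters are alphanumeric. It also goes beyond the report by flagging any write under SafeBoot\Minimal as a lower-confidence lead.

```python
import re

# Indicators taken from the report above (compared case-insensitively).
SERVICE_NAME = "superbackupman"
SAFEBOOT_PREFIX = r"hklm\system\currentcontrolset\control\safeboot\minimal" + "\\"
# Assumption: the five random characters are letters or digits.
NOTE_RE = re.compile(r"^RESTORE_[A-Za-z0-9]{5}_FILES\.txt$", re.IGNORECASE)

def classify(event):
    """Return finding labels for one event (hypothetical normalized schema)."""
    findings = []
    kind = event.get("type")
    if kind == "service_install":
        if event.get("service", "").lower() == SERVICE_NAME:
            findings.append("snatch_service_name")
    elif kind == "registry_set":
        key = event.get("key", "").lower().rstrip("\\")
        if key.startswith(SAFEBOOT_PREFIX):
            # First path component below SafeBoot\Minimal is the service name.
            sub = key[len(SAFEBOOT_PREFIX):].split("\\")[0]
            findings.append("snatch_safeboot_key" if sub == SERVICE_NAME
                            else "safeboot_minimal_write")
    elif kind == "file_create":
        name = re.split(r"[\\/]", event.get("path", ""))[-1]
        if NOTE_RE.match(name):
            findings.append("snatch_ransom_note_name")
    return findings

def hunt(events):
    """Group findings by host so correlated indicators stand out."""
    hits = {}
    for ev in events:
        for finding in classify(ev):
            hits.setdefault(ev["host"], set()).add(finding)
    return hits

# Constructed sample telemetry (not real data).
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
EVENTS = [
    {"host": "ws01", "type": "service_install", "service": "SuperBackupMan"},
    {"host": "ws01", "type": "registry_set", "key": SAFEBOOT + r"\SuperBackupMan"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\Public\RESTORE_AB1CD_FILES.txt"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Docs\RESTORE_ALL_FILES.txt"},
    {"host": "ws03", "type": "registry_set", "key": SAFEBOOT + r"\OtherSvc\(Default)"},
]

if __name__ == "__main__":
    for host, findings in sorted(hunt(EVENTS).items()):
        print(host, sorted(findings))
```

A host showing all three Snatch-specific labels together is a much stronger signal than any single one; `safeboot_minimal_write` on its own is only a lead to review, since legitimate software may also register Safe Mode services.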