Sophos published an investigative report, Snatch Ransomware Reboots PCs into Safe Mode to Bypass Protection, by SophosLabs and Sophos Managed Threat Response. The report details the changing attack methods of Snatch ransomware, first seen in December 2018, including rebooting PCs into Safe Mode mid-attack in an attempt to bypass behavioral protections that detect ransomware activity. Sophos believes this is a new attack technique adopted by cybercriminals for defense evasion.
Continuing a trend noted in SophosLabs' 2020 Threat Report, the Snatch cybercriminals are now also exfiltrating data before the ransomware attack begins. This behavior has been used by other ransomware groups, including Bitpaymer. Sophos expects this sequence of exfiltrating data before ransomware encryption to continue. Businesses needing to comply with GDPR, the upcoming California Consumer Privacy Act and other regulatory laws may need to notify data protection regulators if they are victims of Snatch.
Snatch is an example of an automated, active attack, also outlined in SophosLabs' 2020 Threat Report. Once attackers gain access by abusing remote access services, they use hand-to-keyboard hacking to move laterally and do damage. As explained in the Snatch report, attackers are gaining entry through insecure IT remote access services, such as (but not limited to) Remote Desktop Protocol (RDP). The report shows examples of Snatch attackers recruiting potential collaborators who are skilled in compromising remote access services in dark web forums. Below is a screen shot of the dark web forum conversation in Russian, which states, "Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQLinj in corporate networks, stores and other companies."
Advice for defenders: