TechRepublic recently published an article detailing the latest ransomware threat and how you can protect your organization. We have included excerpts from the article below, and you can access the full article here.
Discovered and analyzed by security provider Sophos, Snatch attempts to bypass traditional security software by rebooting your PC into Safe Mode.
Windows Safe Mode tries to help you troubleshoot various maladies by rebooting your PC in a vanilla way without loading certain software, drivers, or services. That process also prevents anti-virus software from loading. And that leads to a tactic being employed by a particularly dangerous strain of ransomware.
Known as Snatch, the ransomware, as described by Sophos in a recent news post, forces a Windows PC to reboot into Safe Mode, thereby preventing any anti-virus or security software from running. Snatch, which itself runs as a service during Safe Mode, encrypts the victim’s hard drive, and tries to force the user to pay the necessary ransom to be able to access the drive again.
Sophos actually ran into Snatch last year and said it believes the ransomware has been active since the summer of 2018. In mid-October 2019, the security vendor had to help a targeted organization investigate and resolve a ransomware outbreak. Seeing Snatch at work, Sophos believes that the Safe Mode component is a newly added tactic.
How it works
At some point during an attack, the ransomware piece is downloaded to a targeted computer. The ransomware installs itself as a Windows service called SuperBackupMan, which is set immediately before the PC starts to reboot, giving an organization little or no chance to stop the service in time.
The attackers then use administrator access to run the Windows command-line tool BCDEDIT to force an immediate reboot of the computer in Safe Mode. After the PC reboots, the malware uses a Windows command called vssadmin.exe to delete all the Volume Shadow Copies on the system, thereby preventing a recovery of the files encrypted by the ransomware. Finally, the ransomware encrypts documents on the hard drive.
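The three steps just described (a service named SuperBackupMan is registered, bcdedit forces a Safe Mode boot, vssadmin removes the Volume Shadow Copies) each leave a process-creation event that a defender can alert on, and the sequence on one host within a short window is a much stronger signal than any single step. The script below is an added example, not code from Sophos or TechRepublic: it runs three pattern rules over a constructed sample of process-creation events and then correlates them per host. The event field names, the timestamps, the host names and the benign admin commands are all assumptions made for the sample; only the service name and the two tool names come from the article. The ATT&CK technique IDs in the rule descriptions are the public MITRE identifiers for Safe Mode boot and shadow-copy deletion.

```python
"""Detection rules for the Safe Mode ransomware sequence described by Sophos.

Added example, not Sophos's or TechRepublic's code. Event field layout
(ts, host, user, image, cmdline) is an assumption; real SIEM schemas differ.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events (shape loosely follows
# Security event 4688 / Sysmon event 1, reduced to the fields the rules need).
SAMPLE_EVENTS = [
    {"ts": "2019-10-14T02:10:41Z", "host": "FS01", "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc create SuperBackupMan binPath= \"C:\\ProgramData\\sbm.exe\" start= auto"},
    {"ts": "2019-10-14T02:10:55Z", "host": "FS01", "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"ts": "2019-10-14T02:11:02Z", "host": "FS01", "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\shutdown.exe",
     "cmdline": "shutdown /r /f /t 0"},
    # After the Safe Mode reboot, the service deletes the shadow copies.
    {"ts": "2019-10-14T02:14:30Z", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign noise on another host: a helpdesk user only listing entries.
    {"ts": "2019-10-14T09:00:00Z", "host": "WS22", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /enum"},
    {"ts": "2019-10-14T09:00:10Z", "host": "WS22", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# (rule name, command-line pattern, analyst-facing description)
RULES = [
    ("snatch_service_install", re.compile(r"\bSuperBackupMan\b", re.I),
     "service name Sophos associates with Snatch (ATT&CK T1543.003)"),
    ("safe_mode_boot_forced", re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I),
     "bcdedit used to set or clear a Safe Mode boot (ATT&CK T1562.009)"),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I),
     "Volume Shadow Copies deleted, blocking recovery (ATT&CK T1490)"),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, pattern, _ in RULES if pattern.search(event["cmdline"])]


def detect(events, window=timedelta(minutes=30)):
    """Run the single-event rules, then correlate hits per host.

    Returns (alerts, sequences). `alerts` is a list of (host, ts, rule) in time
    order. `sequences` lists hosts where a Safe Mode boot was forced within
    `window` of a suspicious service install or a shadow-copy deletion, which
    is the ordering the article describes for Snatch.
    """
    alerts = []
    hits_by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        for rule in match_rules(ev):
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append((ev["host"], ev["ts"], rule))
            hits_by_host.setdefault(ev["host"], []).append((ts, rule))

    sequences = []
    for host, hits in hits_by_host.items():
        safeboot_times = [t for t, r in hits if r == "safe_mode_boot_forced"]
        other_times = [t for t, r in hits if r != "safe_mode_boot_forced"]
        if any(abs(t - s) <= window for s in safeboot_times for t in other_times):
            sequences.append(host)
    return alerts, sequences


if __name__ == "__main__":
    alerts, sequences = detect(SAMPLE_EVENTS)
    for host, ts, rule in alerts:
        print(f"{ts} {host}: {rule}")
    print("hosts with the full Safe Mode sequence:", sequences)
```

Run against the sample, the three FS01 events fire one rule each and FS01 is reported as a correlated sequence, while the read-only `bcdedit /enum` and `vssadmin list shadows` on WS22 produce nothing. The Safe Mode rule deliberately matches any bcdedit invocation that touches the safeboot value, including the clean-up that clears it, since neither is routine on a server; tune the window to how quickly your endpoints actually reboot.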
To protect your organization against this type of ransomware, Sophos offers several pieces of advice:
- Don’t expose your Remote Desktop interface to unprotected internet access. Sophos recommends that organizations refrain from exposing the Remote Desktop interface to the unprotected internet. Organizations that need to permit remote access to machines should put them behind a VPN on their network, so they can’t be accessed by anyone without VPN credentials.
- Secure your other remote access tools. In a post on a criminal message board, the Snatch attackers wanted to hire or contract with other criminals able to break into networks using such remote access tools as VNC and TeamViewer. They also were looking for people with experience using Web shells or hacking into SQL servers using SQL injection attacks. Any internet-facing remote access tools and other vulnerable programs pose risks if they’re left unattended.
- Use multi-factor authentication for administrators. Organizations should set up multi-factor authentication for users with administrative privileges to make it harder for attackers to brute force those account credentials.
- Inventory your devices. Most of the initial access points and footholds that Sophos found in connection with Snatch were on unprotected and unmonitored devices. Organizations need to run regular, thorough inventory checks of all devices to make sure no gaps exist.
- Search your network for threats. The Snatch ransomware went into action after the attackers had several days of undetected, uninhibited access to the network. A full threat-hunting program could potentially identify this type of activity before the ransomware has the ability to take hold.
Photo credit: Pexels