This, the company pointed out, helped to bypass some behavioural protections on Windows systems that detect ransomware activity, and was a new attack technique. Snatch had also incorporated a tool that exfiltrates data.
In a blog post, Sophos' principal researcher Andrew Brandt said endpoint protection often did not function when a Windows PC was running in safe mode.
"The ransomware... sets itself up as a service that will run during a safe mode boot," he wrote. "It then quickly reboots the computer into safe mode, and in the rarefied safe mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives."
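The persistence step Brandt describes, a service registered to start in safe mode, leaves a trace that can be checked on a live host. The following PowerShell hunt script is an added example and not from the Sophos post; it assumes Windows' standard SafeBoot registry keys, and its "looks outside %SystemRoot%" heuristic and the bcdedit check are assumptions, since the article does not say how Snatch forced the reboot.

```powershell
# Added example: list services Windows will start in Safe Mode so an unexpected
# entry can be reviewed before the next reboot. Windows reads these keys at boot;
# a subkey whose default value is "Service" names a service allowed to run,
# while "Driver Group" names a class of drivers.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = foreach ($mode in 'Minimal', 'Network') {
    $modeKey = Join-Path $safeBootRoot $mode
    if (-not (Test-Path $modeKey)) { continue }
    Get-ChildItem -Path $modeKey | ForEach-Object {
        $entryType = (Get-ItemProperty -Path $_.PSPath).'(default)'
        if ($entryType -ne 'Service') { return }   # skip driver groups
        $svcName = $_.PSChildName
        $svcKey  = Join-Path $servicesRoot $svcName
        $svc     = if (Test-Path $svcKey) { Get-ItemProperty -Path $svcKey } else { $null }
        $image   = if ($svc) { $svc.ImagePath } else { '<no service key>' }
        # Heuristic (assumption): built-in safe-mode services live under %SystemRoot%;
        # anything else, or a SafeBoot entry with no matching service, deserves a look.
        $outsideSystemRoot = $image -notmatch '(?i)^(\\\?\?\\)?"?(%SystemRoot%|\\SystemRoot|System32|C:\\Windows)'
        [pscustomobject]@{
            Mode      = $mode
            Service   = $svcName
            ImagePath = $image
            Review    = $outsideSystemRoot -or ($null -eq $svc)
        }
    }
}
$findings | Sort-Object Review -Descending | Format-Table -AutoSize

# Boot configuration check (assumption: a persistent safe-mode flag can be set in the
# BCD; the article does not state the mechanism Snatch used). Requires an elevated shell.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match 'safeboot') {
    Write-Warning 'Current boot entry carries a safeboot setting; the host will start in Safe Mode on next boot.'
}
```

Entries flagged Review are candidates for comparison against a known-good host of the same Windows build, not confirmed findings.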
"What we refer to as Snatch malware comprises a collection of tooling, which includes a ransomware component and a separate data stealer, both apparently built by the criminals who operate the malware; a Cobalt Strike reverse-shell; and several publicly-available tools that aren’t inherently malicious, but used more conventionally by penetration testers, system administrators, or technicians," he said.
Brandt said the actors behind Snatch appeared to be using automated brute-force attacks to gain access to Windows systems and then spread through internal networks by human action.
The blog post also gave a detailed account of one specific attack on a Microsoft Azure platform.
Brandt said exposing Windows' Remote Desktop interface to the Internet was a risk. "Organisations that wish to permit remote access to machines should put them behind a VPN on their network, so they cannot be reached by anyone who does not have VPN credentials," he added.
Additionally, since the Snatch ransomware was executed on a network only several days after the attackers had gained access, it was necessary to have a rigorous and mature threat-hunting program running, Brandt said.
"And the name Snatch doesn’t appear to be a coincidence," he added. "In earlier versions of the ransomware, the ransom note included an email address of 'imBoristheBlade @ protonmail.com' which seems to be a reference to the Guy Ritchie movie Snatch (2000), in which a Rasputin-esque former-KGB agent character named Boris the Blade is beaten, shot, and stabbed throughout, often with little to no effect on his ability to get up and carry on fighting. Bullet Tooth Tony, the handle used by the message board poster, is another character who appears in the same movie."
Screenshot: courtesy Sophos