LOLBAS
- BCDEdit
- ServiceControl (sc.exe)
Snatch is a Windows ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018.
Profile source: Mallory opens in a new tabSNATCH
Snatch is a Windows ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018. It is notable for rebooting infected Windows systems into Safe Mode before encrypting files, a technique intended to bypass endpoint protection because many security products do not run in Safe Mode. Sophos reported the malware is written in Go, packed with UPX, targets Windows 7 through Windows 10 in both 32-bit and 64-bit versions, and installs itself as a Windows service named SuperBackupMan. It adds the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan with value Default:Service, uses bcdedit.exe to force a Safe Mode reboot, then in Safe Mode stops its service with net.exe, deletes Volume Shadow Copies with vssadmin.exe, and encrypts local files. Encrypted files receive a pseudorandom five-character alphanumeric extension, and ransom notes were observed as README_ABCDE_FILES.txt or DECRYPT_ABCDE_DATA.txt. Earlier samples used the email address imBoristheBlade@protonmail.com, and the binaries contain hardcoded OpenPGP public key blocks.
Snatch operators were linked by Sophos to the self-described "Snatch Team," including a suspected member using the handle BulletToothTony who recruited affiliates with access via RDP, VNC, TeamViewer, web shells, and SQL injection. Sophos observed initial access primarily through brute-forced internet-exposed RDP, followed by days or weeks of reconnaissance, credential theft, lateral movement, and data exfiltration using custom tooling, Cobalt Strike, PsExec, Advanced Port Scanner, Process Hacker, IObit Uninstaller, and PowerTool. In one case, attackers brute-forced an administrator account on a Microsoft Azure server, pivoted to a domain controller, deployed surveillance tooling to about 200 machines, collected WMI data, process lists, and LSASS memory contents, and uploaded data to command-and-control infrastructure. Snatch has also been described as one of the earlier ransomware operations to steal data and threaten publication, and FBI/CISA reporting states the group uses double extortion.
Additional reporting states Snatch has been delivered as a secondary payload by the Get2 downloader in TA505 campaigns. The malware family has also been observed using Namecoin .bit domains as part of its C2 infrastructure. Public reporting cited in the content notes victims in the United States, Canada, and several European countries, and an FBI/CISA joint advisory was issued covering Snatch RaaS tactics, techniques, procedures, mitigations, and indicators of compromise.
Ransomware.live
Reported operators
Get2 was, in turn, observed downloading FlawedGrace, FlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads.
The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.
MITRE ATT&CK
Reporting
この状態でランサムウェアを実行するのを仕組化して悪用したのがSnatch。
The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.
I learned about this technique reading about snatch ransomware. ... Snatch ransomware reboots PCs into Safe Mode to bypass protection
FBI and CISA issued a joint advisory for Snatch RaaS.
Notably, competitor RaaS groups expressed much interest in learning about how LockBit was infiltrated. A Snatch RaaS operator also pointed out on their Telegram channel that they were all at risk.
Malware families that we have observed using Namecoin domains as part of their C2 infrastructure include: ... SNATCH ...
...Rhysida, Snatch, and Trigona: less than one percent each (2 incidents each)
In 2022, the same list grew to include some well known closed Ransomware-as-a-service (RaaS) variants that typically target mid-market and larger enterprises: Phobos Dharma Quantum Artemis BlackByte Vice Society Conti Hive Lone Wolf Actors Snatch
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.