Snatch data-theft ransomware, which is newly discovered, forces a Windows machine to reboot into Safe Mode to bypass endpoint protection, according Sophos Managed Threat Response (MTR). Snatch cybercriminals also are exfiltrating data before a ransomware attack begins.
Snatch cybercriminals are using automated brute-force attacks to penetrate vulnerable, exposed Windows services and leverage that foothold to spread the ransomware within a victim's network, according to SophosLabs and Sophos MTR. In doing so, Snatch cybercriminals have been able to use the ransomware to steal data from various organizations.
How Does Snatch Work?
Snatch was first seen in December 2018. It consists of both a ransomware component and data stealer, a Cobalt Strike reverse-shell and several publicly available tools that are commonly used by penetration testers, system administrators and technicians.
Cybercriminals set up Snatch as a service that runs during a Windows machine's Safe Mode boot and reboots the device into Safe Mode. Then, in a rarefied Safe Mode environment where most software is inactive, cybercriminals use Snatch to encrypt a victim’s hard drive.
How to Combat Snatch Attacks
SophosLabs and Sophos MTR offered the following recommendations to help organizations combat Snatch attacks:
- Use a virtual private network (VPN) to manage access to Windows machines.
- Implement multi-factor authentication (MFA) for users with administrative privileges to Windows machines.
- Deploy endpoint protection software that leverages artificial intelligence (AI) and machine and deep learning technologies.
- Ensure a Windows machine's endpoint protection software is up to date.
- Monitor Windows devices and networks.
- Identify and shut down publicly accessible Windows remote access services.
- Develop and implement a threat hunting program.
MSSPs and Ransomware Mitigation
MSSPs can help organizations guard against Snatch and other ransomware attacks by promoting and managing such risk mitigation strategies as:
- backup software/services and associated testing services;
- endpoint, network and cloud security;
- cybersecurity awareness training;
- patch management; and
- best practices such as two-factor authentication (2FA).
