Written by Anthony Carballo
on December 16, 2019

A new variant of Snatch ransomware has been seen in the wild. A unique particularity is that it first reboots the infected Windows computers into Safe Mode to disable any security software to run more freely and then encrypt the victims' files.

Another thing that makes Snatch different and more dangerous than the other ransomware is that it not only hijacks the information (encrypting it until you pay the ransom), it is also a stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the targeted organizations or persons.



According to the analysis performed by the security researchers at Sophos Labs, this ransomware sets itself up as a service, called SuperBackupMan, it can be spotted in the Windows registry, and it will do it once it reboots in Safe Mode.

When the computer starts again after the forced reboot, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.

There are cases where the attacker initially accessed the company's internal network by brute-forcing the password of an administrator account on a Microsoft Azure server and was able to log in to the server using Remote Desktop (RDP).



While Snatch is written in Go, a programming language known for cross-platform app development, the adversaries have designed this ransomware to run only on Windows environments. This ransomware has around one year since the first variant was spotted. However, this new variant has evolved, bringing new and better ways to attack. In this instance, rebooting the computer, making it boot in safe mode, which disables most security solutions. Also, even when it encrypts the data, it steals it, putting you or your organization in trouble if the information taken is sensitive.

Cybersecurity culture in the workplace and even at home is the best way to prevent bad things from happening. However, something wrong, something out of our hands, will always occur. What we certainly can do is prepare ourselves with plans, being a step ahead, having at least one backup in an external device, this will significantly reduce the impact if you get hit by ransom.

Ransomware infections aim to encrypt your files using an encryption algorithm, which may be very difficult to decrypt. However, some alternatives can be beneficial to recover your data. Remember that paying is not a good idea; you would be supporting cybercriminals and does not warranties that you are getting your files back.



As we have stated in other reports related to ransomware, if you encounter yourself in this situation, we recommend not paying any ransom. You can go to and get help from them; they list tools that can help you to recover your data.

Some ransomware is delivered as a link, also in spammed email with an infected attachment such as Word, Excel, PowerPoint, or even a PDF that can take advantage of a vulnerability in any PDF viewer installed. Others come in exploit kits; some others are delivered via malvertisements (Malicious Advertisement) or on a compromised website. Thus, the importance of having a good cybersecurity culture at work and home.

Implementing multi factor authentication for users with administrative privileges is vital to make it more difficult for attackers to brute force those accounts.

Having a habit of back-up any critical information you might have, and if it is very sensitive, keep it in a very appropriate place.

Do yourself a favor and install behavior analytics. Try ours for free!

TTPs: Tactics, techniques and procedures


Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Threat report

Criminales usando Google Analytics para robar tarjetas de crédito

Investigadores informaron el lunes que cibercriminales están explotando el servicio de Google Analytics para robar infor...

Threat report

Ransomware usando mapa COVID-19

Hemos detectado un sitio web malicioso que se encuentra activo, el cual  está distribuyendo archivos sospechosos. Los mi...

Threat report

Intel processors – Another flaw but no patch available this time.

Researchers have discovered a new vulnerability that affects Intel processors, and that, for now, has no solution.