Snatch ransomware uses Safe Mode loophole to beat Windows defenses

Sophos’s research team has identified a new attack in the wild that abuses a Windows feature to bypass security software installed on a PC.

The Snatch ransomware crashes the computer and forces it to reboot into Safe Mode, where antivirus and other security software are normally not running. The malware, which auto-starts as a service in Safe Mode, then encrypts the PC and demands a ransom in Bitcoin.
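The article only describes the behaviour, so here is an added PowerShell audit (example code written for this page, not from Sophos or the article) that checks a Windows host for the two conditions the technique depends on: a boot configuration that forces the next start into Safe Mode, and services registered to load while in Safe Mode. The registry paths and `bcdedit` output format are real; the rule that flags a service binary outside the Windows directory is an assumption of this example, meant as a triage signal rather than proof of compromise. Run it from an elevated prompt.

```powershell
# Added example (not from the Sophos report or this article): audit a Windows host for
# the conditions the Snatch technique depends on. Run from an elevated PowerShell prompt.

# 1. Boot configuration. bcdedit prints a "safeboot" line (Minimal or Network) for the
#    current boot entry only when the flag is set.
$bcd = bcdedit /enum '{current}' 2>$null
$safebootLine = $bcd | Where-Object { $_ -match '^\s*safeboot\s+' }
if ($safebootLine) {
    Write-Warning "Current boot entry forces Safe Mode: $($safebootLine.Trim())"
} else {
    Write-Output 'OK: current boot entry does not force Safe Mode.'
}

# Heuristic (an assumption of this example, not a rule from the article): a service whose
# binary lives outside the Windows directory deserves a closer look when it is registered
# to load in Safe Mode, where endpoint protection is normally absent.
function Test-InsideWindowsDir {
    param([string]$ImagePath)
    $expanded = [System.Environment]::ExpandEnvironmentVariables($ImagePath).Trim('"')
    $winDir   = $env:SystemRoot
    # Forms seen in ImagePath values: expanded path, NT object path, and two relative forms.
    foreach ($prefix in "$winDir\", "\??\$winDir\", '\SystemRoot\', 'System32\') {
        if ($expanded.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 2. Safe Mode service registrations. Each subkey under SafeBoot\Minimal (and \Network)
#    names a service or driver group that Windows will load in that mode.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$results = foreach ($mode in 'Minimal', 'Network') {
    $safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    foreach ($entry in Get-ChildItem -Path $safeBootKey -ErrorAction SilentlyContinue) {
        $name = $entry.PSChildName
        # Only service names have a matching key under ...\Services; class GUIDs and
        # driver groups do not and are skipped here.
        $svc = Get-ItemProperty -Path "$servicesKey\$name" -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        [pscustomobject]@{
            Mode       = $mode
            Service    = $name
            Kind       = $entry.GetValue('')   # default value: "Service" or "Driver"
            StartType  = $svc.Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
            ImagePath  = $svc.ImagePath
            Suspicious = -not (Test-InsideWindowsDir -ImagePath $svc.ImagePath)
        }
    }
}
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Review anything reported as `Suspicious` against your own software inventory: some legitimate third-party tools, including endpoint protection itself, register under SafeBoot, so the list is a starting point for an analyst rather than a verdict. A `safeboot` flag on the current boot entry that nobody set deliberately should be treated as an incident.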

Sophos has seen the attack on at least 12 occasions over the last 3 months, with Bitcoin ransom demands ranging from $2,900 to $51,000.

“Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions,” the news report said. “The malware we’ve observed isn’t capable of running on platforms other than Windows.”

The ransomware does not use any specific vulnerability, but rather a toolkit of exploits to infect PCs. Sophos recommends the following measures to prevent and detect infection:

  • As we’ve been urging organizations to do for a while now, Sophos recommends that organizations of any size refrain from exposing the Remote Desktop interface to the unprotected internet. Organizations that wish to permit remote access to machines should put them behind a VPN on their network, so they cannot be reached by anyone who does not have VPN credentials.
  • The Snatch attackers also expressed interest in contracting with, or hiring, criminals who are capable of breaching networks using other types of remote access tools, such as VNC and TeamViewer, as well as those with experience using Web shells or breaking into SQL servers using SQL injection techniques. It stands to reason that these types of internet-facing services also pose significant risks if left unattended.
  • Likewise, organizations should immediately implement multifactor authentication for users with administrative privileges, to make it more difficult for attackers to brute force those account credentials.
  • For Sophos customers, it is imperative that all users are running the most current endpoint protection, and enable the CryptoGuard feature within Intercept X.
  • The majority of initial access and footholds that we have observed are on unprotected and unmonitored devices. It’s extremely important for organizations of almost any size to perform regular and thorough inventory of devices, to ensure no gaps or “dark corners” exist on your network.
  • Execution of the Snatch ransomware occurred after threat actors had several days of undetected and uninhibited access to the network. A rigorous and mature threat hunting program would have greater potential to identify the threat actors prior to the execution of the ransomware executable.

Read all the details on the new threat at Sophos here.

via Life Hacker
