Microsoft Windows machines are at risk from a malware threat that can bypass antivirus protection
Security researchers are investigating a particularly nasty piece of malware that can bypass Windows 10 security. The threat, which comprises not only a new variation of ransomware known as Snatch but also a data-stealer component, has been targeting businesses since 2018. However, according to the Sophos researchers who have published a report into the Snatch threat actors, it has recently been modified in such a way as to bypass Windows 10 security measures. It achieves this because the Snatch executable forces the infected Windows machine to reboot immediately into Safe Mode before doing anything else. The researchers think this is done to circumvent corporate endpoint protection, including antivirus software, which often does not run in Safe Mode. “SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated,” Andrew Brandt, principal researcher for Sophos, said, “we needed to publish this information as a warning to the rest of the security industry, as well as to end-users.” Brandt called Snatch “devious and evil” in a Twitter posting about the threat.
Who is behind the Snatch malware threat?
According to the Sophos report, the threat actors behind the Snatch malware refer to themselves on dark web message forums as the Snatch Team. On these same Russian-language forums, the criminal group has been posting appeals for “affiliate partners” and offering to buy network access intelligence, which it uses to carry out automated brute-force attacks against networks as the starting point of a targeted exploit campaign.
What is the Snatch Team modus operandi?
For now at least, it appears that the Snatch Team is targeting only corporate networks rather than consumers. The adverts for affiliate partners confirm this, as the group is looking for systems that are vulnerable to the type of automated brute-force attack it favors. That attack looks for exposed services, notably the Remote Desktop Protocol (RDP). If this sounds familiar, it should: exposed RDP was the attack vector for the Windows BlueKeep attack that the U.S. Government warned about. The Sophos report suggested that attacks have been happening against organizations in the U.S., Canada and several European countries. By taking a targeted approach against corporate targets rather than home users, the Snatch Team has managed to stay relatively “under the radar” until now.
What does this Windows 10 malware do?
As well as the typical ransomware behavior of encrypting files, Snatch goes one step beyond most such threats. Actually, make that a few steps beyond. I’m not just talking about the Safe Mode reboot that follows the installation of a Windows service called “SuperBackupMan,” but the fact that it deletes all volume shadow copies it finds to prevent the forensic recovery of the encrypted files. Another piece of malware employed by the Snatch Team is “capable of, and has been,” Brandt said, “stealing vast amounts of information from the target organizations.” If ransomware and data theft weren’t bad enough, in one attack surveillance software was also installed on some of the machines in the infected network. The ransom demanded by the threat actors can be as high as $35,000 (£26,500), but the ongoing cost could be much higher if the stolen data is sold via dark marketplaces.
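As an added defensive check (not code from the Sophos report or from this article), the following PowerShell audits the registry keys Windows consults to decide which services start in Safe Mode, reports any entry that is not in a known-good baseline or that matches the “SuperBackupMan” name quoted above, and prints how many volume shadow copies remain. The baseline file path is an assumption; export one from a clean machine of the same build.

```powershell
# Added audit script (not from the Sophos report or the article). Run from an elevated
# PowerShell prompt on the host being checked.

# Windows consults these keys to decide which services and drivers start in Safe Mode.
$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',   # plain Safe Mode
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'    # Safe Mode with Networking
)

# Baseline of entry names exported from a known-good machine of the same build
# (assumed placeholder path; the file holds one entry name per line).
$baselinePath = 'C:\Baselines\safeboot-entries.txt'
$baseline = if (Test-Path $baselinePath) { Get-Content $baselinePath } else { @() }

# Service name quoted in the article; anything else missing from the baseline is also reported.
$knownBad = @('SuperBackupMan')

$findings = @()
foreach ($key in $safeBootKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $name = $entry.PSChildName
        $reason = $null
        if ($knownBad -contains $name)        { $reason = 'name matches reported Snatch service' }
        elseif ($baseline -notcontains $name) { $reason = 'not in baseline' }
        if (-not $reason) { continue }

        # Resolve the backing service binary, if the entry names an installed service.
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Key    = $key.Split('\')[-1]
            Entry  = $name
            Reason = $reason
            Binary = if ($svc) { $svc.PathName } else { '(no matching service)' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No unexpected Safe Mode start entries found.'
} else {
    $findings | Format-Table -AutoSize
}

# The article notes that Snatch deletes volume shadow copies; a sudden drop to zero on a
# host that normally keeps them is a second signal worth alerting on.
$shadowCount = (Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Output "Volume shadow copies present: $shadowCount"
```

Some legitimate security products register themselves under these keys, so review the Binary column and add such entries to the baseline rather than treating every hit as malicious.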
Recommended mitigation for the Snatch Team threat
Snatch can run on most versions of Windows, going back as far as Windows 7 and through to both the 32-bit and 64-bit versions of Windows 10. Sophos advised that to mitigate the Snatch risk, organizations should “refrain from exposing the RDP interface to the unprotected internet,” and “immediately implement multifactor authentication for users with administrative privileges.” Although, as already stated, the Snatch Team has targeted corporate users to date, the threat could well morph to embrace consumers. Now that the methodology is out in the open, I would expect other threat actors to adopt similar tactics in future ransomware campaigns. Home users should, therefore, take note of the same ransomware mitigation basics that apply to business.