Rewterz Threat Alert – Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

Severity

High

Analysis Summary

A new variant of the Snatch ransomware is found, that first reboots infected Windows computers into Safe Mode and only then encrypts victims’ files to avoid antivirus detection. Unlike traditional malware, the new Snatch ransomware chooses to run in Safe Mode because in the diagnostic mode Windows operating system starts with a minimal set of drivers and services without loading most of the third-party startup programs, including antivirus software.

When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.
What makes Snatch different and dangerous from others is that in addition to ransomware, it’s also a data stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the target organizations. Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions.

Snatch attacks Windows machines with a collection of malware that includes the ransomware executable; a custom-built data stealer; a Cobalt Strike reverse-shell; and several publicly available tools that are typically used by penetration testers, system administrators or technicians. It’s also all obfuscated by an open-source packer called UPX.
The attackers query the list of users authorized to log in on the box, and write the results to a file. Additionally, WMIC system and user data, process lists, and even the memory contents of the Windows LSASS service are dumped to a file then uploaded to their command-and-control (C2) server.

Impact

• Files Encryption
• Security Bypass
• Data Theft

Indicators of Compromise

Domain Name

• mydatassuperhero[.]com
• mydatasuperhero[.]com

From Email

• doctor666[@]cock.li
• jimmtheworm[@]dicksinmyan.us
• doctor666[@]mail.fr
• newrecoveryrobot[@]pm.me
• imboristheblade[@]protonmail.com

SHA-256

• 80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4
• eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56
• ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a
• fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb
• e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d
• c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6
• 28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184
• 63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940
• 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4
• d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33
• 329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa
• d22b46ea682838e0b98bc6a1e36fd04f0672fe889c03d227cdeb5dcc5d76ae7c
• 5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb
• ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1
• 8c9fab558b3e9e21936a91422d9e2666f210c5fd7d9b0fd08d2353adb64a4c00
• 78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852
• 0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb

Source IP

• 91.218.114[.]26
• 193.188.22[.]25
• 91.218.114[.]37
• 91.218.114[.]77
• 91.218.114[.]4
• 91.218.114[.]25
• 91.218.114[.]31
• 193.188.22[.]26
• 91.218.114[.]79
• 37.59.146[.]180
• 193.188.22[.]29
• 91.218.114[.]38
• 67.211.209[.]151
• 91.218.114[.]11
• 185.61.149[.]242
• 91.218.114[.]32
• 142.11.196[.]65
• 142.11.195[.]192

URL

• http[:]//45.147.228.91/
• http[:]//94.140.125.150/
• http[:]//snatch24uldhpwrm.onion/
• https[:]//snatch24uldhpwrm.onion/
• http[:]//snatch6brk4nfczg.onion
• https[:]//snatch6brk4nfczg.onion/
• http[:]//mydatasuperhero.com/
• http[:]//mydatasuperhero.com/login
• http[:]//mydatassuperhero.com

Remediation

• Block the threat indicators at their respective controls.