Snatch ransomware is a file-encrypting virus that first appeared in the summer of 2018. By 2020 it had been updated with a distinctive trick: it reboots the infected computer into Safe Mode and only then encrypts data. Because most endpoint security products do not load in Safe Mode, the encryption runs with little chance of being blocked. The original version marks encrypted files with the .Snatch extension; newer variants append .clhmotjdxp, .googl, .hceem, .ohwqg, .jimm, .dglnl or .wvtr0 instead. It primarily targets corporate organizations and drops a ransom note named Readme_Restore_Files.txt that lists imboristheBlade@protonmail.com as the contact address.
Security researchers have also seen the ransomware append a random string of five alphanumeric characters to encrypted files and reuse the same string in the ransom note's name. The string is taken from the name of the ransomware executable. For example, if the executable is named 12345x64.exe, encrypted files receive the .12345 extension and the victim finds a ransom note named README_12345_FILES.txt or DECRYPT_12345_DATA.txt.
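The naming convention above is useful during triage: the token in the ransom note's name tells you which extension to look for. The following helper is an added example written for this article, not Snatch code or a vendor tool. It takes a flat list of file paths from an affected host, recovers the five-character token from a README_<token>_FILES.txt or DECRYPT_<token>_DATA.txt note, and reports the files carrying that token as an extension plus any executable named <token>x64.exe. It also handles the original variant (.Snatch extension with Readme_Restore_Files.txt). The field names, the sample listing and the token k7p2q are constructed for the demonstration.

```python
"""Triage helper for the Snatch file-naming convention.

Added example, not Snatch code. Recovers the five-character token from the
ransom-note filename and classifies the rest of a file listing against it.
The sample listing below is constructed.
"""
import re

# README_<token>_FILES.txt or DECRYPT_<token>_DATA.txt, token = 5 alphanumerics.
# Two group names are needed because Python's re forbids reusing one name.
NOTE_RE = re.compile(
    r"^(?:README_(?P<a>[A-Za-z0-9]{5})_FILES|DECRYPT_(?P<b>[A-Za-z0-9]{5})_DATA)\.txt$",
    re.I,
)
LEGACY_NOTE = "readme_restore_files.txt"   # original variant's note
LEGACY_EXT = "snatch"                       # original variant's extension


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage_listing(paths):
    """Classify one host's file listing.

    Returns the recovered token (lower-cased), the ransom notes found, the files
    that carry the token as an extension, and executables named <token>x64.exe.
    """
    names = [_basename(p) for p in paths]
    token, notes = None, []
    for n in names:
        m = NOTE_RE.match(n)
        if m:
            notes.append(n)
            token = (m.group("a") or m.group("b")).lower()
        elif n.lower() == LEGACY_NOTE:
            notes.append(n)
            token = token or LEGACY_EXT
    result = {"token": token, "notes": notes, "encrypted": [], "dropper_candidates": []}
    if token is None:
        return result
    suffix = "." + token
    result["encrypted"] = [n for n in names if n.lower().endswith(suffix)]
    result["dropper_candidates"] = [n for n in names if n.lower() == f"{token}x64.exe"]
    return result


# Constructed listing: one token-based infection plus untouched files.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\budget.xlsx.k7p2q",
    r"C:\Users\jdoe\Documents\README_k7p2q_FILES.txt",
    r"C:\Users\jdoe\Pictures\holiday.jpg.k7p2q",
    r"C:\Users\jdoe\Pictures\thumbs.db",
    r"C:\Windows\k7p2qx64.exe",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    r = triage_listing(SAMPLE_LISTING)
    print(f"token={r['token']} notes={r['notes']}")
    print(f"{len(r['encrypted'])} encrypted file(s); dropper candidates: {r['dropper_candidates']}")
```

Feed it the output of a recursive directory listing (for example `dir /s /b` redirected to a file) from the affected machine; matching is case-insensitive because the token's case in the note and in the extension is not guaranteed to agree.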
The Snatch ransom note resembles those of other ransomware families such as Dharma, Maze, STOP/Djvu and Phobos. The criminals state that the victim's data has been encrypted and that only they can unlock it, warn the victim not to rename any encrypted files, and urge them to get in touch as soon as possible to arrange payment. According to the ransomware negotiation firm Coveware, it handled 12 Snatch cases between July and October 2019, with ransom demands ranging from $2,000 to $35,000.
Researchers have thoroughly investigated one Snatch attack. They found that the attackers got into the target company's internal network by brute-forcing the password of an administrator account on a Microsoft Azure server. With that password they logged in over Remote Desktop (RDP), then used the account to reach a Domain Controller (DC) on the same network, from which they monitored the environment for several weeks.
The investigation revealed that the attackers installed surveillance software on more than 200 devices in the same internal network and dropped several malicious executables that gave them remote access to those machines. They also installed Advanced Port Scanner, a free Windows utility, to map the network and identify further devices that Snatch could target.
Sophos also identified a tool, Update_Collector.exe, believed to be written by the same group. It uploads the data gathered during the surveillance phase to a remote Command and Control (C&C) server accessible only to the attackers. The crooks rely on legitimate tools as well: PsExec, a remote-execution utility, together with IObit Uninstaller, Process Hacker and PowerTool, which they use to kill or uninstall security software on the targeted devices.
At some point during the intrusion the attackers download the ransomware executable to the compromised device. Its filename contains a unique victim ID, a random five-character string and the suffix _pack.exe. When run, it unpacks itself into the Windows folder under a filename with the same beginning but the suffix _unpack.exe.
Snatch then registers itself as a Windows service named SuperBackupMan, with the description “This service make backup copy every day” to make it look legitimate. The service is configured so that the user cannot stop or pause it. The malware adds registry entries that make the service start during a Safe Mode boot (Windows only starts services in Safe Mode when they are listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal), configures the machine to boot into Safe Mode, and forces an immediate restart.
After the reboot, Snatch runs vssadmin.exe, a built-in Windows tool, to delete all Volume Shadow Copies so that files cannot be restored from local snapshots, and then starts encrypting. Snatch excludes a fixed list of system locations from encryption.
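Every step of the chain described above leaves a Windows event behind: the RDP password guessing shows up as failed logons, the SuperBackupMan service as a service-install event, and the Safe Mode and shadow-copy steps as process creations. The script below is an added example written for this article (not Snatch code and not any vendor's detection content) that runs those checks over exported event data. It assumes events have been converted to dicts with the standard IDs (4625 failed logon with LogonType 10 for RDP, 7045 new service, Sysmon 1 process creation), plus the field names, thresholds and sample records shown, all of which are constructed. The Safe Mode mechanics it relies on are standard Windows behaviour: a service only starts in Safe Mode if listed under SafeBoot\Minimal, and `bcdedit /set {current} safeboot minimal` forces the next boot into Safe Mode.

```python
r"""Hunt for the Snatch intrusion chain in exported Windows event data.

Added example; not Snatch code, not a vendor rule set. Event schema (field names)
and all sample events are constructed for the demonstration.
  4625 (Security)  failed logon; logon_type "10" = RemoteInteractive (RDP)
  7045 (System)    new service installed
  1    (Sysmon)    process creation with full command line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
BRUTE_FORCE_THRESHOLD = 20                 # failed RDP logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... inside this sliding window

SNATCH_SERVICE = "superbackupman"
PACK_BINARY_RE = re.compile(r"_(?:un)?pack\.exe\b", re.I)
# bcdedit ... safeboot: forces the next boot into Safe Mode (standard Windows command)
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)
# vssadmin delete shadows: wipes Volume Shadow Copies, as the article describes
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """One finding per source IP whose failed RDP logons reach `threshold` within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            by_ip[e["source_ip"]].append(datetime.fromisoformat(e["time"]))
    findings = []
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"rule": "rdp_brute_force", "source_ip": ip, "count": peak})
    return findings


def detect_snatch_host_indicators(events):
    """Flag the SuperBackupMan service (or any service binary ending in _pack.exe /
    _unpack.exe), a forced Safe Mode boot via bcdedit, and shadow-copy deletion."""
    findings = []
    for e in events:
        if e["event_id"] == 7045 and e.get("channel") == "System":
            name, path = e.get("service_name", ""), e.get("image_path", "")
            if name.lower() == SNATCH_SERVICE or PACK_BINARY_RE.search(path):
                findings.append({"rule": "snatch_service_install", "time": e["time"],
                                 "detail": f"{name} -> {path}"})
        elif e["event_id"] == 1 and e.get("channel") == "Sysmon":
            cmd = e.get("command_line", "")
            if SAFEBOOT_RE.search(cmd):
                findings.append({"rule": "safeboot_forced", "time": e["time"], "detail": cmd})
            if SHADOW_DELETE_RE.search(cmd):
                findings.append({"rule": "shadow_copies_deleted", "time": e["time"], "detail": cmd})
    return findings


def _at(seconds):
    """Constructed timestamp: offset from an arbitrary base time."""
    return (datetime(2019, 10, 1, 2, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample: a guessing burst against RDP, one unrelated network-logon
# failure, a benign service install, the three Snatch steps, then a benign process.
SAMPLE_EVENTS = [
    {"time": _at(i * 7), "channel": "Security", "event_id": 4625, "logon_type": "10",
     "source_ip": "203.0.113.7", "user": "administrator"} for i in range(25)
] + [
    {"time": _at(90), "channel": "Security", "event_id": 4625, "logon_type": "3",
     "source_ip": "198.51.100.4", "user": "svc_backup"},
    {"time": _at(3600), "channel": "System", "event_id": 7045,
     "service_name": "ContosoBackupAgent", "image_path": r"C:\Program Files\Contoso\agent.exe"},
    {"time": _at(7200), "channel": "System", "event_id": 7045,
     "service_name": "SuperBackupMan", "image_path": r"C:\Windows\9f3kq_unpack.exe"},
    {"time": _at(7205), "channel": "Sysmon", "event_id": 1,
     "command_line": "bcdedit /set {current} safeboot minimal"},
    {"time": _at(7400), "channel": "Sysmon", "event_id": 1,
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"time": _at(7410), "channel": "Sysmon", "event_id": 1,
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in detect_rdp_brute_force(SAMPLE_EVENTS) + detect_snatch_host_indicators(SAMPLE_EVENTS):
        print(f)
```

The brute-force check is the one that buys time: in the documented case the attackers sat in the network for weeks after the password was guessed, so an alert on the logon-failure burst fires long before the service install and the bcdedit call. The two Sysmon rules are generic enough to catch other ransomware that forces Safe Mode or deletes shadow copies, so expect to tune them against legitimate administration scripts.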
The attackers behind this malware, also known as Snatch Team, have been spotted recruiting affiliates online. A user named BulletToothTony posted on a criminal forum that the Snatch Team is “Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies” (translated from Russian).
The same post offers to train recruits in deploying the ransomware and to let them use the group's infrastructure. It closes by saying the author is looking for Russian-speaking partners only. Other evidence likewise points to a Russian origin, yet the ransomware targets companies in the United States, Canada and several European countries.
Paying the ransom funds further attacks and does not guarantee that the files come back; the way to stop this operation is for victims to refuse to pay and to remove Snatch ransomware instead. The crooks only keep spreading the infection while it remains profitable, so if the majority of victims refuse to pay, the campaign loses its point.
The easiest way to remove Snatch ransomware from your system is to run a full system scan with RESTORO. The tool can also replace damaged Windows Registry keys and other corrupted files after the attack. Keep in mind that removing the malware does not decrypt the files; recovery depends on backups that were kept offline or otherwise out of the attackers' reach. Detailed elimination instructions are provided at the end of this article.
| Attribute | Details |
|---|---|
| Name | Snatch ransomware |
| Type | File-encrypting virus, file locker, crypto-malware |
| Targets | Windows devices in corporate networks |
| Extensions | .googl, .hceem, .ohwqg, .jimm, .dglnl, .wvtr0, .snatch, .clhmotjdxp, or a random five-character string |
| Ransom note | Readme_Restore_Files.txt, README_[random-chars]_FILES.txt, DECRYPT_[random-chars]_DATA.txt |
| Ransom amount | $2,000 to $35,000 in the cases reported so far |
| Contact | imboristheBlade@protonmail.com |
| Related files and artifacts | [random-chars]x64.exe, Update_Collector.exe, [random-chars]_pack.exe and [random-chars]_unpack.exe in the Windows folder; a Windows service named SuperBackupMan; vssadmin.exe (a legitimate Windows tool abused to delete shadow copies) |
| Symptoms | Registry changes that make the malware's service start in Safe Mode; the computer restarts into Safe Mode and encryption begins; encrypted files carry a new extension and can no longer be opened |
| Legitimate utilities abused | PsExec, IObit Uninstaller, Process Hacker, PowerTool, Advanced Port Scanner |
| Distribution | Brute-force attacks on exposed RDP credentials, followed by weeks of hands-on reconnaissance and manual deployment across the network; phishing emails are a possible initial vector as well |
| Removal | Run a full system scan with a reputable anti-malware tool (the guide below uses RESTORO); removal does not recover encrypted files |
In the documented case, the attackers first broke into the network over brute-forced RDP credentials and then spread the malware by hand across the machines they had taken over. Other ransomware groups commonly gain the same initial foothold with malicious spam emails: a single employee opening an infected link or attachment on a networked computer can give the attackers a path to every other device connected to that network.
Employees should therefore be careful when opening email on corporate computers, refrain from opening suspicious messages or clicking on promotional content online, and keep an antivirus with real-time protection enabled.
If this threat has reached your system, there is a strong chance that the entire network is compromised: in the documented attack the group had been inside the network for weeks before encrypting anything. Isolate affected machines, treat exposed credentials (in particular the administrator account used over RDP) as compromised, and get professional help, since most users do not have the knowledge to clean up an intrusion of this kind themselves. Use professional software or in-person help to remove Snatch ransomware.
RESTORO can quarantine malicious files and is designed to repair virus damage, including replacing corrupted Windows Registry keys and other built-in components. Elimination guidelines follow below.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan: remove the ransomware and any remaining malware from your computer, then repair the damage the virus caused to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
Snatch ransomware virus Removal Guidelines
Before you try to remove the virus, start your computer in Safe Mode with Networking. Keep in mind that Snatch is built to run in Safe Mode: its SuperBackupMan service is registered to start there, so Safe Mode by itself does not stop it. As part of the cleanup, check HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and SafeBoot\Network) for unfamiliar service entries and remove the malicious one. Below, we describe the easiest ways to boot into Safe Mode; more are covered in our in-depth tutorial, How to Start Windows in Safe Mode.
Now you can search for and remove the Snatch ransomware files. Identifying by hand the files and registry keys that belong to the ransomware is difficult, and the authors rename them frequently, so the easiest way to uninstall this type of threat is a reliable malware removal program. Indicators worth checking manually are the SuperBackupMan service and executables ending in _pack.exe or _unpack.exe in the Windows folder. We suggest combining INTEGO antivirus (removes malware and protects your PC in real time) with RESTORO (repairs virus damage to Windows OS files).
REMOVE MALWARE & REPAIR VIRUS DAMAGE
Step 1. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides real-time protection, a Web Shield against phishing and deceptive websites, and blocking of malicious downloads and zero-day threats. Use it to remove ransomware and other viruses from your computer.
Step 2. Repair virus damage to Windows operating system files
Download RESTORO to scan your system for free and detect security, hardware and stability issues. You can use the scan results to remove threats manually, or get the full version of the software to fix detected issues and repair virus damage to Windows OS system files automatically.
Snatch deletes Volume Shadow Copies with vssadmin.exe before it encrypts, and System Restore points are stored as shadow copies, so on an infected machine System Restore will usually have nothing to restore from. If a restore point, created manually or automatically, does survive, you can use System Restore as follows.
After restoring the system, scan it with antivirus or anti-malware software. In most cases no malware remains, but it never hurts to double-check. We also recommend reading the ransomware prevention guidelines provided by our experts to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
System Mechanic Ultimate Defense is an all-in-one system maintenance suite with seven core components: real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping. Because of this wide range of capabilities it has earned Geek's Advice approval. Get it now for 50% off, or read our full review.
Scott Bolton is a senior content strategist in our Geek’s Advice team. He is exceptionally passionate about covering the latest information technology topics and inspires other team members to follow new innovations. Although Scott is an old-timer among the Geeks, he still enjoys writing comprehensive articles about cybersecurity news as well as quick tutorials.