Remove Snatch Ransomware (Virus Removal Guide)

Snatch ransomware forces the PC to boot into Safe Mode to protect the encryption process

Snatch ransomware is an advanced file-encrypting virus that first appeared in the summer of 2018. In 2020 it was updated and now boots the computer into Safe Mode before performing the data encryption. This lets it avoid detection by security tools, since most of them do not run in the Safe Mode environment. The original version of this crypto-malware uses the .Snatch file extension to mark the encrypted files, while newer variants may append the .clhmotjdxp, .googl, .hceem, .ohwqg, .jimm, .dglnl, or .wvtr0 extensions. It initially targeted corporate organizations and leaves a Readme_Restore_Files.txt file as the ransom note, listing imboristheBlade@protonmail.com as the contact email.

The example of the ransom notes displayed by Snatch ransomware versions.

Furthermore, security researchers have spotted this ransomware appending a random string of five alphanumeric characters to the encrypted files and the ransom note. The string is taken from the name of the virus’ executable file and then reused for the other files. For example, if the ransomware’s exe file is named 12345x64.exe, then the extension will appear as .12345 and victims will receive a README_12345_FILES.txt or DECRYPT_12345_DATA.txt ransom note.

Snatch virus uses a ransom-demanding message similar to those of other ransomware-type infections, including DHARMA, MAZE, STOP/DJVU, PHOBOS, etc. The criminals state that the victim’s data has been encrypted and only they can unlock it. Victims are asked to refrain from renaming their files or any documents if they want to avoid data loss. Additionally, the crooks ask to be contacted as soon as possible to arrange payment. According to the ransom negotiation company Coveware, it handled 12 cases of this ransomware between July and October. Companies were asked to pay from $2 000 to $35 000 as a ransom.

Attackers use the admin’s account on the Microsoft Azure server to steal sensitive data

Researchers have performed a thorough investigation of one of the attacks by the Snatch ransomware virus. They discovered that the cybercriminals accessed the targeted company’s internal network by brute-forcing the administrator’s password to the Microsoft Azure server. Following that, they were able to log into the account through Remote Desktop (RDP) and use it to access the Domain Controller (DC) machine on the same network, from which they conducted surveillance for several weeks.

Files encrypted by Snatch ransomware virus.

The investigation revealed that the attackers installed surveillance applications on over 200 devices operating in the same internal network and planted several malware executables that allowed them to access the machines remotely. Additionally, the cybercriminals installed a free Windows tool, Advanced Port Scanner, to run some checks and identify other devices on the network that could be targeted by Snatch.

Furthermore, experts at Sophos have discovered a malicious program, Update_Collector.exe, that is believed to be created by the same people as this ransomware. It transfers the information collected during the surveillance to a remote Command and Control (C&C) server accessible only by the attackers. The crooks employ other legitimate tools to perform their malicious activity as well, including PsExec, IObit Uninstaller, Process Hacker, PowerTool, etc. Most of the mentioned applications are used to disable security software on the targeted networks and devices.

Execution of the crypto-malware

At some point during the network intrusion, the crooks download the ransomware executable onto the attacked device to encrypt its data. The executable includes a unique victim ID, a random five-character string, and _pack.exe in its filename. Right before execution, this malware extracts itself into the Windows folder under a filename with the same beginning but ending in _unpack.exe.

Ransomware runs under the name of SuperBackupMan for disguise.

Following that, Snatch appears on the system as a Windows service named SuperBackupMan. The criminals try to disguise the ransomware with a service description that states “This service make backup copy every day”. Unfortunately, the service cannot be stopped or interrupted by the user in any way. It modifies Windows Registry keys so that it starts during a boot into Safe Mode and then forces the computer to restart immediately.
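The Safe Mode persistence described above relies on a documented Windows mechanism: a service starts in Safe Mode only if a key named after it exists under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network). The PowerShell audit below is an added example, not code from the article or from Sophos; it lists every service registered there, flags the indicators the article gives (the SuperBackupMan name, the fake description, an _unpack.exe binary dropped in the Windows folder), and assumes it is run from an elevated prompt on the suspect machine.

```powershell
# Added example: audit which services Windows will start in Safe Mode and flag
# the ones matching the Snatch indicators from the article. Run elevated.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$services     = Get-CimInstance -ClassName Win32_Service

foreach ($mode in 'Minimal', 'Network') {
    $keys = Get-ChildItem -Path (Join-Path $safeBootRoot $mode) -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $entryName = $key.PSChildName
        # The key's default value says what the entry is: "Service" or "Driver"
        # (class-GUID keys carry a class name instead). Only services matter here.
        $entryType = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($entryType -ne 'Service') { continue }

        $svc = $services | Where-Object { $_.Name -eq $entryName }
        if (-not $svc) { continue }   # registered for Safe Mode but no such service exists

        # Indicators from the article, plus a coarse "binary outside System32" heuristic
        # that will also flag legitimate third-party services and needs a human look.
        $flags = @()
        if ($svc.Name -eq 'SuperBackupMan')                       { $flags += 'known Snatch service name' }
        if ($svc.Description -like '*make backup copy every day*') { $flags += 'known Snatch description' }
        if ($svc.PathName -match '_unpack\.exe')                   { $flags += 'Snatch-style _unpack.exe binary' }
        if ($svc.PathName -notmatch '\\Windows\\(System32|SysWOW64|servicing)\\') {
            $flags += 'binary outside System32'
        }

        [PSCustomObject]@{
            SafeBootMode = $mode
            Service      = $svc.Name
            Binary       = $svc.PathName
            StartMode    = $svc.StartMode
            Flags        = ($flags -join '; ')
        }
    }
}

# Separate check (general Windows knowledge, not stated in the article): the boot
# loader can be told to start Safe Mode on the next restart. No output here means
# the "safeboot" option is not set for the current boot entry.
bcdedit /enum '{current}' | Select-String -Pattern 'safeboot'
```

Any row whose Flags column is non-empty deserves investigation; an entry that exists in SafeBoot but has no matching service may be a leftover from a removed one.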

Right after the reboot, this cyber threat uses the vssadmin.exe Windows component to delete all Volume Shadow Copies from the PC, preventing recovery from them, and then starts encrypting files. While Snatch aims to lock private information, the following locations are skipped during encryption:

  1. C:\Program Files\
    • windows mail
    • windows media player
    • windows nt
    • windows photo viewer
    • dvd maker
    • internet explorer
    • microsoft
    • mozilla firefox
    • windows
    • perflogs
    • $recycle.bin
    • system volume information
    • common files
    • reference assemblies
    • tap-windows
    • windows defender
    • windows journal
  2. C:\ProgramData
    • templates
    • start menu
    • favorites
    • microsoft
  3. C:\
    • $recycle.bin
    • windows
    • perflogs
    • recovery
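The shadow-copy deletion and the service installation described above both leave traces in the Windows event logs. The PowerShell query below is an added example, not from the article; it assumes an elevated prompt, the standard System-log service-install event (ID 7045), and Security-log process-creation events (ID 4688) with command-line auditing enabled, without which the vssadmin command line is not recorded.

```powershell
# Added example: look back through the event logs for the two noisy steps the
# article describes: the SuperBackupMan service being installed and vssadmin.exe
# being run to delete shadow copies. Adjust $since to the suspected intrusion window.
$since = (Get-Date).AddDays(-30)

# 1. Service installations (System log, ID 7045, "A service was installed in the system").
#    The message text carries "Service Name:" and "Service File Name:" lines.
$serviceInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'SuperBackupMan' -or   # service name from the article
        $_.Message -match '_unpack\.exe'         # Snatch-style binary name from the article
    } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }

# 2. Shadow copy deletion (Security log, ID 4688, process creation). Matching on the
#    message text avoids depending on the event's property order.
$shadowDeletes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = {
        ($_.Message -split "`n" | Select-String -Pattern 'Process Command Line') -join ''
    } }

'--- Suspicious service installs ---'
$serviceInstalls | Format-Table -AutoSize -Wrap
'--- vssadmin delete shadows executions ---'
$shadowDeletes | Format-Table -AutoSize -Wrap
```

Empty output for the second query is inconclusive if command-line auditing was off; the Sysmon process-creation event, where Sysmon is installed, records the command line regardless.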

Ransomware developers are searching for partners

The attackers behind this malware, also known as Snatch Team, have been spotted searching for alliances online. A user with the name of BulletToothTony posted on one of the criminal boards that the Snatch Team is “Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies” (translation from the Russian language).

Unidentified user posts offers to join the Snatch Team.

The same message goes on to offer training for prospective partners in ransomware execution and the use of the threat’s infrastructure. The user closes the post by stating that he is looking for Russian-speaking partners only. Likewise, there is evidence that the ransomware originates from Russia, yet it targets companies in the United States, Canada, and multiple countries in Europe.

Unfortunately, there is no way to stop this malicious program and its developers other than by refusing to pay the ransom and performing Snatch ransomware removal instead. Keep in mind that the crooks are only motivated to spread the infection if it generates profit, so if the majority of victims refuse their demands, the spread of the virus can actually be stopped.

The easiest way to remove Snatch ransomware virus from your system is by running a full system scan with RESTORO. This software can not only help you clean your system but also replace damaged Windows Registry keys and other corrupted files after the attack. Further instructions on the elimination are provided at the end of this article.

Summary

Name: Snatch ransomware
Type: File-encrypting virus, File Locker, Crypto-malware
Targets: Windows OS devices operating in corporate networks
Extensions: .googl, .hceem, .ohwqg, .jimm, .dglnl, .wvtr0, .snatch, .clhmotjdxp or other random character strings
Ransom note: Readme_Restore_Files.txt, Readme_[random-chars]_Files.txt, DECRYPT_[random-chars]_DATA.txt
Amount of the ransom: Ranging from $2 000 up to $35 000 and only increasing with every new attack
Contact: imboristheBlade@protonmail.com
Related .exe and other files: [random-chars]x64.exe, Update_Collector.exe, [random-chars]_pack.exe, [random-chars]_unpack.exe, vssadmin.exe, SuperBackupMan
Symptoms: The ransomware modifies Windows Registry keys to execute itself during the boot into Safe Mode; once the computer restarts, it operates in Safe Mode and starts data encryption; all encrypted files carry an added extension and are no longer usable
Legit utilities used by hackers: PsExec, IObit Uninstaller, Process Hacker, PowerTool, Advanced Port Scanner
Distribution: Criminals gain access to private networks through brute-force attacks; then they distribute the malware through human-directed actions, such as spam e-mails
Removal: Run a full system scan with RESTORO to help you uninstall the virus and its components

Malware spread

First, the attackers make their way into the private network, and then human actions become the main distribution source for the malware. That might include clicking on malicious spam emails that contain infected links. For example, if anyone on the private network clicks on such a link and downloads the ransomware, it can infect all other devices connected to the network.

Therefore, people should be very careful when opening various email letters on corporate computers. In fact, they must refrain from opening suspicious messages or clicking on promotional content online. The best decision would be to have an active antivirus with real-time protection to help you avoid cyber threats.

Snatch ransomware removal guide

If this advanced cyber threat has reached your system, there is a strong risk that the entire network is exposed. Regular computer users do not have the necessary knowledge to deal with such attacks. Therefore, people should remove Snatch ransomware virus by using professional software or in-person help.

You can install RESTORO to help you put malicious files into quarantine. Additionally, this security tool is designed to fix virus damage, including replacing corrupted Windows Registry keys and other built-in components. Further elimination guidelines are appended below.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats; Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Snatch ransomware virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove Snatch ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real time) and RESTORO (repairs virus damage to Windows OS files).

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press the F6 key.

Step 2. Start System Restore process

  1. Wait until system loads and command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
  3. This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite, System Mechanic Ultimate Defense has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping technology. Due to its wide range of capabilities, it deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
