Sophos researchers are warning Windows 10 users about a new type of malware that can disable and bypass computers’ security software. Known as Snatch, this ransomware is comprised of a collection of tools, including a separate data stealer. Designed to target businesses, this ransomware forces your Windows PC to reboot in Safe Mode to prevent any security software from launching.
Who's behind the Snatch ransomware?
According to the report released by Sophos, the threat actors responsible for the Snatch ransomware call themselves the Snatch Team on dark web message forums. The researchers observed this team posting appeals for affiliate partners on Russian language message forums. The cybercriminal group is looking to purchase network access intelligence so they can launch automated brute force attacks against unsuspecting enterprises.
What does Snatch do?
When this malware infects your computer, it installs a Windows service called SuperBackupMan. The SuperBackupMan is then executed, allowing hackers to use administrator access to run the BCDEDIT tool and force your computer to restart in Safe Mode. After restarting, Snatch then uses the Windows command vssadmin.com to erase all the Volume Shadow Copies on your system. This prevents you from recovering the files locked by this ransomware.
Aside from encrypting your data, Snatch is also capable of installing surveillance software, as well as stealing important business and personal information.
How to protect yourself from Snatch
Sophos offered several tips on how you can protect your business from this dangerous ransomware.
- Monitor your network – Be proactive when it comes to hunting for breaches and potential threats in your network. You can invest in the latest threat-hunting program, or, if you lack the resources to do so, you can employ the services of a reputable managed IT services provider (MSP) to assist you in identifying and stopping any malicious activity in your system.
- Use multifactor authentication (MFA) – In this day and age, having a strong password is not enough to protect you from cybercriminals. Set your network up with MFA to make it harder for hackers to brute force their way into your system.
- Check all your devices – Sophos stated in their report that the initial access points of Snatch attacks were unmonitored and unprotected devices. Your IT staff or MSP should run regular checkups on all your active devices to make sure no vulnerabilities exist.
- Protect remote access protocols – If your organization uses servers with remote access protocols, make sure they're updated with the latest security patches and protected by endpoint protection software solutions. These access points should also be monitored regularly for abnormal activity and login attempts.
- Use a secure internet connection – Do not use your remote desktop interface on an unprotected internet connection. If remote access is needed, you should protect your computers by using a virtual private network (VPN).
The severity of the risk posed by Snatch is something you should not ignore. Building a solid and secure network is not enough to protect your business from ransomware. Hackers are always looking for new ways to gain access to your system, which is why your security software solutions, backups, strategy, and training should adapt and keep up. If you want to learn more about how to step up your network security, contact us today.