A cybercriminal organization has been attacking Windows users with a hybrid ransomware and data stealer program that encrypts machines while in Safe Mode in order to render endpoint protection programs moot.

Dubbed Snatch, the malware “runs itself in an elevated permissions mode, sets registry keys that instructs Windows to run it following a Safe Mode reboot, then reboots the computer and starts encrypting the disk while it’s running in Safe Mode,” according to a blog post published this week by cyber firm Sophos, whose Managed Threat Response (MTR) team and SophosLabs researchers have been analyzing the threat. 

Forcing Safe Mode is a clever strategy because most software, including security programs, does not run in that environment, explains the blog post's author, Sophos principal researcher Andrew Brandt.
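A defender-side check for the mechanism described above, as an added example that is not from Sophos or the original article: it scans registry-change events for new entries under the Windows SafeBoot keys, which list what loads in Safe Mode. The event format, the baseline set and the entry names are constructed assumptions; the article does not name the keys Snatch sets.

```python
import json
import re

# HKLM\SYSTEM\<ControlSet>\Control\SafeBoot\<Minimal|Network>\<entry>[\...]
SAFEBOOT_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)",
    re.IGNORECASE,
)

# Illustrative baseline only; build the real one from a clean image of your fleet.
BASELINE = {"base", "cryptsvc", "dcomlaunch"}

# Constructed sample: simplified Sysmon-style registry records, one JSON object per line.
SAMPLE_LOG = r"""
{"host": "ws01", "event_id": 13, "image": "C:\\Windows\\System32\\services.exe", "target": "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\CryptSvc\\(Default)"}
{"host": "ws02", "event_id": 12, "image": "C:\\Users\\Public\\example-tool.exe", "target": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\ExampleSvc"}
{"host": "ws02", "event_id": 13, "image": "C:\\Users\\Public\\example-tool.exe", "target": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\ExampleSvc\\(Default)"}
{"host": "ws03", "event_id": 13, "image": "C:\\Windows\\regedit.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
this line is not JSON
{"host": "ws04", "event_id": 13, "image": "C:\\Temp\\other.exe", "target": "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\network\\OtherSvc\\(Default)"}
"""

def find_safeboot_additions(log_text, baseline=BASELINE):
    """Return one finding per (host, mode, entry) touched outside the baseline."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if ev.get("event_id") not in (12, 13):  # 12 = key event, 13 = value set
            continue
        m = SAFEBOOT_RE.match(ev.get("target", ""))
        if not m:
            continue
        mode, entry = m.group(1).capitalize(), m.group(2)
        key = (ev.get("host"), mode, entry.lower())
        if entry.lower() in baseline or key in seen:
            continue  # known-good entry, or already reported for this host
        seen.add(key)
        findings.append({"host": ev.get("host"), "mode": mode,
                         "entry": entry, "image": ev.get("image")})
    return findings

if __name__ == "__main__":
    for f in find_safeboot_additions(SAMPLE_LOG):
        print(f)
```

A hit is most useful when correlated with a reboot on the same host shortly afterwards, since the article describes the registry change being followed by a forced Safe Mode restart.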

The threat actor behind the malware, called Snatch Group, has been active since summer 2018, but the Safe Mode twist is a recent addition. According to Sophos’ analysis, the group’s targets have included organizations located in the U.S., Canada and Europe.

Snatch, which is named as an homage to the Guy Ritchie-directed film, is programmed in Go and packed with UPX for obfuscation, and affects Windows 7 through 10, both 32- and 64-bit versions. Sophos refers to Snatch as primarily a ransomware program, but it contains additional components, including a data stealer and a Cobalt Strike reverse shell. It also abuses various legitimate tools and utilities – including Process Hacker, IObit Uninstaller, PowerTool and PsExec – generally to disable AV products, the blog post explains.

The ransomware appends a pseudorandom, five-character-long string to impacted files – each string unique to the targeted organization. Victims have been hit with ransom demands that have varied anywhere from $2,000 to $35,000, Sophos reports, citing anecdotal information supplied by Coveware, a company that has handled some of the extortion negotiations.

Typically, companies are infected through brute-force attacks against vulnerable, exposed services like Remote Desktop Protocol (RDP), VNC and TeamViewer. One victim was an unidentified large international company that was compromised when Snatch Group actors used a brute-force attack to steal credentials to a Microsoft Azure server, which was accessed via RDP. From there, the attackers accessed a domain controller (DC) machine on the same network, allowing them to perform reconnaissance on the company’s network and install surveillance software on roughly 200 machines, as well as malware executables.

“We also observed them dump WMIC [Windows Management Instrumentation Command line] system and user data, process lists, and even the memory contents of the Windows LSASS [Local Security Authority Subsystem Service] service, to a file… then upload them to their C2 server” in order to learn more about the victims’ network, reports Sophos, attributing this malicious activity to an attacker-created tool called Update_Collector.exe. “We’ve also observed that the attackers set up one-off Windows services to orchestrate specific tasks,” including exfiltrating information to the Snatch Group’s C2 server, the blog post adds.