Friday, June 13, 2025
HomeComputer SecurityBeware!! Snatch Ransomware Reboots PC in Safe Mode to Encrypt Files and...

Beware!! Snatch Ransomware Reboots PC in Safe Mode to Encrypt Files and Avoid Detection

Published on

SIEM as a Service

Follow Us on Google News

The Snatch Ransomware was first identified in the year 2018 and now it adopts a new technique that involves forcing the windows machine to reboot in safe mode for performing the encryption process.

The ransomware encrypts the personal documents on the victim’s computer and appends Snatch extension to the encrypted files. Then it displays a ransom note asking victims to make payment in Bitcoin’s to unlock the files.

Snatch Ransomware Infection

The ransomware was distributed through spam emails and by compromising the open Remote Desktop Services (RDP) ports. It affects all the versions of Windows operating systems that include Windows 7, Windows 8.1 and Windows 10.

- Advertisement - Google News
https://vimeo.com/378363798

Sophos observed a new Snatch Ransomware campaign that infects the victim machine, but it doesn’t start to encrypt the files, instead, it adds a windows registry key to safe boot the machine.

The attackers also install Advanced Port Scanner to find additional machines connected with the target network and Windows service called SuperBackupMan, the service has capabilities of stopping user action while it is running.

SuperBackupMan

Once the machine booted in safe mode the ransomware uses net.exe to halt the SuperBackupMan service and then delete all the Volume Shadow Copies on the system using vssadmin.exe components.

Then the ransomware starts the encryption process on the computer’s local hard drive and it won’t encrypt any of the system files to maintain the system stability.

Ransom Note

Upon successful encryption, it appends a pseudorandom string of five alphanumeric characters to the encrypted files and it gives ransomware notes unique to each targeted organization. The Ransom demands vary between $2,000 to $35,000.

The ransomware attack also abuses the following legitimate tools that include Process Hacker, IObit Uninstaller, PowerTool, and PsExec to disable the AV protection.

Ransomware Authors Seeking For Partners

The threat actors behind the ransomware posted on underground forums that they are looking for an automated active attack model for that they seek partnership with other cybercriminal gangs.

Sophos observed that a message board posting titled “Snatch ransomware” and the author is looking for “affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores, and other companies.”

In one of the incidents observed by Sophos the attackers “accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP).”

The bad news is that there is no decryptor available for the Snatch ransomware. It is always recommended to backup the data to prepare for these kinds of situations.

There are ways to prevent ransomware and protect yourself. In this article you will find straight-forward expert tips, so you never become a victim of Ransomware Attack.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

TokenBreak Exploit Tricks AI Models Using Minimal Input Changes

HiddenLayer’s security research team has uncovered TokenBreak, a novel attack technique that bypasses AI...

WebDAV Remote Code Execution 0-Day Actively Exploited — PoC Released

A critical zero-day vulnerability in Microsoft’s Web Distributed Authoring and Versioning (WebDAV) protocol, tracked...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users

A new, highly sophisticated cyberattack campaign is targeting users seeking to download the popular...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Sensata Technologies Faces Disruption Due to Ransomware Attack

Sensata Technologies, Inc., a major technology company based in Attleboro, Massachusetts, has disclosed a...

Skitnet Malware Actively Adopted by Ransomware Gangs to Enhance Operational Efficiency

Skitnet malware, also referred to as Bossnet, has emerged as a critical tool for...

Kettering Health Confirms Interlock Ransomware Breach and Data Theft

On the morning of May 20, 2025, Kettering Health, a major Ohio-based healthcare provider...