

As we continue to investigate new incidents, we will update this post, and may post a followup in the next few days. SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users. SophosLabs believes that the Safe Mode enhancement to this malware is a newly added feature. The threat actors behind the ransomware appear to have been active since the summer of 2018. Sophos analysts first encountered the Snatch ransomware about a year ago. Snatch runs itself with elevated permissions, sets registry keys that instruct Windows to run it following a Safe Mode reboot, then reboots the computer and starts encrypting the disk while it is running in Safe Mode. It quickly reboots the computer into Safe Mode, and in that rarefied environment, where most software (including security software) does not run, Snatch encrypts the victims' hard drives.


The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. In mid-October, the Sophos MTR team worked with a targeted organization to investigate and remediate a ransomware outbreak within their network.
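The post describes the persistence trick (a service registered to start during a Safe Mode boot, plus a forced reboot into Safe Mode) without naming the registry locations involved. The script below is an added defensive example, not Sophos's code or anything recovered from the Snatch sample; it assumes, as a general Windows fact, that services allowed to start in Safe Mode are listed under the `SafeBoot\Minimal` and `SafeBoot\Network` keys and that a forced Safe Mode boot shows up as a `safeboot` flag in the BCD store. It snapshots the Safe Mode allow-list so a later run can report new entries, and it checks whether the next reboot has been pre-set to land in Safe Mode.

```powershell
# Added example (not Sophos's code): audit the Safe Mode service allow-list
# and the boot configuration for signs that something has been set up to run
# during a Safe Mode boot. Assumption: persistence works through the SafeBoot
# registry keys and a BCD "safeboot" flag; the post names neither.
# Run from an elevated PowerShell session.

$SafeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

function Get-SafeBootEntries {
    # Every subkey under the two SafeBoot lists, with its (Default) value.
    # Subkeys named like "foo.sys" are driver entries; entries whose value is
    # "Service" name a service Windows will permit to start in Safe Mode.
    foreach ($root in $SafeBootRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            [pscustomobject]@{
                List = Split-Path $root -Leaf
                Name = $_.PSChildName
                Type = (Get-ItemProperty -Path $_.PSPath).'(default)'
            }
        }
    }
}

function Get-SafeBootServiceEntries {
    # Join the "Service" entries against installed services so the output shows
    # which allow-listed names actually resolve to a binary on this host.
    $byName = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $byName[$_.Name] = $_ }
    Get-SafeBootEntries | Where-Object { $_.Type -eq 'Service' } | ForEach-Object {
        $svc = $byName[$_.Name]
        $path = if ($svc) { $svc.PathName } else { $null }
        # Heuristic only: a Safe Mode-allowed service whose image lives outside
        # the Windows directory is unusual on a stock install and worth a look.
        $outside = $path -and ($path -notmatch [regex]::Escape($env:SystemRoot))
        [pscustomobject]@{
            List           = $_.List
            Name           = $_.Name
            Installed      = [bool]$svc
            PathName       = $path
            OutsideWinDir  = $outside
        }
    }
}

function Save-SafeBootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Snapshot taken on a known-good host; compare against it on later runs.
    Get-SafeBootEntries | Export-Clixml -Path $Path
}

function Compare-SafeBootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Returns entries present now that were absent from the saved snapshot.
    $baseline = Import-Clixml -Path $Path
    $key = { "$($_.List)\$($_.Name)" }
    $known = @{}
    $baseline | ForEach-Object { $known[(& $key)] = $true }
    Get-SafeBootEntries | Where-Object { -not $known[(& $key)] }
}

function Test-SafeBootFlag {
    # $true when any BCD entry carries a "safeboot" flag, meaning the next
    # reboot would enter Safe Mode without the user choosing it.
    $out = & "$env:SystemRoot\System32\bcdedit.exe" /enum 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*safeboot\s' })
}

# Usage (uncomment as needed):
# Save-SafeBootBaseline -Path 'C:\baseline\safeboot.xml'     # on a clean host
# Compare-SafeBootBaseline -Path 'C:\baseline\safeboot.xml'  # later: new entries
# Get-SafeBootServiceEntries | Where-Object { $_.OutsideWinDir -or -not $_.Installed }
# if (Test-SafeBootFlag) { Write-Warning 'Next reboot is pinned to Safe Mode' }
```

The baseline comparison is the useful part: the SafeBoot lists are long and vary by Windows build, so an analyst cannot eyeball them, but a new service name appearing under `Minimal` on a host that never had it, or a `safeboot` flag set in the BCD on a machine nobody deliberately put into Safe Mode, is a concrete thing to alert on. Both checks are read-only and can be scheduled or wrapped into an EDR custom query.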
