Unlike most ransomware, Snatch also steals files on infected networks. The authors of Snatch ransomware use a novel trick to evade antivirus software and encrypt the victims' files.

The trick is to reboot the infected computer in safe mode and run the process of encrypting the files from there. The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state for debugging and recovering a corrupted operating system. Furthermore, it could use a Windows registry key to schedule the boot of a Windows service in safe mode.

This service would run its ransomware in safe mode without the risk of being detected by antivirus software and having its encryption process stopped.

The safe mode tip was discovered by the incident response team at Sophos, which has been called to investigate a ransomware infection in recent weeks. His research team explains that this is a big problem and a trick that could also be quickly adopted by other ransomware groups.

Sophos believes that the seriousness of the risk posed by ransomware that runs in safe mode should not be underestimated and that we should publish this information as a warning to the rest of the security industry, as well as to end-users, said Andrew Brandt, a cybersecurity researcher and network expert at Sophos.


According to Sophos, the group buys access to a company's network. The researchers say they found the advertisements that the Snatch team posted on the hacking forums, advertisements to recruit partners for their project. According to a translation of the announcement, the Snatch team was looking for affiliate partners with access to RDP \ VNC \ TeamViewer \ WebShell \ SQL Injection in corporate networks, stores, and other companies.

Snatch Restarts PCs in Safe Mode to Bypass Antivirus Detection

To do this, the Snatch team used legitimate system administration tools and penetration test tool kits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products do not trigger alarms.

Once Snatch has all the accesses they need, they add the registry key and the Windows service that starts Snatch in safe mode on all infected hosts, and force a restart of all workstations to start the process of encrypting files.

As explained by Sophos, the ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service makes a backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.

Snatch Restarts PCs in Safe Mode to Bypass Antivirus Detection


Besides, Sophos explains that unlike most ransomware that focuses mainly on file encryption and ransom demand, they also found evidence that the Snatch team was also involved in the theft of data. This makes Snatch unique and very dangerous, as companies also risk losing their data sold or disclosed online at a later date, even if they have paid ransom and decrypted their files.

But analyzing the internal network of a company to find the files to steal takes time, and that's probably why Snatch did not make as many casualties as other "big game" groups. The number of Snatch victims is very low.