Snatch Ransomware Technical Analysis

This blog post comes from the “Snatch Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Executive Summary

Snatch ransomware is a ransomware variant; the sample analysed here is written in the Go programming language. It was first discovered in the first few months of 2019 and was offered as ransomware-as-a-service (RaaS). Instead of encrypting files directly, it initiates a system reboot that forces the computer into Safe Mode. In Safe Mode many default safeguards are not active, which allows the ransomware to encrypt data. It uses common packers such as UPX to hide its payload.

Overview

File Name: bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02.exe
MD5: cfd31737ccacf6e9a0e2ac18cf3445ac
SHA-1: 74c615ca54aaff3c5e6734efef04259290c357ba
SHA-256: bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02

Conclusion

In summary, Snatch Ransomware is a malicious software variant that poses a substantial threat to computer systems and data security. What distinguishes Snatch from other ransomware is its approach: it leverages Safe Mode to bypass default safeguards, deletes volume shadow copies to impede system recovery, and generates randomly named batch files for execution.

All in all, Snatch Ransomware illustrates the evolving and sophisticated nature of ransomware threats, and it highlights the importance of robust cybersecurity practices, routine data backups, and proactive measures to prevent infection and limit the damage such attacks can cause.
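The three behaviours named above (forcing a Safe Mode boot, deleting volume shadow copies, and launching randomly named batch files) can be correlated from process-creation telemetry. The following is an added detection example written for this post, not code from the Brandefense report; the command-line shapes it looks for (bcdedit with safeboot, vssadmin/wmic shadow copy deletion, a .bat in a user-writable path) are this example's assumptions about how those behaviours commonly appear on Windows, and the sample events are constructed.

```python
import re

# Constructed Sysmon-style process-creation events; not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 4012, "cmd": "bcdedit /set {default} safeboot minimal"},
    {"pid": 4020, "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 4033, "cmd": r'cmd /c "C:\Users\Public\ak3j9x2q.bat"'},
    {"pid": 4100, "cmd": "bcdedit /enum"},
    {"pid": 4101, "cmd": "notepad.exe report.txt"},
]

# One rule per behaviour from the analysis. The command-line shapes are an
# assumption of this example about how each behaviour usually manifests.
RULES = {
    "safe_mode_boot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # Heuristic: a .bat with a random-looking name in a user-writable location.
    "batch_from_writable_path": re.compile(
        r'\\(Users\\Public|Temp|AppData)\\[^"\s]*[a-z0-9]{6,}\.bat\b', re.I),
}


def match_rules(cmd):
    """Return the names of all rules whose pattern matches this command line."""
    return [name for name, pat in RULES.items() if pat.search(cmd)]


def assess(events):
    """Correlate rule hits across one host's events and assign a severity."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits.setdefault(name, []).append(ev["pid"])
    # Safe Mode boot configuration together with shadow-copy deletion is the
    # chain described in the analysis; either alone also occurs in legitimate
    # administration, so it is rated lower.
    if "safe_mode_boot_config" in hits and "shadow_copy_deletion" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "hits": hits}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```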

MITRE ATT&CK Threat Matrix

  1. TA0002 Execution
    • T1059 Command and Scripting Interpreter
    • T1064 Scripting
  2. TA0004 Privilege Escalation
    • T1055 Process Injection
  3. TA0005 Defense Evasion
    • T1027 Obfuscated Files or Information
    • T1036 Masquerading
  4. TA0007 Discovery
    • T1082 System Information Discovery
    • T1614 System Location Discovery
  5. TA0009 Collection
    • T1005 Data from Local System

Download YARA Rules from GitHub.
