This blog post comes from the “Snatch Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.
Snatch is a ransomware family first observed in the first months of 2019 and offered as ransomware-as-a-service (RaaS); the sample analyzed here is written in the Go programming language. Rather than encrypting files immediately, it forces a system reboot into Safe Mode, where many default safeguards (and most security products) are not running, and only then encrypts data. The sample uses common packers such as UPX to conceal its payload.
File Name: bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02.exe
In summary, Snatch ransomware is a malicious software variant that poses a serious threat to computer systems and data security. What distinguishes Snatch from other ransomware is its approach: it leverages Safe Mode to bypass default safeguards, deletes volume shadow copies to hinder system recovery, and generates randomly named batch files for execution.
All in all, Snatch ransomware illustrates the evolving and sophisticated nature of ransomware threats and highlights the importance of robust cybersecurity practices, routine data backups, and proactive measures to prevent infection and limit the damage such attacks can cause.
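The three behaviours singled out above (Safe Mode boot configuration changes, shadow copy deletion, and execution of randomly named batch files) are all visible in process-creation telemetry, and seeing the first two together on one host is a much stronger signal than either alone. The script below is an added detection example, not code from the report or from Brandefense; the log format, the sample log lines, and the specific command lines it matches (bcdedit's safeboot option, vssadmin/wmic shadow copy deletion) are assumptions chosen for illustration, since the report excerpt does not name the exact commands the sample runs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation log lines (not from the report).
# Assumed format: "<timestamp> pid=<n> image=<path> cmd=<command line>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 pid=4120 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} safeboot minimal
2024-01-01T10:00:02 pid=4131 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin delete shadows /all /quiet
2024-01-01T10:00:03 pid=4140 image=C:\\Windows\\System32\\cmd.exe cmd=cmd /c C:\\Users\\Public\\Temp\\x9k2lq7v.bat
2024-01-01T10:00:04 pid=4150 image=C:\\Windows\\System32\\notepad.exe cmd=notepad C:\\Users\\alice\\notes.txt
2024-01-01T10:00:05 pid=4160 image=C:\\Windows\\System32\\cmd.exe cmd=cmd /c C:\\Scripts\\backup.bat
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

# Command-line patterns for the two recovery-inhibiting behaviours described in the post.
RULES = {
    # Boot configuration changed so the next reboot lands in Safe Mode.
    "safe_mode_boot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    # Volume shadow copies removed (two common ways of doing it).
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I
    ),
}

# Any Windows path ending in .bat; the basename is checked separately for randomness.
BATCH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+?\\(?P<name>[^\\\s\"]+)\.bat\b", re.I)


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not from the report): a basename of 8+ characters
    that mixes letters and digits is treated as machine-generated."""
    return len(name) >= 8 and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) hit, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        cmd = rec["cmd"]
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"rule": rule, "pid": rec["pid"], "cmd": cmd})
        for bm in BATCH_RE.finditer(cmd):
            if looks_random(bm.group("name")):
                findings.append({"rule": "random_batch_execution", "pid": rec["pid"], "cmd": cmd})
    return findings


def snatch_like_chain(findings: List[Dict[str, str]]) -> bool:
    """True when both recovery-inhibiting steps appear in the same host's findings;
    that combination is the high-confidence signal worth paging on."""
    seen = {f["rule"] for f in findings}
    return {"safe_mode_boot_config", "shadow_copy_deletion"} <= seen


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['rule']}] pid={h['pid']} cmd={h['cmd']}")
    print("Snatch-like chain detected:", snatch_like_chain(hits))
```

In practice the same three rules map directly onto the Execution and Defense Evasion rows of the ATT&CK matrix below, and the Safe Mode boot change is the one to alert on earliest: once the host reboots, endpoint agents that do not start in Safe Mode will not see the encryption phase at all.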
MITRE ATT&CK Threat Matrix
- TA0002 Execution
  - T1059 Command and Scripting Interpreter
  - T1064 Scripting
- TA0004 Privilege Escalation
  - T1055 Process Injection
- TA0005 Defense Evasion
  - T1027 Obfuscated Files or Information
  - T1036 Masquerading
- TA0007 Discovery
  - T1082 System Information Discovery
  - T1614 System Location Discovery
- TA0009 Collection
  - T1005 Data from Local System
Download YARA Rules from GitHub.