Russian-speaking gang are big fans of Mockney heist caper. Blimey!

Cybercriminals have developed a strain of ransomware that circumvents security protections by rebooting Windows machines in the middle of its infection routine.

The Snatch ransomware forces a compromised Windows machine to reboot into Safe Mode before launching into its file encryption process.

The tactic appears to be a way to bypass the protection offered by security software packages, which are often designed not to run on PCs in Safe Mode.

Sophos said that the Snatch malware first appeared around a year ago, with more recent enhancements adding the Safe Mode encryption routines. The fortified malware has since featured in an ongoing series of attacks, starting around mid-October.

A common thread among victims is that they had one or more computers with Remote Desktop Protocol (RDP) exposed to the internet.

Hybrid threat

Snatch is a hybrid threat that poses a problem on multiple fronts. For example, the malware bundles a data stealer and a Cobalt Strike reverse-shell as well as several publicly available penetration testing tools.

Sophos reports that the malware is being spread through targeted attacks rather than the ‘spray-and-pray’ approach common in ransomware campaigns many consumers have suffered from over recent years.

“The threat actors behind this malware (who refer to themselves on criminal message boards as ‘Snatch Team’) appear to have adopted the active automated attack model, in which they seek to penetrate enterprise networks via automated brute-force attacks against vulnerable, exposed services, and then leverage that foothold to spread internally within the targeted organization’s network through human-directed action,” SophosLabs’ Andrew Brandt explains in a posting.

In one example, attackers first accessed a company’s internal network by brute-forcing the admin password to a Microsoft Azure server.

Using the Azure server as a foothold, the attackers abused the compromised administrator’s account to log into a domain controller machine on the same network before lying low and carrying out weeks of reconnaissance on the target network.

The attackers installed surveillance software on about 200 machines, or roughly 5% of the computers on this particular organization’s internal network, according to SophosLabs. This fits a larger pattern where the attackers wait days or weeks after the initial network breach before deploying ransomware onto targeted machines.
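Because the ransomware arrives days or weeks after the brute-forced login described above, the login itself is the earliest point at which defenders can catch the intrusion. The following is an added example, not code from Sophos or from this article: it flags a successful logon that follows a burst of failures from the same source, and the log layout, the function names and the default threshold and window are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not from the Sophos report. Fields: time, Windows Security
# event ID (4625 = failed logon, 4624 = successful logon), source, account.
SAMPLE_LOG = """\
2019-10-14T02:00:01 4625 203.0.113.7 administrator
2019-10-14T02:00:03 4625 203.0.113.7 administrator
2019-10-14T02:00:05 4625 203.0.113.7 admin
2019-10-14T02:00:07 4625 203.0.113.7 administrator
2019-10-14T02:00:09 4625 203.0.113.7 administrator
2019-10-14T02:00:11 4624 203.0.113.7 Administrator
2019-10-14T08:30:00 4625 198.51.100.20 jsmith
2019-10-14T08:30:20 4624 198.51.100.20 jsmith
2019-10-14T09:00:00 4625 192.0.2.44 backup
2019-10-14T09:20:00 4625 192.0.2.44 backup
2019-10-14T09:40:00 4625 192.0.2.44 backup
2019-10-14T10:00:00 4625 192.0.2.44 backup
2019-10-14T10:20:00 4625 192.0.2.44 backup
2019-10-14T10:21:00 4624 192.0.2.44 backup
truncated line
""".splitlines()


def parse(line):
    """Return (time, event_id, source, account), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("4624", "4625"):
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].lower()
    except ValueError:
        return None


def bruteforce_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful logon that follows >= threshold failures from one source."""
    failures = defaultdict(deque)  # source -> times of failures still inside the window
    alerts = []
    for when, event_id, source, account in sorted(filter(None, map(parse, lines))):
        recent = failures[source]
        while recent and when - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if event_id == "4625":
            recent.append(when)
        elif len(recent) >= threshold:
            alerts.append({"source": source, "account": account,
                           "failures": len(recent), "time": when.isoformat()})
            recent.clear()
    return alerts
```

With the defaults only the first source is flagged: the user who mistyped once is ignored, and so is the third source, which spaces its attempts 20 minutes apart. That last case shows why the window and threshold need tuning against slow guessing.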

Snatch and grab

SophosLabs adds that a presumed member of the cybercrime crew behind the Snatch ransomware is offering to pay in return for compromised remote access to corporate systems. The offer was made on a Russian-language cybercrime forum. The same individual, who goes by the online moniker ‘BulletToothTony’, goes on to offer would-be affiliates training in using their technology, at no charge (at least initially).

Coveware, a firm that specializes in extortion negotiations between ransomware victims and attackers, has reportedly negotiated with the Snatch criminals on 12 occasions since July on behalf of clients who faced extortionate demands that ranged in value between $2,000 and $35,000, trending upwards over recent months.

Payment in at least some cases is directed to an email address “imBoristheBlade@[redacted].com”, an apparent reference to a character in the Guy Ritchie movie Snatch (2000).

The aforementioned Bullet Tooth Tony references another character in the same film.