Loading ...

Snatch Ransomware - A New Threat Bypassing Antivirus in Safe Mode

Snatch Ransomware the Stealthy Malware Bypassing Antivirus in Safe Mode

11 Dec 2019
3-5 min read


Snatch, unlike most ransomware, not only encrypts files but also steals them from infected networks. The authors of Snatch have developed a cunning method to evade antivirus detection and carry out their encryption undetected.

Unlike most ransomware, Snatch also steals files on infected networks. The authors of Snatch ransomware use a novel trick to evade antivirus software and encrypt the victims' files.

The Safe Mode Evasion Technique

The trick is to reboot the infected computer in safe mode and run the process of encrypting the files from there. The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state for debugging and recovering a corrupted operating system. Furthermore, it could use a Windows registry key to schedule the boot of a Windows service in safe mode.

This service would run its ransomware in safe mode without the risk of being detected by antivirus software and having its encryption process stopped.

The safe mode tip was discovered by the incident response team at Sophos, which has been called to investigate a ransomware infection in recent weeks. His research team explains that this is a big problem and a trick that could also be quickly adopted by other ransomware groups.

Sophos believes that the seriousness of the risk posed by ransomware that runs in safe mode should not be underestimated and that we should publish this information as a warning to the rest of the security industry, as well as to end-users, said Andrew Brandt, a cybersecurity researcher and network expert at Sophos.

We've been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process...

Read more here: https://t.co/wm4LGwqB64 pic.twitter.com/8BoYNMGH9h

— SophosLabs (@SophosLabs) December 9, 2019

Snatch’S Threat Actors Job Postings

According to Sophos, the group buys access to a company's network. The researchers say they found the advertisements that the Snatch team posted on the hacking forums, advertisements to recruit partners for their project. According to a translation of the announcement, the Snatch team was looking for affiliate partners with access to RDP \ VNC \ TeamViewer \ WebShell \ SQL Injection in corporate networks, stores, and other companies.

Snatch Ransomware - A New Threat Bypassing Antivirus in Safe Mode

To do this, the Snatch team used legitimate system administration tools and penetration test tool kits to get the job done, tools such as Cobalt Strike, Advanced Port Scanner, IObit Uninstaller, PowerTool, and PsExec. Since these are common tools, most antivirus products do not trigger alarms.

Once Snatch has all the accesses they need, they add the registry key and the Windows service that starts Snatch in safe mode on all infected hosts, and force a restart of all workstations to start the process of encrypting files.

As explained by Sophos, the ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service makes a backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself.

Snatch Ransomware - A New Threat Bypassing Antivirus in Safe Mode

Stealing Customer Data

Besides, Sophos explains that unlike most ransomware that focuses mainly on file encryption and ransom demand, they also found evidence that the Snatch team was also involved in the theft of data. This makes Snatch unique and very dangerous, as companies also risk losing their data sold or disclosed online at a later date, even if they have paid ransom and decrypted their files.

But analyzing the internal network of a company to find the files to steal takes time, and that's probably why Snatch did not make as many casualties as other "big game" groups. The number of Snatch victims is very low.

The Deceptive Windows Service

Snatch installs itself as a service named SuperBackupMan, misleadingly described as a daily backup service. This disguise allows it to operate unnoticed, setting the stage for a forced reboot and file encryption.

Data Theft - An Additional Threat

Sophos warns that Snatch poses a dual threat: it not only demands ransom for file decryption but also steals data, which could be sold or leaked even after the ransom is paid. This aspect makes Snatch particularly dangerous.


The low number of victims suggests that Snatch's operations are time-consuming, focusing on data analysis to identify valuable files. However, its ability to bypass antivirus software in safe mode makes it a formidable threat.

Maria C.
Created by
Maria C.

Don’t Want to Miss Anything?

Sign up for Newsletters

* Yes, I agree to the terms and privacy policy