A fresh ransomware variant known as “Snatch” has been spotted in campaigns, forcing Windows machines to reboot into Safe Mode before beginning the encryption process. It’s one of multiple components of a malware constellation being used in carefully orchestrated attacks that also feature rampant data collection.
According to researchers with SophosLabs, Snatch runs itself in an elevated permissions mode, and sets registry keys that instruct Windows to run it following a Safe Mode reboot.
“It then quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives,” explained Andrew Brandt, SophosLabs researcher, in a Monday posting.
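A defender can watch for the registry step described above. The following is an added example, not code from SophosLabs or the article: it flags registry writes that register a new entry to start in Safe Mode. The SafeBoot key paths are an assumption (the article does not name the keys Snatch sets), and the event format, baseline, and sample lines are constructed.

```python
import re

# Assumption: Windows reads the services and drivers permitted to start in Safe
# Mode from the SafeBoot\Minimal and SafeBoot\Network keys. The article does not
# name the keys Snatch sets; these are the ones a defender would watch.
SAFEBOOT_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\\]+)",
    re.IGNORECASE,
)

# Constructed baseline: entries already present on a known-good host image.
BASELINE = {"minimal": {"base", "cryptsvc", "rpcss"},
            "network": {"base", "dhcp", "rpcss"}}

# Constructed registry-write events: time|writing process|target object|data
SAMPLE_EVENTS = """\
2024-01-01T10:01:12Z|C:\\Windows\\System32\\services.exe|HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\RpcSs\\(Default)|Service
2024-01-01T10:02:40Z|C:\\Users\\Public\\example.exe|HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\ExampleSvc\\(Default)|Service
2024-01-01T10:02:41Z|C:\\Users\\Public\\example.exe|HKLM\\SOFTWARE\\Example\\Setting|1
2024-01-01T10:02:43Z|C:\\Users\\Public\\example.exe|hklm\\system\\currentcontrolset\\control\\safeboot\\network\\ExampleSvc|Service
not-a-valid-line
"""


def find_safeboot_additions(log_text, baseline=BASELINE):
    """Return writes that add a Safe Mode entry missing from the baseline."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        when, image, target, _data = parts
        match = SAFEBOOT_KEY.match(target)
        if not match:
            continue  # write is outside the SafeBoot keys
        mode, entry = match.group(1).lower(), match.group(2)
        if entry.lower() in baseline.get(mode, set()):
            continue  # entry is expected on this image
        findings.append({"time": when, "process": image, "mode": mode, "entry": entry})
    return findings


if __name__ == "__main__":
    for hit in find_safeboot_additions(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['process']} added Safe Mode ({hit['mode']}) entry {hit['entry']}")
```
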
Source: ThreatPost