“A novel hybrid data theft-ransomware threat”
The Snatch ransomware, a malware variant first identified in summer 2018, has started exhibiting new techniques including quickly rebooting the computer into “safe mode”, where most security software doesn’t run, before encrypting the victims’ hard drives, British cybersecurity firm Sophos warned today.
The cybercriminals behind the Snatch ransomware are also now also exfiltrating data before the ransomware attack begins, the company noted in a new report, which details the defense evasion and other techniques.
It published the report after being called in to remediate when an unnamed “large international company” was hit by the malware.
“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users,” the company said, after being called in to remediate the attack in October.
In that incident, Sophos managed threat response (MTR) team grabbed detailed logs from the targeted company that had evaded encryption.
Snatch Ransomware Incident: Attackers Brute-Forced Admin’s Azure Server Account
These showed that in this particular instance, the attackers initially accessed the company’s internal network by brute-forcing the password to an admin’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP).
They then used this to log into a domain controller (DC) machine on the same network, and then performed surveillance tasks on the target’s network over several weeks, querying the list of users authorised to log in on the box, and writing the results to a file: “We also observed them dump WMIC system & user data, process lists, and even the memory contents of the Windows LSASS service, to a file”, Sophos said.
During that particular attack, the cyber criminals installed surveillance software on about 200 machines, or roughly five percent of particular organisation’s internal network.
The attackers then installed a range of malware executables, including tools designed to give the attackers remote access to the machines without having to rely on the compromised Azure server, and a free Windows utility called Advanced Port Scanner to discover additional machines on the network they could target, Sophos said, describing it as a “novel hybrid data theft-ransomware threat”.
The Snatch ransomware is one of a growing number of malware families Sophos said that it has encountered that have been programmed in Go, a language designed by Google to produce programmes that, in theory, could run under multiple operating systems. Thus-far, Snatch has only been seen running on Windows (from 7 through 10), with samples packed with the open source packer UPX to obfuscate their contents.
It comprises a collection of tooling, which include a ransomware component and a separate data stealer, “both apparently built by the criminals who operate the malware”; a Cobalt Strike reverse-shell; and several publicly-available tools like Process Hacker, IObit Uninstaller, PowerTool, and PsExec used by penetration testers, system administrators, or technicians.
Sophos told businesses today: “If remote access is required, use a VPN with industry best practice multi-factor authentication, password audits and precise access control, in addition to actively monitoring remote access.”
Patch everything online religiously, it added, noting that, as per industry best practice, users logged into remote access services should have limited privileges for the rest of the corporate network and administrators should adopt multi-factor authentication and use a separate administrative account from their normal user account. Security teams should actively monitor for open RDP ports in public IP space, it added, although the ransomware is also delivered via phishing campaigns.