TTCSIRT-249.121019: TT-CSIRT ADVISORY – SNATCH RANSOMWARE

Sophos has released technical details and indicators of compromise for the ransomware variant known as Snatch. Researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process. The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode.
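The advisory does not say how the reboot into Safe Mode is arranged, so the following Python detection logic is an added example (not code from Sophos or from this advisory) that assumes the standard Windows mechanisms a defender would watch for: a `bcdedit /set ... safeboot` call, or a `reg add` under the `Control\SafeBoot` key, followed shortly by a forced restart. It runs over constructed, pipe-delimited process-creation records in a simplified Sysmon Event ID 1 layout; the hostnames, users, paths, timestamps, the field order and the five-minute correlation window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). Field layout is an assumption:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
2019-12-10T03:12:01Z|WS-042|CORP\\svc-backup|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
2019-12-10T03:14:55Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\ProgramData\\update.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {current} safeboot minimal
2019-12-10T03:15:02Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\ProgramData\\update.exe|C:\\Windows\\System32\\shutdown.exe|shutdown /r /f /t 00
2019-12-10T08:00:10Z|WS-017|CORP\\itadmin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /deletevalue {current} safeboot
2019-12-10T09:30:00Z|WS-099|CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum
"""

# bcdedit writing the safeboot element: the machine will come up in Safe Mode next boot.
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s+.*/set\b.*\bsafeboot\b", re.I)
# bcdedit removing the element: normal during cleanup, worth a low-priority record.
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s+.*/deletevalue\b.*\bsafeboot\b", re.I)
# Registering something to run under Safe Mode via the SafeBoot control key.
SAFEBOOT_REG = re.compile(r"\breg(\.exe)?\s+add\b.*\\Control\\SafeBoot\\", re.I)
# Forced restart (/r together with /f, in either order).
FORCED_REBOOT = re.compile(
    r"shutdown(\.exe)?\s+.*/r\b.*/f\b|shutdown(\.exe)?\s+.*/f\b.*/r\b", re.I)

# Parents from which an operator would normally run bcdedit (assumption).
INTERACTIVE_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe")
REBOOT_WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_events(text):
    """Parse the pipe-delimited records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmd = line.split("|", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "parent": parent,
            "image": image, "cmd": cmd,
        })
    return events


def detect_safe_mode_tampering(events):
    """Return alerts for Safe Mode boot configuration changes and reboots that follow them."""
    alerts = []
    last_set = {}  # host -> time the safeboot configuration was last written
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd, host = ev["cmd"], ev["host"]
        parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
        unusual_parent = parent_name not in INTERACTIVE_PARENTS
        base = {"host": host, "user": ev["user"], "cmd": cmd,
                "parent": ev["parent"], "unusual_parent": unusual_parent}
        if SAFEBOOT_SET.search(cmd) or SAFEBOOT_REG.search(cmd):
            last_set[host] = ev["ts"]
            alerts.append({**base, "severity": "high",
                           "reason": "Safe Mode boot configured"})
        elif FORCED_REBOOT.search(cmd):
            # A forced restart on its own is noise; right after a safeboot write it is the
            # sequence the advisory describes, so escalate it.
            t = last_set.get(host)
            if t is not None and ev["ts"] - t <= REBOOT_WINDOW:
                alerts.append({**base, "severity": "critical",
                               "reason": "forced reboot within window after Safe Mode boot was configured"})
        elif SAFEBOOT_CLEAR.search(cmd):
            alerts.append({**base, "severity": "low",
                           "reason": "Safe Mode boot setting removed; confirm it was an operator"})
    return alerts


if __name__ == "__main__":
    for a in detect_safe_mode_tampering(parse_events(SAMPLE_EVENTS)):
        flag = " (unusual parent)" if a["unusual_parent"] else ""
        print(f"[{a['severity'].upper()}] {a['host']} {a['user']}: {a['reason']}{flag} :: {a['cmd']}")
```

Run against the constructed sample, the rule raises a high alert for the `safeboot` write on WS-042 (launched from a non-interactive parent under ProgramData), escalates the forced restart seven seconds later to critical, records the administrator's cleanup on WS-017 as low, and ignores the read-only `bcdedit /enum`. In production the same logic would be fed from Sysmon or Windows Security 4688 events with command-line auditing enabled, and the `unusual_parent` flag is the field most worth tuning to the environment.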

TTCSIRT strongly encourages administrators to review the following reports from Sophos and implement the necessary remediation actions, which include (but are not limited to) blacklisting the catalogued IP addresses, email addresses and file extensions.

Technical Breakdown:

https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

Indicators of Compromise:

https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Snatch