{ "id": "aa2e5625-1f31-45c9-8eee-98b56601a72a", "created_at": "2026-04-06T02:11:04.390172Z", "updated_at": "2026-04-10T03:24:29.342409Z", "deleted_at": null, "sha1_hash": "691ea9b248e30bc7bc581d748d1ee70aac79ebc6", "title": "Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 913809, "plain_text": "Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools\r\nBy Sergiu Gatlan\r\nPublished: 2019-12-09 · Archived: 2026-04-06 01:31:52 UTC\r\nResearchers discovered a new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any\r\nresident security solutions and immediately starts encrypting files once the system loads.\r\nEncrypting the victim's files is possible because most security tools are automatically disabled when Windows devices boot\r\nin Safe Mode as the Sophos Managed Threat Response (MTR) team and SophosLabs researchers found.\r\n\"Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions,\" they add. \"The\r\nsamples we’ve seen are also packed with the open-source packer UPX to obfuscate their contents.\"\r\nhttps://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nSnatch ransomware came out towards the end of 2018 and it became noticeably active during April 2019 as shown by a\r\nspike in ransom notes and encrypted file samples submitted to Michael Gillespie's ID Ransomware platform.\r\nSnatch ransomware 2019 activity (ID Ransomware)\r\nPersistence, stealing data, and payload delivery\r\nA suspected member of the Snatch ransomware team was observed by Sophos' researchers while \"looking for affiliate\r\npartners with access to RDP\\VNC\\TeamViewer\\WebShell\\SQL inj [SQL injection] in corporate networks, stores, and other\r\ncompanies.\"\r\nThis hints at the group or its affiliates abusing this type of security holes into organizations' computing systems, as shown by\r\nlogs the researchers discovered on one the victims' encrypted servers pointing at the threat actors brute-forcing a server's\r\nMicrosoft Azure admin account and logging in via Remote Desktop (RDP).\r\n\"Subsequent hunts for related files revealed several other attacks in which precisely the same collection of tools was used in\r\nwhat appear to be opportunistic attacks against organizations located around the world, including the United States, Canada,\r\nand several European countries,\" Sophos says.\r\n\"All the organizations where these same files were found also were later discovered to have one or more computers with\r\nRDP exposed to the internet.\"\r\nAfter the initial intrusion, the attackers logged into the domain controller (DC) machine using the same admin account and\r\nmaintained access, collecting and exfiltrating information, as well as monitoring the victim's network for a few weeks.\r\nInstalling a service to exfiltrate stolen data (Image: Sophos)\r\nThey also installed surveillance software on around 5% of all machines on the network (roughly 200 computers), which also\r\nallowed for remote access making it possible to maintain persistence on the compromised network even if the compromised\r\nAzure server would've been taken down.\r\n\"The threat actors have also innovated their crime in another important way: one piece of malware used in the Snatch attacks\r\nis capable of, and has been, stealing vast amounts of information from the target organizations,\" Sophos adds.\r\nThe group behind it has also been observed while dropping a series of other tools including Process Hacker, IObit\r\nUninstaller, PowerTool, and PsExec that would also help them disable security tools on devices they compromise.\r\nDropping the Snatch ransomware component payload on the compromised network happens following a seemingly random\r\ntimeline, in some cases taking just a few days while in others it can take weeks.\r\nhttps://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nPage 3 of 5\n\nSnatch ransomware ransom note sample\r\nDisabling anti-malware solutions and encrypting devices\r\nTo take advantage of anti-malware solutions not loading in Safe Mode, the Snatch ransomware component installs itself as a\r\nWindows service dubbed SuperBackupMan capable of running in Safe Mode that can't be stopped or paused, and then force\r\nrestarts the compromised machine.\r\nAfter the device enters Windows Safe Mode, Snatch ransomware will delete \"all the Volume Shadow Copies on the system\"\r\nas the researchers discovered, preventing \"forensic recovery of the files encrypted by the ransomware.\"\r\nIn the next stage, the malware will start encrypting its victims' files, with the attackers now being sure that recovery without\r\npayment is impossible.\r\nThe researchers made a video demo showing one of the Snatch ransomware samples rebooting an infected system and\r\nencrypting files once the Windows Safe Mode is loaded.\r\nSorry\r\nThis video does not exist.\r\nCoveware, a company specialized in intermediating ransomware negotiations, told Sophos that they negotiated with the\r\nSnatch team \"on 12 occasions between July and October on behalf of their clients\" with the ransom demands ranging\r\nbetween $2,000 to $35,000 worth of bitcoins, going up over those four months.\r\nTo avoid getting breached and infected with Snatch ransomware, companies are advised by Sophos not to expose RDP\r\nservices to the Internet or protect them by using a VPN.\r\nhttps://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nPage 4 of 5\n\nSince the group behind this ransomware is also actively looking for affiliates with access to exposed VNC and TeamViewer\r\nendpoints, as well as with experience in SQL server hacking and deploying/using web shells, exposing this type of services\r\ncould also expose potential victims to attacks.\r\nLast but least, Sophos recommends organizations to use multifactor authentication (MFA) for protecting administrator\r\naccounts to prevent brute force attacks.\r\nAn extensive list of indicators of compromise (IOCs) including malware sample hashes, exfiltration server addresses,\r\ncommands used in the attacks, and more, are available here.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nhttps://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/" ], "report_names": [ "snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441464, "ts_updated_at": 1775791469, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/691ea9b248e30bc7bc581d748d1ee70aac79ebc6.pdf", "text": "https://archive.orkl.eu/691ea9b248e30bc7bc581d748d1ee70aac79ebc6.txt", "img": "https://archive.orkl.eu/691ea9b248e30bc7bc581d748d1ee70aac79ebc6.jpg" } }