Latest News Latest News

Update Windows 10 Immediately to Patch a Flaw Discovered by the NSA

After Adobe today releases its first Patch Tuesday updates for 2020, Microsoft has now also published its January security advisories warning billions of users of 49 new vulnerabilities in its various products.

Read More...

Adobe Releases First 2020 Patch Tuesday Software Updates

Adobe today released software updates to patch a total of 9 new security vulnerabilities in two of its widely used applications, Adobe Experience Manager and Adobe Illustrator. It's the first...

Read More...

Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw

Drupal development team yesterday released important security updates for its widely used open-source content management software that addresses a critical and three "moderately critical" vulnerabilities in its core system.

Read More...

Latest Microsoft Update Patches New Windows 0-Day Under Active Attack

With its latest and last Patch Tuesday for 2019, Microsoft is warning billions of its users of a new Windows zero-day vulnerability that attackers are actively exploiting in the wild in combination with a Chrome exploit to take remote control over vulnerable computers.

Read More...

Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

Cybersecurity researchers have spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims' files to avoid antivirus detection.

Read More...

Avast and AVG Browser Extensions Spying On Chrome and Firefox Users

If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible; Avast Online Security, AVG Online Security,Avast SafePrice and AVG SafePrice.

Read More...

Malicious Android SDKs Caught Accessing Facebook and Twitter Users Data

Two third-party software development kits integrated by over hundreds of thousands of Android apps have been caught holding unauthorized access to users' data associated with their connected social media accounts.

Read More...

First Cyber Attack 'Mass Exploiting' BlueKeep RDP Flaw Spotted in the Wild

Cybersecurity researchers have spotted a new cyberattack that is believed to be the very first but an amateur attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass compromise vulnerable systems for cryptocurrency mining.

Read More...

Mysterious malware that re-installs itself infected over 45,000 Android Phones

Over the past few months, hundreds of Android users have been complaining online of a new piece of mysterious malware that hides on the infected devices and can reportedly reinstall itself even after users delete it, or factory reset their devices.

Read More...

New PHP Flaw Could Let Attackers Hack Sites Running On Nginx Servers

If you're running any PHP based website on NGINX server and have PHP-FPM feature enabled for better performance, then beware of a newly disclosed vulnerability that could allow unauthorized attackers to hack your website server remotely.

Read More...

Most Viewed News Most Viewed News

Back

Snatch Ransomware Reboots Windows in Safe Mode to Bypass Antivirus

Cybersecurity researchers have spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims' files to avoid antivirus detection.

Unlike traditional malware, the new Snatch ransomware chooses to run in Safe Mode because in the diagnostic mode Windows operating system starts with a minimal set of drivers and services without loading most of the third-party startup programs, including antivirus software.

Snatch has been active since at least the summer of 2018, but SophosLabs researchers spotted the Safe Mode enhancement to this ransomware strain only in recent cyber attacks against various entities they investigated.

"SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process," the researchers say.

"The ransomware, which calls itself Snatch, sets itself up as a service [called SuperBackupMan with the help of Windows registry] that will run during a Safe Mode boot."

"When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware."

What makes Snatch different and dangerous from others is that in addition to ransomware, it's also a data stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the target organizations.

Though Snatch is written in Go, a programming language known for cross-platform app development, the authors have designed this ransomware to run only on the Windows platform.

"Snatch can run on most common versions of Windows, from 7 through 10, in 32- and 64-bit versions. The samples we've seen are also packed with the open source packer UPX to obfuscate their contents," the researchers say.

Besides this, the attackers behind Snatch ransomware also offer partnership opportunities to other cybercriminals and rogue employees who possess credentials and backdoors into large organizations and can exploit it to deploy the ransomware.

As shown in the screenshot taken from an underground forum, one of the group members posted an offer "looking for affiliate partners with access to RDP \ VNC \ TeamViewer \ WebShell \ SQL injection in corporate networks, stores, and other companies."

Using brute-forced or stolen credentials, attackers first gain access to the company's internal network and then run several legitimate system administrators and penetration testing tools to compromise devices within the same network without raising any red flag.

"We also found a range of otherwise legitimate tools that have been adopted by criminals installed on machines within the target's network, including Process Hacker, IObit Uninstaller, PowerTool, and PsExec. The attackers typically use them to try to disable AV products," the researchers say.

Coveware, a company that specializes in extortion negotiations between attackers and ransomware victims, told Sophos that they negotiated with the Snatch criminals "on 12 occasions between July and October 2019 on behalf of their clients" with the ransom payments ranging between $2,000 to $35,000 in bitcoins.

To prevent ransomware attacks, organizations are recommended not to expose their critical services and secure ports to the public Internet, and if required, secure them using a strong password with multi-factor authentication.


Values Values

  • Trustworthiness
  • Innovation
  • Scientific
  • Democracy
  • Synergy
  • Saving