SNATCH
Snatch is a Windows ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018. It is notable for rebooting infected systems into Safe Mode before encrypting files, a technique intended to evade endpoint security products that may not run in Safe Mode. Sophos reported that the malware is written in Go, packed with UPX, supports Windows 7 through Windows 10 in both 32-bit and 64-bit variants, and installs itself as a Windows service named "SuperBackupMan" with the description "This service make backup copy every day." It creates the SafeBoot registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan with its default value set to "Service" (which permits the service to start during a Safe Mode boot), uses bcdedit.exe to force a Safe Mode reboot, and after the reboot uses net.exe to stop its own service and vssadmin.exe to delete Volume Shadow Copies before encrypting local files. Encrypted files receive a pseudorandom five-character alphanumeric extension, and ransom notes were observed with names such as README_ABCDE_FILES.txt or DECRYPT_ABCDE_DATA.txt. Earlier ransom notes used the email address imBoristheBlade@protonmail.com.
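The Safe Mode chain above (SafeBoot registry write, bcdedit safeboot setting, net stop of the service after reboot, shadow-copy deletion) is a sequence a defender can correlate per host rather than alerting on any single command. The following is an added example written for this page; it is not code from Sophos, Mallory, or the Snatch operators. It runs over constructed Sysmon-style events (field names are an assumption loosely modelled on Sysmon Event ID 1 and 13), scores the distinct chain steps seen on each host inside a sliding window, and alerts only when the combined score crosses a threshold, so a lone administrator running bcdedit does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events, not real telemetry. Event ID 1 = process
# creation, Event ID 13 = registry value set. The field names (host, ts, id,
# image, cmdline, target, details) are assumptions modelled loosely on Sysmon.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2019-11-01T02:10:07", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan\(Default)",
     "details": "Service"},
    {"host": "WS01", "ts": "2019-11-01T02:10:09", "id": 1,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "WS01", "ts": "2019-11-01T02:11:40", "id": 1,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop SuperBackupMan"},
    {"host": "WS01", "ts": "2019-11-01T02:11:45", "id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # An admin testing a Safe Mode boot on another host: bcdedit plus a service
    # stop, but no SafeBoot registry write and no shadow-copy deletion.
    {"host": "ADMIN02", "ts": "2019-11-01T09:00:00", "id": 1,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"host": "ADMIN02", "ts": "2019-11-01T09:05:00", "id": 1,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
]

# One rule per step of the chain.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
BCDEDIT_SAFEBOOT = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+(minimal|network)\b", re.I)
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
NET_STOP = re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)

# Weights are an assumption for this example: shadow-copy deletion is the
# strongest single signal, and no single step reaches the threshold alone.
WEIGHTS = {"safeboot_registry": 2, "bcdedit_safeboot": 2, "vssadmin_delete": 3, "net_stop": 1}
THRESHOLD = 5


def classify(event):
    """Map one event to the chain step it matches, or None."""
    if event["id"] == 13 and SAFEBOOT_KEY.search(event.get("target", "")):
        return "safeboot_registry"
    if event["id"] != 1:
        return None
    cmd = event.get("cmdline", "")
    if BCDEDIT_SAFEBOOT.search(cmd):
        return "bcdedit_safeboot"
    if VSS_DELETE.search(cmd):
        return "vssadmin_delete"
    if NET_STOP.search(cmd):
        return "net_stop"
    return None


def detect(events, window=timedelta(minutes=30)):
    """Score each host over a sliding window of matched chain steps.

    Returns {host: (score, tuple_of_steps)} for hosts whose best window
    reaches THRESHOLD. Each step counts once per window, so repeating one
    noisy command cannot inflate the score.
    """
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        step = classify(ev)
        if step:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), step))
    alerts = {}
    for host, steps in hits.items():
        best = (0, ())
        for i, (start, _) in enumerate(steps):
            in_window = {s for ts, s in steps[i:] if ts - start <= window}
            score = sum(WEIGHTS[s] for s in in_window)
            if score > best[0]:
                best = (score, tuple(sorted(in_window)))
        if best[0] >= THRESHOLD:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, (score, steps) in detect(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} steps={', '.join(steps)}")
```

On the constructed input only WS01 alerts (all four steps, score 8); ADMIN02 stays at 3. In a real deployment the SafeBoot registry rule should be baselined against the entries Windows itself maintains under that key, and the window should match how long the reboot takes in your environment, since the net stop and vssadmin steps occur only after the host comes back up in Safe Mode.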
Snatch operators have used double extortion, stealing data and threatening to publish it in addition to encrypting systems. Reporting describes Snatch as one of the earlier ransomware operations to combine data theft with publication threats, and FBI/CISA issued a joint advisory on the Snatch RaaS operation, its TTPs, mitigations, and IOCs. The operators refer to themselves as "Snatch Team," and Sophos linked recruitment activity on Russian-language criminal forums to a user named BulletToothTony, who sought affiliates with access via RDP, VNC, TeamViewer, web shells, and SQL injection.
Observed intrusions were associated primarily with brute-forced internet-exposed RDP access, followed by days or weeks of reconnaissance, credential theft, lateral movement, surveillance, and data exfiltration before ransomware deployment. In one investigated case, attackers brute-forced an administrator account on a Microsoft Azure server, pivoted to a domain controller, and deployed surveillance tooling to about 200 machines. Tools observed in Snatch-related activity included Cobalt Strike, PsExec, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool, and a suspected custom exfiltration tool named Update_Collector.exe. Sophos also reported collection of WMIC system and user data, process lists, authorized user lists, and LSASS memory contents.
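Because the intrusions described above began with brute-forced, internet-exposed RDP and were followed by weeks of quiet reconnaissance, the cheapest detection point is the logon stream itself. The following is an added example, not code from any of the vendors cited on this page: it correlates constructed Windows Security records (Event ID 4625 failed logon and 4624 successful logon, LogonType 10 for RDP; the simplified field names are an assumption) and reports account/source pairs where a burst of failures is followed by a success, as well as bursts that have not yet succeeded.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _failures(account, src, start, count, step_s=10):
    """Build `count` constructed 4625 records from one source, spaced step_s apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(), "id": 4625,
             "account": account, "src": src, "type": 10} for i in range(count)]


# Constructed Windows Security log records, not real data. Event ID 4625 =
# failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive
# (RDP). Field names are an assumption, simplified from the real schema.
SAMPLE_LOGONS = (
    # Password guessing against "admin" that ends in a successful RDP logon.
    _failures("admin", "198.51.100.7", "2019-10-20T03:00:00", 6)
    + [{"ts": "2019-10-20T03:01:05", "id": 4624, "account": "admin",
        "src": "198.51.100.7", "type": 10}]
    # A user who mistypes once and then logs in: not an attack.
    + [{"ts": "2019-10-20T08:30:00", "id": 4625, "account": "jdoe",
        "src": "10.0.0.5", "type": 10},
       {"ts": "2019-10-20T08:30:20", "id": 4624, "account": "jdoe",
        "src": "10.0.0.5", "type": 10}]
    # Guessing against a service account that has not (yet) succeeded.
    + _failures("svc_backup", "203.0.113.9", "2019-10-20T04:00:00", 5)
)


def detect_rdp_brute_force(records, min_failures=5, window=timedelta(minutes=10)):
    """Correlate RDP logon failures with the success that follows them.

    Returns {"compromised": [...], "attempted": [...]}: "compromised" holds
    (account, source) pairs with at least min_failures failed RDP logons
    inside `window` followed by a successful RDP logon from the same source;
    "attempted" holds pairs that reached the threshold without a success,
    which still warrants blocking the source and checking the account.
    """
    pending = defaultdict(list)  # (account, src) -> failure timestamps
    compromised, attempted = [], []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["type"] != 10:
            continue  # only RemoteInteractive logons matter for this rule
        key = (rec["account"], rec["src"])
        ts = datetime.fromisoformat(rec["ts"])
        if rec["id"] == 4625:
            pending[key].append(ts)
        elif rec["id"] == 4624:
            # A success closes the sequence; only failures inside the window count.
            recent = [t for t in pending.pop(key, []) if ts - t <= window]
            if len(recent) >= min_failures:
                compromised.append({"account": key[0], "src": key[1],
                                    "failures": len(recent), "success_at": rec["ts"]})
    for (account, src), stamps in pending.items():
        recent = [t for t in stamps if stamps[-1] - t <= window]
        if len(recent) >= min_failures:
            attempted.append({"account": account, "src": src, "failures": len(recent)})
    return {"compromised": compromised, "attempted": attempted}


if __name__ == "__main__":
    result = detect_rdp_brute_force(SAMPLE_LOGONS)
    for hit in result["compromised"]:
        print(f"likely compromise: {hit['account']} from {hit['src']} "
              f"after {hit['failures']} failures at {hit['success_at']}")
    for hit in result["attempted"]:
        print(f"brute force in progress: {hit['account']} from {hit['src']}")
```

On the constructed input the admin account from 198.51.100.7 is reported as compromised after six failures, svc_backup from 203.0.113.9 as an attempt in progress, and jdoe's single typo produces nothing. The compromised list is the one to act on first: a success after a burst of failures is the point where the reconnaissance phase described above begins.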
Snatch has also been observed as a secondary payload delivered by TA505 campaigns via the Get2 downloader in 2019. Separate reporting lists SNATCH among the malware families observed using Namecoin .bit domains for C2 infrastructure. Reported victimology spans multiple sectors and countries, with related opportunistic attacks reported in the United States, Canada, and several European countries. Coveware reported negotiating with Snatch operators 12 times between July and October of one reporting period, with ransom demands ranging from $2,000 to $35,000 in Bitcoin. Snatch is also listed among ransomware variants associated with re-extortion behavior, and underground discussion by a Snatch RaaS operator following the LockBit disruption has been noted.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Get2 was, in turn, observed downloading FlawedGrace, FlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads.
The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (1 technique)
Persistence (5 techniques)
Using the Azure server as a foothold, the attackers leveraged that administrator’s account to log into a domain controller (DC) machine on the same network, and then performed surveillance tasks on the target’s network over the course of several weeks.
Snatch runs itself in an elevated permissions mode, sets registry keys that instructs Windows to run it following a Safe Mode reboot...
Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks...
Privilege Escalation (2 techniques)
Stealth (3 techniques)
The samples we’ve seen are also packed with the open source packer UPX to obfuscate their contents.
Defense Impairment (1 technique)
Credential Access (3 techniques)
Discovery (4 techniques)
The attackers query the list of users authorized to log in on the box, and write the results to a file.
The attackers also installed a free Windows utility called Advanced Port Scanner and used that tool to discover additional machines on the network they could target.
Lateral Movement (4 techniques)
The attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP).
Command and Control (1 technique)
Exfiltration (1 technique)
Impact (4 techniques)
The ransomware then begins encrypting documents on the infected machine’s local hard drive.
When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service... net stop SuperBackupMan
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Mentioned as ransomware that forces the system to reboot into Safe Mode and runs while abusing the state in which AV/EDR does not fully operate.
Windows ransomware written in Go that installs itself as a service, forces the host to reboot into Safe Mode to evade endpoint protections, deletes shadow copies, encrypts local files, and uses associated tooling for surveillance and data theft/exfiltration.
Snatch is a ransomware-as-a-service (RaaS) operation known for encrypting files and demanding ransom payments. It has been observed targeting organizations across various sectors and is notable for its use of techniques such as rebooting infected systems into Safe Mode to evade detection by security software.
A ransomware-as-a-service operation mentioned as reacting to the LockBit disruption and recognizing similar operational risk.