Snatch ransomware forces to boot the PC into Safe Mode to protect the encryption processAttackers use the admin’s account on the Microsoft Azure server to steal sensitive dataExecution of the crypto-malwareRansomware developers are searching for partnersSummaryMalware spreadSnatch ransomware removal guide

Furthermore, security researchers have spotted this ransomware appending a random string of five alphanumeric characters to the encrypted files and the ransom note. The characters are included into the name of the virus’ executable file and then replicated on other files. For example, if the ransomware’s exe file is named 12345x64.exe, then the extension will appear as .12345 and victims will receive README_12345_FILES.txt or DECRYPT_12345_DATA.txt ransom note. Snatch virus appears to have a similar ransom-demanding message to other ransomware-type infections, including DHARMA, MAZE, STOP/DJVU, PHOBOS, etc. The criminals confirm that the victim’s data has been encrypted and only they can unlock it. People are asked to refrain from renaming their files or any documents if they want to avoid data loss. Additionally, the crooks ask to contact them as soon as possible to arrange payment. According to the extortion negotiations company, Coveware, they have already dealt with 12 this ransomware cases between July and October. Companies were asked to pay from $2 000 to $35 000 as a ransom.

Attackers use the admin’s account on the Microsoft Azure server to steal sensitive data

Researchers have performed a thorough investigation of one of the attacks by a Snatch ransomware virus. They have discovered that cybercriminals accessed the targeted company’s internal network by using brute-force attacks on the administrator’s password to the Microsoft Azure server. Following that, they were able to log into the account through Remote Desktop (RDP) and exploit it to access the Domain Controller (DC) machine on the same network to perform task surveillance for several weeks. The investigation revealed that the attackers installed surveillance applications on over 200 devices operating in the same internal network and infiltrated several malware executables allowing them to access the machines remotely. Additionally, cybercriminals installed a free Windows tool, Advanced Port Scanner, to run some checks and identify other devices on the network that could be targeted by Snatch. Furthermore, experts at Sophos have discovered a malware, Update_Collector.exe, that is believed to be created by the same people as this ransomware. In fact, it helps to transfer the collected information during the surveillance to a remote Command and Control (C&C) server accessible only by the attackers. The crooks employ other legitimate tools to perform their malicious activity as well. That includes PsExec, IObit Uninstaller, Process Hacker, PowerTool, etc. Most of the mentioned applications are used to disable security software on targeted networks and devices.

Execution of the crypto-malware

At some point during the network hack, the crooks download ransomware executable on the attacked device to help encrypt personal information. The executable includes a unique victim’s ID, a random five-character string, and _pack.exe in its filename. Right before the execution, this malware extracts itself into the Windows folder with the same beginning of the filename just with a different ending — _unpack.exe. Following that, Snatch appears on the system as the Windows service under the name of SuperBackupMan. Criminals try to disguise the ransomware by including the service description that states “This service make backup copy every day”. Unfortunately, the malware cannot be stopped or interrupted by the user in any way. It modifies the Windows Registry keys to start up during the boot into Safe Mode and forces the computer to restart immediately. Right after the reboot, this cyber threat employs the vssadmin.exe Windows component to get rid of all Volume Shadow Copies from the PC to prevent backup data recovery, and then it starts encrypting files. While Snatch aims to lock private information, there is a list of locations that are not being encrypted during the process:

Ransomware developers are searching for partners

The attackers behind this malware, also known as Snatch Team, have been spotted searching for alliances online. A user with the name of BulletToothTony posted on one of the criminal boards that the Snatch Team is “Looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies” (translation from the Russian language). The same message goes by offering to train prospective people in ransomware execution and allow them to use the infrastructure of the threat. The user closes the post by stating that he is looking for partners to join their team — Russian speaking people only. Likewise, there is evidence that the ransomware originates from Russia. Yet, it targets companies in the United States, Canada, and multiple countries in Europe. Unfortunately, there is no other way to stop this malicious program and its developers rather than by refusing to pay the ransom and performing Snatch ransomware removal instead. Keep in mind that the crooks are only motivated to spread the infection if it generates profit. Thus, disobeying their demands by the majority of victims can actually stop the virus spread. The easiest way to remove Snatch ransomware virus from your system is by running a full system scan with RESTORO. This software can not only help you clean your system but also replace damaged Windows Registry keys and other corrupted files after the attack. Further instructions on the elimination are provided at the end of this article.

Summary

Malware spread

First, the attackers manage their way into the private networks, and then human-actions act as the main distribution source to spread the malware. That might include clicking on malicious spam emails that contain infected links. For example, if anyone on the private network clicks on the link and download ransomware, it has the ability to infect all other devices connected to the network. Therefore, people should be very careful when opening various email letters on corporate computers. In fact, they must refrain from opening suspicious messages or clicking on promotional content online. The best decision would be to have an active antivirus with real-time protection to help you avoid cyber threats.

Snatch ransomware removal guide

If this advanced cyber threat has reached your system, there is a strong risk that the entire network is exposed. Regular computer users do not have the necessary knowledge to deal with such attacks. Likewise, people should remove Snatch ransomware virus by using professional software or in-person help. You can install RESTORO to help your put malicious files into quarantine. Additionally, this security tool is designed to fix virus damage, including replacing corrupted Windows Registry keys and other in-built components. Further elimination guidelines are appended below. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Alternative software recommendations

Malwarebytes Anti-Malware

Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it: Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users Now, you can search for and remove Snatch ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.