Snatch Ransomware
The group operating Snatch target exposed Microsoft Azure servers in opportunistic attacks to deliver the tool. Once identified, they will attempt to brute-force the vulnerable servers over Remote Desktop Services in order to obtain administrative credentials.
The group then logs into the target network’s domain controller using these credentials, where they will then monitor the network for several weeks. Snatch is then dropped, along with a number of other tools, on any systems connected to the network.
Once downloaded, Snatch will install itself as a Windows Safe Mode service called ‘SuperBackupMan’ in order to bypass anti-malware and security services, before force restarting the affected system.
Snatch then attempts to remove or disable any recovery services and delete any backups, before encrypting all non-system files using an unknown algorithm.
SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated
Indicators of Compromise
URL
| mydatassuperhero[.]com |
| mydatasuperhero[.]com |
| snatch24uldhpwrm[.]onion |
| snatch6brk4nfczg[.]onion |
IP Addresses
| 185[.]61[.]149[.]242 |
| 193[.]188[.]22[.]25 |
| 193[.]188[.]22[.]26 |
| 193[.]188[.]22[.]29 |
| 37[.]59[.]146[.]180 |
| 45[.]147[.]228[.]91 |
| 67[.]211[.]209[.]151 |
| 91[.]218[.]114[.]11 |
| 91[.]218[.]114[.]25 |
| 91[.]218[.]114[.]26 |
| 91[.]218[.]114[.]31 |
| 91[.]218[.]114[.]32 |
| 91[.]218[.]114[.]37 |
| 91[.]218[.]114[.]38 |
| 91[.]218[.]114[.]4 |
| 91[.]218[.]114[.]77 |
| 91[.]218[.]114[.]79 |
| 94[.]140[.]125[.]150 |
SHA-256
| 0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb |
| 28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184 |
| 329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa |
| 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4 |
| 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4 |
| 5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb |
| 63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940 |
| 78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852 |
| 80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4 |
| 8c9fab558b3e9e21936a91422d9e2666f210c5fd7d9b0fd08d2353adb64a4c00 |
| ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1 |
| ae9cdbb717625506ed0df7af153dc2741395655aeb1da2f91079e3ea616af6a1 |
| c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6 |
| d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33 |
| d22b46ea682838e0b98bc6a1e36fd04f0672fe889c03d227cdeb5dcc5d76ae7c |
| e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d |
| ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a |
| eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56 |
| fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb |
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.