The latest ransomware called Snatch is trying to reboot machines in order to get into safe mode to evade malware tools.  It’s one of multiple components of a malware constellation being used in carefully orchestrated attacks that also feature rampant data collection.

Some other ransomware recently noticed include: AdGholas, Cerber, DNSChanger, Stegano, Stegoloadr (aka ‘Lurk’). Some other classes include: Sundown, SyncCrypt, TeslaCrypt, Vawtrak (aka ‘Neverquest’), VeryMal, Zbot and ZeroT. Steganography is increasingly being used by miscreants.

This Snatch malware was first spotted some 12 months ago but it has been modified several times since. The attacks come from aggressive spamming which trick people into downloading malicious programs.

The Snatch malware also copies files from networks and other locations to remote command and control servers. It’s not completely know what the miscreants are seeking.

Snatch’s operators appear to have been active since the summer of 2018, according to Microsoft’s security bulletins – however, the Safe Mode aspect is a newly added feature.

In an incident in October, the attackers brute-forced the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP). From there, Snatch spread other executables, designed to give the attackers remote access without having to rely on the compromised Azure server, to 200 machines, or roughly 5 percent of the computers on the company’s internal network.

Snatch seems to attack with a ransomware attack some weeks after its initial introduction.

Windows Defender and Malwarebytes seem to be able to clean up risks quickly. Other tools I have tested are not as effective.