Snatch ransomware reboots PCs in Windows Safe Mode to bypass antivirus apps
Credit:
Twitter
The authors of the Snatch ransomware are using a never-before-seen trick to bypass antivirus software and encrypt victims' files without being detected.
The trick relies on rebooting an infected computer into Safe Mode, and running the ransomware's file encryption process from there.
The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system. However, the Snatch crew discovered that they could use a Windows registry key to schedule a Windows service to start in Safe Mode. This service would run their ransomware in Safe Mode without the risk of being detected by antivirus software, and having its encryption process stopped.