Snatch Ransomware

The group operating Snatch targets exposed Microsoft Azure servers in opportunistic attacks to deliver the tool. Once a server is identified, they attempt to brute-force it over Remote Desktop Services in order to obtain administrative credentials.

The group then logs into the target network's domain controller with these credentials and monitors the network for several weeks. Snatch is then dropped, along with a number of other tools, on any systems connected to the network.

Once downloaded, Snatch installs itself as a Windows Safe Mode service called 'SuperBackupMan' in order to bypass anti-malware and security services, before forcing a restart of the affected system.

Snatch then attempts to remove or disable any recovery services and delete any backups, before encrypting all non-system files using an unknown algorithm.
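Services that start in Safe Mode are registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network), which is where a 'SuperBackupMan' entry would land. The following is an added defender-side example, not code from this post or from SophosLabs: it parses a `reg export` of the SafeBoot key and reports any service or driver name that is not in a known-good baseline. The export text and the baseline are constructed sample data for a hypothetical host; a real baseline should come from a reference machine of the same Windows build.

```python
"""Added example: flag unexpected Safe Mode (SafeBoot) service registrations.

Input is the text of a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot.
The export and baseline below are constructed sample data, not a real capture.
"""
import re
from typing import Dict, List, Set

# Constructed sample export (hypothetical host), in the format produced by:
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" safeboot.reg
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SuperBackupMan]
@="Service"
"""

# Constructed baseline of entries expected on the hypothetical build. In practice,
# export the key from a known-good machine of the same Windows version.
BASELINE: Dict[str, Set[str]] = {
    "Minimal": {"EventLog", "RpcSs", "vga.sys"},
    "Network": {"EventLog", "RpcSs", "vga.sys"},
}

# Matches the subkey line for one entry, e.g. [...\SafeBoot\Minimal\SuperBackupMan]
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]\\]+)\]\s*$",
    re.IGNORECASE,
)
# The default value of each subkey is "Service" or "Driver".
DEFAULT_VALUE_RE = re.compile(r'^@="([^"]*)"\s*$')


def parse_safeboot_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"Minimal": {name: kind}, "Network": {name: kind}} from a .reg export."""
    entries: Dict[str, Dict[str, str]] = {"Minimal": {}, "Network": {}}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            section = m.group(1).capitalize()  # normalise case of Minimal/Network
            current = (section, m.group(2))
            entries[section].setdefault(m.group(2), "")
            continue
        if current:
            v = DEFAULT_VALUE_RE.match(line.strip())
            if v:
                entries[current[0]][current[1]] = v.group(1)
    return entries


def unexpected_safeboot_entries(text: str, baseline=BASELINE) -> List[str]:
    """Entries in the export that are not in the baseline, as 'Section\\Name (kind)'."""
    findings: List[str] = []
    for section, names in parse_safeboot_export(text).items():
        allowed = {b.lower() for b in baseline.get(section, set())}
        for name, kind in sorted(names.items()):
            if name.lower() not in allowed:
                findings.append(f"{section}\\{name} ({kind or 'unknown'})")
    return findings


if __name__ == "__main__":
    for finding in unexpected_safeboot_entries(SAMPLE_REG_EXPORT):
        print("unexpected SafeBoot entry:", finding)
```

Because the check is a diff against a baseline rather than a lookup of one known name, it also surfaces a renamed service registered the same way; any entry it reports should be compared with the service's binary path and signer before being treated as benign.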

SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated.

Indicators of Compromise

URL

mydatassuperhero[.]com
mydatasuperhero[.]com
snatch24uldhpwrm[.]onion
snatch6brk4nfczg[.]onion

IP Addresses

185[.]61[.]149[.]242
193[.]188[.]22[.]25
193[.]188[.]22[.]26
193[.]188[.]22[.]29
37[.]59[.]146[.]180
45[.]147[.]228[.]91
67[.]211[.]209[.]151
91[.]218[.]114[.]11
91[.]218[.]114[.]25
91[.]218[.]114[.]26
91[.]218[.]114[.]31
91[.]218[.]114[.]32
91[.]218[.]114[.]37
91[.]218[.]114[.]38
91[.]218[.]114[.]4
91[.]218[.]114[.]77
91[.]218[.]114[.]79
94[.]140[.]125[.]150

SHA-256

0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb
28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184
329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa
36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4
5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb
63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940
78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852
80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4
8c9fab558b3e9e21936a91422d9e2666f210c5fd7d9b0fd08d2353adb64a4c00
ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1
ae9cdbb717625506ed0df7af153dc2741395655aeb1da2f91079e3ea616af6a1
c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6
d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33
d22b46ea682838e0b98bc6a1e36fd04f0672fe889c03d227cdeb5dcc5d76ae7c
e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d
ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a
eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56
fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
