From Security Weekly Wiki
Jump to navigationJump to search
2,406 bytes added ,  18:54, 10 December 2019
==Expert Commentary: Tyler Robinson ==
#[ Sophos Uncovers New Version of Snatch Ransomware]A New Variant of ransomware is using a novel but not NEW technique for safe mode EDR/AV evasion. new variant of ransomware is using a not new but still novel technique. The Snatch ransomware is using Safe Mode after reboot to bypass EDR and AV. This variant of Ransomware is continually getting new feature sets as well as buying initial access within corporations to begin infection, exfiltration, and lateral movement. Sophos Labs have released information regarding this new feature in a blog post and as part of their 2020 report. The ransomware uses a service that starts in Safe Mode and proceeds to encrypt the hard drive once it is rebooted. This often bypasses or limits many AV and EDR products allowing the ransomware to encrypt unimpeded.While this is nothing new, check out Episode 482 of Security Weekly. , this does show that ransomware and exploit kits are often updated and feature sets improved. Additionally, the initial access vector is being shown to often be bought or sold off, with man of the targets being attributed to bad security practices such as exposing RDP to the internet, poor passwords, and external services without MFA.So why is ransomware still such an issue in 2019? With AV/EDR, File monitoring and DLP catching so much more how are these places still having such widespread success? Not getting the fundamentals right! My prediction of 2019 still carries over to 2020, the gap between the security maturity of organizations will begin to become more apparent. Having some basics really setup correctly; good passwords, MFA on all external services, host-based firewalls blocking host to host SMB, endpoint logging (basics? Sysmon is free!), proper file share permission, basic network segmentation for servers and services.So Snatch and it’s new feature-set is pretty novel but I see this as just another variant of ransomware so keep up working on the list of fundamentals and don’t worry so much about locking down safe mode. This may not be as dangerous for corps due to network protections hopefully (hahah) and much of the really important data should be on a network share that is backed-up and typically not mounted during safe mode.
<!-- [[File:AdamGordon.jpg|thumb|right|<center>[ Adam Gordon] is an Edutainer at [ ITProTV].</center>]] -->


Navigation menu