Malware, Deepfakes, Snatch … the threats keep coming

December 12th, 2019 by Stephen Jones

Over the last decade, malware has exploded from a casual, semi-amateur landscape into highly organised criminal operations capable of generating hundreds of millions of US dollars per year. Malware strains like Necurs, Andromeda, Kelihos, Mirai and ZeroAccess made a name for themselves after infecting millions of devices across the globe.

The next couple of years will bring a new range of threats that will take tech security far beyond its traditional boundaries and will require a whole new set of skills and alliances. One example: tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m.

There’s the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely. But there’s also the risk that deepfakes could be added to the toolkits used by phishing gangs. There have already been a few cases of crooks using AI tools to fake the voices of CEOs to trick workers into transferring money to their accounts. The next step would be to create a convincing video of an executive asking for an emergency funds transfer.

If employees are regularly tricked into handing money over to fraudsters on the strength of a bogus email (and they still are), imagine how easy it would be to be fooled by a deepfaked video chat with the CEO instead?

The Internet of Things will greatly increase the number of devices and applications that security teams have to protect. That’s hard for teams used to protecting just PCs and servers: they now have to worry about everything from smart air-conditioning units and vending machines in the canteen right through to power plants and industrial machinery.

A new threat has arisen with Snatch ransomware, which uses a new trick to bypass antivirus software and encrypt victims’ files without being detected: it reboots the infected computer into Safe Mode and runs the ransomware’s file encryption process there. The reason this works is that most antivirus software does not start in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system. Snatch uses a Windows registry key to schedule a Windows service to start in Safe Mode. This service will run the ransomware in Safe Mode without the risk of being detected by antivirus software and having its encryption process stopped. Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of most endpoint security tools. Devious and evil!

The Safe Mode trick was discovered by the incident response team at Sophos Labs, who were called in to investigate a ransomware infection in the past few weeks. Its research team says this is a big deal, and a trick that could be rapidly adopted by other ransomware.

Snatch never targeted home users and was not spread by the mass-distribution methods, like email spam campaigns or browser-based exploit kits, that get a lot of attention from cyber-security firms. Snatch targets a small list of carefully selected companies and public or government organizations. This type of targeting and methodology is known in the cyber-security field as “big-game hunting” and is a strategy that has been widely adopted by multiple ransomware gangs.
The idea behind big-game hunting is that instead of going after the small ransom fees malware authors can extract from home users, crooks go after large corporations and government organizations, from which they can demand ransom fees that are hundreds of thousands of times bigger.
Ransomware like Ryuk, SamSam, Matrix, BitPaymer and LockerGoga are big-game hunters.

The group buys its way into a company’s network. Researchers tracked down ads the Snatch team has posted on hacking forums to recruit partners for their scheme. According to a translation of the ad, the Snatch team was “looking for affiliate partners with access to RDP\VNC\TeamViewer\WebShell\SQL inj [SQL injection] in corporate networks, stores and other companies.” The Snatch team will buy access to a hacked network, or work with another hacker to breach a desired company. Once in, they rarely install the ransomware and encrypt files right away. Instead, the Snatch team bide their time and slowly escalate access to internal domain controllers, from where they spread to as many computers on the internal network as possible. To do this, the Snatch crew use legitimate sysadmin tools and penetration testing toolkits such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool and PsExec. Since these are common tools, most antivirus products fail to raise any alarms.

Once the Snatch gang has all the access it needs, it adds the registry key and Windows service that starts Snatch in Safe Mode on all infected hosts and forces a reboot of all workstations, a reboot that begins the file encryption process. Unlike most ransomware gangs, who are primarily focused on encrypting files and asking for ransoms, the Snatch crew also engage in data theft. This makes Snatch unique and highly dangerous: companies also stand to lose from their data being sold or leaked online at a later date, even if they pay the ransom fee and decrypt their files. This type of behaviour makes Snatch one of today’s most dangerous ransomware strains.
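The Safe Mode persistence described above (and in the earlier paragraph on the trick) is something a defender can audit for. Here is an added example, not from this post or from Sophos, that parses a `reg export` of the Windows SafeBoot keys and flags entries missing from a baseline; it assumes the standard `SafeBoot\Minimal` and `SafeBoot\Network` keys are the mechanism used, and the baseline and sample export are constructed for illustration.

```python
import re

# Subkeys here decide what Windows loads in Safe Mode (Minimal / Network profiles).
SAFEBOOT_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed, deliberately partial baseline; a real audit diffs against a golden
# export taken from a known-good build of the same Windows version.
BASELINE = {("Minimal", "vga.sys"), ("Minimal", "EventLog"), ("Network", "Dhcp")}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")        # [HKEY_...\SafeBoot\Minimal\name]
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"')  # @="Driver" or @="Service"

def parse_reg_export(text):
    """Return {(profile, name): default value} for every SafeBoot entry in a .reg dump."""
    entries, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current, path = None, key.group(1)
            if path.lower().startswith(SAFEBOOT_PREFIX.lower() + "\\"):
                parts = path[len(SAFEBOOT_PREFIX) + 1:].split("\\")
                if len(parts) == 2:  # exactly SafeBoot\<profile>\<entry>
                    current = (parts[0], parts[1])
                    entries.setdefault(current, "")
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current is not None:
            entries[current] = value.group(1)
    return entries

def find_suspicious(entries):
    """Entries absent from the baseline; a "Service" entry is the pattern Snatch relies on."""
    findings = []
    for (profile, name), kind in sorted(entries.items()):
        if (profile, name) not in BASELINE:
            severity = "HIGH" if kind.lower() == "service" else "REVIEW"
            findings.append((severity, profile, name, kind))
    return findings

# Constructed sample export (real `reg export` output is UTF-16LE; decode it first).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NewDrv]
@="Driver"
"""
```

Run `find_suspicious(parse_reg_export(SAMPLE_EXPORT))` on a real export collected from each host; the constructed `UpdSvc` entry comes back as HIGH because an unknown service, rather than a driver, has been registered to run in Safe Mode.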

Combing a company’s internal network for files to steal takes time, which is one reason why Snatch has not claimed as many victims as other “big-game hunting” strains and gangs. The number of Snatch victims is very small. The only known public case of a Snatch ransomware infection is SmarterASP.NET, a web hosting company that boasted of having around 440,000 customers.

Secure ports and services that are exposed to the internet with either strong passwords or multi-factor authentication. Snatch may also get in via VNC, TeamViewer or SQL injection, so securing a company’s network against these attack points is also a must.

Ask us about our security solutions.
