Snatch is a ransomware that infects victims by rebooting the PC into Safe Mode. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
import "pe"

rule snatch_ransomware_x3_loader {
    meta:
        description = "snatch-ransomware - file x3.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-17"
        hash1 = "b9e4299239880961a88875e1265db0ec62a8c4ad6baf7a5de6f02ff4c31fcdb1"
    strings:
        $s1 = "jd4ob7162ns.dll" wide fullword
        $s2 = "kb05987631s.dll" wide fullword
        $s3 = "fw0a53482aa.dll" wide fullword
        $s4 = "C:\\Builds\\TP\\rtl\\common\\TypInfo.pas" wide fullword
        $s5 = "C:\\Builds\\TP\\rtl\\sys\\SysUtils.pas" wide fullword
        $s6 = "C:\\Builds\\TP\\rtl\\common\\Classes.pas" wide fullword
        $s7 = "/K schtasks /Create /RU SYSTEM /SC DAILY /ST 00:00 /TN \"Regular Idle Maintenance\" /TR \"" wide fullword
        $s8 = "/K schtasks /Create /RU SYSTEM /SC ONSTART /TN \"Regular Idle Maintenances\" /TR \"" wide fullword
        $s9 = "RootP0C" ascii fullword
        $s10 = "Component already destroyed: " wide fullword
        $s11 = "Stream write error The specified file was not found2Length of Strings and Objects arrays must be equal#''%s'' is not a valid int" wide
        $s12 = "PPackageTypeInfo$\"@" ascii fullword
        $s13 = "PositionP0C" ascii fullword
        $s14 = "DesignInfoP0C" ascii fullword
        $s15 = "OwnerP0C" ascii fullword
        $s16 = "3\"4\\4~4" ascii fullword
        $s17 = "TComponentClassP0C" ascii fullword
        $s18 = ":$:2:6:L:\\:l:t:x:|:" ascii fullword
        $s19 = ":P:T:X:\\:t:" ascii fullword
        $s20 = ":,:<:@:L:T:X:\\:`:d:h:l:p:t:x:|:" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 900KB and (pe.imphash() == "d6136298ea7484a715d40720221233be" or 8 of them)
}

rule snatch_ransomware_safe_go_ransomware {
    meta:
        description = "snatch-ransomware - file safe.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/"
        date = "2020-06-17"
        hash1 = "3160b4308dd9434ebb99e5747ec90d63722a640d329384b1ed536b59352dace6"
    strings:
        $s1 = "dumpcb" ascii fullword
        $s2 = "dfmaftpgc" ascii fullword
        $s3 = "ngtrunw" ascii fullword
        $s4 = "_dumpV" ascii fullword
        $s5 = ".dll3u^" ascii fullword
        $s6 = "D0s[Host#\"0" ascii fullword
        $s7 = "CPUIRC32D,OPg" ascii fullword
        $s8 = "WSAGetOv" ascii fullword
        $s9 = "Head9iuA" ascii fullword
        $s10 = "SpyL]ZIo" ascii fullword
        $s11 = "cmpbody" ascii fullword
        $s12 = "necwnamep" ascii fullword
        $s13 = "ZonK+ pW" ascii fullword
        $s14 = "printabl" ascii fullword
        $s15 = "atomicn" ascii fullword
        $s16 = "powrprof" ascii fullword
        $s17 = "recdvoc" ascii fullword
        $s18 = "nopqrsx" ascii fullword
        $s19 = "ghijklm" ascii fullword
        $s20 = "spdelta" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 8000KB and (pe.imphash() == "6ed4f5f04d62b18d96b26d6db7c18840" or 8 of them)
}
```

Ransom note:

> Hello! All your files are encrypted and only we can decrypt them. We have downloaded more that 500GB of sensitive data from your company servers. Contact us: [redacted] or [redacted] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. Do not edit or delete any virtual machines files To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.
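A host-side hunt for the persistence artifacts that the x3.exe rule strings reveal ($s7/$s8 create scheduled tasks named "Regular Idle Maintenance" and "Regular Idle Maintenances" running as SYSTEM), as an added PowerShell example that is not part of the ransomware.live page or the DFIR Report rule. It assumes the Safe Mode reboot the description mentions is configured through the BCD `safeboot` element (the page does not say how), and the `bcdedit` check needs an elevated prompt.

```powershell
# Added example: hunt for Snatch-style persistence and Safe Mode boot configuration.
# Task names are taken from strings $s7/$s8 of the x3.exe YARA rule above.
# Assumption (not stated on the page): Safe Mode is set via the BCD "safeboot" element.
function Find-SnatchArtifacts {
    $findings = @()

    # 1. Scheduled tasks whose names match those embedded in the loader.
    $taskNames = @('Regular Idle Maintenance', 'Regular Idle Maintenances')
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        if ($taskNames -contains $task.TaskName) {
            # Record what the task runs and as whom (the loader requests SYSTEM).
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $task.TaskName
                Detail = "RunAs=$($task.Principal.UserId) Actions=$actions"
            }
        }
    }

    # 2. A "safeboot" element on the current boot entry means the next reboot
    #    lands in Safe Mode, where most security tooling does not start.
    $bcd  = bcdedit /enum '{current}' 2>$null
    $safe = @($bcd | Where-Object { $_ -match '^\s*safeboot\s+' })
    if ($safe.Count -gt 0) {
        $findings += [pscustomobject]@{
            Type   = 'BootConfig'
            Name   = 'safeboot'
            Detail = ($safe -join '; ').Trim()
        }
    }

    return $findings
}

# Run from an elevated PowerShell session; an empty table means nothing was found.
Find-SnatchArtifacts | Format-Table -AutoSize
```

A hit on either artifact is a triage lead, not proof of infection: confirm the task action's target binary with the YARA rules above before acting on it.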
Grupo Promerica is a group of financial institutions linked through the holding company PROMERICA FINANCIAL CORP (PFC), which is led by a multinational team of bankers with specific knowledge of the economic and financial activities carried out in each of
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Banco Promerica | CR | Financial Services | — | 13 Jan 2024 |
The leak-site (.onion) addresses are known but are neither published nor linked here. Only public metadata is shown.