Malware that Manipulates Safe Mode to Take Over Corporate Networks

There are times when you may be instructed to reboot in safe mode to remove malware from your computer. The reason for this is that safe mode only boots in drivers that will allow Windows or other operating systems to run at a minimal level. It will not boot in the drivers for third party software or those that support malware. For this reason, malware that cannot be removed in normal mode can be eradicated. This removal can be done without using antivirus programs. In some cases, it must be done without using antivirus programs because those programs are also third party software programs that will not run in safe mode. If you want, you can install antivirus programs while in safe mode, but they don’t, by default, operate here.

However, some operating systems, like Windows, will allow its built in firewall protection to run in safe mode but only if you choose the “Safe Mode with Networking” option when booting up. If this option is not chosen, (if you choose the regular safe mode) and you are connected to a network, you are vulnerable to an attack. In other words, safe mode is not really so safe.

Malware that you seemingly remove in regular mode will sometimes reappear with the next boot. This means that it has probably worked its way into your registry and registry surgery will be necessary. If this doesn’t work, the boot sector or even the kernel could be infected. Rootkits will infect the computer in such a way that the malware they deploy will be undetectable by your antivirus programs. They are too well-hidden to be removed by normal means and some believe if a computer is controlled in this way, it is simply better to reinstall the operating system. Rootkits employ malware that allows remote hackers to take full control of your computer. With administrative rights, they will simply adjust any antivirus programs to overlook the malware that’s been installed.

Recently, new ransomware has appeared on the scene that uses the fact that safe mode doesn’t have access to antivirus programs. In order to bypass antivirus detection, Snatch ransomware forces a reboot into safe mode before it encrypts files. Once in safe mode, it searches for a process called vssadmin.exe. This is the program that helps restore files in case some problem occurs. Obviously, the ransomware developers don’t want the victim to have the ability to restore files, so the malware will destroy any backups that it finds.

Because of its vulnerability, some writers have suggested deleting the vssadmin.exe file entirely, since it is rarely used. This, of course, means it won’t be available if you find yourself in need of file restoration at some point. So, to get around this, there are ways to rename the file. For those interested, the information for doing this is given here. I wouldn’t suggest this for the average user. However, if you feel you have a network that may be targeted by such ransomware, renaming or removing this file is something to consider.

How dangerous is this ransomware? SophosLabs, the firm which analyzed it gives this warning.

“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users.”

 So, yes, this appears to be a serious threat, even more so because of the victims it targets.

Snatch malware apparently targets large corporations which use Microsoft Azure’s cloud service. The malware attempts to breach the corporate account on the server through a brute force password attack. It then uses this as a platform to launch attacks on the company. Once within the corporate network, the malware quietly gathers data and sends it on to the C2 server. At some point, the attackers don’t need to rely on the Azure server as they have enough information to access the corporate data directly.

The attackers use a number of free tools to help in their attack. They use port scanners to detect vulnerable machines on the network; machines that can be accessed remotely. They use other tools to disable antivirus programs.

Collecting money from a ransomware attack does not appear to be the hackers’ main objective. In fact, this appears to be an attack to gather data. The ransomware attack only begins after all the desired data has been acquired. As a parting shot, the malware downloads the ransomware package. This malware uses the BCEdit tool to change the boot configuration so that the infected machine will boot in safe mode then forces a reboot, triggering the ransomware which encrypts all the files on the hard drive. It will then send the victim this typical ransom note.


SophosLabs does not go into details about those behind the attack. They do show evidence that the team has been recruiting partners through Russian websites.

russia recruit

This M.O. seems familiar. It is similar to the Jokeroo ransomware-as-a-service (RaaS) that appeared last May (see my post on this here). Russian hacking teams are loose affiliates. They often work together to accomplish certain tasks. They may be paid a percentage of whatever money they make on a particular breach. It is also common for certain hackers or private hacking teams to work for the Russian government. For agreeing to help the government, they may be allowed to continue their criminal activities without interference. These latest hacks seem to indicate such government involvement.

The Snatch Team searches for data first. It is not clear what happens next. Some investigators think that they may ask the breached company for a ransom even before they encrypt the files. They may threaten to make the stolen data public unless they are paid. This they have done in the past, posting the data on publicly accessible deep web sites. Others believe the use of these drop sites is simply a way to show the breached company they actually have their data. The idea is that the company may then be more amenable to negotiate for a ransom. But that was in the old days. It now appears that they are going directly to file encryption and a ransomware request.

However, even if they decrypt the files, they would still have time to make copies of all the files they have stolen and map the breached network down to all of its endpoints. Such data may be of little value to private hackers who are mainly interested in making money, but it may prove to be a treasure trove to the Russian government. It’s a win-win situation for both sides.

Take just one example. Recently, Russian hackers have been hacking cities and towns across North America. (see my post on this here). They may, in fact, be doing this with the blessings or even the assistance of the Russian government. If they can breach and map a city government’s network, they may be able to work through it to find connections to U.S. government agencies. Government hacking teams may be able to exploit municipal-U.S. government affiliations to do such things as influence elections or affect policy decisions. Depending on how far they could work their way into the U.S. government networks, the possibilities are, in fact, endless.

Keep in mind that these criminals take advantage of two cybersecurity weaknesses. First of all, they depend on a corporation or organization’s blind trust in the safety of cloud storage or other cloud services. Remember, the cloud is nothing more than a server. Secondly, these attackers need a vulnerable endpoint, normally, with ports open to remote access (RDP or Remote Desktop Protocol). And, finally, they need an irresponsible employee who can be tricked into downloading a file or clicking on a weaponized link, yet another reason companies need to take the time to institute the best available endpoint protection. Real good protection, will stop attacks before they even begin and will operate while in safe mode. Here is a chart from ransomware fee negotiator, Coveware, which shows that endpoints are the main targets.


Although Snatch malware is in its early stages of deployment, it has already claimed a few high profile victims. If the Russian government is working with the Snatch team, the success rate will be much higher. In addition, their M.O. indicates they may not be averse to attempting to recruit employees in targeted corporations and agencies. Those employees in the banking and health sector are especially vulnerable, while the Russian government would be more likely to try recruiting employees from companies or organizations with U.S. government affiliations. And another word of advice for those in these sectors: Be careful who you hire.






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s