OpenBCM V1.07b11 (WIN32)

Packet Radio Mailbox

DBO595

[LAU JN59RM]

 Login: GAST





  

HB1PMS > TECH     29.02.20 20:42l 70 Lines 3028 Bytes #999 (0) @ WW
BID : 2287HB1PMS
Read: GAST
Subj: New Snatch Ransomware Variant Avoids Detection Usi
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200229/1606Z 8604@HB1BBS.ZL.NLD.EU BPQ6.0.19

From: HB1PMS@HB1BBS.ZL.NLD.EU

New Snatch Ransomware Variant Avoids Detection Using Safe Mode
Researchers have spotted a new variant of the Snatch ransomware that avoids 
antivirus detection by rebooting machines to Safe Mode.
This ransomware is believed to be active at least from the 2018 summer, but 
the Safe Mode enhancement appears to be a recently added feature.
The backdrop

While investigating a series of ransomware attacks, researchers from Sophos 
Labs spotted this new variant of the Snatch ransomware.

This technique of forcing the Windows machines to reboot into Safe Mode is 
possibly a way to skip endpoint protection.
In Safe Mode, most software, including security software, doesn't run, and 
the ransomware begins to encrypt the hard drives in the infected system.
“SophosLabs feels that the severity of the risk posed by ransomware which 
runs in Safe Mode cannot be overstated, and that we needed to publish this 
information as a warning to the rest of the security industry, as well as to 
end users,” said the researchers.

Technical details

This malware, which is written in the Go programming language, cannot run 
under multiple operating systems.

The malware contains a ransomware component, a data stealer component, along 
with several publicly available tools.
The attacks involving this malware are usually of the ‘active automated 
attack model’ type. This means brute force attacks are launched against 
vulnerable networks, and then the penetration happens.
Detecting and preventing attacks

Most of the attacks involving this malware were observed to be on networks 
that allowed uninhibited access for several days. Security experts recommend 
monitoring networks and periodically hunting for threats.

To prevent this ransomware from impacting your network, here are a few 
things you may want to do:

Organizations must implement multifactor authentication, especially for 
those accounts with more privileges.
Vulnerabilities must be regularly scanned for and patched as soon as 
possible.
As much as possible, organizations must prevent exposing their Remote 
Desktop interface to the unprotected internet.

73 Henk.

======================================================================
  _    _ ____  __ ____  ____   _____ 
 | |  | |  _ \/_ |  _ \|  _ \ / ____|  SYS: Henk (hb1nos@hb1bbs.com)
 | |__| | |_) || | |_) | |_) | (___    QTH: Ouwerkerk - JO11XO
 |  __  |  _ < | |  _ <|  _ < \___ \   BBS: HB1BBS.ZLD.NLD.EU
 | |  | | |_) || | |_) | |_) |____) |  QRV: 27.235 MHz (FM 1200bps)
 |_|  |_|____/ |_|____/|____/|_____/   WEB: www.hb1bbs.com

======================================================================

** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93  

======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed Saturday 29 February 2020  17:05 West Europe (standard time)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU
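The post above describes the technique (reboot into Safe Mode so that endpoint protection does not start) and the countermeasures (MFA, patching, no Remote Desktop on the open internet) but gives nothing an administrator can actually run. The script below is an added example, not code from the original message or from Sophos. It is a read-only hunt for two things: anything a Windows host is configured to start in Safe Mode whose binary does not live in the Windows directory, plus a boot configuration that has already been told to come up in Safe Mode; and how reachable Remote Desktop is on the host. It assumes (the post does not say how the reboot is forced) that an attacker uses the two places Windows itself consults, the `SafeBoot\Minimal` / `SafeBoot\Network` registry profiles and the `bcdedit` `safeboot` option, and that "binary outside the Windows directory" is a useful heuristic for a foreign entry. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post or from Sophos): read-only hunt for
# Safe Mode persistence and for Remote Desktop exposure on a Windows host.
# Assumption: the attacker relies on the SafeBoot registry profiles and on the
# bcdedit "safeboot" option, which are what Windows itself uses for Safe Mode.

# Every service or driver that Windows will start in Safe Mode is listed under
# SafeBoot\Minimal (plain Safe Mode) or SafeBoot\Network (with networking).
# Stock entries differ between builds, so instead of a hard-coded allowlist this
# flags entries whose service binary sits outside the Windows directory (heuristic).
function Get-SafeBootEntries {
    $rows = @()
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $name  = $sub.PSChildName        # service name, or a device-class GUID
            $svc   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
            $image = if ($svc) { [string]$svc.ImagePath } else { '' }
            # Forms Windows uses for its own components; anything else deserves a look.
            $inWindowsDir = $image -match '^\s*"?(%SystemRoot%|\\SystemRoot\\|System32\\|[A-Za-z]:\\Windows\\)'
            $rows += [pscustomobject]@{
                Profile    = $mode
                Entry      = $name
                Kind       = (Get-ItemProperty $sub.PSPath).'(default)'   # "Service" or "Driver"
                ImagePath  = $image
                Suspicious = ($image -ne '' -and -not $inWindowsDir)
            }
        }
    }
    $rows
}

# A "safeboot" option on the current boot-loader object means the next restart
# comes up in Safe Mode whether or not anyone is at the keyboard.
function Get-SafeBootFlag {
    $lines = & bcdedit /enum '{current}' 2>$null
    foreach ($l in $lines) {
        if ($l -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }   # e.g. minimal / network
    }
    return $null
}

# The post's third recommendation: is Remote Desktop on, is Network Level
# Authentication enforced, and which enabled inbound allow rules open the RDP
# port, from which remote addresses.
function Test-RdpExposure {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains ([string]$tcp.PortNumber) } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)
        Port              = $tcp.PortNumber
        InboundAllowRules = @($rules)
    }
}

# Report.
$flag = Get-SafeBootFlag
if ($flag) { Write-Warning "bcdedit safeboot=$($flag): this host will boot into Safe Mode on its next restart" }
else       { Write-Host 'Boot configuration: no safeboot option set' }
Write-Host 'Safe Mode entries whose binary is outside the Windows directory:'
Get-SafeBootEntries | Where-Object Suspicious | Format-Table Profile, Entry, Kind, ImagePath -AutoSize
Test-RdpExposure | Format-List
```

Two caveats. A legitimate product (backup agents, some endpoint tools) may register itself under `SafeBoot` on purpose, so treat a hit as something to verify against the software inventory, not as proof of compromise. And the RDP check only sees the host's own firewall: whether TCP 3389 is reachable from the internet is decided at the edge (NAT rules, cloud security groups), so the "do not expose Remote Desktop" recommendation still has to be checked there as well.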




