The Snatch ransomware, also known as Snatch Team, has unveiled a new strategy to facilitate data encryption. Snatch, after breaking into the system, before starting the encryption, restarts the computer in safe mode. In this mode the system does not start most software, including security software.
But the ransomware is activated and can then freely encrypt and extract files, as well as move laterally through the company’s internal system in search of credentials with high access privileges.
The group uses brute force attack to break into the company’s systems, this brute force attack is automated so that it is done with more agility.
In a recent attack by the group, the ransomware forced entry to a Microsoft Azure server with the administrator’s account and password. After gaining access to the server, the ransomware spread throughout the system and installed itself on at least 200 machines and opened ports on those machines for remote access.
The ransomware was hidden on the network for several days harvesting sensitive information for the company and after that the files were encrypted paralysing the company’s operation.
This case is a clear example of how the double extortion tactic works, the groups that adhere to this tactic are not only interested in encrypting the company’s system. They can break into the system and only start encrypting the data many weeks later, during that time they can alter the backup routine, extract valuable information for the company.
Faced with a scenario as critical as this, when files are encrypted, backups have been modified and there is pressure for the stolen data to be leaked on the internet, and the ransom price easily reaching into the millions of dollars. Encrypted data recovery needs to be an option, perhaps the least disastrous option for the company.
We at Digital Recovery are used to working on highly complex cases where files have been totally or partially encrypted. We have exclusive technologies that have saved our clients millions of dollars by not paying the ransom demanded by criminals.
All our processes are unique and compliant with data protection laws (GDPR) and we also provide our clients with the confidentiality agreement (NDA).
From the first contact until the end of the process the client is accompanied by one of our specialists, this is so that the service is personalized, so that we can deal with the need of real of each client.
No matter which data storage device has been affected by ransomware, we at Digital Recovery can recover your files.