
Snatch ransomware reboots PCs in Windows Safe Mode to bypass antivirus


pps


Hello,

As far as I know, if you run the ESET uninstall tool in Safe Mode you can uninstall the agent and the endpoint.

If a zero-day ransomware reboots the PC into Safe Mode, is there any client setting that can be enabled to prevent the ransomware from uninstalling the endpoint security?

https://www.zdnet.com/article/snatch-ransomware-reboots-pcs-in-windows-safe-mode-to-bypass-antivirus-apps/

 

Thanks,

Peter


Off the top of my head, the best way to prevent this is to create a HIPS rule to monitor the running of shutdown.exe. Note that malware since the XP days has used this to force a reboot to run their nasty at boot time. As such, it would not surprise me if ESET already has a built-in HIPS rule to monitor the startup of shutdown.exe.


Also of note is that this malware uses bcdedit.exe to modify Windows startup settings. I have had an existing HIPS rule in place for some time to monitor its startup:

Quote

Using the BCDEDIT tool on Windows, it issues a command that sets up windows operating system to boot in Safe Mode, and then immediately forces a reboot of the infected computer.


bcdedit.exe /set {current} safeboot minimal
shutdown /r /f /t 00
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
Edited by itman

The Sophos article is a bit murky on how PsExec is being used.

From what is shown, it appears the attacker is running PsExec remotely after the reboot to Safe Mode to execute the ransomware. To accomplish this, both the psexecsvc.exe download and the creation of a service to run it would have had to be done prior to the reboot. I have an ESET HIPS rule in place to prevent this, but creating it was a bit tricky.

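The two posts above describe three observable steps: bcdedit.exe setting the safeboot value, shutdown.exe forcing a reboot, and the PsExec service binary (psexecsvc.exe) being staged beforehand. The script below is an added illustration of how a defender could turn those observations into detection logic over process-creation telemetry; it is not ESET's code, not part of this thread, and not a HIPS rule. The event fields, the ProcEvent class, the tag names and the constructed sample events are all assumptions made for the example, roughly modelled on the image / command-line / parent fields a Sysmon Event ID 1 or Windows 4688 record would carry.

```python
"""Detect the Safe Mode reboot pattern discussed in the thread.

Constructed process-creation events (not real logs) are tagged individually,
then a bcdedit safeboot change followed shortly by a forced reboot is raised
as a single correlated finding. Tag names and fields are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str       # HH:MM:SS, constructed for the example
    image: str    # full path of the created process
    cmdline: str  # full command line
    parent: str   # parent image path (kept for context in findings)


# Constructed sample events; the two bcdedit/shutdown lines mirror the
# commands quoted in the thread, the rest are benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("09:55:00", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /enum", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("09:58:00", r"C:\Windows\System32\shutdown.exe",
              "shutdown /s /t 0", r"C:\Windows\explorer.exe"),
    ProcEvent("10:00:40", r"C:\Windows\PSEXESVC.exe",
              "PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("10:01:02", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit.exe /set {current} safeboot minimal",
              r"C:\Users\admin\update.exe"),
    ProcEvent("10:01:03", r"C:\Windows\System32\shutdown.exe",
              "shutdown /r /f /t 00", r"C:\Users\admin\update.exe"),
]

SAFEBOOT = re.compile(r"\bsafeboot\b", re.I)


def _switches(cmdline: str) -> set[str]:
    """Lower-cased switch names; Windows tools accept both '/x' and '-x'."""
    return {t.lower().lstrip("/-") for t in cmdline.split() if t[:1] in "/-"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> set[str]:
    """Return the set of suspicious tags that apply to one event."""
    tags: set[str] = set()
    name, sw = _basename(ev.image), _switches(ev.cmdline)
    if name == "bcdedit.exe" and "set" in sw and SAFEBOOT.search(ev.cmdline):
        tags.add("bcd_safeboot")          # boot entry switched to Safe Mode
    if name == "shutdown.exe" and "r" in sw and "f" in sw:
        tags.add("forced_reboot")         # /r restart, /f force-close apps
    if name == "psexesvc.exe":
        tags.add("psexec_service")        # PsExec service binary started
    return tags


def _secs(ts: str) -> int:
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def correlate(events: list[ProcEvent], window_s: int = 120) -> list[dict]:
    """Per-event findings plus a chain finding when a safeboot change is
    followed by a forced reboot within window_s seconds."""
    tagged = [(e, classify(e)) for e in sorted(events, key=lambda e: _secs(e.ts))]
    findings = [{"ts": e.ts, "tag": t, "cmdline": e.cmdline, "parent": e.parent}
                for e, tags in tagged for t in sorted(tags)]
    for i, (e1, t1) in enumerate(tagged):
        if "bcd_safeboot" not in t1:
            continue
        for e2, t2 in tagged[i + 1:]:
            if _secs(e2.ts) - _secs(e1.ts) > window_s:
                break
            if "forced_reboot" in t2:
                findings.append({"ts": e2.ts, "tag": "safe_mode_reboot_chain",
                                 "cmdline": f"{e1.cmdline} -> {e2.cmdline}",
                                 "parent": e2.parent})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["ts"], f["tag"], f["cmdline"])
```

The benign samples show why the switch check matters: `bcdedit /enum` and `shutdown /s /t 0` are routine administration and produce no tag, while the correlated chain is what distinguishes this pattern from a lone forced reboot that a patch installer might legitimately trigger.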

I also forgot to post on the most important part of this ransomware attack:

Quote

Deciphering the Snatch attack

In one of the incidents, which targeted a large international company, the MTR team managed to obtain detailed logs from the targeted company that the ransomware had not been able to encrypt. The attackers initially accessed the company’s internal network by brute-forcing the password to an administrator’s account on a Microsoft Azure server, and were able to log in to the server using Remote Desktop (RDP).

All the organizations where these same files were found also were later discovered to have one or more computers with RDP exposed to the internet.

At this point, the attacker had admin privileges. Anything after this point is academic in terms of what the attacker could do.

Edited by itman

 

15 hours ago, itman said:

Off the top of my head, the best way to prevent this is to create a HIPS rule to monitor the running of shutdown.exe. Note that malware since the XP days has used this to force a reboot to run their nasty at boot time. As such, it would not surprise me if ESET already has a built-in HIPS rule to monitor the startup of shutdown.exe.

@Marcos, is there any official answer from ESET? Is there any built-in protection, or is there going to be one?


This topic is now closed to further replies.