Snatch ransomware encrypts files and manages to avoid antivirus detection

Snatch: ransomware encrypts files and manages to avoid detection by antivirus. Find out more about its operation

By Heimdall: In its operations, the Snatch ransomware has affected organizations of many types and from the most varied sectors. The group has apparently been active for approximately 5 years since it was first identified, and its attacks show specific characteristics, such as the use of a specific Windows service name and restarting the machine in Safe Mode to encrypt data.

In view of this, we present a summary of the group's history, an understanding of the attacks carried out, its modus operandi, its TTPs according to MITRE ATT&CK and other relevant details, such as an analysis of the malware it uses.

About Snatch Ransomware

According to records, the Snatch ransomware first appeared in 2018 and initially operated as a form of Ransomware-as-a-Service (RaaS). In 2019, it allegedly claimed its first victim in the US.

Originally, the group was known as Team Truniger, a nickname derived from an important member called Truniger. This individual acted as an affiliate of GandCrab. The actors behind Snatch use a customized ransomware variant, notable for restarting devices in Safe Mode. This allows the ransomware to avoid detection by antivirus or endpoint protection and then encrypt files while few services are running.

As for the etymology of the name, the term "Snatch" is associated with the movie "Snatch" (2000). The ransom note contains the e-mail address imBoristheBlade@protonmail.com, which refers to the character in the movie named Boris Yurinov, nicknamed Boris "The Blade" or Boris "The Bullet-Dodger".

Boris, a character from the movie

One of the first variants was identified in February 2019; it displayed different contact e-mails and appended the extension ".FileSlack" to the files after encrypting them.

Ransom note template of the first variants

Over time, the group added .onion sites so that victims could access them and start negotiating the payment. This approach allows the group of attackers to maintain greater anonymity and make it difficult to trace the transactions. It is a common tactic in ransomware operations, where criminals seek to obtain ransoms in cryptocurrencies, such as Bitcoin, to release victims' encrypted files. The negotiation takes place through these hidden sites on the Tor network (The Onion Router).

Snatch website presented
File decryption test function

In this variant, the ransomware changed the name of the PC to ABCDE, as shown in another photo.

In addition, messages were identified on an underground forum from the persona "BulletToothTony", who published various types of advertisements. The name of this persona also comes from the film "Snatch".

Possible persona identified in underground forums

As of December 2019, the Snatch ransomware began rebooting the PC to evade antivirus software and encrypt files. In addition, the Snatch ransomware component is installed as a Windows service called "SuperBackupMan", which can run reliably in Safe Mode.

Service installed by SuperBackupMan

The following key is written to the registry:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service

It is worth noting that SuperBackupMan cannot be stopped or paused by the user while it is running. The malware then forces the computer to restart in Safe Mode, so that antivirus programs are disabled, and encrypts the files.

After the PC reboots into Windows Safe Mode, the malware deletes all volume shadow copies so that the files cannot be recovered once they have been encrypted.

In the next step, Snatch starts encrypting the files; it runs on Windows 7, 8 and 10 computers (x86 and x64). After this last documented event in the group's history, the Safe Mode reboot behaviour, no new evidence was found to add to its story.

In September 2023, the FBI and CISA published an alert about the ransomware group, sharing information about its operations; that information is covered below.

CISA and FBI Operation Report on Snatch Ransomware

The alert explains that Snatch threat actors have been observed purchasing data previously stolen by other ransomware variants, in an attempt to further pressure victims into paying a ransom to prevent their data from being posted on the Snatch extortion blog.

One observation made by the FBI is that, since November 2021, the extortion site operating under the name Snatch has served as a clearing house for data exfiltrated or stolen from companies, on both the clearnet and Tor. In August 2023, individuals claiming to be associated with the blog gave an interview to the media, claiming that the blog was not associated with the Snatch ransomware and that "none of our targets have been attacked by Snatch ransomware...", despite several confirmed Snatch victims appearing on the blog, along with victims associated with other ransomware groups, notably Nokoyawa and Conti.

Home page of the Snatch Ransomware group on the Tor network

It's worth noting that the owners of the aforementioned site have claimed to have "nothing to do" with the Snatch ransomware project that emerged in 2019 and existed for around 2 years.

These statements were collected by DataBreaches.net; the operators claimed that Snatch Ransomware and "Security Notification Attachment" were different projects, that theirs had started approximately a year earlier (at the time of the interview), and that this was stated on their websites. The group said it should be referred to not as Snatch Ransomware but as Snatch Team.

As a result, little reliable information is available on this ransomware group.

Malware analysis

The ISH Malware Analysis team gained access to the potentially malicious artifact extracted from a security incident involving a ransomware attack on an architecture and urban planning company, identified by the indicators below:

Malware indicators of compromise

Analysis of the artifact showed that this variant was written in the Go (Golang) programming language and compiled for 64-bit architectures, with a size of 4.5 MB (4,695,552 bytes).

Executable's PE header information

Static analysis of the file showed that it carries a Go build ID embedded in the executable, visible as the string:

Go build ID: "8G4DFSWsaKldkqmLUlue/sDX85TNDTybU_g7kqpMP/W1tefjYSczGjxhDBK2X4/nL6QH1oHX9GVW0rQgGie" 

String identified in ASCII text

Among the Windows API functions this executable uses are WriteFile, which writes data to files, and CreateFile, which opens or creates them; both manipulate files in the operating system.

Since static analysis yielded only a few types of data, we proceeded to dynamic analysis of the artifact in order to understand its real behaviour in relation to the operating system.

During execution of this artifact, the creation of batch (.bat) files was observed; each executes specific functions and tasks in the operating system. These files have the following contents:

Contents of the file querying initialization information

The ransomware also creates the folder in the path:

C:\$SysReset

This first file queries the system's boot information, i.e. it checks the instructions the operating system uses to boot.

Contents of the file creating a service called bRWukSamSs

This file creates a service using Windows sc.exe. It sets the service name to "bRWukSamSs", specifies the path of the ransomware executable and, finally, the name displayed in the service management interface, with automatic start-up: "Manages the security information of the wDaUSBfy user account".

The artifact's main goal is to alter the operating system's normal startup, which includes changing the registry by adding values with:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS" /VE /T REG_SZ /F /D Service
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bRWukSamSs" /VE /T REG_SZ /F /D Service

Finally, after dropping further .bat files, it runs the Windows program bcdedit.exe to configure the next boot as Safe Mode and then forces the operating system to reboot, both via commands in a batch file (.bat):

bcdedit.exe /set {current} safeboot minimal
shutdown /r /f /t 00

In other words, the shutdown command is invoked with the parameters /r (restart), /f (force, which terminates any running programs/processes) and /t (time, the number of seconds to wait before restarting; here 00).

When the computer comes back up, this time in Safe Mode, the malware uses the Windows "net.exe" component to stop the service it created and then uses the Windows vssadmin.exe component to delete all "Shadow Copies" on the system, which ultimately prevents recovery of the encrypted files.

net stop bRWukSamSs
vssadmin delete shadows /all /quiet

After that, the process of encrypting the files begins, just like any other type of Ransomware.
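The chain just described (service creation, SafeBoot\Minimal registry entries, bcdedit and shutdown, then shadow-copy deletion) can be detected from process-creation telemetry. The following Python is an added example, not part of the original report or of ISH's tooling: it classifies command lines into the stages of that chain and alerts per host only when the SafeBoot persistence step appears together with other stages, since a lone bcdedit or vssadmin call also occurs in legitimate maintenance. The event records, host names and time window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, epoch seconds, command line) modelled on this report's commands; not real telemetry.
EVENTS = [
    ("WS01", 1000, 'sc create bRWukSamSs binPath= "C:\\Users\\Public\\update.exe" start= auto'),
    ("WS01", 1002, 'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\VSS" /VE /T REG_SZ /F /D Service'),
    ("WS01", 1003, 'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\bRWukSamSs" /VE /T REG_SZ /F /D Service'),
    ("WS01", 1005, "bcdedit.exe /set {current} safeboot minimal"),
    ("WS01", 1006, "shutdown /r /f /t 00"),
    ("WS01", 1091, "vssadmin delete shadows /all /quiet"),
    ("ADMIN7", 2000, "bcdedit.exe /set {current} safeboot minimal"),  # lone technician use: no alert
]

# One pattern per stage of the Safe Mode chain; matching is case-insensitive.
STAGES = {
    "service_created": re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.I),
    "safeboot_service_added": re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\control'
        r'\\safeboot\\minimal\\([^"\s]+)"?.*?/d\s+service', re.I),
    "safeboot_armed": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+safeboot\s+minimal", re.I),
    "forced_reboot": re.compile(r"\bshutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I),
    "shadow_copies_deleted": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
}

def classify(cmdline):
    """Return the set of chain stages that one command line matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}

def safeboot_services(events):
    """Names registered under SafeBoot\\Minimal, i.e. services allowed to start in Safe Mode."""
    rx = STAGES["safeboot_service_added"]
    return sorted({m.group(1) for _, _, cmd in events if (m := rx.search(cmd))})

def correlate(events, window=900, min_stages=3):
    """Alert per host when the SafeBoot persistence step occurs with at least
    min_stages distinct stages inside `window` seconds (chain, not single command)."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        hits[host].extend((ts, stage) for stage in classify(cmd))
    alerts = []
    for host, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            stages = {s for ts, s in items[i:] if ts - start <= window}
            if "safeboot_service_added" in stages and len(stages) >= min_stages:
                alerts.append((host, start, tuple(sorted(stages))))
                break  # one alert per host is enough here
    return alerts
```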

Therefore, we can conclude that the artifact is indeed ransomware from the Snatch family, developed and compiled in Go, targeting 64-bit operating systems. It creates several .bat files on the operating system, which are listed in the Indicators of Compromise section of this report.

No network traffic was sent or received; the executable acted only on the host where it was run.

After encrypting the data, it creates ransom notes related to the attack:

Snatch Ransomware Ransom Note

In addition to the details mentioned, other commands were identified during the incidents, such as:

wmiadap.exe /F /T /R
%windir%\System32\svchost.exe -k WerSvcGroup
conhost.exe 0xFFFFFF -ForceV1
vssadmin delete shadows /all /quiet
bcdedit.exe /set {current} safeboot minimal
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
%CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320"
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -flag-switches-begin -flag-switches-end -no-startup-window /prefetch:5
cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi.

Links and details


  • Bitcoin wallets:

1NeXSHC2apVSiabH2QqxWLMqv2K7Z7usBX

13TvbUKYEAqwu3FP7RDu8vZhVucmUg9Zxy

  • Websites:

hxxp://mydatassuperhero.com

hxxp://snatch6brk4nfczg.onion

hxxp://snatchh5ssxiorrn.onion

hxxp://krismalt.tk

TTPs - MITRE ATT&CK

Tactic | Technique | Details
Reconnaissance (TA0043) | Gather Victim Network Information (T1590) | Snatch threat actors collect information about the victim's networks that can be used during targeting.
Resource Development (TA0042) | Acquire Infrastructure: Virtual Private Server (T1583.003) | Snatch actors rent virtual private servers (VPSs) for use during targeting. They acquire infrastructure from VPS providers known for keeping minimal logs, allowing more anonymous acquisition of infrastructure.
Initial Access (TA0001) | Valid Accounts (T1078) | The actors use compromised user credentials from criminal forums/marketplaces to gain access to and maintain persistence on the victim's network.
Initial Access (TA0001) | External Remote Services (T1133) | Snatch actors exploit RDP weaknesses to brute-force administrator credentials for the victim organization's network, and use VPN services to connect to the victim's network.
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Snatch actors use batch files (.bat) during ransomware execution and data discovery.
Execution (TA0002) | System Services: Service Execution (T1569.002) | Snatch actors use various Windows tools, such as "sc.exe", to enumerate systems on the victim's network.
Persistence (TA0003) | Valid Accounts: Domain Accounts (T1078.002) | Snatch actors compromise domain accounts to maintain persistence on the victim's network.
Defense Evasion (TA0004) | Masquerading (T1036) | Snatch actors make the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.
Defense Evasion (TA0004) | Indicator Removal: File Deletion (T1070.004) | Snatch actors delete batch files from the victim's file system as soon as execution is complete.
Defense Evasion (TA0004) | Modify Registry (T1112) | Threat actors modify Windows Registry keys to aid persistence and execution.
Defense Evasion (TA0004) | Impair Defenses: Disable or Modify Tools (T1562.001) | The threat actors attempted to disable the system's antivirus program to allow the ransomware to persist and run.
Defense Evasion (TA0004) | Impair Defenses: Safe Mode Boot (T1562.009) | The actors abused Windows Safe Mode to bypass detection by antivirus or endpoint protection and encrypt files when few services are running.
Credential Access (TA0006) | Brute Force: Password Guessing (T1110.001) | Snatch actors use brute force to obtain administrator credentials for the victim's network.
Discovery (TA0007) | Query Registry (T1012) | Actors interact with the Windows Registry to collect information about the system configuration and installed software.
Discovery (TA0007) | Process Discovery (T1057) | Threat actors seek information about the processes running on a system.
Lateral Movement (TA0008) | Remote Services: Remote Desktop Protocol (T1021.001) | Threat actors use valid accounts to log into a computer using the Remote Desktop Protocol.
Collection (TA0009) | Data from Local System (T1005) | Threat actors search systems to find files and folders of interest before exfiltration.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Threat actors establish connections over port 443 to blend C2 traffic with other web traffic.
Exfiltration (TA0010) | Exfiltration (TA0010) | Snatch actors use exfiltration techniques to steal data from the victim's network.
Impact (TA0040) | Data Encrypted for Impact (T1486) | Threat actors encrypt data on the target system or on a large number of systems in a network to disrupt the availability of system and network resources.
Impact (TA0040) | Inhibit System Recovery (T1490) | Snatch threat actors delete all volume shadow copies of the victim's file system to inhibit system recovery.
MITRE ATT&CK table

References

  • Heimdall by ISH Tecnologia
  • FBI and CISA report on Snatch ransomware, published September 2023
