During the last month, the LIFARS DFIR Team encountered several variants of Snatch Ransomware. This ransomware is known for its ability to reboot affected devices into Safe Mode, where most services and security tools are disabled. Then, in this weakened state, it encrypts user data.
We found multiple variants, both 32-bit and 64-bit binaries, written in Go and packed with the UPX packer. These Go binaries also contain obfuscated strings, so to accelerate the analysis we developed an IDAPython script for the IDA Pro Disassembler that automates string extraction and deobfuscation.
The Snatch ransomware is operated by the Snatch Team, which prepares unique samples tailored to each victim – the attackers can identify these samples and the corresponding decryption keys either by the victim name or by the extension of the encrypted files.
Download “Snatch Ransomware – Malware Analysis Case Study” to learn more