The authors of the Snatch ransomware are using a never-before-seen trick to bypass antivirus software and encrypt victims’ files without being detected.
The trick relies on rebooting an infected computer into Safe Mode, and running the ransomware’s file encryption process from there.
The reason for this step is that most antivirus software does not start in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system.
However, the Snatch crew discovered that they could use a Windows registry key to schedule a Windows service to start in Safe Mode.
