Snatch is a ransomware family first observed in early 2019 being offered as Ransomware-as-a-Service (RaaS) by the actor “BulletToothTony.” The actor indicated that, unlike most RaaS offerings, it is deployed through targeted network intrusion rather than traditional malicious spam (‘malspam’) or phishing.
The ransomware's most distinctive behaviour is that, before encrypting the contents of the drive, it reboots the system into Safe Mode. In Safe Mode, Windows starts only a minimal set of services and drivers, so most third-party services, including many endpoint security products, are not running by default, allowing the malware to encrypt with little interference.
The malware also deletes volume shadow copies in order to inhibit recovery from local snapshots.
Snatch has further been observed with an added data theft module, which suggests the author intends to use the threat of disclosure to further coerce victims into paying the ransom.
Observed ransom notes have taken the form “RESTORE_[five_character_random_string]_FILES.txt”.
As the ransomware is offered as Ransomware-as-a-Service (RaaS), targeting depends on the affiliate purchasing the service.
The malware has been observed being delivered using the following method:
- Post-Exploitation – this delivery method requires that the actor first gain access to the affected network or system by other means. Once access is established, additional tools are downloaded from external sources. Snatch has been observed being deployed following RDP brute-force attacks.
Snatch has been observed establishing persistence by creating a new service named SuperBackupMan, along with a corresponding registry key (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan). Windows starts only the services and drivers listed under SafeBoot\Minimal when booting into Safe Mode, so this key ensures the service, and therefore the ransomware, runs after the Safe Mode reboot.
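The following PowerShell triage script is an added example for responders and is not part of the original page or of any Snatch analysis it draws on. It checks a host for the persistence described above (the SuperBackupMan service and its SafeBoot\Minimal key), enumerates every other service that has been registered to start in Safe Mode so that unknown entries stand out, and searches for ransom notes matching the RESTORE_[five_character_random_string]_FILES.txt naming pattern. The baseline file path and the search root are placeholders (assumptions); the Safe Mode baseline must be built from a clean reference host of the same Windows build before its output is trusted, and because the character set of the five-character random string is not specified above, the note regex accepts any five non-underscore characters.

```powershell
# Added triage script (not from the original page). Run elevated on the suspect host.
# Assumptions, labelled: $BaselinePath and the search root are placeholders; the
# baseline of expected Safe Mode entries must come from a clean reference host.

$SafeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

function Test-SnatchPersistence {
    # Direct check for the service/key pair named on the page.
    $svc = Get-Service -Name 'SuperBackupMan' -ErrorAction SilentlyContinue
    $keyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan'
    [pscustomobject]@{
        ServicePresent     = ($null -ne $svc)
        SafeBootKeyPresent = $keyPresent
        ServicePath        = if ($svc) { (Get-CimInstance Win32_Service -Filter "Name='SuperBackupMan'").PathName } else { $null }
    }
}

function Get-SafeBootServiceEntries {
    # Every subkey under SafeBoot\Minimal or \Network whose name matches a registered
    # service is started by Windows in Safe Mode. Subkeys that are drivers or device
    # class GUIDs have no matching service and are skipped; anything not in the
    # baseline is reported for review.
    param([string[]]$Baseline = @())
    foreach ($key in $SafeBootKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
            if ($null -ne $svc -and ($Baseline -notcontains $name)) {
                [pscustomobject]@{
                    SafeBootKey = $key
                    Entry       = $name
                    ServicePath = $svc.PathName
                    StartMode   = $svc.StartMode
                    State       = $svc.State
                }
            }
        }
    }
}

function Find-SnatchRansomNotes {
    # Ransom notes named RESTORE_<5 chars>_FILES.txt. The page does not give the
    # character set of the random string, so any five non-underscore characters match.
    param([string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Recurse -File -Filter 'RESTORE_*_FILES.txt' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^RESTORE_[^_]{5}_FILES\.txt$' } |
        Select-Object FullName, Length, LastWriteTime
}

# Placeholder baseline: one Safe Mode entry name per line, exported from a clean host.
$BaselinePath = 'C:\IR\safeboot-baseline.txt'
$Baseline = if (Test-Path $BaselinePath) { Get-Content $BaselinePath } else { @() }

Test-SnatchPersistence
Get-SafeBootServiceEntries -Baseline $Baseline | Format-Table -AutoSize
Find-SnatchRansomNotes -Root 'C:\Users' | Format-Table -AutoSize
```

If the baseline file is absent the script reports every service registered for Safe Mode, which is still useful: on a stock build the list is short, and a backup-sounding service with an executable outside the Windows directory is the kind of entry this technique leaves behind. A hit on the ransom note search should be paired with the service path, since the note names the infection and the service path names the binary to collect.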