Snatch groups have been active for a relatively long time; the first cases were reported in 2018. Like Matrix ransomware, Snatch uses a trick involving Windows Safe Mode and a privileged service. After infection, the ransomware creates a Windows service and, through certain registry keys, allows it to start even in Safe Mode. This service uses the ransomware executable as its binary, so every time the PC boots, the malware is launched. Safe Mode is used to prevent the anti-malware tools installed on the PC from starting.
Besides disabling third-party antivirus products in this way, Snatch ransomware also suspends Windows Defender by a well-known method: editing Group Policy. Moreover, to prevent any recovery attempts, the ransomware removes the Volume Shadow Copies and the backups created with built-in Windows functionality. Such behaviour is not new; the majority of ransomware variants targeting corporations do the same.
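A defender-side audit for the two techniques described above, added here as an example and not taken from the original article or from any Snatch sample: it lists every service allowed to start in Safe Mode (the SafeBoot registry keys) and checks the Group Policy value that disables Defender. The "binary outside %SystemRoot%" flag is an assumed triage heuristic, not a known Snatch indicator; legitimate third-party services can trip it too.

```powershell
# Enumerate services permitted to start in Safe Mode and flag unusual binaries.
# SafeBoot\Minimal and SafeBoot\Network are the standard Windows locations;
# each subkey's default value is "Service", "Driver" or "Driver Group".
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$findings = @()

foreach ($mode in 'Minimal', 'Network') {
    $modeKey = Join-Path $safeBootRoot $mode
    if (-not (Test-Path $modeKey)) { continue }

    foreach ($entry in Get-ChildItem $modeKey) {
        # Only entries registered as services are interesting here; driver groups are skipped.
        if ($entry.GetValue('') -ne 'Service') { continue }

        $name   = $entry.PSChildName
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) { continue }

        $imagePath = [string](Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }

        # Expand %SystemRoot% etc. and strip quotes/arguments to isolate the binary.
        # Heuristic: an unquoted path is cut at the first space.
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
        $binary   = if ($expanded.StartsWith('"')) { $expanded.Split('"')[1] }
                    else { $expanded.Split(' ')[0] }

        # Assumed heuristic: a rooted path outside the Windows directory is worth a look.
        $outsideSystemRoot = [IO.Path]::IsPathRooted($binary) -and
                             -not ($binary -like "$env:SystemRoot\*")

        $findings += [pscustomobject]@{
            SafeBootMode      = $mode
            Service           = $name
            Binary            = $binary
            OutsideSystemRoot = $outsideSystemRoot
        }
    }
}

$findings | Sort-Object OutsideSystemRoot -Descending | Format-Table -AutoSize

# Check the Group Policy value used to switch Defender off (a real policy key; 1 = disabled).
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $defenderPolicy) {
    $v = (Get-ItemProperty $defenderPolicy -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { Write-Warning 'DisableAntiSpyware policy is set: Defender is disabled by policy.' }
}
```

Run it from an elevated PowerShell on the host being triaged and compare the flagged services against a known-good baseline image.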
© ALL RIGHTS RESERVED TO DarkFeed 2023