As news of ransomware attacks continues to grow, Volvo Cars is another name that has found a place on the victim list.
By Minu Sirsalewala, Editorial Consultant, CISO MAG
In a recent notice, Volvo Cars confirmed that it was the victim of a data breach by a third party; its R&D file repository was illegally accessed and some data was stolen.
Snatch ransomware claimed responsibility for the breach, though Volvo Cars has not validated or reported the claim.
Borns IT- und Windows-Blog, run by a German blogger, reported in a blog post that the DarkFeed website has published brief information in which the Snatch ransomware group claims a successful attack on the company. The ransomware gang has shared screenshots of the stolen data to establish the breach.
— Günter Born (@etguenni) December 10, 2021
Volvo said in a statement, “Volvo Cars has conducted its own investigation and is working with third-party specialists to investigate the property theft. We do not, with currently available information, see that this has an impact on the safety or security of our customers’ cars or their personal data. We cannot comment further at this time.”
In an exclusive email interaction with CISO MAG, Volvo Cars shared, “We are aware that an organization called ‘Snatch’ has claimed responsibility for the property theft; Volvo Cars is investigating.”
On the ransomware demand, it asserted, “No files have been encrypted; however, the company has been approached by the third party.”
It also added, “After detecting the unauthorized access, we immediately implemented security countermeasures including steps to prevent further access to its property and notified relevant authorities.”
What is Snatch?
According to Malpedia, Snatch is ransomware that infects victims by rebooting the PC into Safe Mode. Most existing security protections do not run in Safe Mode, which loads only minimal drivers and background apps or agents. In this mode the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload. Because it runs in Safe Mode, the malware goes undetected and is difficult to identify.
The Sophos MTR team revealed, “The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives. Snatch runs itself in an elevated permissions mode, sets registry keys that instruct Windows to run it following a Safe Mode reboot, then reboots the computer and starts encrypting the disk while it’s running in Safe Mode.”
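The Safe Mode behaviour described above leaves traces that endpoint telemetry can catch before the reboot happens. The following is an added example, not code from Sophos, Malpedia or CISO MAG: it correlates a service registration under the Windows SafeBoot registry key with a `bcdedit` command that touches the safeboot option on the same host. The registry path, the event field names, the 10-minute window and the sample events are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Assumption (not from the article): services allowed to start in Safe Mode are
# listed under the SafeBoot\Minimal and SafeBoot\Network registry keys.
SAFEBOOT_KEY = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot"
    r"\\(?:Minimal|Network)\\([^\\]+)", re.IGNORECASE)
# Any bcdedit command line that touches the safeboot boot option.
BCDEDIT_SAFEBOOT = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # correlation window (assumed value)

# Constructed sample events, simplified Sysmon style (1 = process create,
# 13 = registry value set). Hosts, paths and service names are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "time": "2021-12-10T02:11:05", "event_id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc\(Default)"},
    {"host": "WS-014", "time": "2021-12-10T02:11:40", "event_id": 1,
     "command_line": "bcdedit.exe /set {current} safeboot minimal"},
    {"host": "WS-020", "time": "2021-12-10T09:30:00", "event_id": 1,
     "command_line": "bcdedit.exe /enum"},
    {"host": "WS-031", "time": "2021-12-10T14:02:00", "event_id": 1,
     "command_line": "bcdedit /set {default} safeboot network"},
]


def detect_safe_mode_abuse(events):
    """Return one alert per host: 'high' when a SafeBoot service registration and
    a safeboot boot change occur within WINDOW, 'medium' for a lone signal."""
    by_host = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 13 and (m := SAFEBOOT_KEY.search(ev.get("target", ""))):
            by_host.setdefault(ev["host"], []).append((ts, "safeboot_service", m.group(1)))
        elif ev["event_id"] == 1 and BCDEDIT_SAFEBOOT.search(ev.get("command_line", "")):
            by_host.setdefault(ev["host"], []).append((ts, "forced_safeboot", ev["command_line"]))
    alerts = []
    for host, hits in sorted(by_host.items()):
        reg = [t for t, kind, _ in hits if kind == "safeboot_service"]
        boot = [t for t, kind, _ in hits if kind == "forced_safeboot"]
        paired = any(abs(b - r) <= WINDOW for r in reg for b in boot)
        alerts.append({"host": host, "severity": "high" if paired else "medium",
                       "signals": sorted({kind for _, kind, _ in hits}),
                       "details": [d for _, _, d in hits]})
    return alerts
```

A lone signal is kept at medium severity because administrators also change the safeboot option during legitimate troubleshooting; the pairing with a new SafeBoot service entry is what matches the sequence Sophos describes.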
Threat actors have been resorting to tools and techniques primarily used for testing and troubleshooting to launch cyberattacks, such as the pentesting tool Cobalt Strike and Safe Mode, which is used for troubleshooting. There is also a trend of threat actors looking at old-school techniques and repackaging them to launch unexpected campaigns as they come out of their hideouts.
And this is one of the security trends we see coming in 2022.
About the Author
Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.