Ransomware Report

You can check the latest ransomware information.

Title: SNet ransomware
Registration date: 2024-02-05

[SNet Ransomware]

[Virus/Malware Activity Report: SNet Ransomware]

A security incident believed to involve SNet ransomware has occurred. This report confirms the situation and provides the following warning.

SNet ransomware

The ransomware in question is called SNet and appears to rename all files to <file name.extension.SNet>.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It is built in C++. It deletes shadow copies and, on Windows Server versions, also deletes the backup catalog. Because the ransomware executable is registered in Task Scheduler under a startup condition, it can run again if the first attempt fails, as long as the executable remains on the system. It also forcibly terminates SmartScreen Filter and other processes related to Windows operation.


    [Figure 3 Dynamic code for shadow copy deletion and backup catalog deletion]


    [Figure 4: Registering ransomware executable file in startup program]


    [Figure 5 Dynamic code to force termination of Windows-related programs such as smart screen filter]

Infection results

The ransom note <DecryptNote.txt> is created in each path, and encrypted files are renamed to <file name.extension.SNet>.


[Figure 6 Infection results]
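
The behaviours listed under "Ransomware operation characteristics" and "Infection results" can be correlated per host in endpoint telemetry. The following is an added detection example, not code from the original report: the file indicators (`DecryptNote.txt`, `.SNet`) come from the report, while the command-line patterns are assumptions based on the standard Windows utilities for each action, since the report's figures are not reproduced here. The event field names and sample events are constructed.

```python
import re
from collections import defaultdict

# Assumed command lines for the behaviours the report describes (its figures
# are not reproduced); these are the standard Windows utilities for each action.
PROCESS_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "startup_task_registration": re.compile(
        r"schtasks(\.exe)?\s+.*/create\b.*/sc\s+(onstart|onlogon)", re.I),
    "smartscreen_termination": re.compile(r"taskkill(\.exe)?\s+.*smartscreen", re.I),
}
NOTE_NAME, ENCRYPTED_SUFFIX = "decryptnote.txt", ".snet"  # from the report, lowercased

def classify(event):
    """Return the behaviour tag an event matches, or None."""
    if event["type"] == "process":
        for tag, pattern in PROCESS_RULES.items():
            if pattern.search(event["cmdline"]):
                return tag
    elif event["type"] == "file":
        name = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == NOTE_NAME:
            return "ransom_note_created"
        if name.endswith(ENCRYPTED_SUFFIX):
            return "file_renamed_snet"
    return None

def triage(events, threshold=2):
    """Report hosts that show at least `threshold` distinct behaviours."""
    seen = defaultdict(set)
    for event in events:
        tag = classify(event)
        if tag:
            seen[event["host"]].add(tag)
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= threshold}

# Constructed sample telemetry (hypothetical hosts and paths, not from an incident).
SAMPLE_EVENTS = [
    {"host": "srv01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "type": "process", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "srv01", "type": "process", "cmdline": r"schtasks /create /tn T1 /tr C:\Temp\sample.exe /sc onlogon"},
    {"host": "srv01", "type": "process", "cmdline": "taskkill /f /im smartscreen.exe"},
    {"host": "srv01", "type": "file", "path": r"D:\share\DecryptNote.txt"},
    {"host": "srv01", "type": "file", "path": r"D:\share\report.docx.SNet"},
    {"host": "ws07", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "ws07", "type": "process", "cmdline": r"schtasks /create /tn Backup /tr C:\Tools\bk.exe /sc onstart"},
]
```

A single matching event, such as an administrator creating a startup task on `ws07`, stays below the threshold; only a host showing several of the behaviours together is reported.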

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of the files targeted for encryption.


[Figure 7 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.