SophosLabs researchers spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims’ files. Unlike traditional malware, the new Snatch malware chooses to run in Safe Mode because, in this diagnostic mode, the Windows operating system starts with a minimal set of drivers and services and does not load most third-party startup programs, including antivirus software. Although Snatch is written in Go, a programming language known for cross-platform app development, the authors have designed this ransomware to run only on the Windows platform.
Source: https://thehackernews.com/2019/12/snatch-ransomware-safe-mode.html
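
An added example, not from the article or from SophosLabs: Windows decides what loads in Safe Mode from the entries under the `SafeBoot` registry key, so a defender can audit an exported copy of that key for entries outside a known-good baseline and check whether the endpoint protection service is registered there. The sample export, the baseline, and the names `ExampleUpdaterSvc` and `ExampleEDRAgent` are constructed assumptions.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
KEY_RE = re.compile(r"^\[" + re.escape(SAFEBOOT) + r"\\(Minimal|Network)\\([^\]\\]+)\]$", re.I)
VALUE_RE = re.compile(r'^@="([^"]*)"$')

# Constructed sample in .reg export format; entry names are illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleUpdaterSvc]
@="Service"
'''

def parse_safeboot(export_text):
    """Return {(mode, name): kind} for each entry below the Minimal or Network subkey."""
    entries, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).lower(), key.group(2))
            entries[current] = ""          # default value not seen yet
        elif line.startswith("["):
            current = None                 # a different key: stop attributing values
        elif current and (val := VALUE_RE.match(line)):
            entries[current] = val.group(1)
    return entries

def audit(export_text, baseline, security_services, mode="minimal"):
    """Compare one Safe Mode's entries with a known-good baseline (names are case-insensitive)."""
    present = {n.lower() for (m, n) in parse_safeboot(export_text) if m == mode}
    base = {n.lower() for n in baseline}
    return {
        "unexpected": sorted(present - base),
        "security_missing": sorted({s.lower() for s in security_services} - present),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, {"AppMgmt", "Base"}, {"ExampleEDRAgent"}))
```

The baseline should come from a clean image of the same Windows build, since the default set of Safe Mode entries differs between versions.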