Persistence, stealing data, and payload delivery

4 years ago
Anonymous $4bURcB5AtU

https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/

Researchers discovered a new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any resident security solutions and immediately start encrypting files once the system loads.

Encrypting the victim's files is possible because most security tools are automatically disabled when Windows devices boot in Safe Mode, as the Sophos Managed Threat Response (MTR) team and SophosLabs researchers found.