SynAck ransomware

A new and improved version of the SynAck ransomware has been spotted in the wild in recent days, and security researchers report that the ransomware now uses the Process Doppelgänging technique.

Process Doppelgänging is a code injection technique that abuses Transactional NTFS (TxF), a Windows file system feature, to run malicious code from a process whose backing file never persists on disk. The loader opens a transaction, overwrites a legitimate executable inside that transaction, creates an image section from the transacted file, starts a process from that section, and then rolls the transaction back. The file on disk reverts to its original, benign content, while the new process keeps running the attacker's image. Antivirus engines that scan files when they are written or executed therefore see only the legitimate executable. For responders, the practical consequence is that the malicious image has to be recovered from memory rather than from the file system.

The technique is relatively new, having first been presented at the Black Hat Europe conference in December 2017, but a few malware strains have already added it to their arsenal.

SynAck ransomware makes a comeback

The latest malware family to adopt it, and the first ransomware to do so, is SynAck, a strain that was extremely active in August and September 2017.

At the time, SynAck was going through its initial development stages and was a relatively simple threat.

But in a report released today, Kaspersky researchers paint the picture of a well-developed malware strain that uses a hybrid public-key/symmetric encryption scheme, relies on Process Doppelgänging to evade detection, and is heavily obfuscated to hinder reverse engineering.

The original SynAck version was deployed manually after the crooks broke into servers over exposed or poorly secured RDP connections. With no malspam campaign observed pushing the new version, it is very likely that the same scheme is being used to spread the new SynAck version as well.

Here's a quick summary of the new SynAck ransomware's features, in case you need to verify whether you've been infected by the new version. If you want to be 100% sure, a service like ID Ransomware provides a better indication of which ransomware has infected your computer.

¤  Hybrid encryption scheme combining ECIES, an XOR-based symmetric cipher, and HMAC-SHA1
¤  Encrypted files receive an extension made up of 10 random alphabetic characters
¤  Terminates a list of selected processes so that running applications do not hold files open and interfere with the encryption routine
¤  Clears Windows event logs to impede forensic analysis
¤  Drops a ransom note named "==READ==THIS==PLEASE==[8-char-random-ID].txt"
¤  Victims must contact the authors via email or BitMessage
¤  Victims must send the ID from the ransom note to the ransomware authors
¤  The ransom amount is not included in the note; it is presumably negotiated over email or BitMessage
¤  Will not run if its executable is launched from a directory that is not on a built-in whitelist, so a sandbox that detonates the sample from an arbitrary path will see no activity
¤  Checks the keyboard layouts and will not encrypt if a layout for Russian, Ukrainian, Belarusian, Georgian, Armenian, Kazakh, Tajik, Azerbaijani (Cyrillic), or Uzbek (Latin or Cyrillic) is present
¤  The executable is not packed, but is heavily obfuscated
¤  The revamped SynAck version was first seen in April 2018
¤  Known victims in the USA, Kuwait, Germany, and Iran
¤  Shows a ransom demand on the login screen, before any user logs on
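The indicators in the list above can be checked on a suspect host in one pass. The following PowerShell triage script is an added example; it is not code from the article, from Kaspersky's report, or from the malware. It assumes the 8-character ID in the note name can be any character (the article does not state its alphabet), that the logon-screen message is set through the standard Windows LegalNoticeCaption/LegalNoticeText registry values (the usual mechanism for text shown before logon), and that $ScanRoots and $Since are placeholders you adjust for the host. It also pulls the exposed-RDP angle from the article into a few configuration and failed-logon checks. Run it elevated.

```powershell
<#
 SynAck triage sweep. Added example, not from the article or from Kaspersky.
 Assumptions (not stated in the article): the 8-character note ID can be any
 character; the logon-screen note uses the LegalNotice* registry values;
 $ScanRoots and $Since are placeholders to adjust for the host. Run elevated.
#>
param(
    [string[]]$ScanRoots = @('C:\Users'),
    [datetime]$Since     = (Get-Date).AddDays(-14)
)

$result = [ordered]@{}

# 1. Ransom notes: "==READ==THIS==PLEASE==<8-char ID>.txt"
$noteRegex = '^==READ==THIS==PLEASE==.{8}\.txt$'
$files = foreach ($root in $ScanRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue
    }
}
$result.RansomNotes = @($files | Where-Object { $_.Name -match $noteRegex } |
                        ForEach-Object { $_.FullName })

# 2. Encrypted files: extension is exactly 10 letters. Legitimate 10-letter
#    extensions exist (e.g. .properties), so report per-extension counts and
#    read them next to the ransom-note hits rather than alerting on count alone.
$result.TenLetterExtensions = @($files |
    Where-Object { $_.Extension -match '^\.[A-Za-z]{10}$' } |
    Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Name, Count)

# 3. Event log clearing. Security 1102 ("the audit log was cleared") and
#    System 104 (another log cleared) are written after the clear, so they
#    survive it and date the wipe even when everything else is gone.
$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
    @{ LogName = 'System';   Id = 104;  StartTime = $Since }
)
$cleared = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$result.LogClearEvents = @($cleared | Select-Object TimeCreated, LogName, Id, Message)

# 4. Logon-screen ransom demand: Windows shows text before logon from these values.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -ErrorAction SilentlyContinue
$result.LogonNotice = [pscustomobject]@{
    Caption = $pol.LegalNoticeCaption
    Text    = $pol.LegalNoticeText
}

# 5. Initial access: the article ties SynAck to exposed/weak RDP. Report whether
#    RDP is enabled, whether NLA is required, and failed logons since $Since.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -ErrorAction SilentlyContinue
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -ErrorAction SilentlyContinue
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
$result.Rdp = [pscustomobject]@{
    Enabled      = ($ts.fDenyTSConnections -eq 0)   # fDenyTSConnections 0 = RDP on
    NlaRequired  = ($rdp.UserAuthentication -eq 1)  # UserAuthentication 1 = NLA on
    FailedLogons = @($failed).Count
}

[pscustomobject]$result
```

Read the sections together: a ransom note hit plus one 10-letter extension dominating the counts is a strong match, while a 10-letter extension on its own is not. Empty output for section 3 does not prove the logs were left alone if the host's audit policy never logged 1102/104 in the first place, and because Process Doppelgänging leaves no malicious image on disk after rollback, none of these checks replaces a memory capture of the running process.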

SynAck ransom note shown on the login screen

New SynAck ransom note
