A new and improved version of the SynAck ransomware has been spotted online in the past few days, and security researchers report that the ransomware now uses the Process Doppelgänging technique.
Process Doppelgänging is a code injection technique that abuses the Windows NTFS transactions mechanism to create and hide malicious processes, in an attempt to evade detection by antivirus software.
The technique is relatively new, having first been presented at a security conference in December last year, but a few malware strains have already added it to their arsenal.
The latest malware family and the first ransomware to do so is SynAck, a ransomware strain that was extremely active in August and September 2017.
At the time, SynAck was going through its initial development stages and was a relatively simple threat.
But in a report released today, Kaspersky researchers paint the picture of a well-developed malware strain that uses a top-notch encryption routine, relies on Process Doppelgänging to evade detection, and is heavily obfuscated to prevent reverse engineering.
The original SynAck version was spread after crooks broke into servers via open or badly-secured RDP connections. With no malspam campaign seen pushing the new version, it is very likely that the crooks still rely on the same RDP-based scheme to spread this new SynAck version as well.
Here's a quick summary of the new SynAck ransomware's features, in case you need to verify that you've been infected by the new version. If you want to be 100% sure, a service like ID Ransomware provides a better indication of which ransomware has infected your computer.