SynAck is a ransomware noted for demanding $3,000 from users before decrypting users’ files. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.
The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.
SynAck is distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.
How SynAck Ransomware Operates:
It employs a rather complicated Process Doppelgänging technique. It is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers.
The technique “Process Doppelgänging” relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes.
Before SynAck start to encrypt files on users’ machine, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use.
Secondly, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.
Tips to Avoid Ransomware:
Source: Kaspersky Lab Blog
Sign up our newsletter for update information, insight and promotion.
