SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new techniques.
A new and improved version of the SynAck ransomware has been spotted online these past days, and security researchers are reporting that the ransomware now uses the Process Doppelgänging technique.
Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London.
Process Doppelgänging is similar to process hollowing, and works as a code injection that takes advantage of NTFS transactions used in Windows to run a malicious executable code under the impression of a legitimate process. It tricks the security tools into processing the load without being detected, allowing the malicious code to be mapped on the disk and leaving no traces of the malware once the process rolls back during scanning.
SynAck uses Process Doppelgänging not only as an attempt to evade detection, but also to make analysis difficult due to the heavy binary obfuscation and the executable trojan not being in a packer. Because retrieval of the API function address and the target hash value are obscured and the malware clears all event logs in the infected system, it’s also more complicated to reverse-engineer for malware analysis.
In the early stages of a SynAck attack, the ransomware matches the keyboard layouts installed in the system to check if it is running from a specific list of countries, sleeping for 300 seconds and exits the process when it finds a match, consequently preventing encryption. Included in this list of unaffected countries are Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan. It also doesn’t store strings to hinder detection of the original but uses hashes instead. SynAck uses AES-256-ECB algorithm, which encrypts the content of the files and appends them with random extensions with symmetric and asymmetric encryption. The custom ransom note is generated before the user can login by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry.
Attacks using the new SynAck variant have been recorded in the United States, Kuwait, Germany, and Iran.
Common symptoms of SynAck ransomware
- You are not able to access any of the files you try to open.
- Affected files have odd extensions (like .crypted, .locky, .sage, etc.).
- You may find .txt or .html ransomware instruction files in system folders.
- Your desktop screen might be locked, so you can’t access your PC.
- Pop-up messages that ask you to pay “a ransom” to get access to your PC or files again.
- Ransomware may delete important system files
- Sluggish PC performance.
- Your anti-virus software stops working.
Sources of SynAck ransomware infection
- Spam emails that contain malicious attachments or hyperlinks.
- Compromised websites that have exploit code injected in their web pages.
- Vulnerabilities in unpatched Windows operating system.
- Vulnerabilities in outdated web browsers.
- Drive-by downloads.
- Fake Flash Player update websites.
- Installing pirated software or operating systems.
- Facebook spam messages that contain malicious attachments or links.
- Malicious SMS messages (ransomware may target mobile devices).
- Malvertising campaigns (pop-up and banner ads).
- Self-propagation (spreading from one infected PC to another via LAN networks).
- Infected game servers.
- Botnets.
- Peer-to-peer networks.
Cybercriminals will continue to use creative means for digital extortion through ransomware. I recommends that victims avoid paying the ransom as there is no assurance that victims will recover the affected files.
Here are a few recommendations to protect your systems:
- Regularly backup your files. Practice the 3-2-1 system to mitigate the effects of data loss
- Practice data categorization and network segmentation for layered protection to isolate possible infections and limit attacker’s access to data
