Researchers have discovered a new variant of the SynAck ransomware that uses the Process Doppelgänging code injection technique.
Process Doppelgänging abuses the NTFS transaction mechanism (TxF) built into Windows: the malicious payload is written into a file inside a transaction, a process is created from that transacted file, and the transaction is then rolled back so the payload never persists on disk and file-based scanners have nothing to inspect.
The technique works on all supported versions of Microsoft Windows, including Windows 10, and was able to bypass most modern security solutions.
The new SynAck variant was discovered by security researchers at Kaspersky Lab, who wrote: “In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant”.
The ransomware targets users in the USA, Kuwait, Germany and Iran, and avoids infecting users in Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan and Uzbekistan.
After execution, the ransomware determines the victim's country by comparing the keyboard layouts installed on the PC against a hardcoded list stored in the malware body.
If any installed layout matches that list, the ransomware sleeps for 300 seconds and then calls ExitProcess, leaving the machine uninfected.
After the language check, the ransomware checks the directory its executable was started from, a simple anti-sandbox measure: if it was launched from an unexpected directory, it simply exits.
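The two pre-execution checks above, re-implemented in PowerShell as an added example (this is not SynAck's code and not from the Kaspersky write-up) so an analyst can see how a lab VM would be classified. The language IDs are the standard Windows LANGIDs for the countries on the exclusion list; the exact list carried by SynAck is not given here, and the accepted start directories in `Test-StartDirectoryAllowed` are a placeholder assumption because the article does not name them.

```powershell
# Added example; mirrors the keyboard-layout and start-directory checks described
# in the article. Not the ransomware's own code.
$ExcludedLangIds = @{
    0x0419 = 'Russian'
    0x0423 = 'Belarusian'
    0x0422 = 'Ukrainian'
    0x0437 = 'Georgian'
    0x0428 = 'Tajik'
    0x043F = 'Kazakh'
    0x0443 = 'Uzbek (Latin)'
    0x0843 = 'Uzbek (Cyrillic)'
}

function Get-InstalledKeyboardLangIds {
    # Installed layouts are stored as 8-hex-digit KLIDs under
    # HKCU\Keyboard Layout\Preload (value "1" = "00000419", ...).
    # The low 16 bits are the LANGID (primary + sub-language).
    $preload = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload'
    $preload.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [int]([Convert]::ToUInt32($_.Value, 16) -band 0xFFFF) }
}

function Test-KeyboardLayoutExclusion {
    # Returns the first excluded layout found, or $null if none matches
    # (the case in which the ransomware goes on to encrypt).
    param([int[]]$LangIds = (Get-InstalledKeyboardLangIds))
    foreach ($id in $LangIds) {
        if ($ExcludedLangIds.ContainsKey($id)) {
            return '0x{0:X4} ({1})' -f $id, $ExcludedLangIds[$id]
        }
    }
    return $null
}

function Test-StartDirectoryAllowed {
    # The article says SynAck exits when launched from an "incorrect" directory
    # but does not name the accepted ones, so $AllowedDirs is an assumed
    # placeholder; substitute the paths observed in the sample under analysis.
    param(
        [string]$ExePath,
        [string[]]$AllowedDirs = @("$env:USERPROFILE\Downloads", "$env:TEMP")
    )
    $dir = (Split-Path -Parent $ExePath).TrimEnd('\')
    return @($AllowedDirs | ForEach-Object { $_.TrimEnd('\') }) -contains $dir
}

# Decision logic in the order the article gives: layout check first, then directory.
$match = Test-KeyboardLayoutExclusion
if ($match) {
    "Excluded layout present: $match -> sample would Sleep(300 s) then ExitProcess"
} elseif (-not (Test-StartDirectoryAllowed -ExePath "$PWD\sample.exe")) {
    "Unexpected start directory -> sample would exit (sandbox check)"
} else {
    "No exclusion hit -> sample would proceed to encryption"
}
```

Run this on an analysis VM before detonating a sample: if `Test-KeyboardLayoutExclusion` returns a match, the sample described here would sleep and exit rather than encrypt, which is also why some defenders deliberately add one of these layouts to lab machines. Whether that works against a given sample depends on how it enumerates layouts, so treat it as a convenience, not a control.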
SynAck uses a hybrid ECIES-XOR-HMAC-SHA1 scheme for key management and, once running, encrypts the content of each file with AES-256 in ECB mode under a randomly generated per-file key.
After encryption, each file is given a randomly generated extension. The ransomware also terminates processes and services that could interfere with the encryption, and clears the system's event logs to hinder forensic analysis.
SynAck can display a custom message on the Windows logon screen by modifying the LegalNoticeCaption and LegalNoticeText values in the registry.
It also drops a ransom note named “==READ==THIS==PLEASE==[8-char-random-ID].txt”, which asks the victim to contact the attackers by e-mail or BitMessage to recover their files.
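A host triage script for the three artifacts just described (cleared event logs, tampered logon banner, ransom notes), added here as an example; it is not from the article or from Kaspersky. It assumes the LegalNotice values live under the standard `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` key, that log clearing leaves the usual Windows Event ID 1102 (Security) and 104 (System) records, and that the random ID in the note name is eight word characters, which the article does not specify.

```powershell
# Added triage example for the SynAck artifacts described above. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LegalNoticeTampering {
    # SynAck writes its message into the logon-banner values; on a workstation
    # that never had a banner configured, any non-empty LegalNoticeText is suspect.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Caption    = $p.LegalNoticeCaption
        Text       = $p.LegalNoticeText
        Suspicious = -not [string]::IsNullOrEmpty($p.LegalNoticeText)
    }
}

function Get-LogClearEvents {
    # 1102 = "The audit log was cleared" (Security log)
    # 104  = "The <name> log file was cleared" (System log)
    # Both are written after the clear, so they survive the clearing itself.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue
    ) | Select-Object TimeCreated, LogName, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-SynAckRansomNotes {
    # Note name: ==READ==THIS==PLEASE==<8-char random ID>.txt
    # The ID charset is not documented in the article; \w{8} is an assumption.
    param([string[]]$Roots = @("$env:SystemDrive\Users"))
    Get-ChildItem -Path $Roots -Recurse -Force -File `
        -Filter '==READ==THIS==PLEASE==*.txt' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^==READ==THIS==PLEASE==\w{8}$' } |
        Select-Object FullName, LastWriteTime, Length
}

Get-LegalNoticeTampering
Get-LogClearEvents -Days 14
Get-SynAckRansomNotes
```

The note search is restricted to user profiles by default because a full-drive walk is slow; widen `-Roots` if the sample was run under another account or from a service. Because the event-log clear is itself logged, a 1102 or 104 record with a timestamp close to the earliest ransom note `LastWriteTime` gives a reliable bracket for when the encryption ran, even though the rest of the log history is gone.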
Basic precautions against any ransomware attack:
- Perform regular backups. Keep them on a separate device, and store them offline.
- Keep antivirus software up to date on all systems.
- Don't open attachments in unsolicited e-mails, even if they appear to come from people in your contact list, and never click a URL in an unsolicited e-mail, even if the link looks benign. If a link appears genuine, close the e-mail and reach the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.