LTS Secure Warning: SynAck Ransomware developed a new technique to breach modern security

SynAck is not new; it has been known since September 2017. However, a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. The Process Doppelgänging technique was introduced in December 2017 at the BlackHat Conference.

“Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.”

SynAck Ransomware was first spotted in April 2018 utilizing the Process Doppelgänging technique to bypass modern security and take over the victim’s machine in order to carry out the rest of the attack.

Technical Details

SynAck has two noteworthy features. First, it checks the language of the system to verify whether it runs on a PC from a certain list of countries. Second, it also checks the directory where its executable is started from and exits if it is launched from an ‘incorrect’ directory.

The security researchers also discovered that the Trojan doesn’t store the strings it wants to check, but only their hashes, in an effort to hinder attempts to recover the original strings. SynAck uses a combination of symmetric and asymmetric encryption algorithms.

Before encrypting the user’s files, the malware enumerates all running processes and services and checks the hashes of their names against hardcoded values. If it finds a match, SynAck attempts to kill the process or stop the service.

The Ransomware encrypts the content of each file using the AES-256-ECB algorithm with a randomly generated key and adds a random extension to the encrypted files. The victim sees the ransom note, including contact instructions, on the login screen.

To impede possible forensic analysis of an infected machine, SynAck clears the event logs stored by the system.
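As an added example (not from this advisory or from Kaspersky Lab), the following Python detects the log clearing described above by running over a constructed sample of forwarded Windows events. The JSON field names are assumed; Event ID 1102 (Security log) and Event ID 104 (System log) are the real IDs Windows writes when a log is cleared.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows events as JSON lines (not real telemetry).
# Event ID 1102 ("The audit log was cleared") is written to the Security log and
# Event ID 104 ("The <name> log file was cleared") to the System log; both IDs are real.
SAMPLE_EVENTS = """\
{"time": "2018-05-07T10:01:02", "host": "WS01", "channel": "Security", "event_id": 4688, "msg": "A new process has been created"}
{"time": "2018-05-07T10:04:10", "host": "WS01", "channel": "Security", "event_id": 1102, "msg": "The audit log was cleared"}
{"time": "2018-05-07T10:04:11", "host": "WS01", "channel": "System", "event_id": 104, "msg": "The System log file was cleared"}
{"time": "2018-05-07T10:04:12", "host": "WS01", "channel": "System", "event_id": 104, "msg": "The Application log file was cleared"}
{"time": "2018-05-07T11:30:00", "host": "WS02", "channel": "Security", "event_id": 1102, "msg": "The audit log was cleared"}
"""

# (channel, event_id) pairs that record a log being wiped.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}

def parse_events(text):
    """Parse JSON lines into dicts, converting 'time' to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events

def find_log_clears(events):
    """Every individual log-clear event; keep these as a low-priority audit trail."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEAR_IDS]

def burst_alerts(events, window=timedelta(minutes=5), min_count=2):
    """One alert per host when at least `min_count` logs are cleared within `window`.
    A single clear by an administrator is routine; several logs wiped within seconds
    of each other is the anti-forensics pattern the advisory describes for SynAck."""
    by_host = {}
    for e in find_log_clears(events):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, clears in by_host.items():
        clears.sort(key=lambda e: e["time"])
        for i, first in enumerate(clears):  # sliding window over the sorted clears
            burst = [c for c in clears[i:] if c["time"] - first["time"] <= window]
            if len(burst) >= min_count:
                alerts.append({"host": host, "first": first["time"].isoformat(),
                               "count": len(burst)})
                break  # one alert per host is enough
    return alerts
```

On the sample, WS01 produces one burst alert (three logs cleared within two seconds) while the lone clear on WS02 is recorded but not escalated.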

Impact

This Ransomware targets programs related to virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications, and more. This malware kills these processes to grant itself access to the files they might be using.

Recommended Actions

Only a few security and antivirus products can defend against or alert you to this threat. Here are a few recommendations that can help you avoid infection.

  • It is always a good practice to have an effective antivirus security suite on your system and keep it up to date.
  • Back up your data regularly. Store backups on separate media not permanently connected to your network or to the Internet.
  • If you do not use Windows Remote Desktop in your business processes, disable it.


Kaspersky Lab has released a security advisory about SynAck Ransomware on May 7, 2018.