SynAck ransomware uses a sophisticated technique to create look-up processes to circumvent protection

Researchers from Kaspersky Lab have detected a new variant of the ransomware trojan named SynAck, which uses the technique of creating process doubles to circumvent antivirus protection by hiding in legitimate resources. This is the first known case of using this technique in malicious code distributed on the internet. The creators of SynAck also use other tricks to avoid detection and analysis.

SynAck ransomware is known since autumn 2017. In December, its main purpose was English-speaking users. Detected by researchers from Kaspersky Lab, the new variant is much more sophisticated.

The process of creating double-working processes (Process Doppelgänging), which was presented in December 2017, involves injecting the fileless code that uses the built-in Windows function and the undocumented implementation of the process loader in this operating system. By manipulating the way Windows handles file transactions, attackers can make dangerous operations look like harmless, legitimate processes, even if they use known malicious code. The technique does not leave any visible trace, which makes this kind of interference extremely difficult to detect. This is the first ransomware software observed in the wild that uses this technique.

Other important features of the new version of the SynAck Trojan:

  • Unlike most ransomware programs that pack their executable code, the Trojan obscures it, making it difficult for researchers to reproduce and analyze malicious code.
  • The malware also links to the necessary API function and stores their shortcuts instead of the actual string.
  • After installation, the Trojan checks the directory from which its executable file is run, and if it notices an attempt to run it from the "wrong" directory - such as the potential automated sandbox used by the analyst - it terminates.
  • The malware also terminates without execution if the Cyrillic alphabet is set on the victim's computer keyboard.
  • Before encrypting files on the victim device, SynAck compares the shortcuts of all running processes and services with its own hard-coded list. If he finds a match, he tries to end the process. Processes blocked in this way relate to virtual machines, office applications, script interpreters, database applications, backup systems, games and others - probably to facilitate the capture of valuable files that could otherwise be blocked in running processes.
  • SynAck ransomware can add custom text to the Windows login screen. It does this by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. As a result, before the user logs in to his account, Windows will display a message from cybercriminals:

SynAck ransomware login screen lock

Researchers believe that attacks with the new version of the SynAck malware are strictly targeted. So far, a limited number of attacks have been observed in the United States, Kuwait, Germany and Iran, in which a ransom worth 3,000 was claimed. American dollars.

For more information on the latest version of the SynAck Trojan, please visit this page .

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.