Ransomware, News, Trojan | 05/09/2018

Doppelgänging – A New Variant of SynAck Ransomware (LATEST NEWS)


A new variant of the SynAck ransomware has been identified by the expert team of howtoremoveit.info.

What is SynAck Ransomware?


A new variant of the SynAck ransomware has been identified by researchers. It uses the recently disclosed technique known as Process Doppelgänging to evade detection by antivirus programs. SynAck is the first ransomware known to employ this approach.


According to the researchers, the latest SynAck attacks are highly targeted, with victims in countries such as the USA, Germany, Kuwait and Iran.


Files affected by SynAck ransomware are encrypted with the AES-256-ECB algorithm using a randomly generated key. After encryption, the affected files are given randomly generated extensions.


What is the Doppelgänging Technique?


Process Doppelgänging was discovered by enSilo researchers. The technique is similar to the attack method known as Process Hollowing, in which attackers replace the memory of a legitimate process with malicious code so that antivirus process-monitoring tools do not notice it.


The Doppelgänging technique uses NTFS transactions to launch a malicious process from a transacted file, so that the malicious process appears to be a legitimate one.
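As an added illustration of why the transacted launch matters to defenders (example code written for this page, not from the article or the researchers): the transaction is rolled back after the process is created, so the file on disk reverts to the legitimate binary while the running process still carries the payload. The Python script below assumes a hypothetical sensor that records a hash of the mapped image at process start, and flags records whose hash no longer matches the file now on disk; all paths, hashes and event data are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record from a hypothetical sensor that hashes the
    image bytes actually mapped when the process started (constructed data)."""
    pid: int
    image_path: str
    image_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_doppelganged(events, disk_contents):
    """Return (event, reason) pairs for processes whose launch-time image no
    longer matches the file on disk. With Process Doppelgänging the payload is
    written inside an NTFS transaction, the process is created from it and the
    transaction is rolled back, so the on-disk file reverts to the legitimate
    binary while the running process keeps the malicious image.
    disk_contents maps image path -> current file bytes (stands in for reading
    the file from disk)."""
    suspicious = []
    for ev in events:
        on_disk = disk_contents.get(ev.image_path)
        if on_disk is None:
            suspicious.append((ev, "image file no longer exists on disk"))
        elif sha256_hex(on_disk) != ev.image_sha256:
            suspicious.append((ev, "launch-time image differs from on-disk file"))
    return suspicious


# Constructed sample: a legitimate binary and a transacted payload that was
# briefly written over it. After rollback the disk holds only the legitimate bytes.
LEGIT_EXE = b"MZ...legitimate notepad build (constructed)"
PAYLOAD = b"MZ...transacted ransomware payload (constructed)"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
DISK_NOW = {NOTEPAD: LEGIT_EXE}
EVENTS = [
    ProcessEvent(1204, NOTEPAD, sha256_hex(LEGIT_EXE)),                  # normal launch
    ProcessEvent(3310, NOTEPAD, sha256_hex(PAYLOAD)),                    # doppelganged launch
    ProcessEvent(4120, r"C:\Users\Public\tmp.exe", sha256_hex(PAYLOAD)),  # image removed after use
]

if __name__ == "__main__":
    for ev, reason in find_doppelganged(EVENTS, DISK_NOW):
        print(f"pid {ev.pid} {ev.image_path}: {reason}")
```

The same comparison can be run against real sensor data wherever a launch-time image hash is available; a mismatch is a hunting lead, not proof on its own, since legitimate updates also change on-disk binaries after a process has started.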


SynAck ransomware was first discovered in September 2017. It was used by cybercriminals in an effective campaign to target open or unsecured RDP connections.


SynAck ransomware has matured since then. This variant adds two noteworthy features to avoid detection by antivirus programs.




How SynAck Ransomware Works


How SynAck ransomware works can be summarized as follows:


  1. SynAck obfuscates its executable code before compilation rather than packing it as other ransomware does. This makes it harder for security researchers to reverse-engineer and analyze the malicious code.

  2. The Trojan obscures its links to the API functions it needs and stores hashes of strings rather than the strings themselves.

  3. On launch, SynAck checks the directory from which its executable was started. If it detects that it is being run from an unexpected directory, such as one used by an automated sandbox, it exits.

  4. Before encrypting files on a system, SynAck compares the hashes of all running processes and services against its own hard-coded list. If it finds a match, it tries to terminate the process.

How Does SynAck Ransomware Avoid Detection?


  • First, according to the researchers, SynAck checks whether it is installed in the expected directory. If it is not, it does not run.

  • Second, SynAck checks whether the system's keyboard layout is set to a particular script, Cyrillic in this case. If so, SynAck likewise does nothing.

Both checks are attempts by the ransomware author to avoid running in an antivirus lab environment or on computers in specific regions such as Russia, Ukraine or Serbia.





Tips to Prevent Viruses and Malware from Infecting Your System:
  1. Enable your pop-up blocker: Pop-ups and ads on websites are a favourite tactic of cybercriminals and developers whose core intention is to spread malicious programs. So avoid clicking on uncertain sites, software offers, pop-ups etc., and install a powerful ad blocker for Chrome, Mozilla and IE.
  2. Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this you can keep your device free from viruses. According to the survey, outdated or older versions of the Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites, as they usually bundle additional software with any installer or stub file.
  4. Regular backup: Regular and periodic backups help you keep your data safe in case the system is infected by a virus or any other infection. So always back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an antivirus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool.
