SynAck ransomware: The doppelgängster

August 29, 2018

Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelgänging.

Sneak attack

Malware creators commonly use obfuscation — attempts to make the code unreadable so that antiviruses will not recognize the malware — typically employing special packaging software for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, making detection significantly harder for security solutions.

That’s not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelgänging technique — and it is the first ransomware seen in the wild to do so. Process Doppelgänging was first presented at Black Hat 2017 by security researchers, after which it was picked up by malefactors and used in several malware species.

Process Doppelgänging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes. The technique is complicated; to read more about it, see Securelist’s more detailed post on the topic.

SynAck has two more noteworthy features. First, it checks if it’s installed in the right directory. If it’s not, it doesn’t run — that’s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing. That’s a common technique for restricting malware to specific regions.

The usual crime

From the user’s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user’s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.

The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.

We have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it’s mostly targeted at business users. The limited number of attacks thus far — all of them in the USA, Kuwait, and Iran — bears out this hypothesis.

Getting ready for the next generation of ransomware

Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (just as we predicted), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.

Here are a few tips that can help you avoid infection or, if necessary, minimise the consequences.

  • Back up your data regularly. Store backups on separate media not permanently connected to your network or to the Internet.
  • If you do not use Windows Remote Desktop in your business processes, disable it.
  • Use a good security solution with a built-in firewall and specific antiransomware components, such as for small business or for bigger companies. Kaspersky Lab’s products detect SynAck despite its evasion strategies.
  • If you already have another security solution installed, you can still install Kaspersky anti-ransomware tool, which is free and compatible with security suites from other vendors.