SynAck Ransomware Gets Smarter and Potentially Undetected
Malware tends to evolve to help it avoid detection by antivirus programs. For example, SynAck ransomware, which has been known since September 2017, has been overhauled to become a very sophisticated threat that avoids detection, Kasperksy Labs notes.
Malware creators commonly use obfuscation - attempts to make the code unreadable so that antiviruses will not recognize the malware - typically employing special packaging software for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code before compiling it, making detection significantly harder for security solutions.
That's not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelganging technique - and it is the first ransomware seen in the wild to do so. Process Doppelganging was first presented at Black Hat 2017 by security researchers, after which it was picked up by malefactors and used in several malware species.
Process Doppelganging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes.
SynAck has two more noteworthy features. First, it checks if it's installed in the right directory. If it's not, it doesn't run - that's an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks if it's installed on a computer with a keyboard set to a certain script - in this case, Cyrillic - in which case it also does nothing. That's a common technique for restricting malware to specific regions.
From the user's perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user's files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.
The victim sees the ransom note, including contact instructions, on the logon screen. Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.
Researchers at kaspersky Labs have seen SynAck distributed mostly by Remote Desktop Protocol brute force, which means it's mostly targeted at business users. The limited number of attacks thus far all of them in the USA, Kuwait, and Iran - bears out this hypothesis.
Here are a few tips that can help you avoid infection or, if necessary, minimize the consequences.
Back up your data regularly. Store backups on separate media not permanently connected to your network or to the Internet.
If you do not use Windows Remote Desktop in your business processes, disable it.
Use a good security solution with a built-in firewall and specific antiransomware components