New ransomware variant in the wild

1 June 2018 Information Security

Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild. The developers behind SynAck also implement other tricks to evade detection and analysis: obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.

The SynAck ransomware has been known since the autumn of 2017, and in December was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

Reported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in-the-wild.

Other noteworthy features of the new variant of SynAck include:

• The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyse the malicious code.

• It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings.

• Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.

• The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.

• Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard-coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more – possibly to make it easier to seize valuable files which might otherwise be tied up in the running processes.

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the US, Kuwait, Germany, and Iran, with ransom demands of US$3 000.

“The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, lead malware analyst, Kaspersky Lab.

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

• Back up data regularly.

• Use a reliable security solution that is powered with behaviour detection and able to roll back malicious actions.

• Always keep software updated on all the devices you use.

• If you’re a business, you should also educate your employees and IT teams; and keep sensitive data separate with access restricted. Use dedicated security solution, such as Kaspersky Endpoint Security for Business.

• If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site (www.nomoreransom.org); you may well find a decryption tool that can help you get your files back.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Continuous security optimisation.
News & Events Information Security
Cymulate has announced its partnership with SentinelOne, a threat exposure validation and AI-powered cybersecurity platform. The collaboration delivers self-healing endpoint security that empowers businesses to increase protection for every endpoint on their network.

Read more...
Protect your smart home devices
Kaspersky IoT & Automation Information Security Smart Home Automation
Voice assistants, kitchen robots, smart lights and many other intelligent devices have become part of our everyday life. However, with the rise of smart technology comes the need for robust protection against potential vulnerabilities.

Read more...
ISPA’s take-down process protects from local scams
News & Events Information Security
During the recent school holidays, parents could rest a little easier knowing that ISPA, SA’s official internet industry representative body, is removing an average of three to four problematic websites from the local internet every week.

Read more...
NEC XON disrupts sophisticated cyberattack
Information Security
NEC XON recently showcased its advanced cyberthreat detection and response capabilities by successfully thwarting a human-operated ransomware attack targeting a major service provider.

Read more...
What’s your cyber game plan?
Information Security
“Medium-sized businesses are often the easiest target for cyber criminals, because they are just digital enough to be vulnerable, but not mature enough to be fully protected," says Warren Bonheim, MD of Zinia.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.