classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2017


New ransomware variant in the wild
June 2018, Cyber Security

Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild. The developers behind SynAck also implement other tricks to evade detection and analysis: obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.

The SynAck ransomware has been known since the autumn of 2017, and in December was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.

Reported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in-the-wild.

Other noteworthy features of the new variant of SynAck include:

• The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyse the malicious code.

• It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings.

• Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.

• The malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.

• Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard-coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more – possibly to make it easier to seize valuable files which might otherwise be tied up in the running processes.

Researchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the US, Kuwait, Germany, and Iran, with ransom demands of US$3 000.

“The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers. Our research shows how the relatively low profile targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild,” said Anton Ivanov, lead malware analyst, Kaspersky Lab.

Kaspersky Lab recommends the following actions to keep users and devices safe from ransomware:

• Back up data regularly.

• Use a reliable security solution that is powered with behaviour detection and able to roll back malicious actions.

• Always keep software updated on all the devices you use.

• If you’re a business, you should also educate your employees and IT teams; and keep sensitive data separate with access restricted. Use dedicated security solution, such as Kaspersky Endpoint Security for Business.

• If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site (www.nomoreransom.org); you may well find a decryption tool that can help you get your files back.


  Share via Twitter   Share via LinkedIn      

Further reading:

  • Facing the cybersecurity challenge
    August 2018, Technews Publishing, Cyber Security
    There are many cybersecurity products and solutions out there, but what do they offer and how will they protect you and strengthen your cybersecurity posture?
  • Visibility is security
    August 2018, Cyber Security
    Andrew Wilson, CEO at LucidView says effective threat detection boils down to one thing – visibility.
  • 5 steps to integrating business continuity and cyber resilience
    August 2018, ContinuitySA, Cyber Security, Security Services & Risk Management
    It is imperative that cyber resilience is integrated into organisations’ business continuity management plans.
  • Knowledge and visibility leads to security
    August 2018, J2 Software, Cyber Security
    John Mc Loughlin highlights some key areas an organisation needs to take note of in effectively securing their systems from cyber-attacks in all their different forms.
  • The cyber-skills conundrum
    August 2018, Cyber Security
    A lack of skilled resources is not the only factor behind the cybersecurity workforce shortage, says Rick Rogers, area manager for Africa at Check Point Technologies.
  • Nearly every third corporate data breach gets employees fired
    August 2018, Cyber Security
    According to a new report from Kaspersky Lab and B2B International, 25% of data breaches in the Middle East, Turkey and Africa (META) region in the past year have led to people losing their jobs.
  • Protecting the machines
    July 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Integrated Solutions, Industrial (Industry)
    Security operations at industrial sites need to include cybersecurity and it needs to be treated with the same importance as the physical security of the site as well as health and safety standards.
  • Securex 2018 pulls the (right) crowds
    July 2018, Technews Publishing, Access Control & Identity Management, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions
    With over 6000 visitors attending and exhibitors expressing their satisfaction with not only the number, but also the calibre of the visitors, this year’s Securex was a winner.
  • Securing your digital assets
    July 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, IT infrastructure
    Cyberattacks can’t be prevented, but companies and individuals have ways to keep the attackers out. However, the coming year will see more attacks and more losses because of poor cyber planning.
  • The generations that matter
    July 2018, Technews Publishing, This Week's Editor's Pick, Cyber Security, Security Services & Risk Management
    According to Doros Hadjizenonos, country manager, SADC at Check Point, we have entered the fifth generation of cyberattacks.
  • EOH introduces managed Security-as-a-Service
    July 2018, EOH Security & Building Technologies, News, Cyber Security, Security Services & Risk Management
    EOH has introduced a solution to modern security concerns through a managed Security-as-a-Service suite of offerings.
  • How data leaks can be avoided
    July 2018, This Week's Editor's Pick, Cyber Security, News, Security Services & Risk Management
    MyID runs as a service, monitoring your ID number, email address, mobile number and credit card number for fraudulent usage or fraudulent input on the Web.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.