{"id":11058,"date":"2018-05-07T08:28:14","date_gmt":"2018-05-07T12:28:14","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/synack-ransomware-featured\/11058\/"},"modified":"2020-03-30T16:08:15","modified_gmt":"2020-03-30T12:08:15","slug":"synack-ransomware-featured","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/synack-ransomware-featured\/11058\/","title":{"rendered":"SynAck ransomware: The doppelg\u00e4ngster"},"content":{"rendered":"<p>Malware tends to evolve, with crooks adding new functions and techniques to help it avoid detection by antivirus programs. Sometimes, the evolution is rather rapid. For example, SynAck ransomware, which has been known since September 2017 (when it was just average, not particularly clever), has recently been overhauled to become a very sophisticated threat that avoids detection with unprecedented effectiveness and uses a new technique called Process Doppelg\u00e4nging.<\/p>\n<h2>Sneak attack<\/h2>\n<p>Malware creators commonly use <a target=\"_blank\" href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/obfuscation\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" rel=\"noopener noreferrer\">obfuscation<\/a> \u2014 attempts to make the code unreadable so that antivirus products will not recognize the malware \u2014 typically employing special packaging software (packers) for that purpose. However, antivirus developers caught on, and now antivirus software effortlessly unpacks such packages. The developers behind SynAck chose another way that requires more effort on both sides: thoroughly obfuscating the code <em>before compiling it<\/em>, making detection significantly harder for security solutions.<\/p>\n<p>That\u2019s not the only evasion technique the new version of SynAck uses. It also employs a rather complicated Process Doppelg\u00e4nging technique \u2014 and it is the first ransomware seen in the wild to do so.
Process Doppelg\u00e4nging was first presented at <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/tag\/black-hat-2017\/\" rel=\"noopener noreferrer nofollow\">Black Hat 2017<\/a> by security researchers, after which it was picked up by malefactors and used in several malware families.<\/p>\n<p>Process Doppelg\u00e4nging relies on some features of the NTFS file system and a legacy Windows process loader that exists in all Windows versions since Windows XP, letting developers create fileless malware that can pass off malicious actions as harmless, legitimate processes. The technique is complicated; to read more about it, see <a target=\"_blank\" href=\"https:\/\/securelist.com\/synack-targeted-ransomware-uses-the-doppelganging-technique\/85431\/\" rel=\"noopener noreferrer\">Securelist\u2019s more detailed post<\/a> on the topic.<\/p>\n<p>SynAck has two more noteworthy features. First, it checks whether it\u2019s installed in the <em>right<\/em> directory. If it\u2019s not, it doesn\u2019t run \u2014 that\u2019s an attempt to avoid detection by the automatic sandboxes various security solutions use. Second, SynAck checks whether the computer\u2019s keyboard layout is set to a certain script \u2014 in this case, Cyrillic \u2014 in which case it also does nothing. That\u2019s a common technique for restricting malware to specific regions.<\/p>\n<h3>The usual crime<\/h3>\n<p>From the user\u2019s perspective, SynAck is just more ransomware, notable mainly for its steep demand: $3,000. Before encrypting a user\u2019s files, SynAck ensures it has access to its important file targets by killing some processes that would otherwise keep the files in use and off limits.<\/p>\n<p>The victim sees the ransom note, including contact instructions, on the logon screen.
Unfortunately, SynAck uses a strong encryption algorithm, and no flaws have been found in its implementation, so there is no way yet to decrypt the encrypted files.<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/05\/07162856\/synack-logon-screen.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/05\/07162856\/synack-logon-screen.png\" alt=\"SynAck ransom note shown on the Windows logon screen\" width=\"941\" height=\"517\" class=\"aligncenter size-full wp-image-11061\"><\/a><\/p>\n<p>We have seen SynAck distributed mostly by brute-forcing Remote Desktop Protocol (RDP) credentials, which means it\u2019s mostly targeted at business users. The limited number of attacks thus far \u2014 all of them in the USA, Kuwait, and Iran \u2014 bears out this hypothesis.<\/p>\n<h3>Getting ready for the next generation of ransomware<\/h3>\n<p>Even if SynAck is not coming for you, its existence is a clear sign that ransomware is evolving, becoming more and more sophisticated and harder to protect against. Decryptor utilities will appear less frequently as attackers learn to avoid the mistakes that made the creation of those decryptors possible. And despite ceding ground to hidden miners (<a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/from-ransomware-to-webminers\/20135\/\" rel=\"noopener noreferrer nofollow\">just as we predicted<\/a>), ransomware is still a big global trend, and knowing how to protect against all such threats is a must for every Internet user.<\/p>\n<p>Here are a few tips that can help you avoid infection or, if necessary, minimize the consequences.<\/p>\n<ul>\n<li>Back up your data regularly.
Store backups on separate media not permanently connected to your network or to the Internet.<\/li>\n<li>If you do not use Windows Remote Desktop in your business processes, disable it.<\/li>\n<li>Use a good security solution with a built-in firewall and specific antiransomware components, such as <a href=\"https:\/\/me-en.kaspersky.com\/small-business-security\/small-office-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksos___\" target=\"_blank\" rel=\"noopener\">Kaspersky Small Office Security<\/a> for small business or <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security<\/a> for bigger companies. Kaspersky Lab\u2019s products detect SynAck despite its evasion strategies.<\/li>\n<li>If you already have another security solution installed, you can still install <a href=\"https:\/\/me-en.kaspersky.com\/blog\/kaspersky-anti-ransomware-tool-for-business\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=me-en_KB_nv0092&amp;utm_content=link&amp;utm_term=me-en_kdaily_organic_1drobvqxak929hs\" target=\"_blank\" rel=\"noopener\">Kaspersky Anti-Ransomware Tool<\/a>, which is free and compatible with security suites from other vendors.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This new version of SynAck ransomware uses sophisticated evasion
techniques.<\/p>\n","protected":false},"author":675,"featured_media":11059,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,5,1917,1486],"tags":[261,1768,433,1769,1770,1771],"class_list":{"0":"post-11058","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-news","9":"category-smb","10":"category-threats","11":"tag-encryption","12":"tag-endpoint","13":"tag-ransomware","14":"tag-rdp","15":"tag-synack","16":"tag-targeted"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/synack-ransomware-featured\/11058\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/synack-ransomware-featured\/13253\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/synack-ransomware-featured\/15324\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/synack-ransomware-featured\/13601\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/synack-ransomware-featured\/12932\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/synack-ransomware-featured\/16078\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/synack-ransomware-featured\/15641\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/synack-ransomware-featured\/20530\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/synack-ransomware-featured\/4907\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/synack-ransomware-featured\/22323\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/synack-ransomware-featured\/10477\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/synack-ransomware-featured\/10326\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/synack-ransomware-featured\/16652\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/synack-ransomware-featured\/20327\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/synack-ransomware-featured\/20219\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/synack-ransomware-featured\/20215\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11058"}],"version-history":[{"count":7,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11058\/revisions"}],"predecessor-version":[{"id":16262,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11058\/revisions\/16262"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11059"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}