SynAck Ransomware Uses New Code Injection Technique

Delaware, USA – May 8, 2018 – SynAck ransomware uses a new, sophisticated code injection technique to mask malicious processes and avoid detection by antivirus solutions. Researchers from Kaspersky Lab discovered highly targeted attacks on organizations in the US, Germany, Iran and Kuwait. SynAck was first seen in early August 2017 and for several months was actively used by adversaries to attack organizations across the globe. The malware is installed manually after the attackers brute-force an RDP connection and gain access to systems on the organization’s network. The new version of SynAck is significantly improved: the attackers adopted the Process Doppelgänging technique, which works on all versions of the Microsoft Windows operating system and allows bypassing most security solutions. Process Doppelgänging was discovered by researchers only several months ago, and this is the first known use of the technique in ransomware. The adversaries use AES-256-ECB to encrypt files and, instead of demanding a fixed ransom, invite victims to contact them and pay for help in recovering files. So far there is no way to decrypt the files for free.

Ransomware continues to be one of the most dangerous threats to businesses. New techniques allow malware to remain under the radar until it is too late to do anything. To detect the beginning of the attack at the RDP brute-forcing stage, you can use the Brute Force Detection use case, which can uncover various brute-force techniques. You can also use Ransomware Hunter to spot traces of ransomware that bypasses antivirus tools.
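The RDP brute-force stage described above leaves a clear trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10 for RemoteInteractive) from one source, sometimes followed by a success (event 4624) from the same source. The following script is an added example, not part of the original brief and not SOC Prime's Brute Force Detection use case; it runs that detection logic over a constructed set of events, where the event tuple layout, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data), in the assumed layout
# (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    ("2018-05-08T09:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-05-08T09:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-05-08T09:00:17", 4625, 10, "203.0.113.7", "backup"),
    ("2018-05-08T09:00:25", 4625, 3, "203.0.113.7", "administrator"),  # network logon, ignored
    ("2018-05-08T09:00:33", 4625, 10, "203.0.113.7", "sysadmin"),
    ("2018-05-08T09:00:41", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-05-08T09:01:10", 4624, 10, "203.0.113.7", "administrator"),  # success after burst
    ("2018-05-08T09:00:50", 4625, 10, "198.51.100.5", "jsmith"),
    ("2018-05-08T09:01:30", 4625, 10, "198.51.100.5", "jsmith"),
    ("2018-05-08T09:02:00", 4624, 10, "198.51.100.5", "jsmith"),  # ordinary typo then login
]


def parse(ev):
    ts, eid, ltype, ip, user = ev
    return datetime.fromisoformat(ts), eid, ltype, ip, user


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (source_ip, kind, timestamp), in event order.

    An ip is flagged once when it produces `threshold` RDP failures inside `window`,
    and again if it then logs on successfully while that burst is still recent.
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent RDP failures
    alerted = set()
    alerts = []
    for ts, eid, ltype, ip, user in sorted(map(parse, events), key=lambda e: e[0]):
        if ltype != 10:  # only RemoteInteractive (RDP) logons are relevant here
            continue
        q = failures[ip]
        if eid == 4625:
            q.append(ts)
            while q and ts - q[0] > window:  # keep only failures inside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "rdp_bruteforce", ts))
        elif eid == 4624 and len(q) >= threshold and ts - q[-1] <= window:
            # success right after a burst of failures: likely guessed credentials
            alerts.append((ip, "rdp_bruteforce_success", ts))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind} from {ip}")
```

The success alert is the one to triage first, since in the SynAck intrusions the operators install the ransomware by hand once the RDP logon works.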