SyncCrypt Ransomware is Delivered in JPG Files

London, UK – August 17, 2017 – Earlier this month, researchers from Kaspersky Lab noted that steganography was becoming an increasingly attractive technique for hackers and published a list of malware that used this technique. This week, a researcher from Emsisoft discovered a new Ransomware using steganography in the Delivery phase. The SyncCrypt virus is distributed through spam campaign; emails contain attached Windows Script File (WSF). When a user runs a script, it downloads a jpg file containing embedded zip archive. Most antivirus solutions do not perceive this picture as a threat, and therefore do not interrupt the download. Then the script extracts the Ransomware components from an embedded archive and creates a Windows scheduled task to execute it. SyncCrypt encrypts files using AES encryption, and encrypted files will have the .kk extension.

Adversaries increasingly frequent use steganography in malware at different stages, this allows them to evade antivirus protection and hide communications with C&C servers. To reduce the risks tied to such threats, it is necessary to conduct Security Awareness training for employees, since spear-phishing remains the most effective method of delivering malware. Also, you can download content for your SIEM from the S.M.A. cloud to increase the capability of detecting sophisticated threats. DNS Security Check use case will help you discover hidden communications through DNS tunneling.