SynAck Ransomware Leverages Process Doppelgänging for Evasion and Infection

Security researchers found the SynAck ransomware family to be the first to use Process Doppelgänging to bypass known security solutions. While SynAck was discovered in September 2017 and Process Doppelgänging presented in December of the same year, this is the first discovered sample of targeted ransomware using the said evasion technique for attacks on users in the United States, Kuwait, Germany and Iran.

[Read: The ransomware landscape in 2017]

Process Doppelgänging is similar to process hollowing, and works as a code injection that takes advantage of NTFS transactions used in Windows to run a malicious executable code under the impression of a legitimate process. It tricks the security tools into processing the load without being detected, allowing the malicious code to be mapped on the disk and leaving no traces of the malware once the process rolls back during scanning. Threat actors have used this technique since it was presented in 2017 as a way to get by most detection patterns.

[Read: Ransomware: Past, Present, and Future]

SynAck uses Process Doppelgänging not only as an attempt to evade detection, but also to make analysis difficult due to the heavy binary obfuscation and the executable trojan not being in a packer. Because retrieval of the API function address and the target hash value are obscured and the malware clears all event logs in the infected system, it's also more complicated to reverse-engineer for malware analysis.

[Roundup: The Paradox of Cyberthreats]

In the early stages of a SynAck attack, the ransomware matches the keyboard layouts installed in the system to check if it is running from a specific list of countries, sleeping for 300 seconds and exits the process when it finds a match, consequently preventing encryption. Included in this list of unaffected countries are Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan. It also doesn’t store strings to hinder detection of the original but uses hashes instead. SynAck uses AES-256-ECB algorithm, which encrypts the content of the files and appends them with random extensions with symmetric and asymmetric encryption. The custom ransom note is generated before the user can login by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry.

[Read: Ransomware: 10 years of bullying, fear-mongering and extortion]

While there are no determined sources for the infection or spread, the ransomware targets virtual machines, office and gaming applications, database and multimedia files, and backup systems to make it easier to scan for valuable data in vulnerable enterprise systems. Considering the sophistication of the malware and targeting, the attackers have only requested ransom amounts averaging $3,000. This may imply that the threat actors are hoping to profit through volume infections compared to demanding large amounts from a smaller number of victims.

[Read: A historical overview of proactive incident response strategies and what they mean to enterprises]

Cybercriminals will continue to use creative means for digital extortion through ransomware. Trend Micro recommends that victims avoid paying the ransom as there is no assurance that victims will recover the affected files. Here are a few recommendations to protect your systems:


Trend Micro detects and blocks SynAck [Ransom_Acknys.A] with XGen™ security software. Our solutions can detect attacks from the gateway to the endpoint with Hybrid Cloud Security, User Protection and Network Defense. Enterprises can be protected on all fronts through cross-generational defense techniques using artificial intelligence and machine learning for threat analysis, securing your business from known, unseen and unknown threats.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.