New variant of SynAck malware found.




     Researchers found a new variant of the SynAck ransomware that uses the Process Doppelganging technique to slip past antivirus programs. Researchers state this is the first ransomware seen employing the approach. Both SynAck ransomware and Process Doppelganging are relatively new. The Doppelganging technique is similar to the hacking method known as Process Hollowing, in which hackers replace the memory of a legitimate process with malicious code, thereby evading antivirus process monitoring tools. SynAck ransomware first appeared in Sept. 2017, when hackers used it to target open or poorly secured RDP connections. More than 100 victims were infected in the short but destructive attack.

     With Process Doppelganging, hackers abuse Windows NTFS transactions and an outdated implementation of the Windows process loader. The main purpose of the Doppelganging technique is to use NTFS transactions to start a malicious process from the transacted file so that the malicious process looks like a legitimate one. SynAck first checks whether it is installed in the right directory; if not, it doesn't run. SynAck next checks whether it is installed on a computer with a keyboard set to Cyrillic; if not, it also does nothing. These are attempts by the malware creator to avoid running in an antivirus lab environment or on systems from a specific region, such as Russia, Serbia or Ukraine. The hackers behind SynAck make use of Process Doppelganging's non-standard packaging technique to hide malicious code from detection by antivirus programs. One of the ways to do that is by forgoing the use of custom PE packers to protect the original code of the trojan executable. The trojan is not packed; instead, it is thoroughly obfuscated prior to compilation. As a result, reverse engineering SynAck is more complicated than it is for other recent ransomware strains.




     According to researchers, the latest attacks are highly targeted, with attacks found in the U.S., Kuwait, Germany and Iran. Ransom demands are as high as $3,000. Files are encrypted with the AES-256-ECB algorithm using a randomly generated key, and the encrypted files are given randomly generated extensions. Process Doppelganging's ability to sneak malware past the latest security measures represents a major threat. Research shows how the relatively low-profile, targeted ransomware SynAck has used this technique to upgrade its stealth and infection capabilities.
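     The two traits above (randomly generated extensions and AES-encrypted content) give a defender a cheap file-system heuristic: an unknown extension on a file whose bytes are near-random. The following is an added example written for this post, not code from the researchers or from SynAck itself; the KNOWN_EXTENSIONS set, the 7.5 bits/byte threshold and the sample files are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions a user directory is expected to contain.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: AES output approaches 8.0, plain text is usually below 5.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_files(root, entropy_threshold=7.5, sample_bytes=65536):
    """Return files whose extension is unknown AND whose content is near-random.

    Either signal alone is noisy (archives are high-entropy, new apps bring new
    extensions); ransomware output of the kind described above shows both at once.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in KNOWN_EXTENSIONS:
            continue
        with open(path, "rb") as fh:
            sample = fh.read(sample_bytes)  # only the head is needed for the estimate
        if shannon_entropy(sample) >= entropy_threshold:
            hits.append(str(path))
    return sorted(hits)


def build_demo_dir():
    """Constructed sample tree: one plaintext report and one fake encrypted copy."""
    d = tempfile.mkdtemp()
    (Path(d) / "report.txt").write_bytes(b"Quarterly numbers look fine.\n" * 200)
    # os.urandom stands in for AES-256 ciphertext; statistically the two are alike here.
    (Path(d) / "report.txt.k7pz2q").write_bytes(os.urandom(4096))
    return d


if __name__ == "__main__":
    print(suspicious_files(build_demo_dir()))  # lists only the .k7pz2q file
```

     Run it against a backup target or file share on a schedule; a sudden jump in hits is an early warning that encryption is under way, which is exactly when an offline backup earns its keep.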

     Currently, the major antivirus products such as McAfee, Symantec, Windows Defender, Kaspersky and AVG aren't able to detect Process Doppelganging yet. Protect your data by backing up regularly and segregating your sensitive data with restricted access. Keeping security patches up to date will help protect your workstations and servers. The Process Doppelganging technique's ability to sneak past antivirus software is the latest salvo in the battle against hackers.