Digging the Deep Web: Exploring the dark side of the web
A new strain of ransomware recently discovered, dubbed SyncCrypt, hides its components inside harmless-looking images.
The SyncCrypt ransomware is distributed through spam emails that use attachments containing WSF files pretending to be court orders.
Once the victims execute the attachment, an embedded JScript fetches seemingly innocuous images from specific locations and extracts ransomware components they hide.
The ransomware components are stored into the images as ZIP files.
According to the BleepingComputer malware expert Lawrence Abrams, the JScript also extracts the hidden malicious components (sync.exe, readme.html, andreadme.png).
“If a user was to open one of these image URLs directly, they would just just see an image that contains the logo for Olafur Arnalds’ album titled “& They Have Escaped the Weight of Darkness”.” states the analysis published by Lawrence Abrams.
“Embedded in this image, though, is a zip file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware.”
The WSF file also creates a Windows scheduled task called Sync that once is executed, it starts scanning the infected system for certain file types and encrypts them using AES encryption.
The SyncCrypt ransomware uses an embedded RSA-4096 public encryption key to encrypt the used AES key.
The ransomware targets more than 350 file types and appends the .kk extension to them after encryption. The researcher observed that the ransomware skips files located in several folders, including\windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and\$
The ransomware demands around $429 to be paid to decrypt the files, after the payment was completed by the victims they have to send an email containing the key file to one of the emails firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org to get a decrypter.
According to Abrams, the distribution process is able to evade the detection, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. The researchers noticed that the Sync.exe, on the other hand, had a detection rate of 28 out of 63.
Unfortunately, at this time there is no way to decrypt files encrypted by the SyncCrypt ransomware for free.
Abrams analysis includes IoCs and provides the following recommendations to avoid being infected by ransomware.
For a complete guide on ransomware protection, give a look at How to Protect and Harden a Computer against Ransomware article.
(Security Affairs – SyncCrypt Ransomware, malware)