SyncCrypt Ransomware hides its components in image files

Pierluigi Paganini August 21, 2017

A new strain of ransomware distributed through spam emails, dubbed SyncCrypt, hides its components inside harmless-looking images.

A new strain of ransomware recently discovered, dubbed SyncCrypt, hides its components inside harmless-looking images.

The SyncCrypt ransomware is distributed through spam emails that use attachments containing WSF files pretending to be court orders.

Once the victims execute the attachment, an embedded JScript fetches seemingly innocuous images from specific locations and extracts ransomware components they hide.

The ransomware components are stored into the images as ZIP files.

According to the BleepingComputer malware expert Lawrence Abrams, the JScript also extracts the hidden malicious components (sync.exe, readme.html, andreadme.png).

“If a user was to open one of these image URLs directly, they would just just see an image that contains the logo for Olafur Arnalds’ album titled “& They Have Escaped the Weight of Darkness”.” states the analysis published by Lawrence Abrams.

“Embedded in this image, though,  is a zip file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware.”

SyncCrypt ransomware image

The WSF file also creates a Windows scheduled task called Sync that once is executed, it starts scanning the infected system for certain file types and encrypts them using AES encryption.

The SyncCrypt ransomware uses an embedded RSA-4096 public encryption key to encrypt the used AES key.

The ransomware targets more than 350 file types and appends the .kk extension to them after encryption. The researcher observed that the ransomware skips files located in several folders, including\windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and\$recycle.bin\.

The ransomware demands around $429 to be paid to decrypt the files, after the payment was completed by the victims they have to send an email containing the key file to one of the emails [email protected], [email protected], or [email protected] to get a decrypter.

According to Abrams, the distribution process is able to evade the detection, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. The researchers noticed that the Sync.exe, on the other hand, had a detection rate of 28 out of 63.

Unfortunately, at this time there is no way to decrypt files encrypted by the SyncCrypt ransomware for free.

Abrams analysis includes IoCs and provides the following recommendations to avoid being infected by ransomware.

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, give a look at How to Protect and Harden a Computer against Ransomware article.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SyncCrypt Ransomware, malware)

[adrotate banner=”13″]



you might also like

leave a comment