Researchers at Kaspersky Lab have discovered a new ransomware variant named SynAck that uses a sophisticated technique called Process Doppelgänging to hide from common anti-malware tools. Kaspersky's researchers also confirmed that the malware is hard to detect and block, and that it is mainly being used to target organizations in the United States, Germany, Kuwait, Iran, and Italy.
Technically, Process Doppelgänging is a code injection technique that abuses Transactional NTFS (TxF) in the Windows operating system to create and hide malicious processes. The attacker opens a legitimate executable inside an NTFS transaction, overwrites it with malicious code, creates an image section from the modified file, rolls the transaction back so the file on disk is never actually changed, and then starts a process from that section. The result is similar to Process Hollowing, in which attackers replace the memory of a legitimate process with malicious code, but because the malicious image never persists on disk, anti-malware tools that scan files or watch for writes to executables do not see it.
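Because the malicious image never exists on disk, file-based scanning is the wrong place to look for this technique; what a defender can observe is that the image a process is running differs from the file it claims to be backed by. The following PowerShell is an added example, not code from the article, from Kaspersky or from the SynAck sample: it assumes Sysmon version 13 or later is installed (that release introduced the ProcessTampering event, Event ID 25, which reports process image replacement of the kind Process Doppelgänging and Process Hollowing produce), that the minimal configuration shown is loaded from an elevated shell, and that `sysmon64.exe` is on the PATH. The file name `sysmon-tampering.xml` and the function name `Get-ProcessTamperingEvents` are choices made here for illustration.

```powershell
# Added example (not from the article): hunt for process-image tampering
# with Sysmon's ProcessTampering event (Event ID 25, Sysmon >= 13).

# 1. Minimal Sysmon configuration that logs ProcessTampering for every
#    process. An empty "exclude" filter means nothing is filtered out.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessTampering onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-tampering.xml'   # assumed file name
Set-Content -Path $configPath -Value $sysmonConfig -Encoding ASCII
# Load it from an elevated shell (assumes sysmon64.exe is on the PATH):
#   sysmon64.exe -c $configPath

# 2. Read ProcessTampering events and enrich each one with an on-disk check.
#    Under Doppelgänging the rolled-back transaction leaves the original,
#    clean file in place, so hashing the path in the event tells an analyst
#    what the file on disk is, which is NOT what actually executed.
function Get-ProcessTamperingEvents {
    param([int]$MaxEvents = 200)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 25 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $image = $data['Image']
            $onDiskHash = if ($image -and (Test-Path -LiteralPath $image)) {
                (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
            } else {
                'file missing'
            }

            [pscustomobject]@{
                Time         = $_.TimeCreated
                ProcessId    = $data['ProcessId']
                Image        = $image
                Type         = $data['Type']   # e.g. "Image is replaced"
                User         = $data['User']
                OnDiskSha256 = $onDiskHash
            }
        }
}

Get-ProcessTamperingEvents | Format-Table -AutoSize
```

The on-disk hash is reported for triage, not as the detection itself: a clean hash of a known-good binary next to a "Image is replaced" event is exactly the signature of a process whose running image was swapped out from under its file, and the process should be dumped from memory rather than judged by the file on disk.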
Kaspersky's analysis notes that the technique is relatively new: it was first disclosed by enSilo researchers at the Black Hat Europe 2017 conference, held in London in December 2017.
According to sources reporting to Cybersecurity Insiders, SynAck ransomware first emerged in September 2017, when attackers spread it by exploiting open or poorly secured RDP connections. They are said to have infected more than 100 victims in that destructive campaign.
The variant Kaspersky has now discovered is a more mature version, updated with the following noteworthy features to avoid detection. First, the ransomware checks whether it has been launched from the directory it expects to be installed in, and runs only if it has, which defeats sandboxes that execute samples from an arbitrary location. Second, it checks the keyboard layouts installed on the infected computer and exits if it finds one for a Cyrillic-script language.
The variant is reported to have hit more than a dozen organizations in the United States, with ransom demands as high as $3,000.
More details about the ransomware are awaited and will be added as soon as they are officially made available to the media.