SynAck ransomware – why is nobody ready for it?
It is easy to be scammed on the internet today, and internet crooks are doing their best to trick not only you but also your anti-malware software. Have you heard about SynAck ransomware, which was discovered in September 2017? It is one of the best examples of rapidly evolving malware. SynAck was not a big deal at the beginning of its existence, but today it uses a whole new technique that is hardly detectable by any anti-malware software. That technique is known as Process Doppelgänging.
The main weapon – invisibility
So, how does SynAck work, and what techniques does it use? The first is obfuscation: altering program code so that it is hard to recognize, not only for humans but for antivirus software too. It is rather ironic that obfuscation is usually used to preserve confidentiality and to defend against cyber criminals.
The good news is that antivirus developers did not give up so easily: they learned to detect even obfuscated software without much effort. But then SynAck struck again with another bypass, applying the obfuscation before the code is compiled. This makes detection several times harder.
And that is not the only path SynAck chose. It also uses the Process Doppelgänging technique mentioned earlier. So what is this technique and how does it work? First of all, this is the first time it has been used in ransomware. It was discovered by security researchers, but criminals quickly noticed its advantages for ransomware, and there it is: a very powerful, rapidly evolving piece of harmful software.
Process Doppelgänging relies on NTFS (New Technology File System) and the legacy Windows process loader, which is available in every Windows version since XP. It lets malware authors create malware that leaves no file on disk. The problem is that the legacy Windows process loader lets these "fileless" images through: even when they are dangerous, Windows simply has no clue that something may be wrong with them.
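The fact that the executable never persists on disk is also what a defender can look for: the process's image path either has no file behind it, or the file that is there does not match what is actually mapped in memory. The following Python script is an added example, not code from the original post; the inventory format, the sample process lines and the hash values are constructed, and in practice they would come from an EDR or a memory scanner.

```python
"""Hunting for the image mismatch a doppelgänged process leaves behind.

A process created this way is backed by an executable image that never
persisted to disk: the payload was written inside an NTFS transaction, a
section was created from it, and the transaction was rolled back. Two cheap
signals survive that trick:
  * the process's image path does not exist on disk at all, or
  * the file at that path hashes differently from the image actually mapped
    into the process.
The inventory format below is hypothetical; the lines and hashes are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: pid|image_path|on_disk_sha256|mapped_sha256
# "<missing>" marks an image path with no file behind it.
SAMPLE_INVENTORY = """\
pid|image_path|on_disk_sha256|mapped_sha256
412|C:\\Windows\\System32\\svchost.exe|aa11|aa11
1288|C:\\Program Files\\Vendor\\agent.exe|bb22|bb22
2096|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|<missing>|cc33
2310|C:\\Windows\\System32\\notepad.exe|dd44|ee55
"""


@dataclass
class ProcessRecord:
    pid: int
    image_path: str
    on_disk_sha256: Optional[str]  # None when nothing exists at image_path
    mapped_sha256: str             # hash of the image mapped into the process


def parse_inventory(text: str) -> List[ProcessRecord]:
    """Parse the constructed pipe-delimited inventory, skipping its header row."""
    records: List[ProcessRecord] = []
    for line in text.strip().splitlines()[1:]:
        pid, path, on_disk, mapped = line.split("|")
        records.append(ProcessRecord(
            pid=int(pid),
            image_path=path,
            on_disk_sha256=None if on_disk == "<missing>" else on_disk,
            mapped_sha256=mapped,
        ))
    return records


def find_doppelganged(records: List[ProcessRecord]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process whose backing file is absent or
    does not match what is mapped in memory.

    Caveat: a binary legitimately replaced on disk while an old instance is
    still running also shows a hash mismatch, so treat hits as leads to
    triage, not as verdicts.
    """
    findings: List[Tuple[int, str]] = []
    for rec in records:
        if rec.on_disk_sha256 is None:
            findings.append((rec.pid, "image missing on disk"))
        elif rec.on_disk_sha256 != rec.mapped_sha256:
            findings.append((rec.pid, "on-disk image differs from mapped image"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_doppelganged(parse_inventory(SAMPLE_INVENTORY)):
        print(f"pid {pid}: {reason}")
```

Run against the constructed inventory, the script flags pid 2096 (no file at its image path) and pid 2310 (on-disk and mapped hashes differ) and leaves the two consistent processes alone. The mismatch check is deliberately a triage signal rather than a verdict, because software updates that replace a binary under a running process produce the same symptom.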
All in all, it is safe to say that the developers of SynAck have some dangerously ambitious goals. Just think about how badly they want this ransomware to be unbeatable: when antivirus developers take a step, SynAck takes two.
And that is not all; SynAck has a couple more features worth mentioning. One is that SynAck is built to be cautious: even once the file is on a computer, it will not run until SynAck is sure it is in the right directory. If it is not, it does not run. This feature almost eliminates the chance of being caught by an automatic sandbox. For those who do not know, an automatic sandbox is an antivirus feature that runs a program in a tightly restricted environment so its behaviour can be observed safely.
There is another, even more interesting feature: choosing its audience by the keyboard layout its victims use. The point is that the keyboard must use a certain script. In SynAck's case, it accepts all keyboard layouts except Cyrillic, the most common keyboard script in Eurasia. If SynAck detects a Cyrillic keyboard layout, it also refuses to run.
Once you are trapped
As you would expect, SynAck's developers are greedy: they ask 3000 dollars to release a whole encrypted file system. And to make sure they are not asking such money for nothing, SynAck kills a few specific processes before encryption in order to get access to files that are vital for the computer to function properly.
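That "kill first, encrypt second" sequence is itself a detectable pattern: a process that terminates several other applications and then touches a large number of user files within a short window is behaving like ransomware. The following Python script is an added example, not code from the original post; the event format and the sample events are constructed, and in a real deployment the feed would come from Sysmon, ETW or an EDR.

```python
"""Detecting the 'kill, then encrypt' precursor behaviour.

Ransomware that stops applications holding vital files open, then rewrites
many files in quick succession, stands out from normal activity. The rule
below flags an actor process that terminates at least `min_kills` other
processes and then writes at least `min_writes` files within `window`
seconds of its first kill. Event format and sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed event stream, one event per line:
#   <unix_ts> <actor_pid> PROC_KILL <victim_image>
#   <unix_ts> <actor_pid> FILE_WRITE <path>
SAMPLE_EVENTS = """\
1000 4120 PROC_KILL sqlservr.exe
1001 4120 PROC_KILL outlook.exe
1001 4120 PROC_KILL winword.exe
1003 4120 FILE_WRITE C:\\Users\\bob\\Documents\\q1.xlsx
1003 4120 FILE_WRITE C:\\Users\\bob\\Documents\\q2.xlsx
1004 4120 FILE_WRITE C:\\Users\\bob\\Documents\\plan.docx
1004 4120 FILE_WRITE C:\\Users\\bob\\Documents\\notes.txt
1005 4120 FILE_WRITE C:\\Users\\bob\\My Files\\img1.jpg
1010 3322 PROC_KILL chrome.exe
1012 3322 FILE_WRITE C:\\Users\\bob\\Downloads\\setup.log
1600 900 FILE_WRITE C:\\Users\\bob\\Documents\\todo.txt
1700 5510 PROC_KILL outlook.exe
1701 5510 PROC_KILL winword.exe
1900 5510 FILE_WRITE C:\\Users\\bob\\Documents\\a.docx
1900 5510 FILE_WRITE C:\\Users\\bob\\Documents\\b.docx
1900 5510 FILE_WRITE C:\\Users\\bob\\Documents\\c.docx
1900 5510 FILE_WRITE C:\\Users\\bob\\Documents\\d.docx
1900 5510 FILE_WRITE C:\\Users\\bob\\Documents\\e.docx
"""


@dataclass
class Event:
    ts: int
    pid: int
    kind: str
    target: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed format; the target may contain spaces, so split at most 3 times."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, pid, kind, target = line.split(" ", 3)
        events.append(Event(int(ts), int(pid), kind, target))
    return events


def find_kill_then_encrypt(
    events: List[Event], min_kills: int = 2, min_writes: int = 5, window: int = 60
) -> List[Tuple[int, int, int]]:
    """Return (pid, kills, writes_in_window) for every actor matching the rule."""
    first_kill: Dict[int, int] = {}
    kills: Dict[int, int] = defaultdict(int)
    writes: Dict[int, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "PROC_KILL":
            kills[ev.pid] += 1
            first_kill.setdefault(ev.pid, ev.ts)
        elif ev.kind == "FILE_WRITE" and ev.pid in first_kill:
            # Only writes that follow the first kill closely count towards the burst.
            if ev.ts - first_kill[ev.pid] <= window:
                writes[ev.pid] += 1
    return sorted(
        (pid, kills[pid], writes[pid])
        for pid in kills
        if kills[pid] >= min_kills and writes[pid] >= min_writes
    )


if __name__ == "__main__":
    for pid, k, w in find_kill_then_encrypt(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: killed {k} processes, then wrote {w} files within the window")
```

On the constructed stream only pid 4120 is flagged: pid 3322 kills a single process, pid 900 kills none, and pid 5510 kills two but its file writes come 200 seconds later, outside the window. The thresholds are starting points; tune them against a baseline of legitimate installers and backup agents, which also close applications and write many files.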
What does it look like when your computer has been encrypted by SynAck?
Once you start your computer, a login screen pops up with a message saying "Hello. Your files are encrypted. To restore files, please contact us", followed by their contact information. Unfortunately, as mentioned, the algorithm SynAck uses is very strong, and there is currently no known way to decrypt files in this situation.
As far as we know, all SynAck attacks have targeted business users, mostly in the USA, Kuwait and Iran.
Stay on your toes
You can clearly see how powerful a ransomware attacker can be. You may think you do not need to worry because you have never had any problems with online attackers, but malware of all kinds is evolving hour by hour. You could end up with all your files encrypted, mining software installed, or every keystroke watched by crooks. Even professional decryptors are starting to give up.
The only thing you can do is be more cautious. So, make sure to:
- Store your important files on an external drive (flash drive, hard drive, CD)
- Disable any program whose purpose is to control a desktop remotely when you are not using it
- Don't ignore antivirus software; you can use more than one. Just make sure the software you use is well known and time tested.
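The first item on that list only helps if the copy on the external drive is still intact when you reach for it. The following Python script is an added example, not from the original post: it records a SHA-256 manifest of the original files and checks a backup copy against it, reporting files that are missing or whose content has changed (which is exactly what an encrypted copy looks like). The demo directories and file contents are constructed inside a temporary folder.

```python
"""Verifying that a backup copy is intact before trusting it.

A manifest of SHA-256 digests taken when the backup was made lets you later
confirm that nothing on the external drive has been removed or rewritten.
`demo()` builds a constructed scenario: three files are backed up, then one
copy is overwritten and another deleted, as an infection reaching the drive
would do.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_copy(manifest: Dict[str, str], copy_root: Path) -> Dict[str, str]:
    """Return {relative_path: 'missing' | 'modified'} for every problem found."""
    problems: Dict[str, str] = {}
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif sha256_of(target) != expected:
            problems[rel] = "modified"
    return problems


def demo() -> Dict[str, str]:
    """Constructed scenario: back up three files, then damage two of the copies."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        dst = Path(tmp) / "external_drive"
        src.mkdir()
        (src / "plan.docx").write_bytes(b"quarterly plan")
        (src / "notes.txt").write_bytes(b"meeting notes")
        (src / "ok.txt").write_bytes(b"unchanged")
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        # Simulate what an infection reaching the drive would do to the copy.
        (dst / "plan.docx").write_bytes(b"\x00garbage")
        (dst / "notes.txt").unlink()
        return verify_copy(manifest, dst)


if __name__ == "__main__":
    for rel, problem in demo().items():
        print(f"{rel}: {problem}")
```

Keep the manifest somewhere the drive cannot reach (or on a second medium), since a manifest stored beside the backup can be encrypted along with it. Running `verify_copy` before a restore tells you which files you can still trust.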