Kaspersky: SynAck Ransomware Uses Doppelgänging Anti-Detection Technique

A SynAck ransomware variant is using the Process Doppelgänging anti-detection technique to bypass modern security solutions, according to Kaspersky Lab.

The SynAck ransomware variant has been discovered in several cyberattacks in the United States, Kuwait, Germany and Iran, Kaspersky said in a prepared statement.

The SynAck variant may be targeted ransomware, Kaspersky indicated. It uses NTFS transactions to launch a malicious process from a transacted file, disguising that process as a legitimate one.

During a cyberattack, SynAck leverages an executable file that is "thoroughly obfuscated," according to Kaspersky. This makes SynAck difficult to reverse engineer in comparison to other ransomware strains.

SynAck checks whether it has been launched on a PC in one of a list of countries, Kaspersky noted. It enumerates all the keyboard layouts installed on a victim's PC and checks them against a list hardcoded into the malware body. If SynAck identifies a match, it sleeps for 5 minutes and calls "ExitProcess" to prevent encryption of files belonging to a victim from these countries.

In addition, SynAck checks the directory from which its executable file was started, Kaspersky said. If there is an attempt to launch SynAck from an "incorrect" directory, the ransomware exits on its own, thereby countering automatic sandbox analysis.

SynAck also enables cybercriminals to target database applications, office applications, virtual machines (VMs) and other applications and systems, Kaspersky stated. By doing so, the ransomware may be able to gain access to victim files across a variety of applications and systems.

Process Doppelgänging: Here's What You Need to Know

Process Doppelgänging uses the following steps to execute a ransomware attack:

  • Transact: Overwrites a legitimate executable file with a malicious one.
  • Load: Loads a malicious executable file.
  • Rollback: Rolls back to the original executable file.
  • Animate: Executes the Doppelgänger.

Process Doppelgänging is fileless and works on all versions of Windows since Vista, according to automated endpoint security solutions provider enSilo. It also has been shown to help ransomware bypass a wide range of security products, including advanced cybersecurity tools like the Volatility open source memory forensics framework.
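A defender's view of the four steps above, as an added example that is not from Kaspersky, enSilo or the original article: a correlation rule that flags one process completing Transact, Load, Rollback and Animate against the same executable. The event names, fields and sample records are a hypothetical sensor schema constructed for illustration.

```python
# Added example. Event names and fields are a hypothetical sensor schema;
# the records below are constructed sample data, not real telemetry.
EXE = r"C:\Sample\legit.exe"   # constructed path
EVENTS = [
    {"t": 1, "pid": 4120, "op": "tx_create", "tx": "T1"},
    {"t": 2, "pid": 4120, "op": "tx_file_write", "tx": "T1", "path": EXE},
    {"t": 3, "pid": 4120, "op": "image_section_create", "tx": "T1", "path": EXE},
    {"t": 4, "pid": 4120, "op": "tx_rollback", "tx": "T1"},
    {"t": 5, "pid": 4120, "op": "process_create", "path": EXE, "child": 5008},
    # Benign contrast: an updater writes inside a transaction and commits it.
    {"t": 6, "pid": 700, "op": "tx_create", "tx": "T2"},
    {"t": 7, "pid": 700, "op": "tx_file_write", "tx": "T2", "path": r"C:\Sample\app.exe"},
    {"t": 8, "pid": 700, "op": "tx_commit", "tx": "T2"},
    {"t": 9, "pid": 700, "op": "process_create", "path": r"C:\Sample\app.exe", "child": 812},
]

def find_doppelganging(events):
    """Alert when one pid runs Transact -> Load -> Rollback -> Animate on one file."""
    stage = {}    # (pid, path) -> 1 transacted write, 2 image loaded, 3 rolled back
    tx_file = {}  # transaction id -> (pid, path); rollback events carry no path
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        op, pid = ev["op"], ev["pid"]
        key = (pid, ev["path"].lower()) if "path" in ev else None
        if op == "tx_file_write" and key[1].endswith((".exe", ".dll")):
            stage[key] = 1
            tx_file[ev["tx"]] = key
        elif op == "image_section_create":
            # Load counts only if the image comes from the still-open transaction.
            if stage.get(key) == 1 and tx_file.get(ev.get("tx")) == key:
                stage[key] = 2
        elif op in ("tx_rollback", "tx_commit"):
            key = tx_file.pop(ev["tx"], None)
            if key and op == "tx_rollback" and stage.get(key) == 2:
                stage[key] = 3          # disk is clean again, image stays mapped
            elif key:
                stage.pop(key, None)    # committed, or rolled back with nothing loaded
        elif op == "process_create":
            if stage.pop(key, None) == 3:
                alerts.append({"parent_pid": pid, "child_pid": ev["child"], "image": ev["path"]})
    return alerts

if __name__ == "__main__":
    for alert in find_doppelganging(EVENTS):
        print("possible Process Doppelganging:", alert)
```

The committed transaction from pid 700 produces no alert, because the file left on disk is the one that was executed.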

How Can Organizations Address Ransomware Attacks?

Process Doppelgänging and other ransomware anti-detection techniques are major problems for organizations around the globe. Fortunately, MSSPs can help organizations address these issues.

MSSPs can provide security services to protect organizations against ransomware, malware and other cyberattacks. They also can offer cybersecurity training and resources to help organizations eliminate cyber risks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.