Cybersecurity researchers have discovered the first ransomware seen using Process Doppelgänging, a new fileless code injection technique that helps the ransomware evade detection.
The Process Doppelgänging attack leverages a built-in Windows feature, NTFS transactions, together with an outdated implementation of the Windows process loader. The most significant issue is that it works on all modern versions of Microsoft Windows, including Windows 10.
Process Doppelgänging uses NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.
Since the details of Process Doppelgänging went public, several attackers have found ways of abusing it in an attempt to bypass modern security solutions.
In this case, the new variant of SynAck uses the technique to conceal its malicious actions, and it targets users in the United States, Kuwait, Germany, and Iran.
This problem can be easily avoided by running a security solution on every device, so don’t let your guard down: whichever OS your device runs, it is mandatory to install an antivirus for Windows or an antivirus for Mac.
For a company, installing antivirus is only the first layer of security; you must also contract a cybersecurity firm to run advanced tests against your networks, such as penetration tests and ethical hacking tests.
While analysing the SynAck ransomware, first found in September 2017, researchers discovered that it uses sophisticated obfuscation techniques to hinder reverse engineering.
Another interesting finding is that SynAck does not infect victims in certain countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.
To identify the country, SynAck matches the keyboard layouts installed on the user’s PC against a hardcoded list stored in the malware. If a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess, so no files are encrypted.
SynAck also implements several checks that defeat automatic sandbox analysis, including checking the directory it is executed from. If it finds that it is being run from an ‘incorrect’ directory, SynAck does not proceed and instead terminates itself.
Like any other ransomware, SynAck encrypts the content of each infected file, using the AES-256-ECB algorithm, and will not provide victims with a decryption key until they contact the attackers and fulfil their demands.
SynAck displays its ransom note on the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText values in the registry. The ransomware also deletes the event logs stored by the system to hinder forensic analysis of an infected machine.
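The two artefacts just described, the modified logon legal notice and the cleared event logs, can be triaged quickly on a suspect host. The following PowerShell script is an added example and is not code from the article or from the researchers; it assumes the standard policy key under HKLM that holds the legal-notice values and the standard event IDs Windows writes when a log is cleared (1102 in the Security log, 104 in the System log), and it should be run in an elevated session.

```powershell
# Added example, not from the original article: triage checks for two SynAck
# artefacts described above. Run in an elevated PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Logon-screen legal notice. On a machine that has no corporate banner
#    policy, a non-empty caption or text is suspicious and worth reading in full.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = $policy.$name
    if (-not [string]::IsNullOrWhiteSpace($value)) {
        Write-Warning ("{0} is set: {1}" -f $name, $value)
    } else {
        Write-Output "$name is empty."
    }
}

# 2. Log clearing. Windows records the clearing itself as a new event after
#    the log is emptied, so it survives the wipe: 1102 in Security, 104 in System.
$filters = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104 }
)
foreach ($f in $filters) {
    $events = Get-WinEvent -FilterHashtable $f -MaxEvents 20 -ErrorAction SilentlyContinue
    if ($events) {
        Write-Warning ("{0} log: event {1} seen {2} time(s), latest at {3}" -f `
            $f.LogName, $f.Id, @($events).Count, @($events)[0].TimeCreated)
    } else {
        Write-Output ("{0} log: no event {1} found." -f $f.LogName, $f.Id)
    }
}
```

A legitimate banner set by group policy will also trigger the first check, so compare the text against what the organisation actually deploys before treating it as an indicator.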
Here is the best cybersecurity advice for companies and users who want to prevent future ransomware attacks:
1. Always update and back up your important files regularly, and verify that the backups can be restored.
2. Do not use pirated software or download paid software offered for free.
3. Don’t download anything that comes from shady sources.
4. Don’t use or download any keygen, password cracking or license check removal software.
5. Don’t open or download any email attachments from unknown or unexpected senders.
6. Install and use at least one security solution, such as an anti-malware or anti-ransomware tool.
Ransomware attacks are a reality for all major companies and individual users, and unfortunately these kinds of cyber attacks will keep coming. However, there are steps companies can take to protect themselves, including adopting a top security solution such as an antivirus, implementing robust procedures for patching software and technologies against security vulnerabilities, and hiring a specialised cybersecurity firm to run extra tests, such as penetration tests and ethical hacking tests, on their network. Maintaining a routine like this closes potential holes in company infrastructure.
Ransomware spreads like wildfire and is the most time-critical of cyber threats. The ability to detect the precursor behaviours of ransomware is the only way to get ahead of the attack, and that is almost impossible if you are unprotected. To be safe and secure against ransomware like this, whichever OS your device runs, please install an antivirus for Windows or an antivirus for Mac.