SyncCrypt ransomware able to sneak past most antivirus defenses


Matsuda

A newly discovered piece of ransomware hides its components inside harmless-looking online images that don't trigger anti-virus detection.

Dubbed SyncCrypt, the ransomware is distributed through spam emails that feature attachments containing WSF files pretending to be court orders. Once the attachments are executed, embedded JScript fetches seemingly innocuous images from specific locations and extracts malicious components hidden inside them.

The ransomware components are stored inside the images as ZIP files, and they aren't triggered if the user simply accesses their URL via browser. The aforementioned JScript, however, not only downloads the images, but also extracts the hidden malicious components (sync.exe, readme.html, and readme.png), BleepingComputer's Lawrence Abrams reveals.

The WSF file also creates a Windows scheduled task called Sync. Once the sync.exe file is executed, it starts scanning the victim's computer for certain file types and encrypts them using AES encryption. The malware encrypts the used AES key with an embedded RSA-4096 public encryption key.

The ransomware targets over 350 file types and appends the .kk extension to them after encryption. The threat skips files located in several folders, namely \windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and \$recycle.bin\.

The ransomware demands around $430 to be paid to retrieve the decryption key. The attackers instruct victims to provide them with the key file after paying the ransom to receive a decrypter. The email addresses used as part of the analyzed attack include [email protected], [email protected], and [email protected].

The distribution of this ransomware is highly effective because of its ability to bypass detection. According to Abrams, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. Sync.exe, on the other hand, had a detection rate of 28 out of 63.

To stay protected, users should take extra care when opening attachments or clicking on URLs in emails received from unknown sources. They should also keep their files backed up at all times, to ensure they can recover their data without having to pay a ransom. Keeping all software on the machine updated at all times should decrease the chances of becoming infected.



Source

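As an added defender-side example (not code from the article, BleepingComputer, or anyone in this thread), the Python below checks the hiding technique the post describes: it walks a JPEG's marker segments to find where the image really ends, reports any bytes trailing the EOI marker, and lists ZIP members found there. The sample image and archive are constructed in build_sample, and the member names readme.html and sync.exe are placeholders echoing the article, not real samples.

```python
import io
import struct
import zipfile

_ENTROPY_ESCAPES = {0x00} | set(range(0xD0, 0xD8))   # bytes allowed after 0xFF inside scan data

def jpeg_end(data: bytes):
    """Walk JPEG marker segments from SOI; return the offset just past EOI, None if malformed."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: the image proper ends here
            return pos + 2
        if marker in (0x01, 0xD8, 0xFF) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2                # fill byte or length-less marker
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                   # SOS: skip entropy data to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in _ENTROPY_ESCAPES):
                pos += 1
    return None

def find_appended_zip(data: bytes):
    """Report bytes trailing the JPEG and any ZIP members in them; None when nothing trails."""
    if not data.startswith(b"\xff\xd8"):
        return None
    end = jpeg_end(data)
    if end is None or end >= len(data):
        return None
    members = []
    if zipfile.is_zipfile(io.BytesIO(data)):                 # zipfile tolerates prepended data, as unzip does
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    return {"trailer_offset": end, "trailer_len": len(data) - end, "zip_members": members}

def build_sample():
    """Constructed test data: a minimal JPEG, and the same JPEG with a small ZIP appended."""
    jpeg = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.html", "constructed placeholder, not the real ransom note")
        zf.writestr("sync.exe", b"constructed placeholder, not an executable")
    return jpeg, jpeg + buf.getvalue()
```

A clean image returns None; a polyglot returns the trailer offset and member names, which is the signal an AV or mail gateway would need to flag the image even though it still renders normally.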


On 8/19/2017 at 2:00 AM, 0bin said:

Images with Embedded Ransomware Evade Antivirus Detection

That's pretty revealing...:o

Ransomware needs other protection methods as most AVs have failed. ;)



I don't understand. You open the JPG & it will automatically extract the files in the zip embedded in the JPG?

That doesn't make any sense.



knowledge-Spammer
9 hours ago, info999 said:

I don't understand. You open the JPG & it will automatically extract the files in the zip embedded in the JPG?

That doesn't make any sense.

Trust me, it happens more than people think.



1 hour ago, info999 said:

I don't understand. You open the JPG & it will automatically extract the files in the zip embedded in the JPG?

That doesn't make any sense.

the WSF script will download images with embedded ZIP files that contain the necessary files to infect the computer with SyncCrypt (cit.)



2 hours ago, knowledge said:

Trust me, it happens more than people think.

2 hours ago, neofita said:


the WSF script will download images with embedded ZIP files that contain the necessary files to infect the computer with SyncCrypt (cit.)


FYI http://www.wikihow.com/Hide-a-File-in-an-Image-File

If the embedded zip file could be extracted and its content executed simply by opening the JPG, then we would all be doomed. Malware creators would only need to host the JPG (such as naked pictures of JLaw) and everybody who downloaded and opened the JPG would be infected. Easy as that.



Archived

This topic is now archived and is closed to further replies.
