SynAck Targeted Ransomware Uses the Doppelganging Technique (May 7, 2018)
Threat actors are using a bypass technique called “Process Doppelganging” to distribute a new variant of the “SynAck” ransomware, according to Kaspersky Lab researchers. Process Doppelgänging is a fileless code injection technique that works on all Windows versions by utilizing a built-in Windows function and an undocumented implementation of Windows process loader; the technique was first explained at the 2017 BlackHat conference. Researchers observed this technique first being utilized by actors in April 2018. The ransomware encrypts files with the AES-256-ECb algorithm.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.