Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

SyncCrypt Ransomware Hides Components in Image Files

A newly discovered piece of ransomware hides its components inside online harmless-looking images that don’t trigger anti-virus detection.

A newly discovered piece of ransomware hides its components inside online harmless-looking images that don’t trigger anti-virus detection.

Dubbed SyncCrypt, the ransomware is distributed through spam emails that feature attachments containing WSF files pretending to be court orders. Once the attachments are executed, embedded JScript fetches seemingly innocuous images from specific locations and extracts malicious components hidden inside them.

The ransomware components are stored inside the images as ZIP files, and they aren’t triggered if the user simply accesses their URL via browser. The aforementioned JScript, however, not only downloads the images, but also extracts the hidden malicious components (sync.exe, readme.html, and readme.png), BleepingComputer’s Lawrence Abrams reveals.

The WSF file also creates a Windows scheduled task called Sync. Once the sync.exe file is executed, it starts scanning the victim’s computer for certain file types and encrypts them using AES encryption. The malware encrypts the used AES key with an embedded RSA-4096 public encryption key.

The ransomware targets over 350 file types and appends the .kk extension to them after encryption. The threat skips files located in several folders, namely windows, program files (x86), program files, programdata, winnt, system volume information, desktopreadme, and $recycle.bin.

The ransomware demands around $430 to be paid to retrieve the decryption key. The attackers instruct victims to provide them with the key file after paying the ransom to receive a decrypter. The email addresses used as part of the analyzed attack include [email protected], [email protected], and [email protected].

The distribution of this ransomware is highly effective because of its ability to bypass detection. According to Abrams, only one of the 58 vendors in VirusTotal could detect the malicious images at the time of analysis. Sync.exe, on the other hand, had a detection rate of 28 out of 63.

To stay protected, users should pay extra care when opening attachments or clicking on URLs in emails received from unknown sources. They should also keep their files backed up at all times, to ensure they can recover their data without having to pay a ransom. Keeping all software on the machine updated at all times should decrease the chances of becoming infected.

Advertisement. Scroll to continue reading.

Related: Locky Ransomware Campaign Ramps Up

Related: ICS Security Pros Increasingly Concerned About Ransomware: Survey

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

Chris Burger has been named Chief Information Security Officer at F5.

Bedrock Security has appointed George Gerchow as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.