By Lawrence Abrams
August 16, 2017
A new ransomware called SyncCrypt was discovered this week by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed, these attachments will encrypt a computer and append the .kk extension to encrypted files.
While the use of WSF files to distribute malware is not uncommon, when I analyzed the script I noticed that the method being used to download and install the ransomware is quite interesting. This is because the WSF script will download images with embedded ZIP files that contain the necessary files to infect the computer with SyncCrypt. This method has also made the images undetectable by almost all antivirus vendors on VirusTotal.
Unfortunately, at this time there is no way to decrypt files encrypted by SyncCrypt for free, but if you wish to receive help or discuss this ransomware, you can use our dedicated SyncCrypt Support Topic.
Images with Embedded Ransomware Evade Antivirus Detection
At this time we have not been able to find the actual spam emails that are distributing the SyncCrypt downloader, but we do know that the WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.
Embedded in this image, though, is a zip file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware.
What makes this distribution highly effective is that the majority of antivirus vendors are not detecting these image files. When I scanned these image files on VirusTotal, only DrWeb out of 58 other vendors detected it as malware.
While the images alone are not malicious in any way, the distribution vector provides an effective way to distribute malware without being detected by security software. Thankfully, the malicious sync.exe executable has a much higher VirusTotal detection rate of 28 out of 63, but is still being missed by a great deal of popular vendors.
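As an added illustration, not code from the article or from the malware, the following defender-side check walks a JPEG's marker segments to find where the image really ends and then asks whether a ZIP archive is appended after that point, which is the carrier layout described above. The sample inputs are constructed inline; the member names mirror those named in the article but hold placeholder bytes only.

```python
import io
import struct
import zipfile


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, found by walking marker segments (not by
    searching for FF D9, which would also match an EOI inside an EXIF thumbnail)."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: the image proper ends here
            return pos + 2
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                          # standalone markers carry no length field
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                    # SOS: skip entropy-coded data (FF 00 is stuffing, FF D0-D7 are RSTn)
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("not a well-formed JPEG")


def appended_zip_members(data: bytes) -> list:
    """Names of ZIP members hidden after the image, or [] when nothing is appended."""
    trailer = data[jpeg_end_offset(data):]
    if not trailer:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:                # trailing bytes, but not a ZIP archive
        return []


def build_sample(with_payload: bool) -> bytes:
    """Constructed test input: a minimal JPEG (SOI, APP0, EOI), optionally with a ZIP appended."""
    jpeg = b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
    if not with_payload:
        return jpeg
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("sync.exe", "readme.html", "readme.png"):   # names from the article, placeholder content
            zf.writestr(name, b"placeholder content, not a real file")
    return jpeg + buf.getvalue()
```

Running the check over an inbound image and alerting when the member list is non-empty, rather than relying on signature hits against the image, is the point: the picture bytes look like any other JPEG to a scanner.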
How to Protect Yourself from the SyncCrypt Ransomware
In order to protect yourself from SyncCrypt, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that contains behavioral detections such as Emsisoft Anti-Malware or Malwarebytes. I also recommend trying a dedicated ransomware protection program like RansomFree.
Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:
Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent them to you.
Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
Make sure you have some sort of security software installed.
Use hard passwords and never reuse the same password at multiple sites.