SynAck
SynAck is ransomware known since at least September 2017 and observed in April 2018 using Process Doppelgänging.
Profile source: Mallory opens in a new tabSynAck
Family profile
SynAck is ransomware known since at least September 2017 and observed in April 2018 using Process Doppelgänging. It encrypts victim machines and then demands ransom payment. Reported behaviors include enumerating Registry keys associated with event logs, manipulating Registry keys, clearing event logs, enumerating all running services, gathering usernames from infected hosts, and parsing export tables of system DLLs to locate and invoke Windows API functions. SynAck also performs language/keyboard-layout based geofencing: it uses the GetKeyboardLayoutList API to enumerate installed keyboard layouts, compares them against a hardcoded language code list, and if a match is found it sleeps for 300 seconds and exits without encrypting files. The provided content does not attribute SynAck to a specific threat actor or industry targeting, and no concrete IOCs are given.
Ransomware.live
Operational record
MITRE ATT&CK
SynAck in ATT&CK
15 distinct techniquesReporting
Research mentioning SynAck
Updates - Updates - October 2021 | MITRE ATT&CK®
Software changes: ... SynAck
System Location Discovery: System Language Discovery, Sub-technique T1614.001 - Enterprise | MITRE ATT&CK®
SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.
System Location Discovery: System Language Discovery, Sub-technique T1614.001 - Enterprise | MITRE ATT&CK®
SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.
SynAck targeted ransomware uses the Doppelgänging technique
In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging.
Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®
SynAck enumerates Registry keys associated with event logs.
Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®
SynAck enumerates Registry keys associated with event logs.
Modify Registry, Technique T1112 - Enterprise | MITRE ATT&CK®
SynAck can manipulate Registry keys.
System Owner/User Discovery, Technique T1033 - Enterprise | MITRE ATT&CK®
SynAck gathers user names from infected hosts.