Skip to content
Ransomware group

SynAck

SynAck is ransomware known since at least September 2017 and observed in April 2018 using Process Doppelgänging.

Profile source: Mallory opens in a new tab

SynAck

Family profile

SynAck is ransomware known since at least September 2017 and observed in April 2018 using Process Doppelgänging. It encrypts victim machines and then demands ransom payment. Reported behaviors include enumerating Registry keys associated with event logs, manipulating Registry keys, clearing event logs, enumerating all running services, gathering usernames from infected hosts, and parsing export tables of system DLLs to locate and invoke Windows API functions. SynAck also performs language/keyboard-layout based geofencing: it uses the GetKeyboardLayoutList API to enumerate installed keyboard layouts, compares them against a hardcoded language code list, and if a match is found it sleeps for 300 seconds and exits without encrypting files. The provided content does not attribute SynAck to a specific threat actor or industry targeting, and no concrete IOCs are given.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

SynAck in ATT&CK

15 distinct techniques

Reporting

Research mentioning SynAck

Oct 21
Mitre Attack Website

Updates - Updates - October 2021 | MITRE ATT&CK®

Software changes: ... SynAck

Aug 1
Mitre Attack Website

System Location Discovery: System Language Discovery, Sub-technique T1614.001 - Enterprise | MITRE ATT&CK®

SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.

Aug 1
Mitre Attack Website

System Location Discovery: System Language Discovery, Sub-technique T1614.001 - Enterprise | MITRE ATT&CK®

SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.

May 7
Securelist

SynAck targeted ransomware uses the Doppelgänging technique

In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging.

Mar 7
Mitre Attack Website

Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®

SynAck enumerates Registry keys associated with event logs.

Mar 7
Mitre Attack Website

Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®

SynAck enumerates Registry keys associated with event logs.

Mar 20
Mitre Attack Website

Modify Registry, Technique T1112 - Enterprise | MITRE ATT&CK®

SynAck can manipulate Registry keys.

Mar 20
Mitre Attack Website

System Owner/User Discovery, Technique T1033 - Enterprise | MITRE ATT&CK®

SynAck gathers user names from infected hosts.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.