SynAck is a variant of Trojan ransomware that has targeted mainly English-speaking users since at least fall 2017.[1][2]

ID: S0242
Platforms: Windows
Version: 1.3
Created: 17 October 2018
Last Modified: 08 September 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom.[1] |
| Enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | SynAck clears event logs.[1] |
| Enterprise | T1112 | Modify Registry | SynAck can manipulate Registry keys.[1] |
| Enterprise | T1106 | Native API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2] |
| Enterprise | T1057 | Process Discovery | SynAck enumerates all running processes.[1][2] |
| Enterprise | T1055.013 | Process Injection: Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2] |
| Enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs.[1] |
| Enterprise | T1082 | System Information Discovery | SynAck gathers computer names and OS version info, and also checks installed keyboard layouts to estimate whether it has been launched from a certain list of countries.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | SynAck lists all the keyboard layouts installed on the victim’s system using the GetKeyboardLayoutList API and checks them against a hardcoded language code list. If a match is found, SynAck sleeps for 300 seconds and then exits without encrypting files.[1] |
| Enterprise | T1033 | System Owner/User Discovery | SynAck gathers user names from infected hosts.[1] |
| Enterprise | T1007 | System Service Discovery | SynAck enumerates all running services.[1][2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |