

SynAck is a variant of Trojan ransomware that has targeted mainly English-speaking users since at least fall 2017. [1] [2]

ID: S0242
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 26 July 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | SynAck encrypts the victim's machine and then asks the victim to pay a ransom.[1] |
| Enterprise | T1106 | Execution through API | SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |
| Enterprise | T1070 | Indicator Removal on Host | SynAck clears event logs.[1] |
| Enterprise | T1112 | Modify Registry | SynAck can manipulate Registry keys.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[1][2] |
| Enterprise | T1057 | Process Discovery | SynAck enumerates all running processes.[1][2] |
| Enterprise | T1186 | Process Doppelgänging | SynAck abuses NTFS transactions to launch and conceal malicious processes.[1][2] |
| Enterprise | T1012 | Query Registry | SynAck enumerates Registry keys associated with event logs.[1] |
| Enterprise | T1082 | System Information Discovery | SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.[1] |
| Enterprise | T1033 | System Owner/User Discovery | SynAck gathers user names from infected hosts.[1] |
| Enterprise | T1007 | System Service Discovery | SynAck enumerates all running services.[1][2] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[1][2] |