Image Files Hide SyncCrypt Ransomware Components

SyncCrypt is a brand new strain of ransomware which hides its components inside image files.

Like many other malware families, SyncCrypt is distributed through spam emails with attachments that contain WSF files.

The attachments are disguised as court orders; as soon as one is executed, an embedded JScript fetches seemingly innocuous images from specific locations and extracts the ransomware components they contain.

At first sight, the images may look harmless, however, they contain SyncCrypt components in the form of ZIP files.

According to security researchers, the JScript also extracts the hidden malicious components (sync.exe, readme.html, and readme.png).

“If a user was to open one of these image URLs directly, they would just see an image that contains the logo for Olafur Arnalds’ album titled ‘& They Have Escaped the Weight of Darkness’.”

“Embedded in this image, though, is a zip file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware.”
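A defender can triage images for exactly this kind of payload by walking to the end of the legitimate image (the PNG IEND chunk or the JPEG end-of-image marker) and checking whether a ZIP header follows. The example below is added here, not taken from the article or from the researchers; the sample image and the ZIP member names it constructs are placeholders that only mirror the file names quoted above.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"
ZIP_SIGS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty-archive EOCD

def image_end_offset(data: bytes) -> int:
    """Offset where a well-formed PNG or JPEG ends, or -1 if unrecognized."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):  # walk the chunk list until IEND
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4    # length+type header, payload, CRC
            if ctype == b"IEND":
                return pos
        return -1
    if data.startswith(JPEG_MAGIC):
        # First FFD9 marker; EXIF thumbnails can end earlier, so treat as triage.
        eoi = data.find(b"\xff\xd9")
        return -1 if eoi < 0 else eoi + 2
    return -1

def inspect_image(data: bytes) -> dict:
    """Report bytes trailing the image and any ZIP member names found there."""
    end = image_end_offset(data)
    trailer = data[end:] if end >= 0 else b""
    result = {"image_end": end, "trailer_len": len(trailer), "zip_members": []}
    if trailer.startswith(ZIP_SIGS):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            result["zip_members"] = zf.namelist()
    return result

def build_sample() -> bytes:
    """Constructed 1x1 PNG with a harmless ZIP appended (placeholder contents)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    png = (PNG_MAGIC + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("sync.exe", "readme.html", "readme.png"):
            zf.writestr(name, b"placeholder content")  # dummy bytes, not malware
    return png + buf.getvalue()
```

Any non-zero `trailer_len` after a valid image end is worth a closer look even when no ZIP signature follows, since other container formats can be appended the same way.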

In addition, the WSF file creates a Windows scheduled task named Sync which, when executed, scans the infected system for certain file types and encrypts them using AES encryption. SyncCrypt then encrypts the AES key with an embedded RSA-4096 public key.

SyncCrypt targets more than 350 file types and appends the .kk extension to them after encryption. According to the experts, the ransomware skips files located in several folders, including \windows\, \program files (x86)\, \program files\, \programdata\, \winnt\, \system volume information\, \desktop\readme\, and \$recycle.bin\.

The developers of SyncCrypt demand approximately $429 for decrypting the files. Once the payment is completed, victims have to send an email containing the key file to one of the addresses getmyfiles@keemail.me, getmyfiles@scryptmail.com, or getmyfiles@mail2tor.com in order to get a decrypter.

Security researchers claim that the distribution process is capable of evading detection: at the time of analysis, only one of the 58 vendors on VirusTotal detected the malicious images.

According to the experts, sync.exe itself, on the other hand, had a detection rate of 28 out of 63.

The bad news about SyncCrypt is that currently, there is no free decryptor available to release the victims’ files.
