First reported in 2017, the SynAck malware was nothing particularly special.  Like most ransomware based malware, SynAck employed file encryption and blackmail to extort victims of money through Bitcoin.  All of that has changed, however, as a new SynAck variant has been reported that uses a technique known as Doppelgänging to bypass security programs.

The lockout screen of a SynAck victim.

Process Doppelgänging circumvents security software and antivirus programs by exploiting how they interact with memory in the Windows operating system.  In simple terms, Doppelgänging takes a legitimate Windows program and hollows out the code, hiding itself within the shell of a program flagged as safe by the antivirus.  While many antivirus programs are designed to check for hollowed programs, Doppelgänging takes things a step further and will restore hollowed programs to a functional state when investigated.

Researchers from Kaspersky Lab have noted that the latest variant of SynAck takes additional precautions to avoid detection.


[SynAck] checks if it’s installed in the right directory. If it’s not, it doesn’t run,” researchers noted. “Second, SynAck checks if it’s installed on a computer with a keyboard set to a certain script — in this case, Cyrillic — in which case it also does nothing.”

The reason for these measures is to prevent the malware from running in a test lab environment to ensure that reverse engineering is difficult.  The Cyrillic script being singled out also gives away some additional information about the origin of the malware as well as its intent.  The main regions where Cyrillic is used are Russia, Serbia or Ukraine which likely puts one of those countries as the malwares origin.  Furthermore, the fact that they don’t want to infect their home country likely means that the malware is intended as a targeted attack against specific countries or businesses.

SynAck has been observed used against targets in the U.S., Kuwait, Germany and Iran with ransom demands going as high as $3,000.  Because SynAck cannot be detected by most antivirus programs, the best defense is an awareness of how the ransomware spreads.  Ransomware typically infects users through targeted phishing scams in email.  Users should never download or open an email attachment from an unknown sender.  Even if the name looks familiar, check the actual sending address as it is possible to mask email display names.  Furthermore, make sure that all critical files are backed up to an offsite or cloud based storage site.  If a user does become infected, it is far easier, cheaper, and more reliable to restore the files than to give into the demands of the attacker.