Meet SyncCrypt: A ransomware without possibility of decryption

Ransomware is the hottest method of attack for many black hat hackers. The reasons for this are obvious, as there are tons of willing hosts (a.k.a. gullible users) and the payouts from the ransoms are often quite lucrative. With this in mind, it is no surprise that new variants of ransomware are emerging seemingly by the day. One such ransomware making the rounds in the cybersecurity research community is SyncCrypt.

Originally identified by Emsisoft security researcher xXToffeeXx SyncCrypt is a ransomware that, according to an extensive analysis from Bleeping Computer’s Lawrence Abrams, is distributed via spam email attachments that are Windows Script Files (WSF) files.

As Abrams notes in his post, “the use of WSF files to distribute malware is not uncommon.” In fact, security firms as early as 2016 noted the massive uptick in malware attacks that utilized WSF files. Consider these words from a SentinelOne report written in November 2016 about Locky ransomware:

Like many scripting and development languages, Windows script files (WSF) can be a powerful tool when used for good. Unfortunately, when it’s in the hands of an attacker, it can be used to create malicious WSF files with the purpose of creating malware.

Since WSF files are a common transmission method of ransomware, you might think that new ransomware like SyncCrypt would be easy to detect and neutralize. As Lawrence Abrams discovered, however, the situation is quite to the contrary as he states:

The WSF script will download images with embedded ZIP files that contain the necessary files to infect the computer with SyncCrypt. This method has also made the images undetectable by almost all antivirus vendors on VirusTotal.

Even worse, once SyncCrypt encrypts your system’s files via AES, there is no decryption method available (this is likely due to the newness of the ransomware). Upon the total infection and encryption you are met with the following message:

Lawrence Abrams/Bleeping Computer

The file extensions affected, as of the time of this article’s writing, are the following:

Lawrence Abrams/Bleeping Computer

Until SyncCrypt receives a decryption method, and even when it does, the best defense against this ransomware is common sense. Do not open emails or attachments from unknown sources. Always be mindful of the fact that your personal contacts can be hacked and impersonated with the intention of releasing ransomware. Patch every vulnerability on both client-side and server-side areas of your network as soon as these patches are released. Make sure that you have an effective firewall, antivirus, and any other IDS you see fit.

Stay safe out there.

Photo credit: Pexels