SyncCrypt Ransomware hides behind an image file

This week, the SonicWall Capture Labs Threat Research team has received reports of yet another ransomware being distributed via spam. The email purports to be a message with a sense of urgency and importance that comes with a document attached but in fact contains a Windows Script file (.wsf) within a zip archive. Once executed it will download a seemingly non-malicious image file and then installs a ransomware called SyncCrypt.

Infection Cycle:

Upon execution, it downloads a jpg file as seen in the snippet of the javascript code below:

Trying to download the jpg file from the sources above will get you this non-malicious looking file:

But upon careful examination, this jpg file appears to be an archive containing the ransomware components.

These files are then unpacked and saved in the following location:

• %temp%/BackupClient/sync.exe [Detected as GAV: SyncCrypt.RSM (Trojan) ]
• %temp%/BackupClient/readme.html
• %temp%/BackupClient/readme.png

It then tries to confuse the victim by displaying this error message after the script runs.

Meanwhile the ransomware encrypts the victim's file like usual and appends .KK to all encrypted files. The ransomware note with details on payment instructions is then displayed as shown in the figure below:

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: SyncCrypt.RSM (Trojan)
• GAV: WScript.SyncCrypt.RSM (Trojan)