
Synack Ransomware

By GoldSparrow in Ransomware

PC security researchers have received reports of activity involving a previously unknown ransomware Trojan named the Synack Ransomware. The Synack Ransomware appears to be part of a RaaS (Ransomware as a Service) operation that is being run against computer users in the wild. The first versions of the Synack Ransomware were observed on August 3, and activity has grown substantially since then. There are three different variants of the Synack Ransomware, each with slight variations in the ransom note used in the attack.

Are the Authors of the Synack Ransomware Mocking Security Researchers?

The Synack Ransomware's payment is not handled through a payment website on the Dark Web. Instead, victims of the Synack Ransomware attack are asked to contact the Synack Ransomware's creators by email or through BitMessage, using the authors' BitMessage ID. Each variant of the Synack Ransomware uses different contact details. The Synack Ransomware also does not change the infected computer's desktop image after the attack, unlike many other encryption ransomware Trojans. Instead, the Synack Ransomware drops text notes on the victim's desktop. The text file associated with the Synack Ransomware attack is named 'RESTORE_INFO-[id].txt.' The Synack Ransomware marks the files encrypted by the attack with a new file extension made up of 10 random upper- and lower-case alphabetic characters.
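The two file-system indicators above (a ransom note named RESTORE_INFO-[id].txt and a new 10-letter mixed-case extension on every encrypted file) are enough for a quick triage scan. The following is an added example written for this page, not code from the article or from the ransomware's authors. It assumes the random extension contains letters only and, because a random 10-letter string almost never comes out all in one case, requires both upper- and lower-case letters so that legitimate extensions such as '.properties' do not trip the rule; the allow-listed names and the sample directory tree are constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the article: a 10-letter random extension and a note named
# 'RESTORE_INFO-[id].txt'. Assumption: letters only, mixed case (see lead-in).
RANDOM_EXT = re.compile(r"^[A-Za-z]{10}$")
NOTE_NAME = re.compile(r"^RESTORE_INFO-.+\.txt$", re.IGNORECASE)


def is_synack_extension(name):
    """True if the file's last extension looks like a Synack random extension."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base or not RANDOM_EXT.match(ext):
        return False
    # Require mixed case: '.properties' is 10 letters but all lower-case.
    return ext != ext.lower() and ext != ext.upper()


def scan_tree(root):
    """Walk root; return encrypted-looking files, ransom notes and per-extension counts."""
    encrypted, notes, ext_counts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if NOTE_NAME.match(name):
                notes.append(path)
            elif is_synack_extension(name):
                encrypted.append(path)
                ext_counts[name.rpartition(".")[2]] += 1
    return {"encrypted": encrypted, "notes": notes, "ext_counts": ext_counts}


def verdict(findings, min_files=5):
    """Flag a hit when a ransom note exists, or when many files share a single
    random extension (assumption: one extension per infected host)."""
    if findings["notes"]:
        return True
    return any(n >= min_files for n in findings["ext_counts"].values())


def build_sample_tree():
    """Constructed sample data mimicking a hit host; returns the temp root."""
    root = tempfile.mkdtemp(prefix="synack_demo_")
    sample = [
        "docs/report.docx.XkqPwZaLmD",   # encrypted: original ext kept, random ext appended
        "docs/budget.xlsx.XkqPwZaLmD",
        "photo.jpg.XkqPwZaLmD",
        "RESTORE_INFO-7f3a9c.txt",       # ransom note (id is made up)
        "docs/RESTORE_INFO-7f3a9c.txt",
        "app/config.properties",          # 10 lower-case letters: must NOT match
        "notes.txt",
    ]
    for rel in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    findings = scan_tree(build_sample_tree())
    print("notes:", findings["notes"])
    print("extensions:", dict(findings["ext_counts"]))
    print("infected:", verdict(findings))
```

Run it against a real share by replacing build_sample_tree() with the path to scan; the per-extension counter also tells you which extension this particular infection used, which is what you need when checking other hosts on the same network.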

How the Synack Ransomware may be Delivered

The most likely way in which the Synack Ransomware is being delivered to victims is through weakly protected RDP (Remote Desktop Protocol) connections, typically RDP services exposed to the Internet with weak or guessable credentials. The Synack Ransomware's primary targets seem to be small and medium-sized businesses. The con artists take advantage of poorly protected systems to install the Synack Ransomware on the victims' computers. A victim who contacted the Synack Ransomware's operators received the following email response from the people responsible for the Synack Ransomware:

'The cost of the decoder is $ 2100
We accept money only in bitcoins since this is the most anonymous currency in the world.
To buy bitcoins, we recommend using one of these services: https://www.bestchange.com or localbitcoins.com
To create a purse, this: blockchain.info
Transfer funds to this address: 15n6gV8QUBsy2yh7wqLppWG4Fw4gsUTNAj
After payment send us a link to the transaction or the address of your wallet and after receiving 3 confirmations we will send you a decoder.'
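The RDP delivery path described above leaves a trail in the Windows Security log before any file is encrypted: a burst of failed logons (event 4625) from one source address, followed by a successful logon (event 4624) from that same address once a credential is guessed. The detection below is an added example written for this page, not code from the article or the ransomware. It assumes the attackers guess weak credentials on an exposed RDP service and that 4625/4624 events are exported as JSON lines; the records, user names, timestamps and 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed. One caveat a practitioner should know: with Network Level Authentication enabled, pre-session RDP failures are logged with LogonType 3 rather than 10, so both types are treated as RDP candidates here.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as JSON lines. Field names
# follow the 4624/4625 event schema; every value below is made up.
SAMPLE_EVENTS = """\
{"EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:07Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"admin","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:09Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"backup","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:11Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"sysadmin","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:14Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:16Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:14:19Z"}
{"EventID":4624,"LogonType":10,"TargetUserName":"administrator","IpAddress":"203.0.113.45","TimeCreated":"2017-08-03T02:15:30Z"}
{"EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.7","TimeCreated":"2017-08-03T08:00:01Z"}
{"EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"198.51.100.7","TimeCreated":"2017-08-03T08:00:20Z"}
{"EventID":4624,"LogonType":2,"TargetUserName":"jsmith","IpAddress":"-","TimeCreated":"2017-08-03T08:30:00Z"}
"""

# 10 = RemoteInteractive (RDP). With NLA on, failed pre-session authentication
# is recorded as LogonType 3 (Network), so include it as well.
RDP_LOGON_TYPES = {10, 3}


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP failures per source; alert once when a source
    crosses the threshold, and again if that source later logs on successfully."""
    recent = defaultdict(deque)  # source ip -> deque of (ts, user) failures in window
    flagged = set()
    alerts = []
    for e in events:
        if e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            q = recent[ip]
            q.append((e["ts"], e["TargetUserName"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif e["EventID"] == 4624 and ip in flagged:
            # A success after a guessing burst is the moment the foothold is gained.
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": e["TargetUserName"], "at": e["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second alert type is the one worth paging on: a guessing burst that ends in a 4624 from the same address means the operator now has an interactive session, and on the timeline described in this article the ransomware drop follows from there. A single failure from jsmith followed by a success is left alone by the threshold.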

The Bitcoin address associated with the Synack Ransomware has received 98 Bitcoin in payments so far, which is nearly half a million USD. There also is constant traffic to the Synack Ransomware's Bitcoin address, which suggests that the Synack Ransomware is part of a large RaaS operation. The following are the three different ransom notes that have been associated with the Synack Ransomware attack and its three variants so far:

'Files on your computer are encrypted.
Algorithm: ecc-secp192r1 & aes-ecb-256
To decrypt your files, please contact us using one of these e-mail addresses:
synack@secmail.pro
synack@scryptmail.com
synack@countermail.com
Please include the following text in your message:
zMp9IPExgXlvg27MFOlQrOIssoqd/gUr5SiB5zhpbDt8TmZhBwkxrfJE6pI4eBWbQF27lVL9XlCbfSqA
WQwum1dAlwA4hzAWXAM9sOvnsRtAXbuVUv1eUJt9KoBZDC6bGh0AGcBiKVRHFPcrweumhtBd96yMBEVk
ITpQr8qSCJkX9awL1cG5KTUbP1XkGrC5JWS1itDYO/jL6r0uvWQ1cR/tIgYlOeA/QxKZKzl+POHPwuxs
V/bAeTZzqvTRuzVd92cZK8F9+9nbswxLvWCPDVO4LfokOOk2dumqyrmKxRQ8Lq2xuSoPvoSWIy7fXwN4
BNNB1Mw8YWHih97EujEMuchis3cxYos45GC9Oku+TU61iCsvYI64L6e319P2+tGvmRQ6Y/1KUKkyCEeH
mg5N4MTBoriLDLeyooXEfS5Is36ONSLU1HzMJQA+s2rQhGqjEccC++cY8erHYfeGgfFamyY='

'Files are encrypted, algorithm used: ecies-secp192r1 & aes-ecb-256.
To decrypt your files, please contact us using this e-mail address:
tyughjvbn13@scryptmail.com
If for unknown reasons you did not receive any answer on e-mail,
write to BitMessage (using site https://bitmsg.me/):
BM-2cStoatQC4mDNWDHAoo2C1nYZJXhDsjCLj
Please do not perform any manipulations with encrypted files.
If you want to try to restore your files manually, do backups first.
And please do not remove files with text notes,
because they contain important information required for file restoring.
Please include the following text in your message:
0R/Bau5ipGsVLsGSzhqUVh3w5HoIvPGTpnfrDwvbQH71uckujfkvgIpEokGzpBYcmCKdbXYGMZSAr0DX
pREEtx/geN8g4oawmtt5ISwr19CYIp1tdgYxlICvQNelEQS3Vk2ZhGunReB+KX3JPtxYvBAaWjz6rTcn
LaMB7x5DkyQvgYcjPnmH5hlzKpWY3g6Utmv4sG4Kc6P/jQ/HShMug7SstMkAPlRiE8wr5nwesjTDi2Sd
Dkm8RQEwXzEOUwLtpmBEkP5CwttrMkET8ZDAUpXwzXbz51cHXfRttwZNRTERlM6c/D/HBejtkXltWRAB
mCKdbXYGMZSAr0DXpREEtwQS5CepltSqYYv6xE/sT9PpE4xzwWBtGb4RmZNn7/ck95+e/bbYS+hpj40g
Dgwncww/7Sdt25pB0kSuDC7vblyx2kr0/9iFasyTsjiVIU+zzGkPOJNEFmUs7ZR4YdEEhUn0JW6yq9Rk
j29v313sOFTJ'

'Files are encrypted, algorithm used: ecies-secp192r1 & aes-ecb-256.
To decrypt your files, please contact us using this e-mail address:
bubkjdws@scryptmail.com
If for unknown reasons you did not receive any answer on e-mail,
write to BitMessage (using site https://bitmsg.me/):
BM-2cWsgWxq1X5M6qjDEBPvCdEbbPLn2zi43k
Please do not perform any manipulations with encrypted files.
If you want to try to restore your files manually, do backups first.
And please do not remove files with text notes,
because they contain important information required for file restoring.
Please include the following text in your message:
QOfVQofGOV9mZyevHkCSxLOwEVhq2qU/SfOxCoArf9lho5sZeMmIf2vsF3OM/p1DUIM4Y+K4VbtkHR9T
f0fjXbkkL7NI/jUCRQGIph7R/DZQgzhj4rhVu2QdH1N/R+NdkkynMyb1qeRC+qg0VMQOqi3uAWFm+XHJ
gHc9CYerWczrlbCU07tbWmMUnC8ojkkVaupL8y2mnr88iL8FYmbnorFTDtbRiOKNMMUIOdR16VguPZcL
GqzS1TL0INEtAyXbW3opmYsTCliYFfv0u7UgzBwmjeHMawETFM4vryc5YGUPDvyAPb9bQlfUhIew1yEG
UIM4Y+K4VbtkHR9Tf0fjXQTcIFD6Hqz78jzxJ72H0dZZAJeRiRamdPePaX+ivXvWt/XCQebomojtwwaP
5AVVmDC+mzR/3MQBF4ZUQzoeF5dfFXWsH27nKbZal5Rnh0QMJMIaBk126kwGZKnvI7TPP2KA5pD/WKcu
wS+eVJUsMxeH'
