SyncCrypt Ransomware

The SyncCrypt Ransomware is an encryption ransomware Trojan. The SyncCrypt Ransomware is being distributed using corrupted spam email attachments that take the form of WSF files. Once installed, the SyncCrypt Ransomware will encrypt the victim's files, marking the files encrypted by the attack with the file extension '.kk.' The use of WSF files to distribute threats like the SyncCrypt Ransomware has been observed before, but is different from the most popular methods in use currently, which exploits corrupted macro scripts embedded in Microsoft Office documents. Once the SyncCrypt Ransomware finishes encrypting the files, there is no way to decrypt them without the decryption key (which the developers of the SyncCrypt Ransomware hold in their possession).

The SyncCrypt Ransomware can Compromise a Huge Number of Files

When the SyncCrypt Ransomware is installed, the SyncCrypt Ransomware will scan the victim's computer for certain file types. The SyncCrypt Ransomware uses AES encryption to make the victim's files inaccessible. The SyncCrypt Ransomware will target the following file types in its attack:

accdb, accde, accdr, adp, ach, arw, asp, aspx, backup, backupdb, bak, bat, bay, bdb, bgt, blend, bmp, bpw, cdf, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, cdx, cer, cfg, class, cls, config, contact, cpp, craw, crt, crw, css, csv, d3dbsp, dbx, dcr, dcs, dds, der, dif, dit, doc, docm, docx, dot, dotm, dotx, drf, drw, dwg, dxb, dxf, edb, eml, eps, fdb, flf, fpx, frm, gif, gpg, gry, hbk, hpp, html, hwp, jpe, jpeg, jpg, kdbx, kdc, key, jar, java, laccdb, latex, ldf, lit, lua, mapimail, max, mbx, mdb, mfw, mlb, mml, mmw, midi, moneywell, mocha, mpp, nef, nml, nrw, oab, odb, odc, odf, odg, odi, odm, odp, ods, odt, otg, oth, otp, ots, p12, pas, pab, pbm, pcd, pct, pcx, pdf, pef, pem, pfx, pgm, php, pict, pntg, potm, potx, ppam, ppm, pps, ppsm, ppsx, ppt, pptm, pptx, ppz, prf, psd, ptx, pub, qbw, qbx, qpw, raf, rtf, safe, sav, save, sda, sdc, sdd, sdf, sdp, skp, sql, sqlite, sqlite3, sqlitedb, stc, std, sti, stm, stw, sxc, sxg, sxi, sxm, sxw, tex, txt, tif, tiff, vcf, wallet, wb1, wb2, wb3, wcm, wdb, wpd, wps, xlr, xls, xlsb, xlsm, xlsx, xlam, xlc, xlk, xlm, xlt, reg, rspt, profile, djv, djvu, ms11, ott, pls, png, pst, xltm, xltx, xlw, xml, r00, 7zip, vhd, aes, ait, apk, arc, asc, asm, asset, awg, back, bkp, brd, bsa, bz2, csh, das, dat, dbf, db_journal, ddd, ddoc, des, design, erbsql, erf, ffd, fff, fhd, fla, flac, iif, iiq, indd, iwi, jnt, kwm, lbf, litesql, lzh, lzma, lzo, lzx, m2ts, m4a, mdf, mid, mny, mpa, mpe, mpeg, mpg, mpga, mrw, msg, mvb, myd, myi, ndf, nsh, nvram, nxl, nyf, obj, ogg, ogv, p7b, p7m, p7r, p7s, package, pages, pat, pdb, pdd, pfr, pnm, pot, psafe3, pspimage, pwm, qba, qbb, qbm, qbr, qby, qcow, qcow2, ram, rar, ras, rat, raw, rdb, rgb, rjs, rtx, rvt, rwl, rwz, scd, sch, scm, sd2, ser, shar, shw, sid, sit, sitx, skm, smf, snd, spl, srw, ssm, sst, stx, svg, svi, swf, tar, tbz, tbz2, tgz, tlz, txz, uop, uot, upk, ustar, vbox, vbs, vcd, vdi, vhdx, vmdk, vmsd, vmx, vmxf, vob, vor, wab, wad, wav, wax, wbmp, webm, webp, wks, wma, wp5, wri, wsc, wvx, xpm, xps, xsd, zip, zoo.

After encrypting a file and changing its file extension, the SyncCrypt Ransomware will deliver a ransom note. The SyncCrypt Ransomware will not encrypt the files located in the following directories:

• windows\
• program files (x86)\
• program files\
• programdata\
• winnt\
• \system volume information\
• \desktop\readme\
• \$recycle.bin\

The SyncCrypt Ransomware's Ransom Note

After encrypting the victim's files, the SyncCrypt Ransomware creates a folder named README on the infected computer's desktop. This folder contains the files AMMOUNT.txt, key, readme.html and readme.png. These files are composed of two ransom notes; the encrypted the SyncCrypt Ransomware decryption key and the ransom amount. The following is the text of the SyncCrypt Ransomware's ransom note:

YOUR FILES WERE ENCRYPTED
using military grade encryption. The encrypted files have the additional extension .kk. You won't be able to retrieve your data unless you purchase the software provided by us. YOU HAVE EXACTLY 48 HOURS TO MAKE A DECISION OR YOU'LL NEVER SEE YOUR FILES AGAIN. Any atempt to recover your files on your own could damage the files permanently. There is no workaround, that's how encryption is supposed to work. In order to retrieve your data, please follow the steps below:
Go to Desktop folder, and open AMMOUNT.txt from within README folder. Obtaining the decryption sofware requires that you send EXACTLY the ammount of Bitcoin (without the transaction fee) that is written within the text file to the following address:
15LK2BQxj2MJGZZ3kcUi3B4C42CQKKMQzK
Note that if the ammount sent doesn't match EXACTLY the ammount in the text file, you will NOT receive the sofware, as it's the only way to validate and confirm the payment.
After the payment is done, send an email to ALL of the following addresses getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com containg:
The file named KEY, located within the README folder on your Desktop, as an Attachment - this file is a locked version of the decryption key (that must be unlocked by us), used to recover your files. DO NOT delete it if you plan to get your files back
The transaction id of the Bitcoin payment
Emails that dont contain the KEY file attached will be automatically rejected.
As soon as we confirm the payment, you will receive on your email address the decription key together with the required software and the instructions to recover your files.
Dont forget, TIME'S RUNNING OUT

Ignore the SyncCrypt Ransomware's instructions and use a reliable file backup system to ensure that you can recover your files after a SyncCrypt Ransomware attack without needing to pay the ransom amount.