This week, we have seen a new kind of ransomware being distributed via spam but also being repopulated on Facebook, Instagram and PinTerest. The purpose of this image is to be a message with a sense of urgency and importance that comes with a document attached but in fact contains a Windows Script file (.wsf) within a zip archive. Once executed it will download a seemingly non-malicious image file and then installs a ransomware called SyncCrypt.
Downloading the file will get you this non-malicious looking file:
The downloaded JPG is actually an archive which contains the Ransomeware components.
These files are then unpacked and saved in the following location:
- %temp%/BackupClient/sync.exe [Detected as GAV: SyncCrypt.RSM (Trojan)
- %temp%/BackupClient/readme.html
- %temp%/BackupClient/readme.png
It then tries to confuse the victim by displaying an error message after the script runs.
Meanwhile the ransomware encrypts the victim’s file like usual and appends .KK to all encrypted files. The ransomware note with details on payment instructions is then displayed as shown in the figure below:
Because of the prevalence of these types of malware attacks, I recommend training users as well having them back up their files regularly.
