There is a reason why ransomware continues to be a leading cyber threat. Cryptovirological operators are constantly working to make their attacks more damaging and more resistant to ransomware removal methods. In a new ransomware discovery, researchers have found a cryptographic strain that uses a complex antivirus circumvention technique to infiltrate the system; they are calling it the Doppelganging method.
This strain is built on the platform of the SynAck ransomware that was first discovered last year. Aside from the different payment method used by its operators, there was nothing new in its encryption algorithm. Instead of using a payment portal, the operators of SynAck use a BitMessage ID to arrange payment of the ransom.
Digital security experts at Kaspersky Lab think that the integration of this Doppelganging technique, used to avoid detection by antivirus applications, can transform SynAck ransomware into a more effective cryptovirological strain. It is imperative to understand that infiltration is central to any ransomware attack: successful infiltration ensures that the ransomware can continue with its encryption activity undisturbed.
What is Doppelganging?
Doppelganging is a complex method that exploits the basics of the Windows operating system to circumvent digital security measures. In Doppelganging, the malicious files of a ransomware are masked as legitimate executable files, and they replace and overwrite the original files by way of Transactional NTFS, a component of Windows that makes it easier for developers to run and test Windows-based applications by performing file operations inside a transaction.
The masked executables, or Doppelgangers, are then loaded through Transactional NTFS and deliver the payload without being detected by any security software, since the security software assesses the execution of the ransomware strain as a legitimate Windows process.
Aside from this effective circumvention technique, the use of Doppelganging process hollowing has also made the compilation and encryption more obfuscated, which has made reverse engineering an arduous activity. Reverse engineering is an important component of ransomware removal work, as it is used to develop a decryption tool for any particular strain.
Researchers are also suggesting that the new variant of SynAck is a targeted ransomware, because it has only been found attacking devices whose locale is set to Iran, Kuwait, the US, or Germany.