SynAck targets Windows OS and is distributed manually across networks via Remote Desktop Protocol (RDP) compromise. Once SynAck infects a system, it appends ten random alpha characters to the name of each encrypted file and drops a ransom note named RESTORE_INFO-[alphanumeric ID number].txt. It does not change the desktop wallpaper. Although the ransom payment amount is not listed on the ransom note, one victim who posted on the Bleeping Computer support forum received a ransom demand of $2100 worth of Bitcoin after he contacted the hacker.

5/7/2018 A new version of SynAck uses the Process Doppelgänging technique to evade antivirus detection, clears event logs, and displays a ransom note on the logon screen. The updated version was first detected in April 2018 and has infected victims in the United States, Kuwait, Germany, and Iran. This version of SynAck checks the keyboard language and will not infect a machine if the keyboard format is set to Russian, Ukrainian, Belorussian, Georgian, Armenian, Kazakh, Tajik, Azerbaijani Cyrillic, Uzbek Latin or Cyrillic.

Email addresses associated with SynAck:,,,,,,

Bitcoin wallet addresses associated with SynAck:

  • Bleeping Computer provides more information about SynAck here.
  • The NJCCIC is not aware of any free decryption tools available for SynAck.


Image Source: Bleeping Computer