SyncCrypt targets Windows OS and is distributed via malicious email attachments containing a Windows Script File (WSF). This variant uses steganography to evade detection and infect victims as, once opened, the WSF downloads an image embedded with a ZIP file. This ZIP file contains the SyncCrypt executable and "readme" files. After the image downloads to the%Temp% folder, it extracts the files from the ZIP file into the %Temp%\BackupClient folder and proceeds to install the ransomware component. SyncCrypt encrypts files using AES and appends .kk to the file names. It then drops a folder named README onto the desktop that contains the RSA-4096 public encryption key, readme.html, readme.png, and AMMOUNT.TXT, a text file that contains the ransom amount.

Extensions appended to file names:

Emails associated with this variant include:,,

Bitcoin wallet addresses associated with this variant:

Ransom note file names:
readme.html, readme.png, AMMOUNT.TXT

  • Bleeping Computer provides more information about SyncCrypt here.
  • The NJCCIC is not aware of any decryption tools available for SyncCrypt.

Image Source: Bleeping Computer