SyncCrypt targets Windows OS and is distributed via malicious email attachments containing a Windows Script File (WSF). This variant uses steganography to evade detection: once opened, the WSF downloads an image with a ZIP file embedded in it. The ZIP file contains the SyncCrypt executable and "readme" files. After the image downloads to the %Temp% folder, the script extracts the files from the ZIP file into the %Temp%\BackupClient folder and proceeds to install the ransomware component. SyncCrypt encrypts files using AES and appends .kk to the file names. It then drops a folder named README onto the desktop that contains the RSA-4096 public encryption key, readme.html, readme.png, and AMMOUNT.TXT, a text file that contains the ransom amount.
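As an added example, not taken from the original page or from the NJCCIC or Bleeping Computer write-ups, the following defender-side check looks for the delivery trick described above: an image file that carries an appended ZIP archive. The PNG bytes and the ZIP member names are constructed for the demonstration.

```python
"""Flag image files that carry an appended ZIP archive (image/ZIP polyglot).
Only signatures are inspected; the image is never rendered and the archive
members are never extracted or executed."""
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record, near the end of any ZIP
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".wsf", ".js", ".vbs", ".bat", ".ps1")


def image_kind(data: bytes):
    """Return 'png', 'jpeg', or None based on the leading magic bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return None


def find_appended_zip(data: bytes):
    """Return (zip_offset, member_names, executable_members) when an image
    has a ZIP archive appended to it, else None."""
    if image_kind(data) is None or data.rfind(ZIP_EOCD) == -1:
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))  # zipfile tolerates prepended bytes
    except zipfile.BadZipFile:
        return None
    infos = zf.infolist()
    if not infos:
        return None
    # zipfile adjusts header_offset for the prepended image, so it is absolute.
    offset = min(i.header_offset for i in infos)
    names = [i.filename for i in infos]
    executables = [n for n in names if n.lower().endswith(EXEC_SUFFIXES)]
    return offset, names, executables


def build_sample() -> bytes:
    """Constructed sample: a PNG header, 64 bytes of filler, then a small ZIP
    with two members (placeholder names; no real program is involved)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"placeholder, not a real program")
        zf.writestr("readme.html", b"<html>sample</html>")
    return PNG_MAGIC + b"\x00" * 64 + buf.getvalue()


if __name__ == "__main__":
    print(find_appended_zip(build_sample()))  # (72, ['payload.exe', 'readme.html'], ['payload.exe'])
```

A clean image returns None, so the check can be run over mail attachments or %Temp% downloads without false alarms on ordinary pictures.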
Extensions appended to file names: .kk
Emails associated with this variant include: email@example.com, firstname.lastname@example.org, email@example.com
Bitcoin wallet addresses associated with this variant:
Ransom note file names:
readme.html, readme.png, AMMOUNT.TXT
- Bleeping Computer provides more information about SyncCrypt here.
- The NJCCIC is not aware of any decryption tools available for SyncCrypt.
Image Source: Bleeping Computer