WHAT IS KNOWN?
SynAck ransomware was first discovered in 2017. A recently discovered variant of SynAck uses the Process Doppelgänging technique to bypass detection by antivirus products. This is the first known ransomware to adopt this sophisticated technique.
WHAT IS PROCESS DOPPELGANGING?
Process Doppelganging is a technique that allows bypassing real-time file scanning of all tested AV and NGAV products on Microsoft Windows starting from Windows Vista. It was first shown by a team of researchers from enSilo during BlackHat Europe 2017 on December 7th in London.
HOW DOES PROCESS DOPPELGANGING HIDE MALWARE?
On most Windows computers the files are stored on disks that use the NTFS file system. This file system is relatively old, although Microsoft updates it from time to time. In 2007, with the release of Windows Vista, Microsoft introduced a new feature to NTFS – transactions. NTFS transactions allow many file operations to be performed and then, at the end, either accepted or cancelled as a group. This way, any application can make many changes to many files on disk and return all of them to their original state if an error is detected. The most common use of transactions is during installation of Windows updates. If everything goes well, the transaction is accepted, or, in transaction language, committed. On error, the transaction is cancelled, or rolled back. Process Doppelganging abuses this mechanism to hide the main malware payload: it chooses an innocent file, overwrites it inside a transaction and runs the malware from that content. Just before letting the malware run, it rolls back all changes, which prevents antivirus software from scanning the file content that is really being executed. Note that the malware process can still run in this case. If opened, the file on disk will contain no suspicious content. Moreover, this file can be a well-known, digitally signed application.
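The following is an added illustration, not code from the original post or from enSilo: a toy in-memory model of the NTFS transaction visibility rules described above (writes inside a transaction are visible only to readers inside that transaction until commit), together with the defender's check this implies, namely comparing the bytes a process actually executes against the file it claims to come from. Paths and file contents are constructed for the example; nothing here touches the Windows API.

```python
import hashlib


class TransactedFileSystem:
    """Toy model of NTFS transactions (TxF). Constructed for illustration;
    it is not the Windows API. Uncommitted writes are visible only to
    readers that pass the same transaction id."""

    def __init__(self):
        self.committed = {}   # path -> bytes visible to everyone
        self.pending = {}     # txid -> {path: bytes} not yet committed
        self._next_tx = 1

    def write_committed(self, path, data):
        self.committed[path] = data

    def begin(self):
        txid = self._next_tx
        self._next_tx += 1
        self.pending[txid] = {}
        return txid

    def write_transacted(self, txid, path, data):
        self.pending[txid][path] = data

    def read(self, path, txid=None):
        """A reader inside the transaction sees its uncommitted data; any
        other reader (an on-access AV scanner included) sees committed data."""
        if txid is not None and path in self.pending.get(txid, {}):
            return self.pending[txid][path]
        return self.committed[path]

    def commit(self, txid):
        self.committed.update(self.pending.pop(txid))

    def rollback(self, txid):
        self.pending.pop(txid)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def image_mismatch(executing_image, fs, path):
    """Defender check: the bytes a process executes should hash to the same
    value as the on-disk file it reports as its image. A mismatch after a
    rollback is the condition a disk-only scan cannot see."""
    return sha256(executing_image) != sha256(fs.read(path))


def simulate(path="C:/Program Files/Example/clean.exe"):   # constructed path
    fs = TransactedFileSystem()
    fs.write_committed(path, b"BENIGN SIGNED IMAGE")        # constructed content
    tx = fs.begin()
    fs.write_transacted(tx, path, b"CONSTRUCTED PAYLOAD")   # visible only in tx
    executing = fs.read(path, txid=tx)   # what a process created from tx runs
    fs.rollback(tx)                      # disk returns to the benign content
    return executing, fs.read(path), image_mismatch(executing, fs, path)
```

Running simulate() returns the executed bytes, the on-disk bytes after rollback, and True for the mismatch; a scanner that only reads the file on disk sees the benign content.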
METHOD OF DISTRIBUTION OF SYNACK RANSOMWARE?
Kaspersky has noted that Remote Desktop Protocol (RDP) brute force is the most common distribution method.
ENSILO BLOCKING SYNACK TWICE
enSilo’s protection platform blocks SynAck at both the pre-infection and post-infection stages. In the pre-infection stage it blocks the initial execution, which stops the threat chain from progressing any further. Figure 1 shows that process:
Figure 1: Blocking in Pre-Infection
In order to see our post-infection protection in action, we disabled our pre-execution engine. As shown in Figure 2, SynAck is blocked by enSilo’s Ransomware Prevention policy as it attempts to use the Process Doppelgänging technique in an attempt to avoid detection by AV.
Figure 2: enSilo blocking in Post-Infection
Would you like to see enSilo blocking malicious threats in action?
Ransomware is continuously evolving, and ransomware authors are adapting their methods to use vulnerabilities, exploits and code injection to evade detection. Current cybersecurity solutions were built around keeping attackers out. Because attackers are motivated to get in, infiltration methods keep evolving and are nearly impossible to stay ahead of.
WHO DOES RANSOMWARE AFFECT?
Ransomware can infect a single user and then spread throughout the entire organization, knocking computers offline and forcing employees to use pen and paper while IT and SOC teams scramble to mitigate the infection.
WHAT HAPPENS IF I ACCIDENTALLY CLICK ON A RANSOMWARE FILE?
Some ransomware encrypts files, while other ransomware locks the user out. After the ransomware is triggered, a pop-up appears, often with a friendly message from the attacker explaining exactly how the user can regain access to their files – and how much it is going to cost them. "Of course, there’s no guarantee that even if a victim pays the demanded amount they will actually get access to their files again, which makes dealing with ransomware somewhat of a tricky issue."
CAN ENSILO PROTECT ME AGAINST PROCESS DOPPELGANGING? IF SO, WHY?
Yes. enSilo’s own NGAV pre-infection mechanism is also susceptible to Process Doppelganging. However, because enSilo also offers post-infection protection with real-time blocking at the kernel level, the second line of protection (post-infection) blocks Process Doppelganging.
MOST IMPORTANT TAKEAWAYS?
Ransomware authors are building sophisticated, custom ransomware variants with the express goal of bypassing current cybersecurity methods that still concentrate on keeping attackers out of environments. In order to detect and contain ransomware and protect data from being encrypted, stolen or tampered with, cybersecurity products need to be re-evaluated against these capabilities:
- Utilizing a single, easy-to-use management console for pre- and post-infection capabilities. Streamline your operational process by eliminating alert clutter.
- Detecting advanced malware that bypasses your traditional AV and NGAV prevention defenses, in a way that allows you to take immediate action.
- Siloing advanced malware in real time, post-infection, to protect against data tampering or a breach. Drastically improve reaction time to advanced malware impact.
- Protecting legacy and new Windows, macOS and Linux operating systems, as well as Virtual Desktop Infrastructure (VDI) environments on VMware and Citrix.
- Easily obtaining detailed information on malware, pre- and post-infection, to conduct forensics on a single infected endpoint or on many.