{
	"id": "69c4d216-2846-4044-9438-81c6fd3f1ad3",
	"created_at": "2026-04-06T00:07:35.729973Z",
	"updated_at": "2026-04-10T03:24:29.961256Z",
	"deleted_at": null,
	"sha1_hash": "092a0a225c673575d6b4d36a2510eb3bbd030c5e",
	"title": "Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47422,
	"plain_text": "Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique\nBy Kaspersky\nPublished: 2018-05-07 · Archived: 2026-04-05 22:51:19 UTC\n\nKaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes.\n\nWoburn, MA – May 7, 2018 – Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. This is the first time the Doppelgänging technique has been seen in ransomware in the wild. The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox.\n\nThe SynAck ransomware has been known since fall 2017, and in December it was observed targeting mainly English-speaking users with remote desktop protocol (RDP) brute-force attacks followed by the manual download and installation of malware. The new variant uncovered by Kaspersky Lab researchers implements a far more sophisticated approach, using the Process Doppelgänging technique to evade detection.\n\nReported in December 2017, Process Doppelgänging involves a fileless code injection that takes advantage of a built-in Windows function and an undocumented implementation of the Windows process loader. By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code. Doppelgänging leaves no traceable evidence behind, making this type of intrusion extremely difficult to detect. This is the first time ransomware has been observed using this technique in the wild.\n\nOther noteworthy features of the new variant of SynAck include:\nThe Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code.\nIt also obscures the links to the necessary API functions, and stores hashes of strings rather than the actual strings.\nUpon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an ‘incorrect’ directory – such as a potential automated sandbox – it exits.\nThe malware also exits without execution if the victim PC has a keyboard set to Cyrillic script.\nBefore encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard-coded list. If it finds a match, it tries to kill the process. Processes blocked in this way include virtual machines, office applications, script interpreters, database applications, backup systems, gaming applications and more – possibly to make it easier to seize valuable files which might otherwise be tied up in the running processes.\n\nhttps://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging\nPage 1 of 3\n\nResearchers believe attacks using this new variant of SynAck are highly targeted. To date, they have observed a limited number of attacks in the U.S., Kuwait, Germany and Iran, with ransom demands of $3,000.\n\n“The race between attackers and defenders in cyberspace is a never-ending one. The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” said Anton Ivanov, lead malware analyst, Kaspersky Lab. “Our research shows how the relatively low-profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild.”\n\nKaspersky Lab detects this variant of the SynAck ransomware as:\nTrojan-Ransom.Win32.Agent.abwa\nTrojan-Ransom.Win32.Agent.abwb\nPDM:Trojan.Win32.Generic\n\nKaspersky Lab recommends the following actions to keep users and devices safe from ransomware:\nBack up data regularly.\nUse a reliable security solution that is powered with behavior detection and able to roll back malicious actions.\nAlways keep software updated on all the devices you use.\nIf you’re a business, you should also educate your employees as well as IT teams, and keep sensitive data separate with access restricted. Use a dedicated security solution, such as Kaspersky Endpoint Security for Business.\nIf you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may find a decryption tool that can help you get your files back.\n\nTo learn more about SynAck, read our blogpost on Securelist.com.\n\nAbout Kaspersky Lab\nKaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com\n\nMedia Contact\nJessica Bettencourt\n781.503.7851\nJessica.Bettencourt@kaspersky.com\n\nSource: https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging"
	],
	"report_names": [
		"2018_synack-doppelganging"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/092a0a225c673575d6b4d36a2510eb3bbd030c5e.pdf",
		"text": "https://archive.orkl.eu/092a0a225c673575d6b4d36a2510eb3bbd030c5e.txt",
		"img": "https://archive.orkl.eu/092a0a225c673575d6b4d36a2510eb3bbd030c5e.jpg"
	}
}