{
	"id": "50f825bf-b6e8-47a7-aec9-a1ffc212b344",
	"created_at": "2026-04-06T00:17:18.602515Z",
	"updated_at": "2026-04-10T13:12:38.266876Z",
	"deleted_at": null,
	"sha1_hash": "de291adf7a418b9c67983fafe208846e7c61ef88",
	"title": "SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1149303,
	"plain_text": "SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension\r\nBy Lawrence Abrams\r\nPublished: 2017-08-16 · Archived: 2026-04-05 16:28:43 UTC\r\nA new ransomware called SyncCrypt was discovered this week by Emsisoft security researcher xXToffeeXx. It is being distributed by spam attachments containing WSF files. When executed, these attachments will encrypt a computer and append the .kk extension to encrypted files.\r\nWhile the use of WSF files to distribute malware is not uncommon, when I analyzed the script I noticed that the method being used to download and install the ransomware is quite interesting. This is because the WSF script will download images with embedded ZIP files that contain the necessary files to infect the computer with SyncCrypt. This method has also made the images undetectable by almost all antivirus vendors on VirusTotal.\r\nUnfortunately, at this time there is no way to decrypt files encrypted by SyncCrypt for free, but if you wish to receive help or discuss this ransomware, you can use our dedicated SyncCrypt Support Topic.\r\nImages with Embedded Ransomware Evade Antivirus Detection\r\nAt this time we have not been able to find the actual spam emails that are distributing the SyncCrypt downloader, but we do know that the WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf. 
When executed, these WSF files contain a JScript script that will download an image from one of three sites as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/\r\nPage 1 of 10\r\nDownload Images Script Source\r\nIf a user were to open one of these image URLs directly, they would just see an image that contains the logo for Olafur Arnalds' album titled \"\u0026 They Have Escaped the Weight of Darkness\".\r\nEmbedded in this image, though, is a zip file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware.\r\nHex Editor View of the Image File\r\nAfter the image is downloaded to the %Temp% folder as a zip file with a random name, its contents are extracted into %Temp%\\BackupClient. The sync.exe file is then executed to install the ransomware, which is discussed in the next section.\r\nBackupClient Folder Containing Ransomware Components\r\nWhat makes this distribution highly effective is that the majority of antivirus vendors are not detecting these image files. When I scanned these image files on VirusTotal, only DrWeb out of 58 vendors detected them as malware.\r\nVirusTotal Results\r\nWhile the images alone are not malicious in any way, the distribution vector provides an effective way to distribute malware without being detected by security software. 
Thankfully, the malicious sync.exe executable has a much higher VirusTotal detection rate of 28 out of 63, but it is still being missed by a great many popular vendors.\r\nHow the SyncCrypt Ransomware Encrypts Files\r\nOnce the sync.exe executable is extracted from the zip file as described above, the WSF file will create a Windows scheduled task called Sync that is configured to fire 1 minute after the WSF file is executed. Once sync.exe is executed, it will scan the computer for certain file types and encrypt them using AES encryption. The AES key used to encrypt the files will itself be encrypted with an embedded RSA-4096 public key and saved in %Desktop%\\README\\key.\r\nThe targeted file types are:\r\naccdb, accde, accdr, adp, ach, arw, asp, aspx, backup, backupdb, bak, bat, bay, bdb, bgt, blend, bmp, bpw, cdf, cdr, cdr3\r\nWhen a file is encrypted, it will have the .kk extension appended to the filename. For example, a file named test.jpg would be encrypted and renamed to test.jpg.kk. You can see an example of an encrypted folder below.\r\nSyncCrypt Encrypted Files\r\nWhile encrypting files, SyncCrypt will skip files located in the following folders:\r\nwindows\\\r\nprogram files (x86)\\\r\nprogram files\\\r\nprogramdata\\\r\nwinnt\\\r\n\\system volume information\\\r\n\\desktop\\readme\\\r\n\\$recycle.bin\\\r\nWhen SyncCrypt has finished encrypting a computer, a folder called README will be present on the desktop. This folder contains the AMMOUNT.txt, key, readme.html, and readme.png files. The AMMOUNT.txt file contains the ransom amount, the key file is the encrypted decryption key, and the other two files are the ransom notes. 
SyncCrypt will then automatically open and display the readme.html ransom note in the victim's default browser as shown below.\r\nSyncCrypt Ransom Note\r\nThis ransom note will contain instructions to send a payment, which in my test was 0.1001270 bitcoins or ~429 USD, to the enclosed bitcoin address. After a payment has been made, the victim is told to send an email containing the key file to one of the getmyfiles@keemail.me, getmyfiles@scryptmail.com, or getmyfiles@mail2tor.com addresses to get a decrypter.\r\nUnfortunately, at this time there is no way to decrypt files for free, but if you wish to receive help or discuss this ransomware, you can use our dedicated SyncCrypt Support Topic.\r\nHow to Protect Yourself from the SyncCrypt Ransomware\r\nIn order to protect yourself from SyncCrypt, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.\r\nYou should also have security software that contains behavioral detections such as Emsisoft Anti-Malware or Malwarebytes. I also recommend trying a dedicated ransomware protection program like RansomFree.\r\nLast, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! 
Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed.\r\nUse strong passwords and never reuse the same password at multiple sites.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.\r\nIOCs\r\nFile Hashes:\r\nSHA256: 877488d8f43548c6e3016abd33e2d593a44d450f1910084733b3f369cbdcae85 (sync.exe)\r\nSHA256: 3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e (CourtOrder_845493809.wsf)\r\nSHA256: c6565d22146045e52110fd0a13eba3b6b63fbf6583c444d7a5b4e3a368cc4b0d (image files)\r\nFilenames associated with the SyncCrypt Ransomware Variant:\r\n%UserProfile%\\AppData\\Local\\Temp\\BackupClient\\\r\n%UserProfile%\\AppData\\Local\\Temp\\BackupClient\\tmp.bat\r\n%UserProfile%\\AppData\\Local\\Temp\\BackupClient\\sync.exe\r\n%UserProfile%\\AppData\\Local\\Temp\\BackupClient\\readme.html\r\n%UserProfile%\\AppData\\Local\\Temp\\BackupClient\\readme.png\r\n%UserProfile%\\Desktop\\README\\\r\n%UserProfile%\\Desktop\\README\\AMMOUNT.txt\r\n%UserProfile%\\Desktop\\README\\KEY\r\n%UserProfile%\\Desktop\\README\\readme.html\r\n%UserProfile%\\Desktop\\README\\readme.png\r\nC:\\Windows\\System32\\Tasks\\sync\r\nCourtOrder_[random].wsf\r\nRegistry entries associated with the SyncCrypt Ransomware:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{FE99549B-A4F1-4534-9658-2AEAAE683D25}\\Path\r\nSyncCrypt Ransomware Ransom Note Text:\r\nYOUR FILES WERE ENCRYPTED\r\nusing military grade encryption. The encrypted files have the additional extension .kk. You won't be able to retrieve your\r\nGo to Desktop folder, and open AMMOUNT.txt from within README folder. 
Obtaining the decryption sofware requires that you s\r\n15LK2BQxj2MJGZZ3kcUi3B4C42CQKKMQzK\r\nNote that if the ammount sent doesn't match EXACTLY the ammount in the text file, you will NOT receive the sofware, as it'\r\nAfter the payment is done, send an email to ALL of the following addresses getmyfiles@keemail.me, getmyfiles@scryptmail.co\r\nThe file named KEY, located within the README folder on your Desktop, as an Attachment - this file is a locked version of\r\nThe transaction id of the Bitcoin payment\r\nEmails that dont contain the KEY file attached will be automatically rejected.\r\nAs soon as we confirm the payment, you will receive on your email address the decription key together with the required so\r\nDont forget, TIME'S RUNNING OUT\r\nEmails Associated with the SyncCrypt Ransomware:\r\ngetmyfiles@keemail.me\r\ngetmyfiles@scryptmail.com\r\ngetmyfiles@mail2tor.com\r\nTargeted File Extensions:\r\naccdb, accde, accdr, adp, ach, arw, asp, aspx, backup, backupdb, bak, bat, bay, bdb, bgt, blend, bmp, bpw, cdf, cdr, cdr3\r\nBundled Public RSA-4096 Keys:\r\nSource: https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/"
	],
	"report_names": [
		"synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension"
	],
	"threat_actors": [],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de291adf7a418b9c67983fafe208846e7c61ef88.pdf",
		"text": "https://archive.orkl.eu/de291adf7a418b9c67983fafe208846e7c61ef88.txt",
		"img": "https://archive.orkl.eu/de291adf7a418b9c67983fafe208846e7c61ef88.jpg"
	}
}