SyncCrypt
To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive Malware and
Threat Reports at the following URL: https://sns.snssecure.mcafee.com/content/signup_login.
Summary
SyncCrypt belongs to a family of malware that encrypts the user's files on the compromised system and
demands that the user pay a ransom to retrieve them.
Detailed information about the threat, its propagation, characteristics, and mitigation is in the following sections:
The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please
review the Threat Library for the most up-to-date coverage information.
Mitigation
Mitigating the threat at multiple levels such as file, registry, and URL can be achieved at various layers of McAfee
products. Browse the product guidelines available here to mitigate the threats based on the behavior described
below in the Characteristics and symptoms section.
Mitigation methods for assorted malware are available in the following product guide:
http://b2b-download.mcafee.com/products/evaluation/Endpoint_Security/Evaluation/ens_1000_help_0-00_en-us.pdf
Any specific mitigation steps, if necessary, will be described later in this advisory.
ENS 10.x
Refer to article KB86577 to create an Endpoint Security Threat Prevention user-defined Access Protection
Rule for a file, folder, or registry key.
VSE
Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against
viruses that can disable regedit.
Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against
viruses that can disable Task Manager.
Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware
from changing folder options.
HIPS
To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
To create an application blocking rules policy to prevent the binary from running, refer to KB71794.
To create an application blocking rules policy that prevents a specific executable from hooking any other
executable, refer to KB71794.
MRI
To download and install McAfee Ransomware Interceptor, refer to McAfee Free Tools.
Characteristics and symptoms
Download locations of the JPG file:
hxxps://image.ibb.co/mxRqXF/arrival.jpg
hxxp://sm.uploads.im/X8IOl.jpg
hxxp://185.10.202.115/images/arrival.jpg
The JPG file carries an embedded Zip file. The Zip file contains three files: sync.exe, readme.html,
and readme.png. The Zip file is extracted to the %TEMP%\BackupClient folder. After extracting, the malware creates a
scheduled task that runs sync.exe.
Scheduled task:
Location on the disk for the files extracted from the Zip file:
C:\Users\User\AppData\Local\Temp\BackupClient\sync.exe
C:\Users\User\AppData\Local\Temp\BackupClient\readme.html
C:\Users\User\AppData\Local\Temp\BackupClient\readme.png
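The JPG-with-embedded-Zip described above is a polyglot: Zip readers locate the archive from the end-of-central-directory record at the tail of the file, so the image bytes in front do not stop them, while image viewers stop at the JPEG end-of-image marker and never see the archive. The following script, added here as an example (it is not McAfee code and not code from the malware), carves such an appended archive and lists its entries without extracting them. The JPEG skeleton and the Zip payload are constructed in memory so the script runs offline; the file names mirror those listed above, and the file contents are placeholders.

```python
"""Carve a Zip archive appended to a JPEG and list its entries.

Added example for triaging downloaders that hide an archive behind an image.
The specimen is constructed below; nothing here is taken from a real sample.
"""
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"          # start of image
JPEG_EOI = b"\xff\xd9"          # end of image; viewers stop here
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of a Zip local file header


def find_zip_offset(data: bytes) -> int:
    """Offset of the first Zip local file header after the JPEG end-of-image
    marker, or -1 when the image has no appended archive."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.find(JPEG_EOI)
    if eoi < 0:
        return -1
    return data.find(ZIP_LOCAL_HEADER, eoi + len(JPEG_EOI))


def carve_zip(data: bytes) -> bytes:
    """Slice out the appended archive. The slice runs to the end of the file
    because the end-of-central-directory record sits at the tail."""
    off = find_zip_offset(data)
    if off < 0:
        raise ValueError("no Zip archive appended to JPEG")
    return data[off:]


def list_payload(data: bytes) -> list:
    """Sorted names of the files inside the embedded archive (no extraction)."""
    with zipfile.ZipFile(io.BytesIO(carve_zip(data))) as zf:
        return sorted(zf.namelist())


def is_polyglot(data: bytes) -> bool:
    """True when the blob starts like a JPEG yet opens as a Zip archive.
    zipfile searches for the end-of-central-directory record from the end of
    the data, which is exactly why the whole JPG works as an archive."""
    return data.startswith(JPEG_SOI) and zipfile.is_zipfile(io.BytesIO(data))


def build_sample() -> bytes:
    """Constructed specimen: a minimal JPEG (SOI, one APP0 segment, EOI)
    followed by a Zip holding the three file names named in the advisory."""
    app0_payload = b"JFIF\x00" + b"\x00" * 9           # 14 bytes
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + len(app0_payload)) + app0_payload
    jpeg = JPEG_SOI + app0 + JPEG_EOI                   # 22 bytes in total
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sync.exe", b"MZ" + b"\x00" * 62)   # placeholder, not a PE
        zf.writestr("readme.html", b"<html>placeholder ransom note</html>")
        zf.writestr("readme.png", b"\x89PNG\r\n\x1a\n")  # placeholder header only
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("polyglot:", is_polyglot(sample))
    print("zip starts at offset", find_zip_offset(sample))
    print("entries:", list_payload(sample))
```

To run this against a real download, replace `build_sample()` with the bytes read from the suspect .jpg; `carve_zip` gives the archive to write to disk for further analysis, and `is_polyglot` is a cheap first check for any image that arrives from an untrusted URL.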
When sync.exe is executed, the malware checks its command-line arguments to decide which behavior to run. The malware copies
readme.html and readme.png to the Desktop folder by executing the following commands:
The malware encrypts files with AES. The AES key used to encrypt the files is itself encrypted with an
RSA-4096 public key embedded in the malware, and the encrypted key is saved in %Desktop%\README\key. Because
the matching private key never leaves the attacker, the files cannot be recovered from the key file alone.
The ammount.txt file states the ransom amount to be paid. The other two files, readme.html and readme.png, are the ransom notes.
The following folders are excluded from encryption:
windows\
program files (x86)\
program files\
programdata\
winnt\
\system volume information\
\desktop\readme\
\$recycle.bin\
The malware encrypts all other files and appends the extension .kk to each encrypted file. After encrypting all files present on the system, it shows
the following:
AP Rule:
Remediation
Coverage of the samples described in this Threat Advisory is available in DAT 8632 and above.
This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy,
relevance, and timeliness of the information and events described; they are subject to change without notice.