SynAck is ransomware known since at least September 2017 and observed in April 2018 using Process Doppelgänging. It encrypts victim machines and then demands ransom payment. Reported behaviors include enumerating Registry keys associated with event logs, manipulating Registry keys, clearing event logs, enumerating all running services, gathering usernames from infected hosts, and parsing export tables of system DLLs to locate and invoke Windows API functions. SynAck also performs language/keyboard-layout based geofencing: it uses the GetKeyboardLayoutList API to enumerate installed keyboard layouts, compares them against a hardcoded language code list, and if a match is found it sleeps for 300 seconds and exits without encrypting files. The provided content does not attribute SynAck to a specific threat actor or industry targeting, and no concrete IOCs are given.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe ... AADInternals can modify registry keys ... ADVSTORESHELL is capable of setting and deleting Registry values ... [many additional examples].
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”
During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe ... AADInternals can modify registry keys ... ADVSTORESHELL is capable of setting and deleting Registry values ... [many additional examples].
"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes malware and threat actors querying, enumerating, opening, and reading Windows Registry keys and values, e.g., "APT41 queried registry values to determine items such as configured RDP ports and network configurations" and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content is a long ATT&CK-style listing of malware and threat actors that collect host details such as OS version, hostname, architecture, CPU, memory, BIOS, language, and other basic system characteristics; examples include use of commands like systeminfo, ver, uname, sw_vers, and WMI queries.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Examples include: “Bazar … check if the Russian language is installed … and terminate if it is found.”; “DropBook … checked for the presence of Arabic language …”; “Maze … checked the language … GetUserDefaultUILanguage”; “SynAck … checks installed keyboard layouts to estimate … countries.”
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Software changes: ... SynAck
Ransomware that enumerates installed keyboard layouts and exits without encrypting files when a listed language code is found.
Ransomware that enumerates keyboard layouts and exits without encrypting files when excluded language codes are detected.
Targeted ransomware that encrypts files (AES-256-ECB per file) and protects per-file encryption metadata using an ECIES-like hybrid scheme (ECDH over secp192r1 + PBKDF2-SHA1 + HMAC-SHA1, with XOR as the ENC primitive). Uses Process Doppelgänging (NTFS transactions) to masquerade malicious execution as legitimate, employs heavy pre-compilation obfuscation and hashed API/string resolution, performs locale/keyboard-layout and launch-directory checks to evade sandboxes, terminates processes/stops services to unlock files, clears Windows event logs, and can modify Windows logon legal notice text to display a ransom message.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.