(Courtesy Bleeping Computer)
(Courtesy Bleeping Computer)

A new ransomware called SyncCrypt is using a unique method of downloading the malicious files that makes it very hard for an antivirus program to detect.

SyncCrypt was detected by Emisoft researcher xXToffeeXx, reported Bleeping Computer,  and is spread via spam emails containing an attachment with .wsf (Windows Script File) files. What is unusual about this, other than a .wsf file being used – which is rare – said Bleeping Computer founder Lawrence Abrams, is the .wsf will download an image with embedded .zip files containing the ransomware.

“This method has also made the images undetectable by almost all antivirus vendors on VirusTotal,” Abrams said.

Once the email is opened and the target decides to open the attachment, the social engineering plan being used has the document being listed as a court order, a JavaScript script activates that downloads the image. If the victim clicks on the downloaded image the cybercriminal's sense of humor, or perhaps musical taste, appears when an image of Olafur Arnalds' album titled "& They Have Escaped the Weight of Darkness" is shown.

However, whether or not the image is opened the .zip file is downloaded and its contents, a sync.exe, readme.html and readme.png, are extracted, Abrams said. The good news is that while image file tends to pass through most antivirus files contained inside the .zip file are more susceptible to detection. Although Bleeping Computer found that VirusTotal still detected them less than 50 percent of the time.

If properly installed the files are encrypted with a .kk extension and then the ransom note appears giving the victim 48 hours to pay about 0.1 bitcoin. 

At this time there is no way to decrypt the files and the best defense is to ensure all files are properly backed up.