SynAck ransomware group releases decryption keys as they rebrand to El_Cometa

Emsisoft is creating its own decryption utility based on the decryption keys released by the SynAck ransomware group.
Written by Jonathan Greig, Contributor

The SynAck ransomware gang has released decryption keys for victims that were infected between July 2017 and 2021, according to data obtained by The Record

SynAck is in the process of rebranding itself as the El_Cometa ransomware gang, and a member of the old group gave the keys to The Record. 

Emsisoft's Michael Gillespie confirmed the veracity of the decryption keys and said they are working on their own decryption utility that they believe will be "safer and easier to use" because there are concerns that SynAck victims may damage their files further using the provided keys. 

Ransomware expert Allan Liska told ZDNet that the SynAck ransomware group started right before Ransomware-as-a-service began to take off in 2018. 

"So they never outsourced their ransomware activities. While they continued attacks, there weren't nearly as many as groups like Conti or REvil were able to conduct, so they got lost in the shuffle," Liska said. "They also didn't hit any really big targets."

A Kaspersky Lab report in 2018 said SynAck differentiated itself in 2017 by not using a payment portal and instead demanding victims arrange payment in Bitcoin through email or BitMessage ID. 

They generally demanded ransoms around $3000 and gained notoriety for using the Doppelgänging technique, which targets the Microsoft Windows operating system and is designed to circumvent traditional security software and antivirus solutions by exploiting how they interact with memory processes.

There is little data on victims of the ransomware group, but Kaspersky Lab researchers said they observed attacks by the gang in the US, Kuwait, Germany and Iran.

"The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers," said Anton Ivanov, lead malware analyst at Kaspersky Lab. 

"Our research shows how the relatively low profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild."

A SynAck representative told The Record that the group plans to launch a new Ransomware-as-a-service platform and recruit affiliates to help with their work on El_Cometa. 

Multiple ransomware groups, like Avaddon and Prometheus, have released decryption tools in recent months, either in an effort to rebrand or due to increased law enforcement activity. 

Editorial standards