It was only a matter of time before cybercriminals started using stenography to hide malicious tools. A new ransomware variant, SyncCrypt, hides within JPEG image files. This method of distribution will only become more prevalent, since most computer users view JPEGs as completely harmless. That is no longer the case, and SyncCrypt could be a very dangerous type of ransomware if left unchecked.

SyncCrypt Ransomware Lurks Within Images

The distribution of ransomware in this way is not entirely new. It is often delivered through spam email campaigns, and tries to trick users into downloading a WSF file. Once the attachment is opened by the user, the SyncCrypt payload is downloaded and executed. This method of distributing malware has been prevalent for some time now, but it looks like SyncCrypt has a few interesting tricks up its sleeve. In fact, it masks the ransomware payload as a ZIP file embedded within JPEG images.

That sounds a lot more complicated than it actually is, however. A WSF file is a Windows Script File, which is designed to let creators execute commands once the file is opened. In this case, it downloads a website image containing an embedded ZIP file. Within this ZIP file are the SyncCrypt ransomware and other tools necessary to break down a computer’s defenses. Unfortunately, this also means the images downloaded through the WSF file will not be detected by most antivirus solutions in existence today, as it does not contain any malicious code to flag.

Distributing images with embedded ransomware is a way of using steganography for nefarious uses. In most cases, individuals utilize steganography to hide information or data within images. This can only be done by including marginal amounts of data per image, lest the original file be corrupted in the process. The WSF files distributed through this particular email campaign run a JavaScript file to download images. Directly opening the download URL will just show a legitimate image which does not contain any malicious payload whatsoever.

However, taking a closer look at the image reveals it contains a ZIP archive containing the sync.exe file. There is also an HTML file and a PNG file included in this package. As one might expect, these three files are the main components of the SyncCrypt ransomware strain. It is highly probable that SyncCrypt is a test of sorts to gauge the efficacy of this method when it comes to distributing ransomware and other types of malware. This method is not commonly used currently, but once criminals hear of its potential for success that situation will change.

Every good type of ransomware comes with its own demand for a Bitcoin payment. In the case of SyncCrypt, victims must first open the AMMOUNT.txt file found in the README folder on their desktop. The exact amount of Bitcoins — it seems to hover around 0.1 BTC right now — must be sent to the address provided in the README file. Once the payment is made, victims are required to send an email to three different addresses containing a key and transaction ID. After that, they will automatically receive the decryption key necessary to restore their files, or so the criminals claim.

Unfortunately, there is no free way to decrypt files encrypted by SyncCrypt at this point in time. Until that changes, users who deal with this ransomware should either attempt to restore files from a backup or take the data loss and format their hard drive accordingly. It does not appear SyncCrypt removes shadow volume copies, which means data recovery should be possible, at least in theory. It is unclear if this ransomware is currently targeting specific areas of the world, but it is safe to say every computer user is a potential victim until proven otherwise.