Technical Analysis Of The SynapseCrypter Ransomware-As-A-Service

SynapseCrypter, a ransomware family first identified in early 2024, is distributed under a Ransomware-as-a-Service (RaaS) model on the Russian dark web forum RAMP. The SynapseCrypter.exe payload is capable of rapid encryption using multiple encryption modes, performs NTFS searches, and escalates privileges via access token manipulation. It avoids encrypting systems in Iran, suggesting possible affiliations with Iran-sympathizer groups. Synapse uses a custom encryption algorithm like Babuk ransomware and appears to have borrowed features from the Lambda ransomware family, hinting at reused code and connections with other RaaS groups or developers. The ransomware checks the system time zone and language to ensure Iranian systems are excluded, employs NTFS search, and deletes shadow copies before encryption. Encrypted telemetry is sent to designated C2 IPs, and the malware is also capable of network scanning and self-replication.