SunCrypt ransomware was discovered in October 2019, and in August 2020 it was added to the Maze ransomware cartel. It also follows some of Maze's tactics, techniques and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script (Fig. 1) similar to the one used by Netwalker.
Fig. 1: Obfuscated PowerShell script
Infected email attachments (macros), torrent websites and malicious ads act as carriers for this ransomware. Once SunCrypt is installed, it connects to the IP address 91.218.114.31 and transmits information about the attack and the victim. The ransomware prevents victims from accessing their files by encrypting them with the ChaCha20 stream cipher.
It renames every encrypted file and creates a ransom note (Fig. 2). The new name is the original file name with a string of random characters appended as an additional extension. For example, SunCrypt would rename a file named "1.jpg" to "1.jpg.F3F2420C68439B451670486B17EF6D1B0188A -7982E7A9DBD9327E7F967C15767".
Once the infection is complete, all files on the device are encrypted and the SunCrypt operators demand a ransom for the decryptor. Additional password-stealing trojans and other malware are at times installed alongside the ransomware to log the user's activities.
Fig. 2: SunCrypt ransom note
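As an added example (not part of the original advisory), the two behaviours described above, the connection to the 91.218.114.x addresses and the appended random-hex extension, expressed as simple detection checks in Python. The 32-character hex threshold, the "src=... dst=..." firewall log format and all sample data are constructed assumptions, not taken from a real incident.

```python
import re
from ipaddress import ip_address

# Network indicators quoted in the write-up above (the addresses the sample contacts).
SUNCRYPT_C2 = {ip_address("91.218.114.30"), ip_address("91.218.114.31")}

# SunCrypt keeps the original name and extension and appends a long run of
# hex characters as a new extension ("1.jpg.<hex>"). The minimum of 32 hex
# characters is an assumption chosen to avoid matching ordinary extensions.
APPENDED_HEX_EXT = re.compile(
    r"^(?P<orig>.+\.[A-Za-z0-9]{1,8})\.(?P<tag>[0-9A-Fa-f]{32,})$"
)


def suspect_rename(filename):
    """Return (original_name, appended_tag) if the name matches the
    SunCrypt renaming pattern, otherwise None."""
    m = APPENDED_HEX_EXT.match(filename)
    return (m.group("orig"), m.group("tag")) if m else None


def scan_listing(names):
    """Return the subset of file names that look like SunCrypt-renamed files."""
    return [n for n in names if suspect_rename(n)]


def c2_connections(log_lines):
    """Return (src, dst) pairs from 'src=... dst=...' firewall lines whose
    destination is one of the known SunCrypt addresses."""
    hits = []
    for line in log_lines:
        m = re.search(r"src=(\S+)\s+dst=(\S+)", line)
        if not m:
            continue
        try:
            dst = ip_address(m.group(2))
        except ValueError:
            continue  # malformed destination field, skip the line
        if dst in SUNCRYPT_C2:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    # Constructed sample data: one renamed file and one outbound C2 connection.
    listing = ["report.docx", "1.jpg." + "0123456789ABCDEF" * 4, "photo.jpeg.bak"]
    logs = [
        "2020-08-20T10:01:02 src=10.0.0.7 dst=91.218.114.31 dport=80 action=allow",
        "2020-08-20T10:01:05 src=10.0.0.7 dst=8.8.8.8 dport=53 action=allow",
    ]
    print(scan_listing(listing))
    print(c2_connections(logs))
```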
Indicators of Compromise
Impact
- The major outcome of the attack is unavailability of data due to encryption.
- The ransom demanded is often hefty; the operators base their demands on the value of the target organisation.
- Client lawsuits and compliance fines lead to loss of the company's reputation and goodwill.
- Service downtime affects the company financially and damages relationships with clients.
Mitigation
- Do not open suspicious or irrelevant emails, especially those received from unknown or suspect senders.
- Block the installation of programs from unknown sources.
- Download from relevant and trusted sources.
- Back up your data regularly.
- Use a trusted scanner to detect the malware.
- Disable Windows PowerShell, which is a task automation framework.