SunCrypt Ransomware Threat Intel Advisory

SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script (Fig. 1) which is similar to Netwalker.

Fig. 1: Obfuscated PowerShell script

Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware. Once SunCrypt is installed, it connects to the IP address 91.218.114.31 and transmits information about the attack and the victim. This ransomware prevents victims from accessing files by encrypting them with the ChaCha20 cryptographic algorithm.

It renames all encrypted files and creates a ransom note (Fig. 2). It also renames encrypted files by appending a string of random characters as a new extension. For example, SunCrypt would rename a file named “1.jpg” to “1.jpg.F3F2420C68439B451670486B17EF6D1B0188A -7982E7A9DBD9327E7F967C15767.”

Once the infection is complete, all files on the device will be encrypted and the operators of SunCrypt demand a ransom for the decryptor. Additional password-stealing trojans and malware infections are also installed together with the ransomware, at times, to log the user’s activities.

Read more Here

4 Likes