
Sugar Ransomware

Sugar Ransomware is a potent malware threat offered under a ransomware-as-a-service (RaaS) scheme. Unlike most prominent ransomware strains, Sugar appears to be geared towards infecting individual users rather than corporate targets. Another distinguishing characteristic of the threat is how much material it borrows from other ransomware groups. Details about the threat were released in a report published by the cyber-threat team at Walmart.

According to the infosec researchers' findings, the Sugar Ransomware is written in the Delphi programming language, but its code incorporates various objects taken from other ransomware families. The threat's file-encryption routine bears a striking similarity to the SCOP encryption algorithm from GPLib, an interfaced library of procedures and functions for encryption and decryption.

The ransom note delivered to the systems infected by the Sugar Ransomware appears to be mostly identical to the ransom-demanding messages of the REvil Ransomware threats with the addition of minor distinctions and various misspellings. As for the threat's dedicated decryptor page, it seems to be borrowing generously from the website of the Cl0p threat.

The most interesting feature uncovered during the analysis of Sugar Ransomware is its cryptor. It uses a modified RC4 encryption, but, more importantly, parts of the cryptor's code reappear in the string-decoding routine of the ransomware itself. This code reuse led the researchers to conclude that the creators of the threat and of the cryptor may be the same group of cybercriminals. The cryptor could also be part of a service that the main threat actor offers to its affiliates.
