
SunCrypt Ransomware

By GoldSparrow in Ransomware

The infamous "Maze" cartel of ransomware actors launched several months ago has recently welcomed a new member. The new group uses ransomware known as "SunCrypt" and has apparently been welcomed into the fold of Maze with open arms. While the exact nature of the Maze cartel remains unknown, it is believed that the cartel offers specialist advice, resources, and infrastructure to other threat actors. The groups may even provide each other with a share of the ransom profits to sweeten the deal.

A report on SunCrypt was released based on information gathered by interacting directly with the team behind it. SunCrypt claims to be independent of Maze while remaining in close cooperation with the group. Specifically, SunCrypt says that it shares resources and revenue with Maze in exchange for Maze helping it handle the different campaigns it runs.


Maze is a massive name in the field, and there are plenty of reports about new Maze infections each day. The group has an incredibly strong infrastructure and is not lacking in resources or members. The group has clearly advanced to a significant degree if it now has the resources to assist other groups and create an actual cartel.

Given that the team behind Maze is Russian, it is likely that the people behind SunCrypt are also Russian. This is only speculation right now, but the more Maze opens itself up to other members, the more information we can gather about it.

What Does SunCrypt Ransomware Do?
Security researchers are still analyzing SunCrypt, but there are some things we know about it. For example, we know that the ransomware is distributed as a DLL file that encrypts files on the computer when it is loaded. We also know that it appends a hexadecimal hash to the file extension of each encrypted file, but what the hash represents is currently unknown.

The virus also creates a ransom note entitled "YOUR_FILES_ARE_ENCRYPTED.HTML." This note is placed on the desktop and in each folder with an infected file. The file, as shown below, instructs victims on what they can do about their situation.
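The two host-based indicators described above (the ransom note filename and the hexadecimal suffix appended to encrypted files) are enough for a simple triage script. The following is an added example, not code from the original write-up or from any vendor tool: it walks a constructed list of Windows paths, flags directories that contain the note, and lists files whose final extension is a bare hexadecimal string appended after an original extension. The exact hash length is not documented on the page, so the pattern accepting eight or more hex digits is an assumption made for this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the write-up: the ransom note filename and a hexadecimal
# hash appended to the extension of encrypted files. The hash length is not
# known, so accepting any run of 8+ hex digits is an assumption of this example.
RANSOM_NOTE_NAME = "YOUR_FILES_ARE_ENCRYPTED.HTML"
HEX_SUFFIX = re.compile(r"^[0-9A-Fa-f]{8,}$")


def has_hex_suffix(path: str) -> bool:
    """True if the final extension is a bare hex string appended after an
    original extension, e.g. report.docx.<hex>. Plain 'name.ext' files and
    multi-part extensions such as archive.tar.gz do not match."""
    parts = PureWindowsPath(path).name.split(".")
    if len(parts) < 3:  # need original name, original extension, hex suffix
        return False
    return HEX_SUFFIX.match(parts[-1]) is not None


def triage(paths):
    """Group file paths by directory and record, per directory, whether the
    ransom note is present and which files carry the hex suffix."""
    report = {}
    for p in paths:
        wp = PureWindowsPath(p)
        entry = report.setdefault(str(wp.parent), {"note": False, "encrypted": []})
        if wp.name.upper() == RANSOM_NOTE_NAME:
            entry["note"] = True
        elif has_hex_suffix(p):
            entry["encrypted"].append(wp.name)
    return report


def affected_dirs(report):
    """Directories showing either indicator, sorted for stable output."""
    return sorted(d for d, e in report.items() if e["note"] or e["encrypted"])


# Constructed sample listing for demonstration; not data from a real victim.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"C:\Users\alice\Documents\budget.xlsx.4F2A9C1E7B3D",
    r"C:\Users\alice\Documents\YOUR_FILES_ARE_ENCRYPTED.HTML",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for d in affected_dirs(result):
        e = result[d]
        print(f"{d}: note={e['note']} encrypted={e['encrypted']}")
```

In a real investigation the path list would come from a directory walk or a file-system inventory export; the grouping by directory mirrors the write-up's observation that the note is dropped in every folder that holds an encrypted file, so a directory with the suffix but no note, or vice versa, is worth a second look.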

SunCrypt ransom note

Whats Happen?
We got your documents and files encrypted and you cannot access them. To make sure we're not bluffing just check out your files. Want to recover them? Just do what we instruct you to. If you fail to follow our recommendations, you will never see your files again. During each attack, we copy valuable commercial data. If the user doesn't pay to us, we will either send those data to rivals, or publish them. GDPR. Don't want to pay to us, pay 10x more to the government.
What Guarantees?
We're doing our own business and never care about what you do. All we need is to earn. Should we be unfair guys, no one would work with us. So if you drop our offer we won't take any offense but you'll lose all of your data and files. How much time would it take to recover losses? You only may guess.
How do I access the website?
Get TOR browser here
Go to our website
In case you decide not to cooperate, your private data will be published here or sold.
Offline how-to
Copy & Paste this secret message to this page textarea field

The Tor link in the ransom note is hardcoded into the executable file. That means that everyone who is infected with the ransomware is sent to the same site. The payment site doesn't have the automated features found on other ransomware payment portals. Instead, it has a chat screen where victims can talk to the attackers and negotiate a price.

The ransom note also contains a link to the data leak site where threat actors say they will publish user data if they don't pay the ransom. As of this writing, five victims have had their information published on this website.

Despite these threats, security researchers recommend against interacting with the threat actors or paying the ransom. There is no guarantee that they will hand over the decryption key or refrain from publishing the stolen information on the leak website. Threat actors like this can't be trusted. The best thing to do is to remove the ransomware from your computer and restore the encrypted data from a backup.

Security researchers are keeping a close eye on the situation. Only time will tell if this is the start of more groups joining Maze. The implications are scary, to say the least.
