
SunCrypt Ransomware

Posted: August 27, 2020

The SunCrypt Ransomware is a file-locking Trojan with a business association with the Maze Ransomware campaign's threat actors. This relationship primarily manifests in shared domain contacts and, potentially, shared techniques for infecting victims' computers. Despite its unusual background, users can protect their files through the same means as always: backing work up to other storage devices and keeping a reliable anti-malware product for removing the SunCrypt Ransomware.

Shining Some Sun on Criminal Extortion Ops

File-locking Trojans can cast long shadows, with their business models and attack methodology making ripples throughout the Dark Web. Although Ransomware-as-a-Service is the most typical way of seeing Trojan software and resources proliferate among like-minded hackers, there are other options. For example, the SunCrypt Ransomware shows the increasing, long-term support, and possible financial success, of Maze Ransomware's developers.

The Maze Ransomware, highly active throughout 2020 against business entities, is part of a broader operation that provides Trojan-related services to threat actors interested in the same 'business' of locking files and collecting ransoms. Against this background, the cyber-security industry tracks the rise of the SunCrypt Ransomware – another Windows Trojan with file-locking features and network communications in common with the Maze Ransomware's gang.

Access to an infected network may be another product that the Maze Ransomware group sells to affiliates. For its part, the SunCrypt Ransomware hides as a DLL and uses obfuscated PowerShell scripting to install itself before passing system data to a remote server, locking files and creating an HTML ransom note. None of these features is unusual for a threat of its kind. However, the facts that the SunCrypt Ransomware shares IP addresses with the Maze Ransomware, and that the developers assert ongoing cooperation and shared resources between the two groups of attackers, are of note.

Turning Down the SunCrypt Ransomware's Lights

Some areas of the SunCrypt Ransomware's payload remain inadequately defined as to their purpose. The Trojan appends a sequence of semi-random characters to each file as an extension, but the sequence changes from file to file, which rules out its being a victim-based ID. Whether there is any code overlap between the program and other file-locking Trojans related to the Maze Ransomware operations (such as the Ragnar Locker Ransomware or the LockBit Ransomware) is unclear.
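As an added illustration (not part of the original write-up, and not SunCrypt's own code), the following Python heuristic shows how a responder can tell from a directory listing whether an appended extension is constant, shared across files like a victim ID, or varies per file as described above, and whether an HTML file sits beside the renamed ones. All file names are constructed samples, not real SunCrypt artifacts.

```python
import math
from collections import Counter
from pathlib import PurePath

# Constructed sample listings (not real SunCrypt artifacts).
CONSTANT_EXT = ["report.docx.locked", "budget.xlsx.locked", "notes.txt.locked"]
SHARED_SUFFIX = ["report.docx.A1B2C3D4", "budget.xlsx.A1B2C3D4", "notes.txt.A1B2C3D4"]
PER_FILE_RANDOM = ["report.docx.Q7z9Kx2Lp", "budget.xlsx.mT3vB8nRw",
                   "notes.txt.Xc5Ht1YqD", "NOTE.html"]  # NOTE.html: constructed note name


def shannon_entropy(s: str) -> float:
    """Bits per character of s; a run of distinct characters scores log2(len)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(ext: str, min_len: int = 6, min_bits: float = 2.5) -> bool:
    """Heuristic: a long, high-entropy alphanumeric suffix that is not a plain
    lowercase word is unlikely to be an ordinary file type (docx, html, ...)."""
    return (len(ext) >= min_len
            and ext.isalnum()
            and shannon_entropy(ext) >= min_bits
            and not (ext.islower() and ext.isalpha()))


def assess_listing(names):
    """Summarise appended extensions across a directory listing.

    per_file_variation is True when every suspicious suffix is unique, the
    pattern that rules out a victim-based ID; html_note_present flags an
    HTML file beside the renamed ones, the note format described above."""
    suffixes = [PurePath(n).suffix.lstrip(".") for n in names]
    suspicious = [s for s in suffixes if looks_random(s)]
    distinct = len(set(suspicious))
    return {
        "suspicious": len(suspicious),
        "distinct_suffixes": distinct,
        "per_file_variation": len(suspicious) >= 2 and distinct == len(suspicious),
        "html_note_present": any(s.lower() in ("html", "htm") for s in suffixes),
    }


if __name__ == "__main__":
    for label, listing in [("constant", CONSTANT_EXT), ("shared", SHARED_SUFFIX),
                           ("per-file", PER_FILE_RANDOM)]:
        print(label, assess_listing(listing))
```

The thresholds are tuned only for these samples; on a real host, run the check over the directories the Trojan touched and compare suffixes across more than one affected machine before drawing conclusions about victim IDs.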

Besides its relationships to other threats, the SunCrypt Ransomware also poses a pressing danger to victims: additional blackmail via leaking. The Trojan's anonymous TOR site offers 'leaks' of server data from victims who reject the payment option, as malware experts generally recommend doing. Such a social engineering trick gives criminals another means of collecting payment, even if their encryption breaks – an uncommon event for Trojans targeting business entities.

Workplaces should remain vigilant around likely sources of exposure to these attacks, such as e-mail attachments or the brute-forcing of login credentials leading to RDP hijacking. In most circumstances, dedicated anti-malware tools should remove the SunCrypt Ransomware, while backups kept in a secondary location always are a relevant recovery resource.

Assertions by the SunCrypt Ransomware's threat actors suggest repeated, ongoing experience in the field, with Maze Ransomware's group 'farming out' some of the labor due to high demand on the Black Market. Since splitting ransoms makes for crimes with long-term revenue options for multiple groups, victims should try that much harder to deny them their payday.
