win.suncrypt

SunCrypt

According to PCrisk, SunCrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. It renames encrypted files by appending a string of random characters as the new extension.

References

2022-07-27  Trend Micro (Buddy Tancio, Jed Valderama)
    "Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike"
    Families: Cobalt Strike, GootKit, Kronos, REvil, SunCrypt

2022-04-12  LIFARS (Vlad Pasca)
    "A Detailed Analysis of The SunCrypt Ransomware"
    Families: SunCrypt

2022-04-01  Bleeping Computer (Lawrence Abrams)
    "The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'"
    Families: Hive, Dharma, LockBit, STOP, SunCrypt

2022-03-28  Bleeping Computer (Bill Toulas)
    "SunCrypt ransomware is still alive and kicking in 2022"
    Families: SunCrypt

2022-03-28  Minerva Labs (Natalie Zargarov)
    "SunCrypt Ransomware Gains New Capabilities in 2022"
    Families: SunCrypt

2021-09-09  Medium / s2wlab (S2W TALON)
    "Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction"
    Families: SunCrypt

2021-07-22  S2W LAB Inc. (Denise Dasom Kim, Jungyeon Lim, Sujin Lim, Yeonghyeon Jeong)
    "W4 July | EN | Story of the week: Ransomware on the Darkweb"
    Families: LockBit, SunCrypt

2021-05-10  DarkTracer (DarkTracer)
    "Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb"
    Families: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-04-26  CoveWare (CoveWare)
    "Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound"
    Families: Avaddon, Clop, Conti, DarkSide, Egregor, LockBit, Mailto, Phobos, REvil, Ryuk, SunCrypt

2021-04-07  ANALYST1 (Jon DiMaggio)
    "Ransom Mafia Analysis of the World's First Ransomware Cartel"
    Families: Conti, Egregor, LockBit, Maze, RagnarLocker, Ryuk, SunCrypt, TA2101, VIKING SPIDER

2021-04-07  ANALYST1 (Jon DiMaggio)
    "Ransom Mafia - Analysis of the World's First Ransomware Cartel"
    Families: Conti, Egregor, LockBit, Maze, RagnarLocker, SunCrypt, VIKING SPIDER

2021-03-28  PC's Xcetra Support (David Ledbetter)
    "SunCrypt, PowerShell obfuscation, shellcode and more yara"
    Families: SunCrypt

2021-03-02  Intezer (Joakim Kennedy)
    "When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?"
    Families: QNAPCrypt, SunCrypt

2021-02-23  CrowdStrike (CrowdStrike)
    "2021 Global Threat Report"
    Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-04  Chainalysis (Chainalysis Team)
    "Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains"
    Families: DoppelPaymer, Egregor, Maze, SunCrypt

2020-12-16  Accenture (Paul Mansfield)
    "Tracking and combatting an evolving danger: Ransomware extortion"
    Families: DarkSide, Egregor, Maze, Nefilim, RagnarLocker, REvil, Ryuk, SunCrypt

2020-11-16  Intel 471 (Intel 471)
    "Ransomware-as-a-service: The pandemic within a pandemic"
    Families: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-11-12  Medium / Sapphirex00 (Sapphire)
    "Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia"
    Families: SunCrypt

2020-10-23  Hornetsecurity (Hornetsecurity Security Lab)
    "Leakware-Ransomware-Hybrid Attacks"
    Families: Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt

2020-10-08  Tesorion (Gijs Rijnders)
    "Shining a light on SunCrypt’s curious file encryption mechanism"
    Families: SunCrypt

2020-10-01  KELA (Victoria Kivilevich)
    "To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem"
    Families: Conti, DoppelPaymer, Mailto, Maze, REvil, Ryuk, SunCrypt

2020-09-29  PwC UK (Andy Auld)
    "What's behind the increase in ransomware attacks this year?"
    Families: DarkSide, Avaddon, Clop, Conti, DoppelPaymer, Dridex, Emotet, FriedEx, Mailto, PwndLocker, QakBot, REvil, Ryuk, SMAUG, SunCrypt, TrickBot, WastedLocker

2020-08-26  Bleeping Computer (Lawrence Abrams)
    "SunCrypt Ransomware sheds light on the Maze ransomware cartel"
    Families: SunCrypt
Yara Rules
[TLP:WHITE] win_suncrypt_auto (20230808 | Detects win.suncrypt.)
rule win_suncrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.suncrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 6a00 6a00 6a03 6a00 6a00 ff75b8 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff75b8               | push                dword ptr [ebp - 0x48]

        $sequence_1 = { 8b8d60ffffff 8945c8 8b856cffffff 8945ac 8b8564ffffff 8945cc 8b855cffffff }
            // n = 7, score = 200
            //   8b8d60ffffff         | mov                 ecx, dword ptr [ebp - 0xa0]
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   8b856cffffff         | mov                 eax, dword ptr [ebp - 0x94]
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8b855cffffff         | mov                 eax, dword ptr [ebp - 0xa4]

        $sequence_2 = { c645f84c c645f90e c645fa44 c645fb4c c645fc4c 8a45f4 c645fd00 }
            // n = 7, score = 200
            //   c645f84c             | mov                 byte ptr [ebp - 8], 0x4c
            //   c645f90e             | mov                 byte ptr [ebp - 7], 0xe
            //   c645fa44             | mov                 byte ptr [ebp - 6], 0x44
            //   c645fb4c             | mov                 byte ptr [ebp - 5], 0x4c
            //   c645fc4c             | mov                 byte ptr [ebp - 4], 0x4c
            //   8a45f4               | mov                 al, byte ptr [ebp - 0xc]
            //   c645fd00             | mov                 byte ptr [ebp - 3], 0

        $sequence_3 = { 02ca 0fbec0 33c8 884c15ec 42 83fa11 72e8 }
            // n = 7, score = 200
            //   02ca                 | add                 cl, dl
            //   0fbec0               | movsx               eax, al
            //   33c8                 | xor                 ecx, eax
            //   884c15ec             | mov                 byte ptr [ebp + edx - 0x14], cl
            //   42                   | inc                 edx
            //   83fa11               | cmp                 edx, 0x11
            //   72e8                 | jb                  0xffffffea

        $sequence_4 = { 894dd0 034d98 8bf9 337dcc c1c70c 03c7 898534ffffff }
            // n = 7, score = 200
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   034d98               | add                 ecx, dword ptr [ebp - 0x68]
            //   8bf9                 | mov                 edi, ecx
            //   337dcc               | xor                 edi, dword ptr [ebp - 0x34]
            //   c1c70c               | rol                 edi, 0xc
            //   03c7                 | add                 eax, edi
            //   898534ffffff         | mov                 dword ptr [ebp - 0xcc], eax

        $sequence_5 = { c3 8b07 0fb74f0e 8b4004 8b0488 894724 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   0fb74f0e             | movzx               ecx, word ptr [edi + 0xe]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   8b0488               | mov                 eax, dword ptr [eax + ecx*4]
            //   894724               | mov                 dword ptr [edi + 0x24], eax

        $sequence_6 = { 8b7308 83c140 8b7da0 894df4 8b4df0 eb7e }
            // n = 6, score = 200
            //   8b7308               | mov                 esi, dword ptr [ebx + 8]
            //   83c140               | add                 ecx, 0x40
            //   8b7da0               | mov                 edi, dword ptr [ebp - 0x60]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   eb7e                 | jmp                 0x80

        $sequence_7 = { 8b45a8 0411 c645be00 83f00a 33d2 8845bd 8a45ac }
            // n = 7, score = 200
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]
            //   0411                 | add                 al, 0x11
            //   c645be00             | mov                 byte ptr [ebp - 0x42], 0
            //   83f00a               | xor                 eax, 0xa
            //   33d2                 | xor                 edx, edx
            //   8845bd               | mov                 byte ptr [ebp - 0x43], al
            //   8a45ac               | mov                 al, byte ptr [ebp - 0x54]

        $sequence_8 = { 660f6dec 660fefd8 660f6ccc 0f28a500feffff 0f1118 83c010 0f1007 }
            // n = 7, score = 200
            //   660f6dec             | punpckhqdq          xmm5, xmm4
            //   660fefd8             | pxor                xmm3, xmm0
            //   660f6ccc             | punpcklqdq          xmm1, xmm4
            //   0f28a500feffff       | movaps              xmm4, xmmword ptr [ebp - 0x200]
            //   0f1118               | movups              xmmword ptr [eax], xmm3
            //   83c010               | add                 eax, 0x10
            //   0f1007               | movups              xmm0, xmmword ptr [edi]

        $sequence_9 = { 7324 8d0c10 2bf2 894df0 8b4df8 2bca }
            // n = 6, score = 200
            //   7324                 | jae                 0x26
            //   8d0c10               | lea                 ecx, [eax + edx]
            //   2bf2                 | sub                 esi, edx
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   2bca                 | sub                 ecx, edx

    condition:
        7 of them and filesize < 172032
}
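The condition above is easy to misread in practice: "7 of them" is evaluated against the ten opcode sequences, and "filesize < 172032" is evaluated against the whole scanned object, so a full process dump that contains every sequence still fails the rule if it is 168 KiB or larger. The following added example (it is not Malpedia's or yara-signator's code; for real scanning use the yara tool or yara-python) reimplements just enough of YARA's hex-string semantics to show this: plain bytes plus the "??" wildcard, which in $sequence_0 masks the IAT slot of the "call dword ptr [imm32]" so the same string matches whatever import address a given build uses. The input buffers are constructed here from the rule's own byte sequences and contain no SunCrypt code; the call target 0x00405010 is an arbitrary assumed address.

```python
import re

# The ten hex strings of win_suncrypt_auto, copied from the rule above. "??" is a
# YARA wildcard byte; in $sequence_0 it masks the 4-byte IAT slot of the
# "call dword ptr [imm32]" (ff15 ????????), which changes between builds.
SEQUENCES = {
    "sequence_0": "ff15???????? 6a00 6a00 6a03 6a00 6a00 ff75b8",
    "sequence_1": "8b8d60ffffff 8945c8 8b856cffffff 8945ac 8b8564ffffff 8945cc 8b855cffffff",
    "sequence_2": "c645f84c c645f90e c645fa44 c645fb4c c645fc4c 8a45f4 c645fd00",
    "sequence_3": "02ca 0fbec0 33c8 884c15ec 42 83fa11 72e8",
    "sequence_4": "894dd0 034d98 8bf9 337dcc c1c70c 03c7 898534ffffff",
    "sequence_5": "c3 8b07 0fb74f0e 8b4004 8b0488 894724",
    "sequence_6": "8b7308 83c140 8b7da0 894df4 8b4df0 eb7e",
    "sequence_7": "8b45a8 0411 c645be00 83f00a 33d2 8845bd 8a45ac",
    "sequence_8": "660f6dec 660fefd8 660f6ccc 0f28a500feffff 0f1118 83c010 0f1007",
    "sequence_9": "7324 8d0c10 2bf2 894df0 8b4df8 2bca",
}
MAX_FILESIZE = 172032  # the rule's "filesize < 172032"
MIN_MATCHES = 7        # the rule's "7 of them"


def _pairs(seq):
    """Split a YARA hex string into two-character tokens ("ff", "15", "??", ...)."""
    hexdigits = seq.replace(" ", "")
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits in %r" % seq)
    return [hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2)]


def hex_to_regex(seq):
    """Compile a YARA hex string (plain bytes and ?? wildcards only) to a bytes regex."""
    parts = [b"." if p == "??" else b"\\x%02x" % int(p, 16) for p in _pairs(seq)]
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_to_regex(seq) for name, seq in SEQUENCES.items()}


def matched_sequences(data):
    """Names of the sequences found anywhere in data, like YARA's per-string match."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(data))


def rule_matches(data):
    """Evaluate the condition '7 of them and filesize < 172032' over an in-memory buffer."""
    return len(data) < MAX_FILESIZE and len(matched_sequences(data)) >= MIN_MATCHES


def hex_to_bytes(seq, fill=0x00):
    """Concrete bytes for a hex string, with wildcard positions set to `fill`."""
    return bytes(fill if p == "??" else int(p, 16) for p in _pairs(seq))


def build_sample(names, size=4096, call_target=0x00405010):
    """Constructed test buffer (not SunCrypt code): the named sequences, NOP-separated,
    zero-padded to `size` bytes. For $sequence_0 the wildcard bytes get a concrete
    little-endian call target (assumed address) so the sample looks like real x86 code."""
    body = b""
    for name in names:
        chunk = hex_to_bytes(SEQUENCES[name])
        if name == "sequence_0":
            chunk = b"\xff\x15" + call_target.to_bytes(4, "little") + chunk[6:]
        body += chunk + b"\x90" * 16
    return body.ljust(size, b"\x00")


if __name__ == "__main__":
    full = build_sample(list(SEQUENCES))
    print("all ten present, 4 KiB:", rule_matches(full), matched_sequences(full))
    print("only six present:", rule_matches(build_sample(list(SEQUENCES)[:6])))
    # Same content, but the buffer is as large as the filesize cap: no match.
    print("all ten present, 168 KiB dump:",
          rule_matches(build_sample(list(SEQUENCES), size=MAX_FILESIZE)))
    # A different import address still satisfies $sequence_0 thanks to the wildcard.
    print("other IAT slot:", matched_sequences(build_sample(["sequence_0"], call_target=0x7C800000)))
```

When applying the rule to memory, carve the unpacked PE image (or the region the dump analysis identified) rather than scanning an entire process dump, or the size clause will silently suppress the hit.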