win.suncrypt

SunCrypt


There is no description at this point.

References
2022-07-27 · Trend Micro · Buddy Tancio, Jed Valderama
@online{tancio:20220727:gootkit:f1c63fa,
  author       = {Buddy Tancio and Jed Valderama},
  title        = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}},
  date         = {2022-07-27},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html},
  language     = {English},
  urldate      = {2022-07-29},
}
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-04-12 · LIFARS · Vlad Pasca
@techreport{pasca:20220412:detailed:132144b,
  author      = {Vlad Pasca},
  title       = {{A Detailed Analysis of The SunCrypt Ransomware}},
  date        = {2022-04-12},
  institution = {LIFARS},
  url         = {https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf},
  language    = {English},
  urldate     = {2022-04-24},
}
SunCrypt
2022-04-01 · Bleeping Computer · Lawrence Abrams
@online{abrams:20220401:week:14d9669,
  author       = {Lawrence Abrams},
  title        = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}},
  date         = {2022-04-01},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/},
  language     = {English},
  urldate      = {2022-04-05},
}
Hive Dharma LockBit STOP SunCrypt
2022-03-28 · Bleeping Computer · Bill Toulas
@online{toulas:20220328:suncrypt:27f9b79,
  author       = {Bill Toulas},
  title        = {{SunCrypt ransomware is still alive and kicking in 2022}},
  date         = {2022-03-28},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/},
  language     = {English},
  urldate      = {2022-03-29},
}
SunCrypt
2022-03-28 · Minerva Labs · Natalie Zargarov
@online{zargarov:20220328:suncrypt:123d4d5,
  author       = {Natalie Zargarov},
  title        = {{SunCrypt Ransomware Gains New Capabilities in 2022}},
  date         = {2022-03-28},
  organization = {Minerva Labs},
  url          = {https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022},
  language     = {English},
  urldate      = {2022-03-29},
}
SunCrypt
2021-09-09 · Medium s2wlab · S2W TALON
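@online{talon:20210909:case:fdbe983,
  author       = {{S2W TALON}},
  title        = {{Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction}},
  date         = {2021-09-09},
  organization = {Medium s2wlab},
  url          = {https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc},
  language     = {English},
  urldate      = {2021-09-12},
}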
SunCrypt
2021-07-22 · S2W LAB Inc. · Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim
@online{kim:20210722:w4:c901bea,
  author       = {Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim},
  title        = {{W4 July | EN | Story of the week: Ransomware on the Darkweb}},
  date         = {2021-07-22},
  organization = {S2W LAB Inc.},
  url          = {https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a},
  language     = {English},
  urldate      = {2021-07-26},
}
LockBit SunCrypt
2021-05-10 · DarkTracer · DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f,
  author       = {DarkTracer},
  title        = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
  date         = {2021-05-10},
  organization = {DarkTracer},
  url          = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
  language     = {English},
  urldate      = {2021-05-13},
}
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-26 · CoveWare · CoveWare
@online{coveware:20210426:ransomware:12586d5,
  author       = {CoveWare},
  title        = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}},
  date         = {2021-04-26},
  organization = {CoveWare},
  url          = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound},
  language     = {English},
  urldate      = {2021-05-13},
}
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-07 · ANALYST1 · Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f,
  author       = {Jon DiMaggio},
  title        = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}},
  date         = {2021-04-07},
  organization = {ANALYST1},
  url          = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel},
  language     = {English},
  urldate      = {2021-06-01},
}
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07 · ANALYST1 · Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac,
  author      = {Jon DiMaggio},
  title       = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}},
  date        = {2021-04-07},
  institution = {ANALYST1},
  url         = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf},
  language    = {English},
  urldate     = {2021-04-09},
}
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-28 · PC's Xcetra Support · David Ledbetter
@online{ledbetter:20210328:suncrypt:121d53e,
  author       = {David Ledbetter},
  title        = {{SunCrypt, PowerShell obfuscation, shellcode and more yara}},
  date         = {2021-03-28},
  organization = {PC's Xcetra Support},
  url          = {https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/},
  language     = {English},
  urldate      = {2021-03-31},
}
SunCrypt
2021-03-02 · Intezer · Joakim Kennedy
@online{kennedy:20210302:when:b33af31,
  author       = {Joakim Kennedy},
  title        = {{When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?}},
  date         = {2021-03-02},
  organization = {Intezer},
  url          = {https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt},
  language     = {English},
  urldate      = {2021-03-04},
}
QNAPCrypt SunCrypt
2021-02-23 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f,
  author      = {CrowdStrike},
  title       = {{2021 Global Threat Report}},
  date        = {2021-02-23},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
  language    = {English},
  urldate     = {2021-02-25},
}
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-04 · Chainalysis · Chainalysis Team
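@online{team:20210204:blockchain:4e63b2f,
  author       = {{Chainalysis Team}},
  title        = {{Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains}},
  date         = {2021-02-04},
  organization = {Chainalysis},
  url          = {https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer},
  language     = {English},
  urldate      = {2021-02-06},
}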
DoppelPaymer Egregor Maze SunCrypt
2020-12-16 · Accenture · Paul Mansfield
@online{mansfield:20201216:tracking:25540bd,
  author       = {Paul Mansfield},
  title        = {{Tracking and combatting an evolving danger: Ransomware extortion}},
  date         = {2020-12-16},
  organization = {Accenture},
  url          = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion},
  language     = {English},
  urldate      = {2020-12-17},
}
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-11-16 · Intel 471 · Intel 471
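@online{471:20201116:ransomwareasaservice:11a5a8b,
  author       = {{Intel 471}},
  title        = {{Ransomware-as-a-service: The pandemic within a pandemic}},
  date         = {2020-11-16},
  organization = {Intel 471},
  url          = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/},
  language     = {English},
  urldate      = {2020-11-17},
}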
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-12 · Medium Sapphirex00 · Sapphire
@online{sapphire:20201112:diving:6b388eb,
  author       = {Sapphire},
  title        = {{Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia}},
  date         = {2020-11-12},
  organization = {Medium Sapphirex00},
  url          = {https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83},
  language     = {English},
  urldate      = {2020-11-23},
}
SunCrypt
2020-10-23 · Hornetsecurity · Hornetsecurity Security Lab
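@online{lab:20201023:leakwareransomwarehybrid:ae1de8e,
  author       = {{Hornetsecurity Security Lab}},
  title        = {{Leakware-Ransomware-Hybrid Attacks}},
  date         = {2020-10-23},
  organization = {Hornetsecurity},
  url          = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/},
  language     = {English},
  urldate      = {2020-12-08},
}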
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-08 · Tesorion · Gijs Rijnders
@online{rijnders:20201008:shining:f05b53d,
  author       = {Gijs Rijnders},
  title        = {{Shining a light on SunCrypt’s curious file encryption mechanism}},
  date         = {2020-10-08},
  organization = {Tesorion},
  url          = {https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/},
  language     = {English},
  urldate      = {2022-04-07},
}
SunCrypt
2020-10-01 · KELA · Victoria Kivilevich
@online{kivilevich:20201001:to:fd3aa09,
  author       = {Victoria Kivilevich},
  title        = {{To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem}},
  date         = {2020-10-01},
  organization = {KELA},
  url          = {https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/},
  language     = {English},
  urldate      = {2021-05-07},
}
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29 · PWC UK · Andy Auld
@online{auld:20200929:whats:2782a62,
  author       = {Andy Auld},
  title        = {{What's behind the increase in ransomware attacks this year?}},
  date         = {2020-09-29},
  organization = {PWC UK},
  url          = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html},
  language     = {English},
  urldate      = {2021-05-25},
}
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-26 · Bleeping Computer · Lawrence Abrams
@online{abrams:20200826:suncrypt:426964e,
  author       = {Lawrence Abrams},
  title        = {{SunCrypt Ransomware sheds light on the Maze ransomware cartel}},
  date         = {2020-08-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/},
  language     = {English},
  urldate      = {2020-08-27},
}
SunCrypt
Yara Rules
[TLP:WHITE] win_suncrypt_auto (20230407 | Detects win.suncrypt.)
// Auto-generated (yara-signator) code-pattern rule for the SunCrypt ransomware
// family, Malpedia id win.suncrypt. Every string below is a short run of 32-bit
// x86 opcode bytes taken from the disassembly of unpacked samples and memory
// dumps (see the DISCLAIMER inside the rule), so the rule targets unpacked code;
// a packed on-disk sample will presumably not match until it is unpacked or
// dumped from memory. Provenance and licence are carried in the meta section.
rule win_suncrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.suncrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one contiguous instruction sequence; the per-string
        // comment lists the instruction count ("n") and yara-signator's ranking
        // value ("score" — meaning per the tool's docs, not stated here). "??"
        // bytes are YARA wildcards masking operands that vary per build or load
        // address: the rel32 of "e8" calls, the disp32 of "ff15" indirect calls
        // and the imm32 of the "c745fc" store, which is why those rows carry no
        // disassembly.
        $sequence_0 = { 0f118538ffffff 0f104598 0f118548ffffff 0f1045a8 0f118558ffffff e8???????? 8d8568ffffff }
            // n = 7, score = 200
            //   0f118538ffffff       | movups              xmmword ptr [ebp - 0xc8], xmm0
            //   0f104598             | movups              xmm0, xmmword ptr [ebp - 0x68]
            //   0f118548ffffff       | movups              xmmword ptr [ebp - 0xb8], xmm0
            //   0f1045a8             | movups              xmm0, xmmword ptr [ebp - 0x58]
            //   0f118558ffffff       | movups              xmmword ptr [ebp - 0xa8], xmm0
            //   e8????????           |                     
            //   8d8568ffffff         | lea                 eax, [ebp - 0x98]

        $sequence_1 = { 8d8508ffffff c68511ffffff00 50 ff15???????? 8bd0 85d2 0f84a3000000 }
            // n = 7, score = 200
            //   8d8508ffffff         | lea                 eax, [ebp - 0xf8]
            //   c68511ffffff00       | mov                 byte ptr [ebp - 0xef], 0
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax
            //   85d2                 | test                edx, edx
            //   0f84a3000000         | je                  0xa9

        // SSE rotate-left-by-7 idiom (shift left 7, shift right 25, OR) — looks like
        // a quarter-round step of a ChaCha/Salsa-style cipher; TODO confirm against
        // the sample before relying on it as a "crypto present" indicator.
        $sequence_2 = { 0f2985f0fdffff 660fefc1 0f28c8 660f72f007 660f72d119 660febc8 }
            // n = 6, score = 200
            //   0f2985f0fdffff       | movaps              xmmword ptr [ebp - 0x210], xmm0
            //   660fefc1             | pxor                xmm0, xmm1
            //   0f28c8               | movaps              xmm1, xmm0
            //   660f72f007           | pslld               xmm0, 7
            //   660f72d119           | psrld               xmm1, 0x19
            //   660febc8             | por                 xmm1, xmm0

        $sequence_3 = { 8b8d64ffffff 02ca 0fbec0 33c8 888c1568ffffff 42 83fa09 }
            // n = 7, score = 200
            //   8b8d64ffffff         | mov                 ecx, dword ptr [ebp - 0x9c]
            //   02ca                 | add                 cl, dl
            //   0fbec0               | movsx               eax, al
            //   33c8                 | xor                 ecx, eax
            //   888c1568ffffff       | mov                 byte ptr [ebp + edx - 0x98], cl
            //   42                   | inc                 edx
            //   83fa09               | cmp                 edx, 9

        $sequence_4 = { c745fc???????? e8???????? 8bf8 83c404 85ff 743f }
            // n = 6, score = 200
            //   c745fc????????       |                     
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   85ff                 | test                edi, edi
            //   743f                 | je                  0x41

        $sequence_5 = { ff15???????? 6a00 6a00 ff75f8 8bf0 8b4508 56 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8bf0                 | mov                 esi, eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi

        $sequence_6 = { 8b45fc ebdb 57 6a00 ff15???????? 50 }
            // n = 6, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ebdb                 | jmp                 0xffffffdd
            //   57                   | push                edi
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_7 = { 8945f8 8d85dcfcffff 8945e4 8b4514 0f1000 0f11853cffffff 0f104010 }
            // n = 7, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d85dcfcffff         | lea                 eax, [ebp - 0x324]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   0f1000               | movups              xmm0, xmmword ptr [eax]
            //   0f11853cffffff       | movups              xmmword ptr [ebp - 0xc4], xmm0
            //   0f104010             | movups              xmm0, xmmword ptr [eax + 0x10]

        $sequence_8 = { 8955f8 894dc8 8b4df4 660f1f440000 83f840 7321 }
            // n = 6, score = 200
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   894dc8               | mov                 dword ptr [ebp - 0x38], ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   83f840               | cmp                 eax, 0x40
            //   7321                 | jae                 0x23

        // Byte-wise add/xor with small constants written into adjacent stack slots —
        // presumably an inline string/byte de-obfuscation loop (assumption, not
        // verified against the sample).
        $sequence_9 = { 8845e8 8b45c0 0425 83f072 8845e9 8b45c0 0426 }
            // n = 7, score = 200
            //   8845e8               | mov                 byte ptr [ebp - 0x18], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   0425                 | add                 al, 0x25
            //   83f072               | xor                 eax, 0x72
            //   8845e9               | mov                 byte ptr [ebp - 0x17], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   0426                 | add                 al, 0x26

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 172032 bytes (168 KiB). The size cap was
        // presumably set just above the reference sample(s); raising it widens
        // coverage but also the set of large files the sequences are tested
        // against — re-validate the false-positive rate if you change it.
        7 of them and filesize < 172032
}