win.suncrypt

SunCrypt


According to PCrisk, Suncrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. It renames encrypted files by appending a string of random characters as the new extension.

References

2022-07-27 | Trend Micro | Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Tagged: Cobalt Strike, GootKit, Kronos, REvil, SunCrypt

2022-04-12 | LIFARS | Vlad Pasca
A Detailed Analysis of The SunCrypt Ransomware
Tagged: SunCrypt

2022-04-01 | Bleeping Computer | Lawrence Abrams
The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Tagged: Hive, Dharma, LockBit, STOP, SunCrypt

2022-03-28 | Bleeping Computer | Bill Toulas
SunCrypt ransomware is still alive and kicking in 2022
Tagged: SunCrypt

2022-03-28 | Minerva Labs | Natalie Zargarov
SunCrypt Ransomware Gains New Capabilities in 2022
Tagged: SunCrypt

2021-09-09 | Medium s2wlab | S2W TALON
Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction
Tagged: SunCrypt

2021-07-22 | S2W LAB Inc. | Denise Dasom Kim, Jungyeon Lim, Sujin Lim, Yeonghyeon Jeong
W4 July | EN | Story of the week: Ransomware on the Darkweb
Tagged: LockBit, SunCrypt

2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
Tagged: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Tagged: Avaddon, Clop, Conti, DarkSide, Egregor, LockBit, Mailto, Phobos, REvil, Ryuk, SunCrypt

2021-04-07 | ANALYST1 | Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Tagged: Conti, Egregor, LockBit, Maze, RagnarLocker, Ryuk, SunCrypt, TA2101, VIKING SPIDER

2021-04-07 | ANALYST1 | Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Tagged: Conti, Egregor, LockBit, Maze, RagnarLocker, SunCrypt, VIKING SPIDER

2021-03-28 | PC's Xcetra Support | David Ledbetter
SunCrypt, PowerShell obfuscation, shellcode and more yara
Tagged: SunCrypt

2021-03-02 | Intezer | Joakim Kennedy
When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?
Tagged: QNAPCrypt, SunCrypt

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
Tagged: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-04 | Chainalysis | Chainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
Tagged: DoppelPaymer, Egregor, Maze, SunCrypt

2020-12-16 | Accenture | Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
Tagged: DarkSide, Egregor, Maze, Nefilim, RagnarLocker, REvil, Ryuk, SunCrypt

2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Tagged: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-11-12 | Medium Sapphirex00 | Sapphire
Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia
Tagged: SunCrypt

2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Tagged: Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt

2020-10-08 | Tesorion | Gijs Rijnders
Shining a light on SunCrypt’s curious file encryption mechanism
Tagged: SunCrypt

2020-10-01 | KELA | Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Tagged: Conti, DoppelPaymer, Mailto, Maze, REvil, Ryuk, SunCrypt

2020-09-29 | PWC UK | Andy Auld
What's behind the increase in ransomware attacks this year?
Tagged: DarkSide, Avaddon, Clop, Conti, DoppelPaymer, Dridex, Emotet, FriedEx, Mailto, PwndLocker, QakBot, REvil, Ryuk, SMAUG, SunCrypt, TrickBot, WastedLocker

2020-08-26 | Bleeping Computer | Lawrence Abrams
SunCrypt Ransomware sheds light on the Maze ransomware cartel
Tagged: SunCrypt

Yara Rules
[TLP:WHITE] win_suncrypt_auto (20260504 | Detects win.suncrypt.)
rule win_suncrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.suncrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c685dafeffff2d c685dbfeffff34 c685dcfeffff29 c685ddfeffff2c c685defeffff3a c685dffeffff5f c685e0feffff7e }
            // n = 7, score = 200
            //   c685dafeffff2d       | mov                 byte ptr [ebp - 0x126], 0x2d
            //   c685dbfeffff34       | mov                 byte ptr [ebp - 0x125], 0x34
            //   c685dcfeffff29       | mov                 byte ptr [ebp - 0x124], 0x29
            //   c685ddfeffff2c       | mov                 byte ptr [ebp - 0x123], 0x2c
            //   c685defeffff3a       | mov                 byte ptr [ebp - 0x122], 0x3a
            //   c685dffeffff5f       | mov                 byte ptr [ebp - 0x121], 0x5f
            //   c685e0feffff7e       | mov                 byte ptr [ebp - 0x120], 0x7e

        $sequence_1 = { 33c9 c68557ffffff77 c68558ffffff6f c68559ffffff4a }
            // n = 4, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   c68557ffffff77       | mov                 byte ptr [ebp - 0xa9], 0x77
            //   c68558ffffff6f       | mov                 byte ptr [ebp - 0xa8], 0x6f
            //   c68559ffffff4a       | mov                 byte ptr [ebp - 0xa7], 0x4a

        $sequence_2 = { 0f1145c8 e8???????? 83c408 33c0 8be5 }
            // n = 5, score = 200
            //   0f1145c8             | movups              xmmword ptr [ebp - 0x38], xmm0
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp

        $sequence_3 = { 56 ff15???????? 85c0 7416 8b4df0 8b4508 83e10f }
            // n = 7, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7416                 | je                  0x18
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83e10f               | and                 ecx, 0xf

        $sequence_4 = { c68501ffffff00 50 56 ffd7 6808020000 6a00 }
            // n = 6, score = 200
            //   c68501ffffff00       | mov                 byte ptr [ebp - 0xff], 0
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   6808020000           | push                0x208
            //   6a00                 | push                0

        $sequence_5 = { 0fbec0 2bc8 eb1b 8a4f16 8ac1 2430 }
            // n = 6, score = 200
            //   0fbec0               | movsx               eax, al
            //   2bc8                 | sub                 ecx, eax
            //   eb1b                 | jmp                 0x1d
            //   8a4f16               | mov                 cl, byte ptr [edi + 0x16]
            //   8ac1                 | mov                 al, cl
            //   2430                 | and                 al, 0x30

        $sequence_6 = { 85c0 7404 8b00 eb03 8b4718 89471c 80e10f }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   eb03                 | jmp                 5
            //   8b4718               | mov                 eax, dword ptr [edi + 0x18]
            //   89471c               | mov                 dword ptr [edi + 0x1c], eax
            //   80e10f               | and                 cl, 0xf

        $sequence_7 = { c3 8b531c 85d2 7517 52 52 56 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8b531c               | mov                 edx, dword ptr [ebx + 0x1c]
            //   85d2                 | test                edx, edx
            //   7517                 | jne                 0x19
            //   52                   | push                edx
            //   52                   | push                edx
            //   56                   | push                esi

        $sequence_8 = { 41 81f900010000 72d4 c78568feffff1a000000 c6856cfeffff57 c6856dfeffff75 }
            // n = 6, score = 200
            //   41                   | inc                 ecx
            //   81f900010000         | cmp                 ecx, 0x100
            //   72d4                 | jb                  0xffffffd6
            //   c78568feffff1a000000     | mov    dword ptr [ebp - 0x198], 0x1a
            //   c6856cfeffff57       | mov                 byte ptr [ebp - 0x194], 0x57
            //   c6856dfeffff75       | mov                 byte ptr [ebp - 0x193], 0x75

        $sequence_9 = { 8bc3 85c9 7411 660f1f440000 803800 740b 47 }
            // n = 7, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   85c9                 | test                ecx, ecx
            //   7411                 | je                  0x13
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   803800               | cmp                 byte ptr [eax], 0
            //   740b                 | je                  0xd
            //   47                   | inc                 edi

    condition:
        7 of them and filesize < 172032
}