
SunCrypt


According to PCrisk, SunCrypt ransomware prevents victims from accessing their files by encrypting them, renames each encrypted file by appending a string of random characters as a new extension, and drops a ransom note.

References
2022-07-27  Trend Micro (Buddy Tancio, Jed Valderama)
    Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
    Families: Cobalt Strike, GootKit, Kronos, REvil, SunCrypt

2022-04-12  LIFARS (Vlad Pasca)
    A Detailed Analysis of The SunCrypt Ransomware
    Families: SunCrypt

2022-04-01  Bleeping Computer (Lawrence Abrams)
    The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
    Families: Hive, Dharma, LockBit, STOP, SunCrypt

2022-03-28  Bleeping Computer (Bill Toulas)
    SunCrypt ransomware is still alive and kicking in 2022
    Families: SunCrypt

2022-03-28  Minerva Labs (Natalie Zargarov)
    SunCrypt Ransomware Gains New Capabilities in 2022
    Families: SunCrypt

2021-09-09  Medium s2wlab (S2W TALON)
    Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction
    Families: SunCrypt

2021-07-22  S2W LAB Inc. (Denise Dasom Kim, Jungyeon Lim, Sujin Lim, Yeonghyeon Jeong)
    W4 July | EN | Story of the week: Ransomware on the Darkweb
    Families: LockBit, SunCrypt

2021-05-10  DarkTracer (DarkTracer)
    Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
    Families: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX

2021-04-26  CoveWare (CoveWare)
    Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
    Families: Avaddon, Clop, Conti, DarkSide, Egregor, LockBit, Mailto, Phobos, REvil, Ryuk, SunCrypt

2021-04-07  ANALYST1 (Jon DiMaggio)
    Ransom Mafia Analysis of the World's First Ransomware Cartel
    Families: Conti, Egregor, LockBit, Maze, RagnarLocker, Ryuk, SunCrypt, TA2101, VIKING SPIDER

2021-04-07  ANALYST1 (Jon DiMaggio)
    Ransom Mafia - Analysis of the World's First Ransomware Cartel
    Families: Conti, Egregor, LockBit, Maze, RagnarLocker, SunCrypt, VIKING SPIDER

2021-03-28  PC's Xcetra Support (David Ledbetter)
    SunCrypt, PowerShell obfuscation, shellcode and more yara
    Families: SunCrypt

2021-03-02  Intezer (Joakim Kennedy)
    When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?
    Families: QNAPCrypt, SunCrypt

2021-02-23  CrowdStrike (CrowdStrike)
    2021 Global Threat Report
    Families: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-04  Chainalysis (Chainalysis Team)
    Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
    Families: DoppelPaymer, Egregor, Maze, SunCrypt

2020-12-16  Accenture (Paul Mansfield)
    Tracking and combatting an evolving danger: Ransomware extortion
    Families: DarkSide, Egregor, Maze, Nefilim, RagnarLocker, REvil, Ryuk, SunCrypt

2020-11-16  Intel 471 (Intel 471)
    Ransomware-as-a-service: The pandemic within a pandemic
    Families: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-11-12  Medium Sapphirex00 (Sapphire)
    Diving into the Sun — SunCrypt: A new neighbour in the ransomware mafia
    Families: SunCrypt

2020-10-23  Hornetsecurity (Hornetsecurity Security Lab)
    Leakware-Ransomware-Hybrid Attacks
    Families: Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt

2020-10-08  Tesorion (Gijs Rijnders)
    Shining a light on SunCrypt’s curious file encryption mechanism
    Families: SunCrypt

2020-10-01  KELA (Victoria Kivilevich)
    To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
    Families: Conti, DoppelPaymer, Mailto, Maze, REvil, Ryuk, SunCrypt

2020-09-29  PWC UK (Andy Auld)
    What's behind the increase in ransomware attacks this year?
    Families: DarkSide, Avaddon, Clop, Conti, DoppelPaymer, Dridex, Emotet, FriedEx, Mailto, PwndLocker, QakBot, REvil, Ryuk, SMAUG, SunCrypt, TrickBot, WastedLocker

2020-08-26  Bleeping Computer (Lawrence Abrams)
    SunCrypt Ransomware sheds light on the Maze ransomware cartel
    Families: SunCrypt
Yara Rules
[TLP:WHITE] win_suncrypt_auto (20241030 | Detects win.suncrypt.)
rule win_suncrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.suncrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 75f3 56 8b35???????? ffd6 ff75bc ffd6 ff75b8 }
            // n = 7, score = 200
            //   75f3                 | jne                 0xfffffff5
            //   56                   | push                esi
            //   8b35????????         |                     
            //   ffd6                 | call                esi
            //   ff75bc               | push                dword ptr [ebp - 0x44]
            //   ffd6                 | call                esi
            //   ff75b8               | push                dword ptr [ebp - 0x48]

        $sequence_1 = { 837dfc00 c745cc00000000 0f86c9020000 8975d8 f6460c02 }
            // n = 5, score = 200
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   0f86c9020000         | jbe                 0x2cf
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi
            //   f6460c02             | test                byte ptr [esi + 0xc], 2

        $sequence_2 = { ffd7 6808020000 6a00 68???????? a3???????? e8???????? 83c40c }
            // n = 7, score = 200
            //   ffd7                 | call                edi
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   68????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { 51 68???????? ffd3 3bc6 75db 3bd7 75d7 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   68????????           |                     
            //   ffd3                 | call                ebx
            //   3bc6                 | cmp                 eax, esi
            //   75db                 | jne                 0xffffffdd
            //   3bd7                 | cmp                 edx, edi
            //   75d7                 | jne                 0xffffffd9

        $sequence_4 = { c6857efeffff6d c6857ffeffff69 c68580feffff3a c68581feffff54 c68582feffff4e c68583feffff3a c68584feffff2b }
            // n = 7, score = 200
            //   c6857efeffff6d       | mov                 byte ptr [ebp - 0x182], 0x6d
            //   c6857ffeffff69       | mov                 byte ptr [ebp - 0x181], 0x69
            //   c68580feffff3a       | mov                 byte ptr [ebp - 0x180], 0x3a
            //   c68581feffff54       | mov                 byte ptr [ebp - 0x17f], 0x54
            //   c68582feffff4e       | mov                 byte ptr [ebp - 0x17e], 0x4e
            //   c68583feffff3a       | mov                 byte ptr [ebp - 0x17d], 0x3a
            //   c68584feffff2b       | mov                 byte ptr [ebp - 0x17c], 0x2b

        $sequence_5 = { 8a4616 240f 3c0a 7519 8b4508 66394608 }
            // n = 6, score = 200
            //   8a4616               | mov                 al, byte ptr [esi + 0x16]
            //   240f                 | and                 al, 0xf
            //   3c0a                 | cmp                 al, 0xa
            //   7519                 | jne                 0x1b
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66394608             | cmp                 word ptr [esi + 8], ax

        $sequence_6 = { 894f34 8b4b1c 0f299d70ffffff 0f29ad40ffffff 0f29a550ffffff 0f29bdc0fdffff }
            // n = 6, score = 200
            //   894f34               | mov                 dword ptr [edi + 0x34], ecx
            //   8b4b1c               | mov                 ecx, dword ptr [ebx + 0x1c]
            //   0f299d70ffffff       | movaps              xmmword ptr [ebp - 0x90], xmm3
            //   0f29ad40ffffff       | movaps              xmmword ptr [ebp - 0xc0], xmm5
            //   0f29a550ffffff       | movaps              xmmword ptr [ebp - 0xb0], xmm4
            //   0f29bdc0fdffff       | movaps              xmmword ptr [ebp - 0x240], xmm7

        $sequence_7 = { 0f100e 894df4 8b4df0 660fefc8 0f104610 0f110a 0f104f10 }
            // n = 7, score = 200
            //   0f100e               | movups              xmm1, xmmword ptr [esi]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   660fefc8             | pxor                xmm1, xmm0
            //   0f104610             | movups              xmm0, xmmword ptr [esi + 0x10]
            //   0f110a               | movups              xmmword ptr [edx], xmm1
            //   0f104f10             | movups              xmm1, xmmword ptr [edi + 0x10]

        $sequence_8 = { 6800020000 51 50 e8???????? 0fa4c209 c1e009 898338810200 }
            // n = 7, score = 200
            //   6800020000           | push                0x200
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   0fa4c209             | shld                edx, eax, 9
            //   c1e009               | shl                 eax, 9
            //   898338810200         | mov                 dword ptr [ebx + 0x28138], eax

        $sequence_9 = { 41 83f810 72ef 5f }
            // n = 4, score = 200
            //   41                   | inc                 ecx
            //   83f810               | cmp                 eax, 0x10
            //   72ef                 | jb                  0xfffffff1
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 172032
}