SunCrypt, a ransomware strain that went on to infect a number of targets last year, could be an updated version of the QNAPCrypt ransomware, which targeted Linux-based file storage systems, according to new research.
"While both ransomware [families] are operated by different threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two ransomware to the same author," Intezer Lab researcher Joakim Kennedy said in a malware analysis published today revealing the attackers' activities on the dark web.
First discovered in July 2019, QNAPCrypt (or eCh0raix) is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found on the system.
The ransomware has since been traced to a Russian cybercrime group called "FullOfDeep," with Intezer shutting down as many as 15 ransomware campaigns using the QNAPCrypt variant through denial-of-service attacks targeting a list of static bitcoin wallets that had been created for the express purpose of accepting ransom payments from victims, thereby preventing further infections.
SunCrypt, on the other hand, emerged as a Windows-based ransomware tool originally written in Go in October 2019, before it was ported to a C/C++ version in mid-2020. In addition to stealing victims' data prior to encrypting the files and threatening public disclosure, the group has leveraged distributed denial-of-service (DDoS) attacks as a secondary extortion tactic to pressure victims into paying the demanded ransom.
Most recently, the ransomware was deployed to target a New South Wales-based medical diagnostics company called PRP Diagnostic Imaging on December 29, an attack that involved the theft of "a small volume of patient records" from two of its administrative file servers.
Although the two ransomware families have directed their attacks against different operating systems, SunCrypt's connections to other ransomware groups had already been the subject of earlier speculation.
Indeed, blockchain analysis firm Chainalysis earlier last month quoted a "privately circulated report" from threat intelligence firm Intel 471 that claimed representatives from SunCrypt described their strain as a "rewritten and rebranded version of a 'well-known' ransomware strain."
Now, according to Intezer's analysis of the SunCrypt Go binaries, not only does the ransomware share similar encryption functions with QNAPCrypt, but the two also overlap in the file types encrypted, the methods used to generate the encryption password, and the system locale checks used to determine whether the device in question is located in a disallowed country.
Also of note is the fact that both QNAPCrypt and SunCrypt make use of the ransomware-as-a-service (RaaS) model to market their tools on underground forums, whereby affiliates carry out the ransomware attacks themselves and pay a percentage of each victim's payment back to the strain's creators and administrators.
Taking into account the overlaps and the behavioral differences between the two groups, Intezer suspects that "the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators."
"Though the technical-based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is evident that the two ransomware are operated by different individuals," the researchers concluded.
"Based on the available data, it is not possible to connect the activity between the two actors on the forum. This suggests that when new malware services derived from older services appear, they may not always be operated by the same individuals."