A ransomware called "SunCrypt" has joined the "Maze ransomware cartel", and information has been revealed about how the two groups connect and work together. The hackers behind Maze set up a ransomware cartel to share information and techniques, with the aim of helping each other extort their victims. When the cartel started, it included Maze and LockBit, but it soon expanded further with the addition of Ragnar Locker.
In an e-mail sent to BleepingComputer, the SunCrypt ransomware operators reported that they are a new member of the Maze ransomware cartel. This ransomware family is estimated to have started operating in October 2019, but it has not been very active. The SunCrypt team also stated that it is a ransomware operation independent of Maze but, as a member of the cartel, the two groups have two-way communication channels between them.
Asked why they joined the cartel, SunCrypt members said the Maze ransomware team needed outside help, as it could not handle the entire business and operating space on its own. The SunCrypt operators added that they specialize in ransomware attacks. They also revealed that they share the revenue from successful operations, but did not provide further details about their collaboration with the Maze team. Based on their statement that they joined the cartel because the Maze team cannot handle all possible attacks, Maze operators may be providing cartel members with access to breached networks in exchange for a share of the profits.
GrujaRS discovered a sample of SunCrypt ransomware, which gives a taste of how it works. Specifically, the SunCrypt ransomware sample is installed via a PowerShell script, which is obfuscated and hard to read.
When the ransomware runs, it connects to the URL http://18.104.22.168 and transmits information about the attack and its victim. The use of this IP address gives a further indication of the services Maze provides to members of the cartel.
In addition, for months now, the Maze team has operated a data leak site and launched attacks from known public IP addresses. Throughout this period, however, the group's services have remained intact and have not been taken down by the authorities.
The address 22.214.171.124 is one of the addresses used by Maze operators as part of their campaign. Maze infections also send information to this IP address during an attack. This shared IP address can mean one of two things: either Maze operators are sharing their infrastructure, or they are "licensing" their ransomware tactics and technology to other groups. This sharing of resources would also explain why they would earn a share of each ransom payment.
As for SunCrypt itself, it is distributed as a DLL that, when run, encrypts the files on a computer. When encrypting files, it appends a hexadecimal hash to the end of each file name. It is not yet known exactly what this hash represents.
A ransom note named YOUR_FILES_ARE_ENCRYPTED.HTML is also created in each folder, containing information about what happened to the victim's files, as well as a link to the Tor payment site. The Tor link in the ransom note is hardcoded in the ransomware executable, so every victim encrypted by a given SunCrypt executable will have the same Tor payment site link. The Tor payment site contains a chat screen where a victim can negotiate the ransom with the SunCrypt operators. Each ransom note also contains a link to the SunCrypt team's data leak site, where the attackers warn that they will publish data stolen from the victim.
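The two file-system artifacts described above (the ransom note name and the hexadecimal suffix appended to encrypted file names) are enough for a simple triage check. The following is an added example, not code from the article or from any analysis of the sample; the minimum suffix length, the file paths and the severity levels are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from the article: the ransom note name and the
# hexadecimal suffix SunCrypt appends after the original file name.
RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"
# The article gives no fixed length for the suffix; requiring 16+ hex
# characters is an assumption that avoids matching ordinary extensions.
HEX_SUFFIX = re.compile(r"\.[0-9A-Fa-f]{16,}$")


def find_suncrypt_indicators(paths):
    """Map each directory to the indicators seen in it:
    {"note": bool, "renamed": [file names with a hex suffix]}."""
    hits = defaultdict(lambda: {"note": False, "renamed": []})
    for p in paths:
        path = PurePosixPath(p)
        d = str(path.parent)
        if path.name.upper() == RANSOM_NOTE:
            hits[d]["note"] = True
        elif HEX_SUFFIX.search(path.name):
            hits[d]["renamed"].append(path.name)
    return dict(hits)


def triage(paths):
    """Rank directories: note plus renamed files is "high", either
    indicator alone is "medium" (a lone hex suffix may be benign)."""
    out = {}
    for d, h in find_suncrypt_indicators(paths).items():
        out[d] = "high" if h["note"] and h["renamed"] else "medium"
    return out


# Constructed sample listing for the demonstration (not a real infection).
SAMPLE = [
    "/srv/share/docs/report.docx.3a7f9c1e5b2d4a6f8091c2d3e4f5a6b7",
    "/srv/share/docs/budget.xlsx.9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",
    "/srv/share/docs/YOUR_FILES_ARE_ENCRYPTED.HTML",
    "/srv/share/pics/holiday.jpg",
    "/srv/share/pics/YOUR_FILES_ARE_ENCRYPTED.HTML",
    "/home/alice/notes.txt",
]

if __name__ == "__main__":
    for directory, level in triage(SAMPLE).items():
        print(level, directory)
```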
It is worth noting that, so far, five victims have been listed on the SunCrypt team's data leak site.
Other ransomware groups that run leak sites or steal unencrypted files to extort their victims include: CryLock, DoppelPaymer, Maze, MountLocker, Ako, Avaddon, Clop, Conti, Nemty, Nephilim, Netwalker, Pysa / Mespinoza, Ragnar Locker, REvil, Sekhmet, Snatch and Snake.
Finally, SunCrypt is being analyzed for weaknesses, and it is not yet known whether free file recovery is possible.