fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

A Look at the New Sugar Ransomware Demanding Low Ransoms

A Look at the New Sugar Ransomware Demanding Low Ransoms

A new Sugar Ransomware operation actively targets individual computers, rather than corporate networks, with low ransom demands.

First discovered by the Walmart Security Team, ‘Sugar’ is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but has slowly been picking up speed.

The name of the ransomware is based on the operation’s affiliate site discovered by Walmart at ‘sugarpanel[.]space’.

Unlikely most ransomware operations you read about in the news, Sugar does not appear to be targeting corporate networks but rather individual devices, likely belonging to consumers or small businesses.

As such, it is not clear how the ransomware is being distributed or infecting victims.

Also Read: 5 Best practices for protecting corporate data when an employee leaves

The Sugar Ransomware

When launched, the Sugar Ransomware will connect to whatismyipaddress.com and ip2location.com to get the device’s IP address and geographic location.

It will then proceed to download a 76MB file from http://cdn2546713.cdnmegafiles[.]com/data23072021_1.dat, but it is unclear how this file is used.

Finally, it will connect to the ransomware operation’s command and control server at 179.43.160.195, where it transmits and receives data related to the attack. The ransomware will continue to call  back to the command and control server as it is executed, likely updating the RaaS with the status of the attack.

Network traffic generated by the Sugar Ransomware
Network traffic generated by the Sugar Ransomware
Source: BleepingComputer

When encrypting files, the ransomware will encrypt every file except those listed in the following folders or have the following file names:

Excluded folders:

\windows\
\DRIVERS\
\PerfLogs\
\temp\
\boot\

Excluded files:

BOOTNXT
bootmgr
pagefile
.exe
.dll
.sys
.lnk
.bat
.cmd
.ttf
.manifest
.ttc
.cat
.msi;

The Walmart researchers say that the ransomware encrypts files using the SCOP encryption algorithm. The encrypted files will have the .encoded01 extension appended to file names, as shown below.

Also Read: The necessity of conducting penetration testing and vulnerability assessment

Sugar encrypted files with the .encoded01 extension
Sugar encrypted files with the .encoded01 extension
Source: BleepingComputer

The ransomware will also create ransom notes named BackFiles_encoded01.txt in each folder that was scanned for files on the computer.

This ransom note contains information on what happened to the victim’s files, a unique ID, and a link to a Tor site with information on how to pay the ransom. The Tor site is located at chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion.

Sugar ransom note
Sugar ransom note
Source: BleepingComputer

When visiting the Tor site, the victim will be presented with their own page that contains the bitcoin address to send a ransom, a chat section, and the ability to decrypt five files for free.

Sugar Tor payment site
Sugar Tor payment site
Source: BleepingComputer

The ransom demands by this operation are very low, with attacks seen by BleepingComputer demanding only a few hundred dollars to receive a key. Strangely, on our test box, the resulting ransom demand was only 0.00009921 bitcoins, worth $4.01.

As BleepingComputer tested the ransomware on a virtual machine with a small number of files, it could indicate that the ransomware is generating ransom amounts based on the number of encrypted files.

Ransom demand from Sugard ransomware test
Source: BleepingComputer

Unlike most ransomware infections, the malware executable runs even after encryption has finished. However, no auto-start setting is created, and it does not appear to continue encrypting new documents.

At this time, it is unclear if the ransomware has any weaknesses that could allow decryption for free. We will update this article as more information becomes available.

Furthermore, if you are affected by this ransomware, please let us know how you became infected.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us