fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

SunCrypt Ransomware Sheds Light On The Maze Ransomware Cartel

SunCrypt Ransomware Sheds Light On The Maze Ransomware Cartel

A ransomware named SunCrypt has joined the ‘Maze cartel,’ and with their membership, we get insight into how these groups are working together.

In June, we broke the story that the Maze threat actors created a cartel of ransomware operations to share information and techniques to help each other extort their victims.

When first started, this cartel included Maze and LockBit, but soon expanded to include Ragnar Locker.

When Maze first formed this group, they refused to answer our questions on how members of their cartel benefited, and if there was a monetary benefit to Maze.

SunCrypt joins the Maze ransomware cartel

In an email sent to BleepingComputer, the operators of a ransomware named SunCrypt stated that they are a new member of the Maze Ransomware cartel.

Based on submissions statistics to ID-Ransomware, this ransomware family began operating in October 2019, but was not very active. 

SunCrypt told BleepingComputer that they are an independently run ransomware operation from Maze, but as part of the cartel, they have “two-way communication channels with them,”

When asked why they joined this ‘cartel,’ we were told that Maze could not handle the volume and needed outside help.

“They just can’t handle all the available field of operations. Our main specialization is ransomware attacks,” – SunCrypt ransomware operators.

After further questions, they eventually told us that they “share revenue from the successful operation,” but did not provide any details about what Maze provided to earn that revenue share.

Based on their statement that they were brought in because Maze can’t handle all of the potential attacks, Maze may provide compromised network access to cartel members in exchange for a revenue share.

From a ransomware sample seen by BleepingComputer, it looks like cartel members get more for their money.

Maze shares its resources with cartel members

Yesterday, GrujaRS was finally able to find a sample of the SunCrypt ransomware so we can get a better glimpse into how the ransomware works.

The SunCrypt Ransomware sample is installed via a heavily obfuscated PowerShell script, shown below.

Obfuscated PowerShell script

When the ransomware is executed, it will connect to the URL http://91.218.114.31 and transmit information about the attack and its victim.

The use of this IP address provides another big clue as to what services the Maze threat actors provide their cartel members.

For months, Maze has been hosting a data leak site and launching attacks from known public IP addresses. Yet in all this time, their services remain intact and have not been taken down by law enforcement.

The 91.218.114.31 address is one of the addresses that the Maze operation uses as part of its campaign. Even more similar, Maze infections also transmit information to this IP address during an attack.

This shared IP address means one of the two things; Maze is sharing their infrastructure or white-labeling their ransomware technology to other groups.

This sharing of resources would also explain why they would earn a revenue share for each ransom payment.

Also read: Top 3 Simple Data Backup Singapore and Recovery Methods

The SunCrypt Ransomware

The SunCrypt ransomware itself is still being analyzed, but we can provide a basic overview of the ransomware.

The ransomware is currently being distributed as a DLL that, when executed, will encrypt a computer’s files.

When encrypting files, it will append a hexadecimal hash to the end of each file name. It is not known what this hash represents.

SunCrypt encrypted files

In every folder a ransom note named YOUR_FILES_ARE_ENCRYPTED.HTML is created that contains information on what happened to a victim’s files and a link to the Tor payment site.

SunCrypt ransom note

The Tor link enclosed in a ransom note is hardcoded into the ransomware executable. This means that every victim encrypted by a particular SunCrypt executable will have the same Tor payment site link. 

The Tor payment site does not have automated features and simply contains a chat screen where a victim can negotiate a ransom with the SunCrypt threat actors. 

Furthermore, every ransom note contains a link to the SunCrypt data leak site that the threat actors warn will be used to publish the victim’s data.

SunCrypt data leak site

At this time, there are approximately five victims listed on the SunCrypt data leak site.

Other ransomware operations that run data leak sites or have stolen unencrypted files to extort their victims include Ako, Avaddon, Clop, Conti, CryLock, DoppelPaymer, Maze, MountLocker, Nemty, Nephilim, Netwalker, Pysa/Mespinoza, Ragnar Locker, REvil, Sekhmet, Snatch, and Snake.

SunCrypt is currently being analyzed for weaknesses, and it is not known if it is possible to recover files for free.

Also read: How to Make Data Protection Addendum Template in Simple Way

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us