The SunCrypt ransomware is still out in the wild despite inactivity

April 4, 2022
SunCrypt Ransomware Malware Fraud Prevention Extortion Windows OS DDOS

A prominent ransomware-as-a-service (RaaS) operation called SunCrypt is still active in 2022 despite having been idle for some time. Its developers have been updating the ransomware with new features and capabilities for use in attacks.

The ransomware came to light as one of the first threat groups to use triple extortion in attacks: encrypting files, threatening to leak the victims' stolen data, and launching DDoS attacks against victims who refuse to pay.

SunCrypt has not grown much over the years and remains a small-scale operation run by a limited number of members. That lack of growth did not stop the operators from continuing to improve the ransomware strain into this year.


The new SunCrypt features for 2022 include wiping an infected device clean, terminating system processes, and stopping services.


Other ransomware strains have long had the features that are new in SunCrypt. For this reason, security researchers believe the strain is still in an early stage of development.

The process termination feature kills resource-heavy processes that keep data files open and would otherwise block their encryption, such as document editors, databases, and email software.

Once the encryption routine has finished, the ransomware's cleaning feature is activated through two API calls that wipe the victim device's log records. After all logs have been erased, the ransomware deletes itself using Windows' cmd.exe.
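The two post-encryption behaviours described above, log wiping and self-deletion through cmd.exe, both leave traces that a defender can alert on. Windows itself records log clearing: event 1102 in the Security log and event 104 in other logs, and a process-creation sensor such as Sysmon (event 1) records a cmd.exe launch whose command line deletes the parent's own executable. The following is an added detection sketch written for this article, not code from the article or from the SunCrypt operators; the event records are constructed samples, and the field names (`channel`, `event_id`, `image`, `parent_image`, `command_line`) are this example's own simplification of the real event schemas.

```python
"""Detection sketch for two behaviours described in the article:
Windows event-log clearing and self-deletion via cmd.exe."""
from dataclasses import dataclass
import re

# Constructed sample telemetry (not real events). The field names are this
# example's simplification of Windows Security and Sysmon event fields.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "user": "WORKSTATION\\alice"},
    {"channel": "Security", "event_id": 1102, "user": "WORKSTATION\\alice"},
    {"channel": "System", "event_id": 104, "user": "WORKSTATION\\alice"},
    {"channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\update.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\alice\Downloads\update.exe"'},
    {"channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c dir C:\temp"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def detect_log_clearing(ev):
    """Security event 1102 = audit log cleared; event 104 = another log cleared."""
    if ev.get("channel") == "Security" and ev.get("event_id") == 1102:
        return Finding("log_cleared", "high",
                       f"Security audit log cleared by {ev.get('user')}")
    if ev.get("event_id") == 104:
        return Finding("log_cleared", "high",
                       f"{ev.get('channel')} log cleared by {ev.get('user')}")
    return None


# Matches a `del <path>` token in a cmd.exe command line; the path may be quoted
# and may be followed by end of line or another chained command.
_DEL_RE = re.compile(r'\bdel\b\s+"?(?P<target>[^"&|]+?)"?\s*(?:$|&|\|)', re.IGNORECASE)


def detect_self_delete(ev):
    """Flag cmd.exe process creations whose `del` target is the parent's own binary."""
    if ev.get("channel") != "Sysmon" or ev.get("event_id") != 1:
        return None
    if not ev.get("image", "").lower().endswith("\\cmd.exe"):
        return None
    match = _DEL_RE.search(ev.get("command_line", ""))
    if not match:
        return None
    target = match.group("target").strip().lower()
    parent = ev.get("parent_image", "").lower()
    if target == parent:
        return Finding("self_delete_via_cmd", "high",
                       f"{parent} spawned cmd.exe to delete itself")
    return None


def scan(events):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in (detect_log_clearing, detect_self_delete):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.rule, "-", f.detail)
```

Running the sketch over the constructed sample yields three findings: the Security log clearing, the System log clearing, and the cmd.exe launch that deletes its parent; the benign `dir` command and the ordinary logon event produce nothing. In production the same two rules would sit in a SIEM, where correlating a log-clearing event with a preceding burst of file renames on the same host sharpens the signal considerably.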

Some older SunCrypt features are retained in the latest version, including the use of I/O completion ports for faster, multithreaded encryption. The ransomware also still encrypts the local volumes and network shares of an infected device and maintains an allowlist of items it will not encrypt, such as the Windows directory, DLL files, boot.ini, and other critical files whose encryption would stop the computer from functioning.

Despite the operators' limited activity, cybersecurity researchers have observed a few SunCrypt attacks targeting large organisations, with the operators negotiating privately to avoid the attention of authorities and the media.
