Researchers Unearth Links Between SunCrypt and QNAPCrypt Ransomware

Cyber Security News

SunCrypt, a ransomware pressure that went on to infect a number of targets very last calendar year, might be an up-to-date model of the QNAPCrypt ransomware, which focused Linux-centered file storage programs, in accordance to new exploration.

“Although the two ransomware [families] are operated by distinct distinct menace actors on the dark web, there are solid technical connections in code reuse and procedures, linking the two ransomware to the very same author,” Intezer Lab researcher Joakim Kennedy mentioned in a malware examination posted currently revealing the attackers’ strategies on the dark web.

1st determined in July 2019, QNAPCrypt (or eCh0raix) is a ransomware spouse and children that was found to target Network Connected Storage (NAS) products from Taiwanese businesses QNAP Devices and Synology. The equipment have been compromised by brute-forcing weak credentials and exploiting acknowledged vulnerabilities with the intention of encrypting documents identified in the method.

The ransomware has because been tracked to a Russian cybercrime group referred to as “FullOfDeep,” with Intezer shutting down as several as 15 ransomware campaigns making use of the QNAPCrypt variant with denial of services attacks concentrating on a listing of static bitcoin wallets that had been produced for the categorical intent of accepting ransom payments from victims, and protect against foreseeable future bacterial infections.

SunCrypt, on the other hand, emerged as a Windows-centered ransomware resource published at first in Go in October 2019, right before it was ported to a C/C++ version in mid-2020. Apart from stealing victims’ information prior to encrypting the data files and threatening with general public disclosure, the group has leveraged dispersed denial-of-company (DDoS) assaults as a secondary extortion tactic to tension victims into shelling out the demanded ransom.

Most recently, the ransomware was deployed to goal a New South Wales-based medical diagnostics company known as PRP Diagnostic Imaging on December 29, which involved the theft of “a compact volume of affected individual data” from two of its administrative file servers.

Even though the two ransomware households have directed their attacks against unique functioning units, studies of SunCrypt’s connections to other ransomware teams have been formerly speculated.

In fact, blockchain evaluation enterprise Chainalysis previously last month quoted a “privately circulated report” from threat intelligence agency Intel 471 that claimed associates from SunCrypt explained their pressure as a “rewritten and rebranded version of a ‘well-known’ ransomware pressure.”

Now according to Intezer’s analysis of the SunCrypt Go binaries, not only does the ransomware share identical encryption capabilities with QNAPCrypt, but also in the file types encrypted and the methods applied to produce the encryption password as very well as complete system locale checks to figure out if the machine in dilemma is situated in a disallowed country.

Also of observe is the point that the two QNAPCrypt and SunCrypt make use of the ransomware-as-a-assistance (RaaS) design to publicize their applications on underground community forums, wherein affiliate marketers carry out the ransomware assaults themselves and shell out a share of each victim’s payment again to the strain’s creators and directors.

Taking into account the overlaps and the behavioral dissimilarities amongst the two teams, Intezer suspects that “the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators.”

“While the specialized dependent proof strongly delivers a website link between QNAPCrypt and the before variation of SunCrypt, it is apparent that both ransomware are operated by unique individuals,” the scientists concluded.

“Centered on the available information, it is not attainable to link the action concerning the two actors on the forum. This indicates that when new malware expert services derived from more mature products and services show up, they may not normally be operated by the similar people.”

Found this report fascinating? Observe THN on Fb, Twitter  and LinkedIn to examine more exceptional written content we submit.