An analysis of two ransomware, namely QNAPCrypt and SunCrypt, has revealed some interesting similarities and differences altogether. The analysis has concluded that one of these malware has evolved from the other, despite the fact that these two malware are designed to target two different operating systems.

A bit of history

QNAPCrypt first emerged in mid-2019, meanwhile, SunCrypt ransomware first appeared in October 2019. Although the latter gained notoriety only after attacks increased in the middle of 2020, following an update.


  • According to researchers at Intezer, QNAPCrypt and the early version SunCrypt share identical code logic for file encryption, leading to the conclusion that both forms of ransomware were compiled from the same source code.
  • The similarities in key generation, along with the code writing techniques and geographical-specific deployment, are also notable.
  • Both QNAPCrypt and SunCrypt avoid encryption operations on a Belarusian, Russian, or Ukrainian machine.


Although the earlier code similarities link the two ransomware together, yet the existing variants are way too different from each other.
  • While QNAPCrypt targets Linux, SunCrypt targets Windows.
  • Unlike QNAPCrypt, SunCrypt also launches DDoS attacks to force victims to pay the ransom.
  • QNAPCrypt distributors rarely post about their ransomware on underground forums, however, SunCrypt operators appear to be purely focused on advertising their product.


The code reuse or recycling procedure helps the developers of new malware to inherit more efficient functionalities and modules. Even after having the same origin, the malware operators may choose different procedures, attack vectors, and targets. QNAPCrypt and SunCrypt are two malware of similar origin, which have successfully chosen their own unique paths.

Cyware Publisher