SunCrypt—a RaaS that came to prominence in mid-2020—was one of the first threat actors to implement triple extortion in its campaigns. It is a small RaaS, operating with a close circle of affiliates. However, Minerva Labs has found that this limited circle has not stopped SunCrypt from expanding. 

Diving into details 

SunCrypt came up with a new variant whose functionalities include terminating services and processes and wiping traces of the infection from the system after the malware has run. Since these are not novel features, researchers surmise that this variant is still in its early development stages. 
  • Process termination prevents open data files from blocking encryption.
  • The cleaning function uses two API calls to delete all logs. Once the logs are wiped, the ransomware deletes itself from the disk. 
  • An anti-VM feature is present, which might be included in future strains. 
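The behaviour chain above (mass termination of processes and services, then log clearing, then the executable removing itself from disk) leaves a recognizable trail in Windows and Sysmon telemetry. The following detection sketch is an added example written for this page; it is not Minerva Labs' or Cyware's code and it does not reproduce anything from the SunCrypt sample. The event IDs are the real Windows and Sysmon ones; the correlation thresholds, the field names, and the sample event records are constructed assumptions for illustration.

```python
"""Correlate a termination burst -> log clearing -> executable deletion on one host.

Added detection example (not from Minerva Labs or Cyware). Input records are
assumed to be SIEM-normalized dicts with keys: time, host, event_id, image, target.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows / Sysmon event IDs; combining them this way is our heuristic.
SYSMON_PROCESS_TERMINATED = 5    # Microsoft-Windows-Sysmon: process terminated
SCM_SERVICE_STOPPED = 7036       # Service Control Manager: service entered the stopped state
SECURITY_LOG_CLEARED = 1102      # Security log: "The audit log was cleared"
EVENTLOG_LOG_CLEARED = 104       # Microsoft-Windows-Eventlog: a log file was cleared
SYSMON_FILE_DELETE = 23          # Microsoft-Windows-Sysmon: file deleted (archived)

TERMINATION_IDS = {SYSMON_PROCESS_TERMINATED, SCM_SERVICE_STOPPED}
LOG_CLEAR_IDS = {SECURITY_LOG_CLEARED, EVENTLOG_LOG_CLEARED}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_termination_then_wipe(events, min_terminations=5, burst_minutes=5, followup_minutes=60):
    """Return one alert per host that shows, in order:
    1. at least `min_terminations` process/service terminations within `burst_minutes`,
    2. an event-log clear within `followup_minutes` after that burst,
    3. deletion of an .exe after the first log clear (self-removal of the dropper).
    Thresholds are constructed defaults; tune them to the environment."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, t=_ts(e["time"])))

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        term_times = [e["t"] for e in evs if e["event_id"] in TERMINATION_IDS]

        # Step 1: sliding window over termination timestamps.
        burst_start = burst_end = None
        for i in range(len(term_times) - min_terminations + 1):
            if term_times[i + min_terminations - 1] - term_times[i] <= timedelta(minutes=burst_minutes):
                burst_start, burst_end = term_times[i], term_times[i + min_terminations - 1]
                break
        if burst_end is None:
            continue

        # Step 2: log clearing after the burst.
        deadline = burst_end + timedelta(minutes=followup_minutes)
        cleared = [e for e in evs if e["event_id"] in LOG_CLEAR_IDS and burst_end <= e["t"] <= deadline]
        if not cleared:
            continue

        # Step 3: an executable removed after the logs were cleared.
        first_clear = cleared[0]["t"]
        deleted = [e for e in evs if e["event_id"] == SYSMON_FILE_DELETE
                   and e["target"].lower().endswith(".exe") and first_clear <= e["t"] <= deadline]
        if deleted:
            alerts.append({
                "host": host,
                "burst_start": burst_start.isoformat(sep=" "),
                "logs_cleared": [e["target"] for e in cleared],
                "deleted_executables": [e["target"] for e in deleted],
            })
    return alerts


def _ev(time, host, event_id, image, target=""):
    return {"time": time, "host": host, "event_id": event_id, "image": image, "target": target}


# Constructed sample telemetry: ws01 shows the full chain, ws02 only an admin clearing a log.
SAMPLE_EVENTS = [
    _ev("2021-10-05 02:14:01", "ws01", 5, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    _ev("2021-10-05 02:14:02", "ws01", 5, r"C:\Program Files\MySQL\bin\mysqld.exe"),
    _ev("2021-10-05 02:14:03", "ws01", 5, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    _ev("2021-10-05 02:14:04", "ws01", 5, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _ev("2021-10-05 02:14:06", "ws01", 5, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    _ev("2021-10-05 02:14:07", "ws01", 7036, "VSS"),
    _ev("2021-10-05 02:14:09", "ws01", 7036, "SQLWriter"),
    _ev("2021-10-05 02:31:40", "ws01", 1102, "", "Security"),
    _ev("2021-10-05 02:31:41", "ws01", 104, "", "System"),
    _ev("2021-10-05 02:31:45", "ws01", 23, r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\update.exe"),
    _ev("2021-10-05 09:00:00", "ws02", 1102, "", "Security"),
    _ev("2021-10-05 09:00:05", "ws02", 23, r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for alert in detect_termination_then_wipe(SAMPLE_EVENTS):
        print(alert)
```

The three-stage ordering is what keeps the rule quiet on ordinary administration: a lone log clear (ws02) or a service restart burst without a follow-up clear never fires. Because Sysmon event 5 records the terminated image rather than the terminating one, the rule correlates per host rather than trying to attribute the burst to a specific actor; the deleted executable path is the pivot an analyst would take to the process-creation events that preceded it.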

Why this matters

SunCrypt still encrypts both local volumes and network shares. While it is encrypting victims, it is maintaining a low profile to evade detection by law enforcement. Although the latest variant is still in development, it highlights that the threat actor intends to increase its victim list and compete with other ransomware groups. 

Latest attack

  • Migros, Switzerland’s largest supermarket chain, became the latest victim of SunCrypt. The retail firm employs more than 100,000 people. 
  • The gang is reportedly behind the attack on Oklahoma City Indian Clinic. The attack disrupted the network, leaving providers and clinicians unable to access particular computer systems. 

The bottom line

SunCrypt is a potent threat, and the RaaS might expand in the near future. The ransomware operators are slowly adding victims to their lists, so it is recommended to implement appropriate security defenses to stay safe.

Cyware Publisher