SunCrypt Ransomware Takes Extortion Threats to Next Level

In November 2019, Maze ransomware operators started a new trend of stealing victims’ data and threatening to leak it in case the ransom was not paid. This trend was soon followed by several other groups, such as DoppelPaymer and REvil. Recently, the SunCrypt ransomware utilized a new tactic to extort its victims, which may be the beginning of yet another new trend in ransomware threats.

What happened?

SunCrypt ransomware recently started to target its victims with DDoS attack threats to force its victims into a negotiation for restoring the encrypted data.
  • During a recent ransomware attack on an unnamed organization, when negotiations stalled, affiliates of SunCrypt ransomware started a DDoS attack on the victim's website.
  • During the attack, the ransomware’s Tor payment link displayed a message that the DDoS was carried out by SunCrypt and will continue until the victim completes the negotiations.
  • When negotiations restarted, the ransomware operator agreed to turn off the DDoS attack. In this specific incident, this tactic eventually forced the victim to pay the ransom.

Recent attacks by SunCrypt

  • In mid-September, SunCrypt ransomware targeted the University Hospital New Jersey, breaching around 240 GB data and leaked 1.7 GB (around 48,000 documents).
  • At the beginning of September, the Haywood County School district disclosed that it was targeted by SunCrypt, who had published 5 GB of the stolen data after failed negotiation.

The Maze conflict

In August, SunCrypt claimed to be joining the Maze cartel sharing attack infrastructure. However, the Maze group later denied this claim, stating that they had no affiliation with SunCrypt.

Ending notes

Any victim organization is pressurized to pay the ransom when their data is locked, leaked, and eventually when the infrastructure is hit by DDoS attacks. Ransomware operators are trying out all possible tricks, which is a concerning factor for security agencies around the globe.