The Maze Cartel Grows Bigger, SunCrypt Joins the Family
The infamous Maze ransomware has been one of the most active malware in recent times. Besides targeting a large number of organizations, it has been actively working to expand its syndicate by forming new partnerships.
What’s going on?
A new ransomware named SunCrypt has joined the Maze cartel, which other groups such as LockBit and Ragnar Locker are already a part of.
- In August 2020, SunCrypt operators disclosed that they have joined the Maze ransomware cartel, and will be working with them on a revenue-sharing model.
- SunCrypt utilizes the Maze infrastructure to target its victims.
A brief about SunCrypt
As per recent reports, SunCrypt is an independently run ransomware that was first observed in October 2019.
- The ransomware is distributed as a DLL file and is installed via a heavily obfuscated PowerShell script.
- After encrypting files, a hexadecimal hash is appended at the end of the file name, and a ransom note titled ‘YOUR_FILES_ARE_ENCRYPTED.HTML’ is created in each targeted folder. It contains information about the breach and a link to the Tor payment site.
- The hardcoded Tor link points to a Tor payment site contains a chat screen, probably for communicating with the operators.
SunCrypt’s use of a common IP address for malicious activities suggests that Maze is now either sharing their infrastructure with its cartel members or is opening up and white-labeling their technology. Moreover, according to SunCrypt’s disclosure, they joined the cartel because Maze is unable to handle all the field of operations. This provides a clear indication that Maze operators are in a phase of rapid expansion, which may be a concerning factor for security teams around the globe.