The Maze Cartel Grows Bigger, SunCrypt Joins the Family

The infamous Maze ransomware has been one of the most active malware in recent times. Besides targeting a large number of organizations, it has been actively working to expand its syndicate by forming new partnerships.

What’s going on?

A new ransomware named SunCrypt has joined the Maze cartel, which other groups such as LockBit and Ragnar Locker are already a part of.
  • In August 2020, SunCrypt operators disclosed that they have joined the Maze ransomware cartel, and will be working with them on a revenue-sharing model.
  • SunCrypt utilizes the Maze infrastructure to target its victims.

A brief about SunCrypt

As per recent reports, SunCrypt is an independently run ransomware that was first observed in October 2019. 
  • The ransomware is distributed as a DLL file and is installed via a heavily obfuscated PowerShell script.
  • After encrypting files, a hexadecimal hash is appended at the end of the file name, and a ransom note titled ‘YOUR_FILES_ARE_ENCRYPTED.HTML’ is created in each targeted folder. It contains information about the breach and a link to the Tor payment site.
  • The hardcoded Tor link points to a Tor payment site contains a chat screen, probably for communicating with the operators.


Key takeaways

SunCrypt’s use of a common IP address for malicious activities suggests that Maze is now either sharing their infrastructure with its cartel members or is opening up and white-labeling their technology. Moreover, according to SunCrypt’s disclosure, they joined the cartel because Maze is unable to handle all the field of operations. This provides a clear indication that Maze operators are in a phase of rapid expansion, which may be a concerning factor for security teams around the globe.