SunCrypt, a ransomware pressure that went on to contaminate a number of targets final yr, could also be an up to date model of the QNAPCrypt ransomware, which focused Linux-based file storage programs, in line with new analysis.
“Whereas the 2 ransomware [families] are operated by distinct totally different risk actors on the darkish net, there are robust technical connections in code reuse and methods, linking the 2 ransomware to the identical writer,” Intezer Lab researcher Joakim Kennedy stated in a malware evaluation printed in the present day revealing the attackers’ ways on the darkish net.
First recognized in July 2019, QNAPCrypt (or eCh0raix) is a ransomware household that was discovered to focus on Community Hooked up Storage (NAS) gadgets from Taiwanese corporations QNAP Programs and Synology. The gadgets have been compromised by brute-forcing weak credentials and exploiting recognized vulnerabilities with the purpose of encrypting information discovered within the system.
The ransomware has since been tracked to a Russian cybercrime group known as “FullOfDeep,” with Intezer shutting down as many as 15 ransomware campaigns utilizing the QNAPCrypt variant with denial of service assaults focusing on a listing of static bitcoin wallets that have been created for the categorical intent of accepting ransom funds from victims, and stop future infections.
SunCrypt, however, emerged as a Home windows-based ransomware device written initially in Go in October 2019, earlier than it was ported to a C/C++ model in mid-2020. Moreover stealing victims’ information previous to encrypting the information and threatening with public disclosure, the group has leveraged distributed denial-of-service (DDoS) assaults as a secondary extortion tactic to stress victims into paying the demanded ransom.
Most just lately, the ransomware was deployed to focus on a New South Wales-based medical diagnostics firm referred to as PRP Diagnostic Imaging on December 29, which concerned the theft of “a small quantity of affected person information” from two of its administrative file servers.
Though the 2 ransomware households have directed their assaults in opposition to totally different working programs, reviews of SunCrypt’s connections to different ransomware teams have been beforehand speculated.
Certainly, blockchain evaluation firm Chainalysis earlier final month quoted a “privately circulated report” from risk intelligence agency Intel 471 that claimed representatives from SunCrypt described their pressure as a “rewritten and rebranded model of a ‘well-known’ ransomware pressure.”
Now in line with Intezer’s evaluation of the SunCrypt Go binaries, not solely does the ransomware share related encryption features with QNAPCrypt, but additionally within the file varieties encrypted and the strategies used to generate the encryption password in addition to carry out system locale checks to find out if the machine in query is situated in a disallowed nation.
Additionally of observe is the truth that each QNAPCrypt and SunCrypt make use of the ransomware-as-a-service (RaaS) mannequin to promote their instruments on underground boards, whereby associates perform the ransomware assaults themselves and pay a proportion of every sufferer’s cost again to the pressure’s creators and directors.
Considering the overlaps and the behavioral variations between the 2 teams, Intezer suspects that “the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators.”
“Whereas the technical based mostly proof strongly offers a hyperlink between QNAPCrypt and the sooner model of SunCrypt, it’s clear that each ransomware are operated by totally different people,” the researchers concluded.
“Primarily based on the accessible information, it isn’t attainable to attach the exercise between the 2 actors on the discussion board. This means that when new malware providers derived from older providers seem, they could not at all times be operated by the identical individuals.”