SunCrypt, a ransomware pressure that went on to contaminate a number of targets final yr, could also be an up to date model of the QNAPCrypt ransomware, which focused Linux-based file storage methods, in response to new analysis.
“Whereas the 2 ransomware [families] are operated by distinct totally different risk actors on the darkish net, there are robust technical connections in code reuse and methods, linking the 2 ransomware to the identical creator,” Intezer Lab researcher Joakim Kennedy mentioned in a malware evaluation revealed at present revealing the attackers’ techniques on the darkish net.
First recognized in July 2019, QNAPCrypt (or eCh0raix) is a ransomware household that was discovered to focus on Community Hooked up Storage (NAS) units from Taiwanese corporations QNAP Methods and Synology. The units had been compromised by brute-forcing weak credentials and exploiting identified vulnerabilities with the aim of encrypting recordsdata discovered within the system.
The ransomware has since been tracked to a Russian cybercrime group known as “FullOfDeep,” with Intezer shutting down as many as 15 ransomware campaigns utilizing the QNAPCrypt variant with denial of service assaults concentrating on an inventory of static bitcoin wallets that had been created for the specific intent of accepting ransom funds from victims, and forestall future infections.
SunCrypt, then again, emerged as a Home windows-based ransomware instrument written initially in Go in October 2019, earlier than it was ported to a C/C++ model in mid-2020. In addition to stealing victims’ knowledge previous to encrypting the recordsdata and threatening with public disclosure, the group has leveraged distributed denial-of-service (DDoS) assaults as a secondary extortion tactic to stress victims into paying the demanded ransom.
Most just lately, the ransomware was deployed to focus on a New South Wales-based medical diagnostics firm known as PRP Diagnostic Imaging on December 29, which concerned the theft of “a small quantity of affected person information” from two of its administrative file servers.
Though the 2 ransomware households have directed their assaults towards totally different working methods, stories of SunCrypt’s connections to different ransomware teams have been beforehand speculated.
Certainly, blockchain evaluation firm Chainalysis earlier final month quoted a “privately circulated report” from risk intelligence agency Intel 471 that claimed representatives from SunCrypt described their pressure as a “rewritten and rebranded model of a ‘well-known’ ransomware pressure.”
Now in response to Intezer’s evaluation of the SunCrypt Go binaries, not solely does the ransomware share comparable encryption capabilities with QNAPCrypt, but additionally within the file sorts encrypted and the strategies used to generate the encryption password in addition to carry out system locale checks to find out if the machine in query is positioned in a disallowed nation.
Additionally of be aware is the truth that each QNAPCrypt and SunCrypt make use of the ransomware-as-a-service (RaaS) mannequin to promote their instruments on underground boards, whereby associates perform the ransomware assaults themselves and pay a share of every sufferer’s cost again to the pressure’s creators and directors.
Making an allowance for the overlaps and the behavioral variations between the 2 teams, Intezer suspects that “the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators.”
“Whereas the technical based mostly proof strongly offers a hyperlink between QNAPCrypt and the sooner model of SunCrypt, it’s clear that each ransomware are operated by totally different people,” the researchers concluded.
“Based mostly on the out there knowledge, it isn’t attainable to attach the exercise between the 2 actors on the discussion board. This implies that when new malware companies derived from older companies seem, they might not at all times be operated by the identical individuals.”