We all have seen the destruction caused by the Maze Group in terms of financial and publicly exposed data of the victims. Recently, a new ransomware group known as SunCrypt has joined the Maze group according to a recent article by BleepingComputer. As per this article the threat actors behind SunCrypt claim to have been asked by the Maze threat actors to join the cartel as they are lacking to hold on to the huge volume they currently have.
Shout-out to GrujaRS for the sample of this new ally of the Maze group. SunCrypt deploys with a heavily obfuscated powershell script with almost about 1,23,883 lines of code.
The powershell script launches the csc.exe (Visual C# Command Line Compiler) and feeds the parameters stored in the a file at: %temp% directory with .cmdline extension. This step compiles the .cs file and drops the main SunCrypt DLL using the compiler present at the victims .NET Framework directory. Contents of the command line parameters are shown below:
All dropped files are stored temporarily in the users %temp% directory and are named randomly on each run. It can be seen that the target is set to library for the Visual C# Command Line Compiler to compile and drop the main dll. Currently, SunCryt is deployed as a DLL service.
Then the encryption of this ransomware starts along with dropping a html ransom note in every directory being traversed. The ransom note is named as: "YOUR_FILES_ARE_ENCRYPTED.HTML"
Here is a snapshot of this html ransom page:
SunCrypt encrypts and appends a HEX value as an extension to the files of the victim. The ransom note contains the link to its .onion domain where it publicly lists its victim and threatens to leak the data on a public platform, obviously this is expected as they are now hand-in-hand with the Maze Group. The ransomware POSTs the data to the very well known Maze infrastructure: 91.218.114[.]31
Seems like they are even sharing their resources and infrastructure for carrying out the attacks.
You can see in the above screenshot the files are being encrypted with a HEX extension and a html ransom note is dropped in the directory. Below you can see that their. onion website asks for the key that uniquely identifies the victims, they also have the Chat room that allows a victim to negotiate the ransom value:
Currently the site has listed 5 victims of their ransomware attack along with the total size of the data seized.
Indicators of Compromise:
- 3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
- 91.218.114[.]31
Comments
Post a Comment