SunCrypt is a RaaS (Ransomware as a Service) group that was first seen in October 2019, and was one of the first groups to apply triple extortion* tactics to their attacks. Unlike other RaaS groups, SunCrypt runs a small and closed affiliate program. The first version of this ransomware was written in GO, but after C and C++ versions were released in mid-2020, the group became much more active. SunCrypt mostly affects the Services, Technology, and Retail industries. Our researchers recently identified an updated version of this ransomware which includes additional capabilities.
SunCrypt often uses the PowerShell loader for delivery and deployment. Our sample was dropped by .zip file. This is not a very sophisticated or fast ransomware, but differs from others with its unique encryption routine which barely makes any use of the system API. Almost all of the API functions used by SunCrypt are statically imported, with a small number that are dynamically imported.
As in most ransomware cases, the encryption routine runs in several threads. It uses an I/O Completion Ports model to achieve faster encryption. According to Microsoft: “I/O completion ports provide an efficient threading model for processing multiple asynchronous I/O requests on a multiprocessor system. When a process creates an I/O completion port, the system creates an associated queue object for requests whose sole purpose is to service these requests. Processes that handle many concurrent asynchronous I/O requests can do so more quickly and efficiently by using I/O completion ports in conjunction with a pre-allocated thread pool than by creating threads at the time they receive an I/O request.”
There are several files and directories that are whitelisted by SunCrypt:
- Windows directory
- $Recycle.bin directory
- System Volume Information directory
- .exe extension files
- .dll extension files
- .ocx extension files
- .sys extension files
- AppData directory
- Application Data directory
- YOUR_FILES_ARE_ENCRYPTED.HTML – ransom note
- Bootmgr directory
- ..\Efi\microsoft\boot\bootmgr.efi file
Encrypted files are renamed to add random 64-byte hex string extensions:
As its previous versions, SunCrypt encrypts the local volumes as well as found network shares. It also creates a “\Sessions\2\BaseNamedObjects\0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e” mutex on the infected machine.
While the 2022 SunCrypt version has gained new capabilities, it seems like the ransomware is still under development. New capabilities allow the ransomware to terminate processes, stop services and clean the machine from any evidence of the ransomware execution. The ransomware also uses a winlogon.exe access token and sets it to its main thread by using SetThreadToken API call.
There also appears to be an Anti-VM feature that is not present in our sample but might be added in future versions. We noticed that 2022 version lacks C&C connection capabilities, while there is still an option to pass an argument that will stop the reporting to C&C.
SunCrypt uses an undocumented “ProcessIOPriority” (0x21) information class to increase an I/O priority of the process to “High”, which will to speed up its execution:
SunCrypt terminates the following processes before initiating the encryption routine:
While the service stopping code is present in our sample, it doesn’t appear to be used. In addition, there is no service list to be stopped that is present in the sample.
At the end of the encryption routine, SunCrypt clears the event log using ClearEventLogA and a combination of EvtOpenChannelEnum/EvtNextChannelPath/EvtClearLog API calls. Just using one of these techniques is usually enough, as each of them works for different OS versions, but in our sample, the author decide to use both techniques irrespective of the OS version. After clearing the event log, the ransomware deletes itself from disk by executing cmd.exe with the following command:
cmd.exe /C ping 127.0.0.1 -n 10 > nul & del /f /q “path to the currently running process” > nul”
Figure 3 – Event Log Clear
Upon initial execution, the ransomware checks the command line arguments that were passes to the process. There are eight arguments that were defined by the ransomware authors in our version:
- -noshares – if this argument is passed, the ransomware only encrypts local volumes.
- -nomutex – in older versions, passing this parameter skips the mutex check, but in our version, it does not seem to affect the execution flow at all.
- -noreport – based on older versions, if this argument is passed, the ransomware stops reporting to the C&C.
- -noservices – apparenrly, if this argument passed, the ransomware does not stop services.
- -vm – we do not know yet if this argument is supposed to activate or deactivate VM checks as we did not find any VM detection capabilities in our sample.
- -path – if this argument is passed, the ransomware will only encrypt the files under a passed path.
- -justcrypt – if this argument is passed, the ransomware does not terminate processes, duplicate winlogon.exe token, prioritize the running process and as we assume, stop services.
- -keep_exe – if this argument is passed, the ransomware executable is not be deleted at the end of the flow.
Figure 4 – Arguments that might be passed to the ransomware
SunCrypt, much like most ransomware groups nowadays, claims to exfiltrate victim data before encrypting it and offer the victim the option of uploading an encrypted file to prove decryption capabilities:
Figure 5 – Ransom Note
One of the most recent victims is Migros, Switzerland’s largest retail company and largest supermarket chain with over 100K employees.
While our sample looks like a “work in progress” it might indicate the threat actor’s intent to significantly increase their victims list and catch up with already familiar capabilities of other competing ransomware groups.
* Triple extortion is a relatively new practice among ransomware operators where the first two extortions of file encryption and publication to the world are not enough. In this case, if the victim still fails to comply and pay the ransom, the ransomware operator will DDOS the victim, making it even more difficult for them to return to operation.
- “\Sessions\2\BaseNamedObjects\0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e “