SunCrypt, a ransomware strain that went on to infect several targets last year, may be an updated version of the QNAPCrypt ransomware, which targeted Linux-based file storage systems. They are related on code level in dark web
QNAPCrypt (or eCh0raix) is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found in the system.The ransomware has since been tracked to a Russian cybercrime group referred to as FullOfDeep
SunCrypt,a Windows-based ransomware tool written originally in Go in October 2019, before it was ported to a C/C++ version in mid-2020. Besides stealing victims’ data prior to encrypting the files and threatening with public disclosure, the group has leveraged distributed denial-of-service (DDoS) attacks as a secondary extortion tactic to pressure victims into paying the demanded ransom.
Most recently, the ransomware was deployed to target a New South Wales-based medical diagnostics company called PRP Diagnostic Imaging , which involved the theft of “a small volume of patient records” from two of its administrative file servers.
Two ransomware families have directed their attacks against different operating systems, reports of SunCrypt’s connections to other ransomware groups have been previously speculated.
SunCrypt Go binaries, not only does the ransomware share similar encryption functions with QNAPCrypt, but also in the file types encrypted and the methods used to generate the encryption password as well as perform system locale checks to determine if the machine in question is located in a disallowed country.
QNAPCrypt and SunCrypt make use of the ransomware-as-a-service (RaaS) model to advertise their tools on underground forums, wherein affiliates carry out the ransomware attacks themselves and pay a percentage of each victim’s payment back to the strain’s creators and administrators.
“While the technical based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is clear that both ransomware are operated by different individuals,” the researchers concluded.