June 5, 2023

Retail giant Walmart’s threat intelligence team has dissected a new ransomware family dubbed Sugar, which is availableto cybercriminals as RaaS.

The Sugar ransomware family is written in Delphi and borrows objects from other ransomware families out there. Sugar mainly targets individual computers rather than enterprise networks, but that doesn’t make it less dangerous, especially since it is offered as a RaaS.

Advertisements

The most interesting features of Sugar is its crypter. It employs a modified version of the RC4 encryption, and the code from the crypter is being reused in the ransomware itself. Both the crypter and sugar ransomware are the work from same developer or crypter has been delivered as a part of affiliate network

The ransomware’s analysis shows a similarities with the ransom note employed by REvil ransomware operators but also differences and misspellings and similarities between Sugar’s decryptor page and that of Cl0p. Also their existed a similarities with GPLib, a library that contains procedures and functions for encryption and decryption operations.

These RaaS operations have a lot of space to prosper and even become established threats due to service shot downs of major Ransomware groups

Advertisements

Indicators of Compromise

  • bottomcdnfiles.com
  • cdnmegafiles.com
  • 179.43.160.195
  • chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion
  • 82.146.53.237
  • sugarpanel.space15a7fb45f703d5315320eef132f3151873055161
  • 5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145
  • 320eefd378256d6e495cbd2e59b7f205d5101e7f
  • 18cb9b218bd23e936128a37a90f2661f72c820581e4f4303326705b2103714a9
  • e835de2930bf2708a3a57a99fe775c48f851fa8f
  • 1318aeaea4f2f4299c21699279ca4ea5c8fa7fc38354dd2b80d539f21836df5a
  • 98137dd04e4f350ee6d2f5da613f365b223a4f49
  • aa41e33d3f184cedaaaabb5e16c251e90a6c4ff721a599642dc5563a57550822
  • a4854ce87081095ab1f1b26ff16817e446d786af
  • 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
  • c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
  • 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
Tags:

Leave a Reply

You may have missed

BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
Gigabyte Motherboards Backdoor’ed

Gigabyte Motherboards Backdoor’ed

June 3, 2023
MOVEit Vulnerability Exploited in Wild

MOVEit Vulnerability Exploited in Wild

June 2, 2023
%d bloggers like this: