Retail giant Walmart’s threat intelligence team has dissected a new ransomware family dubbed Sugar, which is available to cybercriminals as RaaS.
The Sugar ransomware family is written in Delphi and borrows objects from other ransomware families out there. Sugar mainly targets individual computers rather than enterprise networks, but that doesn’t make it less dangerous, especially since it is offered as a RaaS.
The most interesting feature of Sugar is its crypter. It employs a modified version of RC4 encryption, and code from the crypter is reused in the ransomware itself. Either the crypter and the Sugar ransomware are the work of the same developer, or the crypter has been delivered as part of the affiliate network.
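For readers who want to recognise what the analysts are describing, the following is an added example (not Walmart’s code and not anything recovered from a Sugar sample): a textbook RC4 implementation in Python, plus a simple triage heuristic that looks for the unscrambled 0x00..0xFF S-box that standard RC4 leaves in a binary or a memory dump. The article says Sugar’s crypter uses a modified RC4 but does not describe the modification, so nothing here reproduces the malware’s variant; the heuristic is there precisely to show why such a modification weakens generic RC4 signatures. The helper names and the sample buffer are this example’s own assumptions.

```python
"""Standard RC4 plus a cheap S-box artifact scan (added example, not from the Sugar analysis)."""
from typing import Iterator, List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: scramble the identity table 0..255 under the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: List[int]) -> Iterator[int]:
    """Pseudo-random generation algorithm: yield one keystream byte at a time."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric: the same call reverses itself)."""
    keystream = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)


# The table a standard RC4 KSA starts from. Implementations that store it as a
# constant, or that are dumped from memory before the KSA runs, expose it
# verbatim, which is what FindCrypt-style RC4 signatures key on.
IDENTITY_SBOX = bytes(range(256))


def find_rc4_sbox_artifacts(blob: bytes) -> List[int]:
    """Return every offset in `blob` at which a full 0x00..0xFF run appears.

    Caveat for analysts: a modified RC4 that seeds from a different table,
    builds the table with a loop, or permutes it differently will not trip
    this check, so a clean result never rules RC4 out.
    """
    hits = []
    start = 0
    while True:
        idx = blob.find(IDENTITY_SBOX, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


if __name__ == "__main__":
    # Constructed sample: three filler bytes, the identity S-box, one trailing byte.
    sample_blob = b"\x90" * 3 + IDENTITY_SBOX + b"\x00"
    print("S-box artifact offsets:", find_rc4_sbox_artifacts(sample_blob))
    ct = rc4(b"Key", b"Plaintext")
    print("RC4('Key', 'Plaintext') =", ct.hex())
    print("round trip ok:", rc4(b"Key", ct) == b"Plaintext")
```

The `rc4` function is checked against the well-known public test vector (key `Key`, plaintext `Plaintext`), so it can double as a reference when comparing a suspected variant’s keystream with the standard algorithm: if the sample’s output for a known key differs, the cipher has been altered somewhere in the KSA or PRGA.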
Analysis of the ransomware shows similarities with the ransom note used by REvil operators (along with differences and misspellings), and similarities between Sugar’s decryptor page and that of Cl0p. There are also similarities with GPLib, a library that contains procedures and functions for encryption and decryption operations.
These RaaS operations have plenty of room to prosper and even become established threats, given the service shutdowns of major ransomware groups.
Indicators of Compromise