# Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction **[medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc](https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc)** S2W September 9, 2021 [S2W](https://medium.com/@s2w?source=post_page-----43a2194ac0bc--------------------------------) Sep 9, 2021 5 min read ## Hotsauce | S2W TALON Executive Summary In May 2021. The United state’s company was infected by the Suncrypt ransomware, and after a long negotiation of about 3 weeks, the victim paid the ransom with Bitcoin, and Suncrypt finally deleted the leaked data and informed security report, and the negotiations were finished. As a result of tracking the Bitcoin paid by the victim, it was sent to the Binance, OKEX, Huobi exchange and confirmed the circumstances of ChipMixer Mixing. ## Detailed analysis 1. About Suncrypt ransomware Suncrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate program on the dark web and first appeared in October 2019. Suncrypt says “The Suncrypt group is a huge fan of a Win-Win style of negotiations and the minimal damage policy” and they provide a security report when the negotiation is complete, emphasizing that they are a reliable “business” rather than a ransomware “hack”. ## 2. Analysis of Suncrypt Ransomware Negotiation Suncrypt ransomware left a HTML type ransom note on the infected PC with information on key points and how to access the 1:1 negotiation page. ----- You can start negotiating with Suncrypt by accessing the 1:1 negotiation page guided by the ransom note. ## Victim company ----- 1. 2. 3. In May 2021, an American company D was infected with the Suncrypt ransomware. On the 1:1 negotiation page, Suncrypt said that after 72 hours the exfiltrated data will be posted at our news website and DDoS attack will be stopped only after progress is made in the negotiation. Suncrypt requested 1,200,000 USD as a payment amount, presenting sample files and listings as proof and guaranteeing to provide the following three items upon completion of the negotiation. Suncrypt seems to have separate roles of negotiator and technician, as a person who appears to be a technician/developer who calls himself Tech (purple chat) participates in the negotiation. During the negotiations, the victim company gave a link to a posted on Marketo / Twitter and protested why they were already selling our data. Suncrypt said and denied it had nothing to do with us. Marketo is a marketplace of stolen data, first appeared in April 202. Leaked data is selling publicly by bidding auctions. ----- Selling leak data of victim companies uploaded to Marketo. ----- Since the victim company does not have files encrypted with extensions other than Suncrypt, it seems that Marketo only stole data without separate encryption, and it is possible that leaked by Suncrypt and Marketo both. Suncrypt’s Tech said that they start DDoS attack to Marketo. After several price negotiations, the victim company paid 182,000 USD, demanding even to delete the post on Marketo. Suncrypt closes the negotiation by providing erasure log and security report after confirming Bitcoin deposit. **[Security Report — same contents are provided in case of other victim company that were](https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a)** infected at around the same time — erasure logs to prove that Suncrypt has deleted all files stolen from the victim company. ----- Suncrypt said that we are trying to bring down the fake post or getting a proof that data is fake, but leak data posted on Marketo have not yet been deleted and are still on selling. ## 3. Analysis of payment address Tracking the bitcoins paid by the victim company Payment address : bc1qx6wa9x9gdnah9jfdt0ps8c6z8vwt2mz9mpwdcr Amounts : 5.03350949 BTC Transaction date : 2021–06–02 The 5.03350949 BTC paid by the victim company was divided into several branches and each performed ChipMixer Mixing, transferred to Binance, OKEX, Huobi wallet ----- ## 3.1 Money Laundering with ChipMixer Mixing After several addresses, approximately 4 BTC was laundered through ChipMixer Mixing **Bitcoin Address** 1ME2WHjsa1TPjuWTUN2JRsAxJsCs62gSk7 112oLSTUE4PvVD4K88ANpwnRsw8e19ea7q 17pYQVxhPSGkiLwoJhaAM3DxG86VHtiBLn ## 3.2 Transactions to Exchange wallet After several addresses, approximately 1 BTC was withdrawn to Binance, OKEX, Huobi exchange **Bitcoin Address** 1Bb9AX3yM8WsFhZHFsVjWW79o6KFMiA3gE 3CBDnbKDhgaEHDzoBiJrGza2FC6vv3GLej 37Z8s6MQsWsRQTX7gPcFaAdo2qFsQm7RGr ## Conclusion , the Suncrypt ransomware mainly uses ChipMixer for bitcoin laundering Judging from the negotiation chat content, suncrypt seems to be divided into Ransomware operator, Negotiation manager, Tech manager, etc. ----- -----