{
	"id": "c989e20e-7c5f-4bdb-a19b-c8c85793f033",
	"created_at": "2026-04-06T00:09:47.387944Z",
	"updated_at": "2026-04-10T03:21:16.869199Z",
	"deleted_at": null,
	"sha1_hash": "0e56ee70f31f13c7520c2e6dc577ce8d4f00b3a7",
	"title": "SunCrypt ransomware is still alive and kicking in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3808531,
	"plain_text": "SunCrypt ransomware is still alive and kicking in 2022\r\nBy Bill Toulas\r\nPublished: 2022-03-28 · Archived: 2026-04-05 18:03:40 UTC\r\nSunCrypt, a ransomware-as-a-service (RaaS) operation that reached prominence in mid-2020, is reportedly still active, even if\r\nbarely, as its operators continue to work on giving its strain new capabilities.\r\nSunCrypt was one of the early pioneers of triple extortion, including file encryption, threat to publish stolen data, and DDoS\r\n(distributed denial of service) attacks on non-paying victims.\r\nDespite this and the lack of ethic-minded targeting restrictions within the affiliate program, SunCrypt has failed to grow\r\nlarger than a small private RaaS of a closed circle of affiliates.\r\nAccording to a report by Minerva Labs, this stagnation hasn't stopped the malware authors from working on a new and\r\nbetter version of their strain, which the analysts analyzed to determine what changed.\r\nNew SunCrypt features\r\nThe new capabilities of the 2022 SunCrypt variant include process termination, stopping services, and wiping the machine\r\nclean for ransomware execution.\r\nThese features have long existed on other ransomware strains, but for SunCrypt, they are very recent additions. As Minerva\r\ncomments, this makes it seem like it's still in an early development phase.\r\nThe process termination includes resource-heavy processes that can block the encryption of open data files, such as\r\nWordPad (documents), SQLWriter (databases), and Outlook (emails).\r\nThe cleaning feature is activated at the end of the encryption routine, using two API calls to wipe all logs. Although one\r\nwould be enough, the author probably used two for redundancy. After all the logs are erased, the ransomware deletes itself\r\nfrom the disk using cmd.exe.\r\nAPI calls that clear the event log (Minerva)\r\nOne of the important old features retained in the newest version is the use of I/O completion ports for faster encryption\r\nthrough process threading.\r\nAlso, SunCrypt continues to encrypt both local volumes and network shares, and still maintains an allowlist for the\r\nWindows directory, boot.ini, dll files, the recycle bin, and other items that render a computer inoperable if they're encrypted.\r\nLatest ransom note used by SunCrypt (Minerva)\r\nActivity and outlook\r\nAccording to stats from submissions to ID Ransomware, which provides a good idea of ransomware strain activity,\r\nSunCrypt is still encrypting victims but appears to have limited activity.\r\nSunCrypt submissions on ID Ransomware\r\nThe group may be targeting high-value entities and keeping the ransom payment negotiations private, not drawing law\r\nenforcement attention and media coverage.\r\nMinerva mentions Migros as one of SunCrypt's recent victims, which is Switzerland's largest supermarket chain employing\r\nover 100,000 people.\r\nIn summary, SunCrypt is undoubtedly a real threat that hasn't been cracked yet, but whether or not the RaaS will grow into\r\nsomething more significant remains to be seen.\r\nSource: https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/"
	],
	"report_names": [
		"suncrypt-ransomware-is-still-alive-and-kicking-in-2022"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e56ee70f31f13c7520c2e6dc577ce8d4f00b3a7.pdf",
		"text": "https://archive.orkl.eu/0e56ee70f31f13c7520c2e6dc577ce8d4f00b3a7.txt",
		"img": "https://archive.orkl.eu/0e56ee70f31f13c7520c2e6dc577ce8d4f00b3a7.jpg"
	}
}