{
	"id": "624abb3a-9761-4e9e-a8c1-2c92c0aa4074",
	"created_at": "2026-04-06T00:21:23.662145Z",
	"updated_at": "2026-04-10T03:21:20.113275Z",
	"deleted_at": null,
	"sha1_hash": "1e2702a79eefa704979193c7defe8dd0d7f8045a",
	"title": "When Viruses Mutate: Did SunCrypt Evolve from QNAPCrypt?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3950352,
	"plain_text": "When Viruses Mutate: Did SunCrypt Evolve from QNAPCrypt?\r\nBy Joakim Kennedy\r\nPublished: 2021-03-02 · Archived: 2026-04-05 18:49:40 UTC\r\nDov Lerner from Cybersixgill contributed to this report\r\nIntro\r\nProgrammers frequently reuse code, as recycling something that is already written and functional is much more\r\nefficient than writing from scratch. Malware authors are no different; functions and modules from one malware\r\ncan be reused in the next. Because of this, code reuse analysis can connect different malware to the same author.\r\nWhen performing code reuse analysis, it is important to ensure that the code is unique to the specific developer\r\nand not common code that, for example, is part of an open-source library since open-source code can be used by\r\nmany and cannot be tied to a specific author. If this is handled correctly, code reuse is a very powerful method for\r\nattributing malware to a specific malware author.\r\nThere is a constant churn of new actors and malware families. However, sometimes a seemingly new threat actor\r\nis just a “rebranding” or a new group formed by known actors. For example, in May 2019, the GandCrab group\r\nannounced that they were retiring from their ransomware activity. Not long after, researchers connected a new\r\nransomware called REvil (also known as Sodinokibi) to the then defunct GandCrab ransomware. REvil shared\r\nunique code similarities with GandCrab. This suggested that when GandCrab was closing down, the malware\r\nauthors switched to develop a new ransomware using some of the code from GandCrab in a new collaboration\r\nwith other threat actors.\r\nThis report uses both dark web research and malware analysis to investigate the connection between the affiliate\r\nransomware service known as SunCrypt and the QNAPCrypt ransomware, the latter of which was used against\r\nQNAP and Synology devices back in 2019. 
While the two ransomware families are operated by distinct threat\r\nactors on the dark web, there are strong technical connections in code reuse and techniques, linking the two\r\nransomware to the same author. Just because a malware is a derivative of another malware does not mean it will\r\nbe deployed in exactly the same way. A new operator may use different targets, tactics, techniques and procedures\r\n(TTPs), which can include new evasion techniques. Defenders must remain vigilant.\r\nTechnical Connection\r\nSunCrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate program on the dark web. The history\r\nof this RaaS can be traced back to circa October 2019, when a new ransomware was found in the wild\r\n(5657abdb9d99cd5aec433099f8d6f53d). The new ransomware was written in Go and targeted Windows\r\nmachines. This version of SunCrypt was not reported in many attacks; it wasn’t until mid-2020, when a new\r\nversion of the ransomware written in C/C++ was discovered, that attacks started to increase. It is an interesting\r\nshift to retool from Go to C/C++ when other groups are instead retooling from C/C++ to Go.\r\nhttps://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt\r\nPage 1 of 17\n\nWhile the RaaS didn’t appear until October 2019, these SunCrypt versions share connections with another ransomware,\r\ncalled QNAPCrypt (also known as eCh0raix), that was used to target Network Attached Storage (NAS)\r\ndevices back in July 2019. Both families share identical code logic for the file encryption, which we can conclude\r\nwith high certainty has been compiled from the same source code.\r\nSunCrypt 2020 and SunCrypt 2019\r\nThe SunCrypt variant that was released in 2020 is written in C. Due to this, it does not share any code with\r\nthe earlier Go version from 2019. 
The functionality of SunCrypt has been well documented, and some of the behaviors\r\nare similar between the two variants. For example, both variants are designed to encrypt and steal data. This,\r\ntogether with the name, is not enough to link the two variants together. Instead, we have to look at other data\r\npoints.\r\nAfter the ransomware has stolen and encrypted the files on the infected machine, the user is presented with a\r\nransom note. The ransom note for the 2020 variant is shown in Figure 1 below. The note can be read in English,\r\nGerman, French, Spanish or Japanese. It has an input box; when the user enters their unique ID, they are sent\r\nto a chat interface.\r\nFigure 1: Ransom note pages for SunCrypt. Left shows the original ransom note and right shows the\r\nransom note currently used. Both share the same typos and structure. The current ransom note provides a link to the\r\nleak site while the original note does not.\r\nThe ransom note for the 2019 variant is very similar. It has essentially the same text. The background color is\r\ndifferent. The major difference is that the 2019 version does not include the threat to leak the stolen data if the\r\nransom is not paid, as can be seen in Figure 1.\r\nConnection to QNAPCrypt\r\nThe 2019 variant is potentially a beta release of the RaaS. The version included in the PDB path is “0.1,” as can be\r\nseen in Figure 2. The figure shows partial output of redress, a tool used to analyze Go binaries. As part of\r\nthe output, we can see a file called “aes.go” with two functions. Note that one of the functions has a typo in the\r\nname, “EncEAS” instead of “EncAES.” A similar file has been found as part of another malware family,\r\nQNAPCrypt. 
This typo was included in two samples of version 2 of QNAPCrypt\r\n(8dd59345cc034317630b2ac2ee19b362 and 516291d10b370c7be3863335cf5d57eb). An output generated by\r\nredress from one of the QNAPCrypt samples is shown in Figure 3. After searching both our data set of malware\r\nand a retro hunt on VirusTotal, only these three samples have the two function names. From this, we can conclude\r\nthat the typo is unique and points to code shared between the two ransomware families.\r\nFigure 2: Partial output of redress for the SunCrypt 2019 variant. One of the functions has the typo EAS instead of\r\nAES.\r\nFigure 3: Output from redress for a version of QNAPCrypt with the same typo.\r\nA deeper analysis of the functions confirms that they are derived from the same source. A flow graph of “EncFile”\r\nis shown in Figure 4 and a flow graph for “EncEAS” is shown in Figure 5.\r\nFigure 4: Flow graphs for the EncFile function. The flow is identical.\r\nThe samples are compiled for different operating systems and architectures using different versions of the Go\r\ncompiler, which results in a slight difference in the generated assembly code. The function opens a file handle to\r\nthe file to be encrypted. It uses the “Stat” function provided by Go’s standard library to determine the file size.\r\nBased on the size, the flow splits into two different branches.\r\nFor SunCrypt, if the file is larger than 100 MB it goes down one branch, while QNAPCrypt uses a cutoff of 10\r\nMB. Files smaller than the cutoff size go down the second branch. In the large file branch, SunCrypt reads\r\nin the first 100 MB using the “ReadAtLeast” function that is part of the standard library “io” package.\r\nQNAPCrypt does the same but reads only the first 10 MB.\r\nFor the smaller files, both families use the “ReadFile” function from the standard library “io/ioutil” package. 
The read-in data is passed\r\nto the “EncEAS” function that encrypts the data. The content is finally written to disk as a new file with an\r\nextension appended, while the original file is removed. Except for the size cutoff, the function logic in the two\r\nfamilies is identical.\r\nThe “EncEAS” function encrypts the data using AES in Cipher Feedback (CFB) mode. A comparison between the\r\nflow graphs is shown in Figure 5 below. As with the “EncFile” function, the “EncEAS” function has identical\r\nlogic, and it can be confirmed that it was compiled from very similar source code.\r\nFigure 5: Flow graph comparison between SunCrypt and QNAPCrypt’s “EncEAS” function.\r\nOther Similarities\r\nIn addition to the shared code between the two malware families for the functionality responsible for the file\r\nencryption, the two families also have other similarities. The similarities on their own do not indicate a\r\nconnection, but the collection of all of them does. They are presented here to strengthen the connection\r\nindicated by the shared code. Figure 6 shows functions in QNAPCrypt that share similarities with functions in\r\nSunCrypt.\r\nFigure 6: Functions with similarities between QNAPCrypt and SunCrypt. File encryption logic is identical, while\r\nthe key generation and the encryption of the key are very similar. Both malware use the locale of the machine and\r\nGeoIP to determine the location of the machine.\r\nBoth ransomware are designed not to run in some Commonwealth of Independent States (CIS) countries.\r\nQNAPCrypt will not perform any encryption of files if it believes it is running on a Belarusian, Russian or\r\nUkrainian machine. SunCrypt does the same, but also includes Kyrgyzstan and Syria in the list.\r\nThe way each ransomware tries to determine this is very similar: both use two sources for this information. 
One of\r\nthe sources is the locale of the machine. As QNAPCrypt targets Linux machines and SunCrypt targets\r\nWindows machines, the way of obtaining this information is different. The second source is geolocation based\r\non the external IP address of the machine. Both ransomware reach out to an external service to get this\r\ninformation, “ip-api.com” for SunCrypt and “ipapi.co” for QNAPCrypt. While the families use different services,\r\nthey both use the locale on the machine and the GeoIP information to determine if the machine is located in a\r\ndisallowed country.\r\nAs discussed in the section covering the file encryption code, the files are encrypted with AES in CFB mode. Both\r\nransomware generate a unique 32-character “password.” The logic for generating this code is very similar. A\r\ncomparison of the logic is shown in Figure 7. The characters in the password are randomly selected from a list of\r\nvalid characters that includes all the English upper and lower case letters and the digits 0 through 9. The list is\r\nidentical between the malware. The rand implementation provided by the “math/rand” package in the standard library is\r\nused, which means the randomness is not cryptographic. The generator is seeded with the current time. The\r\nmain difference is that SunCrypt resets the seed every time the function responsible for generating the “password”\r\nis called, while QNAPCrypt sets the seed once during initialization. SunCrypt also uses the function to generate a\r\nvictim identifier.\r\nFigure 7: Generation of the encryption password. The function loops 32 times and uses “rand.Intn” to pick a\r\nrandom character from the list of valid characters. When the loop is done, the byte slice of characters is converted\r\nto a string.\r\nThe encryption password is encrypted with a public RSA key included in the binary. 
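The following Go program is an added illustration written for this page; it is not code from the report or from either malware. It reproduces the password-generation pattern described above (32 draws of rand.Intn over the 62-character alphabet from a time-seeded math/rand generator) and shows why that choice matters: an analyst who can bound the infection time can enumerate every candidate password, so the RSA wrapping of the password protects nothing under these assumptions. Assumptions the report does not state: the seed is Unix time in seconds, and a fresh generator is seeded per call (the SunCrypt behavior; QNAPCrypt seeds once at start-up, so its password would come from a later position in the stream and the search would also have to enumerate how many values were consumed earlier). The predicate handed to RecoverSeed stands in for whatever check an analyst actually has, typically a trial AES-CFB decryption of a file whose first bytes are known; in main it simply compares against a known password, and all values in main are constructed.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Alphabet described in the report: English upper and lower case plus 0-9.
const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

const passwordLen = 32

// GenPassword mirrors the Figure 7 loop: 32 draws of rand.Intn over charset
// from a math/rand generator seeded with a timestamp. Seeding with Unix
// seconds is an assumption for this example; the report only says "current time".
func GenPassword(seed int64) string {
	r := rand.New(rand.NewSource(seed))
	buf := make([]byte, passwordLen)
	for i := range buf {
		buf[i] = charset[r.Intn(len(charset))]
	}
	return string(buf)
}

// RecoverSeed enumerates every seed in [from, to] and returns the first one
// whose regenerated password satisfies matches. The predicate is whatever the
// analyst can test a candidate against (e.g. trial decryption of a file with a
// known header). ok is false when no seed in the window matches.
func RecoverSeed(matches func(candidate string) bool, from, to int64) (seed int64, ok bool) {
	for s := from; s <= to; s++ {
		if matches(GenPassword(s)) {
			return s, true
		}
	}
	return 0, false
}

// CandidateCount is the size of the search space for a window of the given
// width: one candidate password per possible one-second seed.
func CandidateCount(window time.Duration) int64 {
	return int64(window/time.Second) + 1
}

func main() {
	// Constructed scenario: infection at a known minute on 2019-07-05.
	infected := time.Date(2019, 7, 5, 12, 0, 0, 0, time.UTC).Unix()
	pw := GenPassword(infected)
	fmt.Println("victim password:", pw)

	// The analyst only knows the day from file timestamps: +-12 hours.
	from, to := infected-12*3600, infected+12*3600
	fmt.Println("candidates to try:", CandidateCount(time.Duration(to-from)*time.Second))

	seed, ok := RecoverSeed(func(c string) bool { return c == pw }, from, to)
	fmt.Println("recovered seed:", seed, "found:", ok, "match:", GenPassword(seed) == pw)
}
```

A one-day window is 86,401 seeds, each costing one 32-character regeneration, which finishes in well under a second; a seed drawn from crypto/rand would leave no such window to search.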
The logic for this code is\r\nsimilar, as can be seen in Figure 8. The code uses the “EncryptPKCS1v15” function that is part of the “crypto/rsa”\r\npackage.\r\nFigure 8: Encryption of the password using the public key included in the binary.\r\nBoth ransomware families have command and control (C2) infrastructure hosted as Tor hidden services. The first\r\nversion of QNAPCrypt reached out to the C2 to fetch information for the ransom note, including the Bitcoin\r\nwallet used for the campaign. SunCrypt sends campaign information and uploads stolen files to the C2 server. To\r\naccess the hidden service, both families use a publicly available SOCKS5 proxy. QNAPCrypt connects directly to an\r\nIP address (192.99.206[.]61) while the proxy used by SunCrypt is accessed via the domain vie8hoos[.]xyz.\r\nThe file types encrypted by the ransomware are also similar. Both families have a list of file extensions that they\r\nuse to determine if a file should be encrypted. In total, SunCrypt has a list of 589 file extensions. If we compare\r\nthe SunCrypt list to the list used by the first version of QNAPCrypt, we can see that SunCrypt’s list has added four\r\nnew entries and removed 19 entries. The lists are not sorted in any way, so the extracted lists appear in exactly the\r\nsame order as they appeared in the malware. 
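As an added example (not part of the report), the Go helper below performs this kind of comparison on two extracted extension lists: it reports the entries added and removed, in list order, which is the same information as the “<” and “>” lines of a diff, and it computes a Jaccard index (shared entries divided by distinct entries) as a similarity figure. The report does not say how its 0.991 was computed; the Jaccard index is an assumption here, chosen because the line numbers in the second diff below (589 SunCrypt entries, 588 QNAPCrypt entries, 586 shared) give 586/591 = 0.9915, which rounds to that figure. The lists in main are constructed and are not the real 589-entry lists.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseExtList turns a dumped extension list (one entry per line, as extracted
// from a sample) into a slice, trimming whitespace and skipping blank lines.
// Order is preserved: the report notes the lists are unsorted, so matching
// order is itself evidence of shared origin.
func ParseExtList(blob string) []string {
	var out []string
	for _, line := range strings.Split(blob, "\n") {
		if e := strings.TrimSpace(line); e != "" {
			out = append(out, e)
		}
	}
	return out
}

// DiffExtLists returns entries in a but not in b (added) and in b but not in a
// (removed), each in the order of its own list.
func DiffExtLists(a, b []string) (added, removed []string) {
	inA, inB := toSet(a), toSet(b)
	for _, e := range a {
		if !inB[e] {
			added = append(added, e)
		}
	}
	for _, e := range b {
		if !inA[e] {
			removed = append(removed, e)
		}
	}
	return added, removed
}

// Jaccard is shared entries over distinct entries of both lists; 1.0 means
// identical sets. Two empty lists are treated as identical.
func Jaccard(a, b []string) float64 {
	inA, inB := toSet(a), toSet(b)
	shared := 0
	for e := range inA {
		if inB[e] {
			shared++
		}
	}
	union := len(inA) + len(inB) - shared
	if union == 0 {
		return 1.0
	}
	return float64(shared) / float64(union)
}

// JaccardFromCounts computes the same index from list sizes and a shared
// count, which is all that a diff's line numbers give you.
func JaccardFromCounts(lenA, lenB, shared int) float64 {
	return float64(shared) / float64(lenA+lenB-shared)
}

func toSet(list []string) map[string]bool {
	s := make(map[string]bool, len(list))
	for _, e := range list {
		s[e] = true
	}
	return s
}

func main() {
	// Constructed sample lists, not the real extension lists from the samples.
	sun := ParseExtList(".doc\n.xls\n.mp4\n.jpg\n.java\n.swift\n.go\n")
	qnap := ParseExtList(".doc\n.xls\n.jpg\n.gcode\n.ngc\n")
	added, removed := DiffExtLists(sun, qnap)
	fmt.Println("added:", added, "removed:", removed)
	fmt.Printf("jaccard: %.3f\n", Jaccard(sun, qnap))
	// Reproducing the report's figure from the second diff's line numbers.
	fmt.Printf("589 vs 588 with 586 shared: %.4f\n", JaccardFromCounts(589, 588, 586))
}
```

Set similarity ignores order; when two lists this long also agree in their unsorted order, the case for a common source is stronger than the index alone shows.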
The code snippet below shows the “diff” between the two lists.\r\n$ diff suncrypt_ext.lst qnap_ext_20190705.lst\r\n460d459\r\n\u003c .mp4\r\n562,564d560\r\n\u003c .java\r\n\u003c .swift\r\n\u003c .go\r\n589a586,604\r\n\u003e .gcode\r\n\u003e .ngc\r\n\u003e .sldprt\r\n\u003e .sldasm\r\n\u003e .x_t\r\n\u003e .step\r\n\u003e .fits\r\n\u003e .cat\r\n\u003e .ctlg\r\n\u003e .fit\r\n\u003e .rsn\r\n\u003e .eml\r\n\u003e .vhdx\r\n\u003e .cfg\r\n\u003e .plist\r\n\u003e .bckup\r\n\u003e .far\r\n\u003e .tbz\r\n\u003e .abf\r\nIf we compare SunCrypt’s list to the list used by the second version of QNAPCrypt from August of the same year,\r\nthe overlap is even bigger. The “diff” output is shown in the snippet below. The difference is that SunCrypt has\r\nadded three entries and removed two. This results in a string similarity of 0.991, which is a strong similarity.\r\n$ diff suncrypt-files.lst qnap_ext_20190801.lst\r\n562,564d561\r\n\u003c .java\r\n\u003c .swift\r\n\u003c .go\r\n589a587,588\r\n\u003e .gcode\r\n\u003e .ngc\r\nDark Web Activity\r\nNot long after the public reports on QNAPCrypt/eCh0raix, a new forum user named eCh0raix became active and\r\nstarted promoting the ransomware. Later, a SunCrypt user account promoted a new ransomware affiliate service.\r\nWhile both actors operated on the same popular Russian-language dark web forum, this is where the similarities\r\nend.\r\neCh0raix\r\nThe actor behind eCh0raix first posted on August 31, 2019, announcing an affiliate program for a ransomware\r\ntargeting Linux (Figure 9). 
The post includes a diagram showing how the program works.\r\nFigure 9: Announcement post made by the eCh0raix actor on the dark web.\r\nIn the post (Figure 10), eCh0raix cites research by threat researchers (from Anomali and Trend Micro), a\r\nmarketing technique often used by RaaS providers in order to bolster credibility.\r\nFigure 10: The threat actor referring to public research on their ransomware.\r\nFrom this initial post until June 20, 2020, the actor posted 27 new threads on the forum and another 77 replies to\r\nexisting threads. They were quite gregarious, jumping into threads and sharing expertise and advice. While the\r\nactor did not give any updates on the eCh0raix ransomware, all of the posts concluded with a signature that included\r\nthe citation from the threat researchers.\r\nThe actor’s catalogue of posts dealt with a broad variety of topics. On December 25, 2019, eCh0raix offered a\r\nsecond service called DirBuster (Figure 11), for scanning domains, subdomains, pages, and scripts, which appears\r\nto have been rebranded as Masscan a few months later.\r\nFigure 11: Forum post by the threat actor announcing a port scanning service called Masscan.\r\nThe actor was also interested in virtualization, network access, and databases. They posted a lengthy account of\r\nhacking a Magento site, sold SSH root access/web shell access to a Costa Rican ad network and to an American IT\r\ncompany, and a database dump from a Canadian cannabis store.\r\nIn their final post (Figure 12) on the forum, the actor was looking to purchase a Shodan account from which to\r\nexport IP addresses. 
Like every post before it, this post concluded with the same announcement of the eCh0raix\r\nransomware that had been used ten months prior.\r\nFigure 12: Final post by the threat actor.\r\nSince that post on June 20, 2020, the account has been inactive, without any stated reason or other indication why.\r\nSunCrypt\r\nOn August 12, 2020, the actor behind SunCrypt posted on the same forum for the first time. In a post titled\r\n[PARTNERSHIP PROGRAM] SunCrypt Ransomware (Figure 13), the actor posted characteristics of the\r\nransomware and issued a call for five affiliates to spread the ransomware. The actor noted that once the affiliate\r\nprogram was full, “we will go into private again.”\r\nFigure 13: Forum post announcing the SunCrypt partnership program.\r\nThe actor posted 11 more times, all in this single thread, either searching for affiliates or\r\nanswering technical questions about the ransomware. On August 29, the actor announced that the affiliate program\r\nwas full. Then on September 3, they announced that a position had been vacated.\r\nOn September 19, an actor posted on the thread (Figure 14), “Even hospitals are scammed by these scum,” and\r\ncited a Bleeping Computer article about a SunCrypt attack against University Hospital New Jersey (UHNJ).\r\nFigure 14: Another threat actor posts in the SunCrypt thread about how the ransomware has been used in attacks\r\nagainst hospitals.\r\nSunCrypt wrote defensively (Figure 15), “how can I see you are the most honest here…. 
Mother Teresa,” a\r\nstretched take on “Let he who is without attacking a hospital with ransomware cast the first stone.”\r\nThe actor continued, blaming the hospital attack on a new affiliate, who was reportedly punished, since “we don’t\r\ndo hospitals, government agencies, airports, and so on.”\r\nFigure 15: The actor behind SunCrypt responds to the hospital attack allegation.\r\nLater that day, another actor posted a lengthy technical analysis of the ransomware. The SunCrypt actor angrily\r\nresponded, “Tell me, why are you posting this here?” and requested that the moderator erase the post (Figure 16).\r\nFigure 16: The threat actor’s angry response to a technical analysis of the ransomware.\r\nAs of the date of this publication, the actor has not posted again. It is unclear why.\r\nSunCrypt’s dedicated leak site (DLS) soon wound down. Starting on August 1, there were 15 posts of data from\r\ntargeted organizations. After September 19, there were only three more over the next 10 days. Even though\r\nnew samples of SunCrypt ransomware had surfaced on VirusTotal, it appears that SunCrypt’s public campaign on\r\ndark web forums and management of a DLS went dark.\r\nIt is unclear why the forum thread went silent and why the DLS suspended operations, but the timing suggests\r\nthat it was related to the hospital attack. 
SunCrypt’s operators may have been afraid that unwanted notoriety\r\nwould attract law enforcement action or security researchers, so they decided to keep a lower profile until the\r\nattention subsided.\r\nSuddenly, on February 16, SunCrypt’s DLS listed a new victim: PRP Diagnostic Imaging. It appears that\r\nSunCrypt has returned to the business of public ransomware breaches.\r\nIt is notable that PRP provides “an extensive range of diagnostic [medical] imaging services,” such as MRIs,\r\nultrasounds, and mammograms. Thus, while attacking a hospital may have forced the actor to suspend operations\r\nfor several months, SunCrypt has returned and continues to target healthcare providers. This is despite the actor’s\r\nprotest that “we don’t do hospitals.”\r\nComparing the Actors\r\nDespite the code similarities between the two ransomware families, the actors behind them exhibited very different\r\nbehaviors. The eCh0raix actor mentioned their ransomware in passing, but it was hardly their only focus. They\r\nlaunched other initiatives, shared advice, and participated in unrelated conversations in the forum.\r\nMeanwhile, the SunCrypt actor was solely focused on a single purpose: advertising the ransomware in order to\r\nrecruit affiliates. During their five weeks of activity, they were active in one thread only. SunCrypt operated a DLS,\r\nindicating a more sophisticated operation, while eCh0raix did not.\r\nConsidering these behavioral differences, it is our assessment that the eCh0raix and SunCrypt accounts are\r\noperated by different individuals/groups. Perhaps the eCh0raix actor, overwhelmed by their many initiatives,\r\ndecided that they did not have the resources to operate it and sold it to an affiliate. Maybe they were approached\r\nby a stranger asking to procure the source code. 
While we may never know the full story, it appears that the\r\neCh0raix ransomware was transferred to and upgraded by the SunCrypt operators.\r\nConclusion\r\nWith technical analysis, it is possible to link the currently active version of SunCrypt back to QNAPCrypt, a\r\nransomware that was used to target NAS devices back in the summer of 2019. While the technical evidence\r\nstrongly links QNAPCrypt and the earlier version of SunCrypt, it is clear that the two ransomware\r\nare operated by different individuals. Based on the available data, it is not possible to connect the activity of\r\nthe two actors on the forum. This suggests that when new malware services derived from older services appear,\r\nthey may not always be operated by the same people.\r\nWith this in mind, security officials should note that just because one malware family is an iteration of another, it\r\ndoes not mean that the new family will be deployed in exactly the same way. If a malware is exchanged, whether\r\nto an affiliate or over the dark web, then the new operators may choose different procedures, attack vectors, and\r\ntargets. They might invest considerably in the new malware, adding features and evasion techniques. Defenders\r\nmust remain vigilant.\r\nTrack SunCrypt, QNAPCrypt and other ransomware families in Intezer Analyze to get the latest samples detected\r\nby code reuse.\r\nSource: https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt"
	],
	"report_names": [
		"when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e2702a79eefa704979193c7defe8dd0d7f8045a.pdf",
		"text": "https://archive.orkl.eu/1e2702a79eefa704979193c7defe8dd0d7f8045a.txt",
		"img": "https://archive.orkl.eu/1e2702a79eefa704979193c7defe8dd0d7f8045a.jpg"
	}
}