{ "id": "c8328bfe-cbfb-43e2-8059-5c19254c3657", "created_at": "2026-04-06T00:11:47.415121Z", "updated_at": "2026-04-10T03:23:57.219668Z", "deleted_at": null, "sha1_hash": "33d671ffe13db298b34ae0bf46e9f142650e68e5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49751, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:12:26 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SunCrypt\n Tool: SunCrypt\nNames SunCrypt\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Intezer) SunCrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate\nprogram on the dark web. The history of this RaaS can be traced back to circa October\n2019. In October 2019, a new ransomware was found in-the-wild\n(5657abdb9d99cd5aec433099f8d6f53d). The new ransomware was written in Go and\ntargeted Windows machines. This version of SunCrypt was not reported in many attacks\nand it wasn’t until mid-2020 when a new version of the ransomware written in C/C++ was\ndiscovered, that attacks started to increase. It is an interesting shift of retooling from Go to\nC/C++ when other groups are instead retooling from C/C++ to Go.\nWhile the RaaS didn’t appear until October 2019, these ransomware share connections\nwith another ransomware, called QNAPCrypt (also known as eCh0raix), that was used to\ntarget Network Attached Storage (NAS) devices back in July 2019. Both families share\nidentical code logic for the file encryption, which we can conclude with high certainty has\nbeen compiled from the same source code.\nInformation\nMalpedia AlienVault OTX Last change to this tool card: 04 April 2022\nDownload this tool card in JSON format\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=878abf22-c447-4e44-8df7-1a63625de2e9\nPage 1 of 2\n\nAll groups using tool SunCrypt\r\nChanged Name Country Observed\r\nAPT groups\r\n  SunCrypt Gang [Unknown] 2019-Oct 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=878abf22-c447-4e44-8df7-1a63625de2e9\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=878abf22-c447-4e44-8df7-1a63625de2e9\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=878abf22-c447-4e44-8df7-1a63625de2e9" ], "report_names": [ "listgroups.cgi?u=878abf22-c447-4e44-8df7-1a63625de2e9" ], "threat_actors": [ { "id": "1df26eff-cd77-48dc-9425-95a4ec34bebe", "created_at": "2022-10-25T16:07:24.24501Z", "updated_at": "2026-04-10T02:00:04.9102Z", "deleted_at": null, "main_name": "SunCrypt Gang", "aliases": [], "source_name": "ETDA:SunCrypt Gang", "tools": [ "SunCrypt", "WARPRISM" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434307, "ts_updated_at": 1775791437, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/33d671ffe13db298b34ae0bf46e9f142650e68e5.pdf", "text": "https://archive.orkl.eu/33d671ffe13db298b34ae0bf46e9f142650e68e5.txt", "img": "https://archive.orkl.eu/33d671ffe13db298b34ae0bf46e9f142650e68e5.jpg" } }