{
	"id": "df5be009-af3c-43f9-9b9e-8f02df93588c",
	"created_at": "2026-04-06T00:09:47.7156Z",
	"updated_at": "2026-04-10T13:11:27.981639Z",
	"deleted_at": null,
	"sha1_hash": "469a25966585ad967c10b1792f83fc4a8f22e925",
	"title": "Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2383782,
	"plain_text": "Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction\r\nBy S2W\r\nPublished: 2021-09-09 · Archived: 2026-04-05 17:37:29 UTC\r\nHotsauce | S2W TALON\r\nExecutive Summary\r\nIn May 2021, company D in the United States was infected by the Suncrypt ransomware. After a long negotiation of about 3 weeks, the victim paid the ransom in Bitcoin; Suncrypt then deleted the leaked data, provided a security report, and the negotiations were finished.\r\nTracking the Bitcoin paid by the victim shows that it was sent to the Binance, OKEX and Huobi exchanges, and mixing through ChipMixer was confirmed.\r\nDetailed analysis\r\n1. About Suncrypt ransomware\r\nSuncrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate program on the dark web and first appeared in October 2019.\r\nSuncrypt says “The Suncrypt group is a huge fan of a Win-Win style of negotiations and the minimal damage policy” and provides a security report when the negotiation is complete, emphasizing that they are a reliable “business” rather than a ransomware “hack”.\r\n2. Analysis of Suncrypt Ransomware Negotiation\r\nSuncrypt ransomware leaves an HTML ransom note on the infected PC with information on key points and how to access the 1:1 negotiation page.\r\nNegotiation with Suncrypt starts by accessing the 1:1 negotiation page guided by the ransom note.\r\nhttps://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc\r\nPage 1 of 8\r\nVictim company\r\nIn May 2021, an American company D was infected with the Suncrypt ransomware.\r\nOn the 1:1 negotiation page, Suncrypt said that after 72 hours the exfiltrated data would be posted on their news website and that the DDoS attack would be stopped only after progress was made in the negotiation.\r\nSuncrypt requested 1,200,000 USD as payment, presenting sample files and file listings as proof, and guaranteed to provide the following three items upon completion of the negotiation.\r\n1. The decryptor\r\n2. The erasure log\r\n3. The security report, in order to avoid this kind of situation in the future\r\nSuncrypt seems to have separate negotiator and technician roles, as a person who appears to be a technician/developer and calls himself Tech (purple chat) participates in the negotiation.\r\nDuring the negotiations, the victim company gave a link to a post on Marketo / Twitter and protested that their data was already being sold.\r\nSuncrypt said “During the negotiation period the data is secured and there were no single case of the leak. We would try to sell your data in case if we will fail negotiations with you. That just don’t make sense. We would not put the future negotiations at risk because of this incident.” and denied any involvement, saying it had nothing to do with them.\r\nMarketo is a marketplace for stolen data that first appeared in April 202.\r\nLeaked data is sold publicly through bidding auctions.\r\nLeaked data of victim companies uploaded to Marketo is offered for sale.\r\nSince the victim company has no files encrypted with any extension other than Suncrypt’s, it seems that Marketo only stole data without separate encryption, and it is possible that the data was leaked by both Suncrypt and Marketo.\r\nSuncrypt’s Tech said that they had started a DDoS attack against Marketo.\r\nAfter several rounds of price negotiation, the victim company paid 182,000 USD, also demanding deletion of the post on Marketo.\r\nSuncrypt closed the negotiation by providing the erasure log and security report after confirming the Bitcoin deposit.\r\nSecurity Report — the same contents are provided to other victim companies that were infected at around the same time.\r\nErasure Log — erasure logs to prove that Suncrypt has deleted all files stolen from the victim company.\r\nSuncrypt said that they were trying to bring down the fake post or obtain proof that the data is fake, but the leaked data posted on Marketo has not yet been deleted and is still on sale.\r\n3. Analysis of payment address\r\nTracking the bitcoins paid by the victim company\r\nPayment address : bc1qx6wa9x9gdnah9jfdt0ps8c6z8vwt2mz9mpwdcr\r\nAmount : 5.03350949 BTC\r\nTransaction date : 2021-06-02\r\nThe 5.03350949 BTC paid by the victim company was divided into several branches, each of which was mixed through ChipMixer and transferred to Binance, OKEX and Huobi wallets.\r\n3.1 Money Laundering with ChipMixer Mixing\r\nAfter passing through several addresses, approximately 4 BTC was laundered through ChipMixer Mixing.\r\nBitcoin Address\r\n1ME2WHjsa1TPjuWTUN2JRsAxJsCs62gSk7\r\n112oLSTUE4PvVD4K88ANpwnRsw8e19ea7q\r\n17pYQVxhPSGkiLwoJhaAM3DxG86VHtiBLn\r\n3.2 Transactions to Exchange wallet\r\nAfter passing through several addresses, approximately 1 BTC was withdrawn to the Binance, OKEX and Huobi exchanges.\r\nBitcoin Address\r\n1Bb9AX3yM8WsFhZHFsVjWW79o6KFMiA3gE\r\n3CBDnbKDhgaEHDzoBiJrGza2FC6vv3GLej\r\n37Z8s6MQsWsRQTX7gPcFaAdo2qFsQm7RGr\r\nConclusion\r\nFollowing the recent Suncrypt analysis case, the Suncrypt ransomware mainly uses ChipMixer for bitcoin laundering.\r\nJudging from the negotiation chat content, Suncrypt seems to be divided into Ransomware operator, Negotiation manager, Tech manager, etc.\r\nHomepage: https://www.s2wlab.com\r\nFacebook: https://www.facebook.com/S2W\r\nTwitter: https://twitter.com/s2w\r\nSource: https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc"
	],
	"report_names": [
		"case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/469a25966585ad967c10b1792f83fc4a8f22e925.pdf",
		"text": "https://archive.orkl.eu/469a25966585ad967c10b1792f83fc4a8f22e925.txt",
		"img": "https://archive.orkl.eu/469a25966585ad967c10b1792f83fc4a8f22e925.jpg"
	}
}