{
	"id": "cf2badc3-d030-430d-a983-094639ae8edd",
	"created_at": "2026-04-06T00:16:39.639116Z",
	"updated_at": "2026-04-10T13:11:23.018864Z",
	"deleted_at": null,
	"sha1_hash": "51fe79665a6722f292f94c5506c24fab163dcf1c",
	"title": "SunCrypt Ransomware sheds light on the Maze ransomware cartel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4728750,
	"plain_text": "SunCrypt Ransomware sheds light on the Maze ransomware cartel\r\nBy Lawrence Abrams\r\nPublished: 2020-08-26 · Archived: 2026-04-05 17:05:32 UTC\r\nA ransomware named SunCrypt has joined the 'Maze cartel,' and with their membership, we get insight into how these\r\ngroups are working together.\r\nIn June, we broke the story that the Maze threat actors created a cartel of ransomware operations to share information and\r\ntechniques to help each other extort their victims.\r\nWhen first started, this cartel included Maze and LockBit, but soon expanded to include Ragnar Locker.\r\nhttps://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/\r\nPage 1 of 8\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/\r\nPage 2 of 8\n\nVisit Advertiser websiteGO TO PAGE\r\nWhen Maze first formed this group, they refused to answer our questions on how members of their cartel benefited, and if\r\nthere was a monetary benefit to Maze.\r\nSunCrypt joins the Maze ransomware cartel\r\nIn an email sent to BleepingComputer, the operators of a ransomware named SunCrypt stated that they are a new member of\r\nthe Maze Ransomware cartel.\r\nBased on submissions statistics to ID-Ransomware, this ransomware family began operating in October 2019, but was not\r\nvery active. \r\nSunCrypt told BleepingComputer that they are an independently run ransomware operation from Maze, but as part of the\r\ncartel, they have \"two-way communication channels with them,\"\r\nWhen asked why they joined this 'cartel,' we were told that Maze could not handle the volume and needed outside help.\r\n\"They just can't handle all the available field of operations. 
Our main specialization is ransomware attacks,\" - SunCrypt\r\nransomware operators.\r\nAfter further questions, they eventually told us that they \"share revenue from the successful operation,\" but did not provide\r\nany details about what Maze provided to earn that revenue share.\r\nBased on their statement that they were brought in because Maze can't handle all of the potential attacks, Maze may provide\r\ncompromised network access to cartel members in exchange for a revenue share.\r\nFrom a ransomware sample seen by BleepingComputer, it looks like cartel members get more for their money.\r\nMaze shares its resources with cartel members\r\nYesterday, GrujaRS was finally able to find a sample of the SunCrypt ransomware so we can get a better glimpse into how\r\nthe ransomware works.\r\nThe SunCrypt Ransomware sample is installed via a heavily obfuscated PowerShell script, shown below.\r\nObfuscated PowerShell script\r\nWhen the ransomware is executed, it will connect to the URL http://91.218.114[.]31 and transmit information about the\r\nattack and its victim.\r\nThe use of this IP address provides another big clue as to what services the Maze threat actors provide their cartel members.\r\nFor months, Maze has been hosting a data leak site and launching attacks from known public IP addresses. Yet in all this\r\ntime, their services remain intact and have not been taken down by law enforcement.\r\nThe 91.218.114.31 address is one of the addresses that the Maze operation uses as part of its campaign. 
Even more similar,\r\nMaze infections also transmit information to this IP address during an attack.\r\nThis shared IP address means one of the two things; Maze is sharing their infrastructure or white-labeling their ransomware\r\ntechnology to other groups.\r\nThis sharing of resources would also explain why they would earn a revenue share for each ransom payment.\r\nUpdate 8/31/2020: The Maze threat actors have told BleepingComputer that they are not affiliated with the SunCrypt\r\nransomware operators.\r\n\"We do not have any connections with SunCrypt, it is a lie.\"\r\n\"We do not know why SunCrypt does it, but we believe it is a PR strategy, to send links to companies in chat that they are\r\nworking with us as a pressure,\" Maze told BleepingComputer.\r\nAdvanced Intel's Vitali Kremez has told BleepingComputer that in addition to connecting to http://91.218.114[.]31, the\r\nSunCrypt ransomware will also connect to http://91.218.114[.]30.\r\nBoth of these IP addresses are on the same address space.\r\nAs previously stated, 91.218.114[.]31 has been used by Maze in the past.\r\nSunCrypt is no longer responding to our queries with follow up questions.\r\nThe SunCrypt Ransomware\r\nThe SunCrypt ransomware itself is still being analyzed, but we can provide a basic overview of the ransomware.\r\nThe ransomware is currently being distributed as a DLL that, when executed, will encrypt a computer's files.\r\nWhen encrypting files, it will append a hexadecimal hash to the end of each file name. 
It is not known what this hash\r\nrepresents.\r\nSunCrypt encrypted files\r\nIn every folder a ransom note named YOUR_FILES_ARE_ENCRYPTED.HTML is created that contains information on\r\nwhat happened to a victim's files and a link to the Tor payment site.\r\nSunCrypt ransom note\r\nThe Tor link enclosed in a ransom note is hardcoded into the ransomware executable. This means that every victim\r\nencrypted by a particular SunCrypt executable will have the same Tor payment site link. \r\nThe Tor payment site does not have automated features and simply contains a chat screen where a victim can negotiate a\r\nransom with the SunCrypt threat actors. \r\nFurthermore, every ransom note contains a link to the SunCrypt data leak site that the threat actors warn will be used to\r\npublish the victim's data.\r\nSunCrypt data leak site\r\nAt this time, there are approximately five victims listed on the SunCrypt data leak site.\r\nOther ransomware operations that run data leak sites or have stolen unencrypted files to extort their victims include Ako,\r\nAvaddon, Clop, Conti, CryLock, DoppelPaymer, Maze, MountLocker, Nemty, Nephilim, Netwalker, Pysa/Mespinoza,\r\nRagnar Locker, REvil, Sekhmet, Snatch, and Snake.\r\nSunCrypt is currently being analyzed for weaknesses, and it is not known if it is possible to recover files for free.\r\nUpdate 8/31/20: The Maze operators deny having any affiliation with SunCrypt.\r\nSource: https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/"
	],
	"report_names": [
		"suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel"
	],
	"threat_actors": [],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51fe79665a6722f292f94c5506c24fab163dcf1c.pdf",
		"text": "https://archive.orkl.eu/51fe79665a6722f292f94c5506c24fab163dcf1c.txt",
		"img": "https://archive.orkl.eu/51fe79665a6722f292f94c5506c24fab163dcf1c.jpg"
	}
}