{
	"id": "d1527a15-2fea-44f4-aba9-ce49458857bd",
	"created_at": "2026-04-06T00:15:12.389629Z",
	"updated_at": "2026-04-10T03:20:59.092102Z",
	"deleted_at": null,
	"sha1_hash": "8be1378618299cc71b3a41ccf7d7e75201bca333",
	"title": "SunCrypt adopts attacking techniques from NetWalker and Maze ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73361,
	"plain_text": "SunCrypt adopts attacking techniques from NetWalker and Maze ransomware\r\nArchived: 2026-04-05 18:17:36 UTC\r\nSummary\r\nDiscovered in October 2019\r\nClaims to be a member of the Maze ransomware cartel and uses some of the Maze techniques\r\nSimilar to NetWalker, SunCrypt starts with an obfuscated PowerShell loader\r\nUses a custom FNV hash function to hide strings in the code and configuration. The original values of\r\nthe parameters can only be brute-forced.\r\nUses ChaCha20 as the cryptographic algorithm to encrypt the user's files.\r\nThis ransomware family was first spotted in October 2019, but it was not very active at that time. The group\r\nbehind it was independent in the beginning, but they recently joined the so-called Maze cartel – combining forces\r\nto rob individuals and companies around the world. This cartel included Maze and LockBit when it first started,\r\nbut later welcomed Ragnar Locker and now SunCrypt.\r\nPowerShell Loader\r\nSunCrypt starts by launching an obfuscated PowerShell script containing about 130,000 rows. It uses the ‘Add-Type’ cmdlet to define a Microsoft .NET Core class in order to call the VirtualAlloc() and EnumDesktopsW() functions.\r\nSunCrypt analysis 01\r\nThe PowerShell code is heavily obfuscated with junk if-else statements, functions, and variable assignments to\r\ncomplicate the code analysis.\r\nSunCrypt analysis 03\r\nSunCrypt analysis 02\r\nAfter removing the junk code, the script shrinks to a few lines. 
The deobfuscated code is as follows:\r\nSunCrypt analysis 04\r\nSunCrypt starts the script with the execution policy (‘-ep’) set to ‘bypass’ mode — nothing is blocked and\r\nthere are no warnings or prompts.\r\nThen the loader calls the EnumDesktopsW() function to execute the ransomware payload by abusing its\r\ncallback mechanism.\r\nEnumDesktopsW() takes three parameters:\r\nhttps://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware\r\nPage 1 of 6\n\nhwinsta - A handle to the window station whose desktops are to be enumerated; here it is zero,\r\nwhich means the current desktop is used.\r\nlpEnumFunc - A pointer to an application-defined EnumDesktopProc callback function.\r\nlParam - An application-defined value to be passed to the callback function.\r\nThe EnumDesktops function repeatedly invokes the lpEnumFunc callback function until the last desktop is\r\nenumerated or the callback function returns FALSE.\r\nIn other words, the EnumDesktopsW() function calls the shellcode at the address provided in the lpEnumFunc\r\nparameter. This shellcode then loads the SunCrypt PE file (SHA256:\r\nE3DEA10844AEBC7D60AE330F2730B7ED9D18B5EEC02EF9FD4A394660E82E2219), whose address\r\nis passed via the lParam parameter.\r\nSunCrypt analysis 05\r\nOperation modes\r\nThe ransomware checks for command-line arguments that enable specific operation modes. There\r\nare five modes, which are almost the same as those Maze ransomware uses:\r\n-log — enables console output to log the ransomware's activity\r\n-noshares — disables encryption of network shares\r\n-path — specifies a directory to be encrypted\r\n-noreport — does not transfer user data to the server\r\n-nomutex — allows running multiple copies of the ransomware.\r\nTo hide the strings in the code, SunCrypt uses a custom FNV hash function. 
For example, the following hashes\r\nare used for the command-line arguments mentioned above:\r\n‘-log’ is ‘1000C912h’\r\n‘-noshares’ is ‘3A1B96F1h’\r\n‘-path’ is ‘0B71AC6EDh’\r\n‘-noreport’ is ‘D6A47853h’\r\n‘-nomutex’ is ‘1ACB53D2h’\r\nFNV hash function\r\nFNV (Fowler–Noll–Vo) is a non-cryptographic hash function created by Glenn Fowler, Landon Curt Noll, and\r\nKiem-Phong Vo. It is pretty simple and has two primary operations: XOR and multiplication. The pseudocode is\r\nas follows:\r\nalgorithm fnv-1 is\r\n    hash := FNV_offset_basis\r\n    for each byte_of_data to be hashed do\r\n        hash := hash × FNV_prime\r\n        hash := hash XOR byte_of_data\r\n    return hash\r\nGoing back to SunCrypt, its custom FNV implementation is close to FNV32a, but it processes the\r\nstrings in reverse order, starting with the ‘0x00’ byte. As a result, no online hash databases can be used to reverse\r\nit.\r\nSunCrypt analysis 06\r\nEncryption\r\nStatic analysis of the ransomware is quite complicated and does not give much information, as the strings\r\nand API functions are encrypted and decrypted at runtime. The algorithms used for string encryption are\r\nnot complicated, but they vary for each string.\r\nSunCrypt analysis 07\r\nBefore we go to file encryption, it is necessary to highlight some of the ransomware’s tricks.\r\nThe first one is a hashed list of blacklisted extensions. After taking a file extension, the hashing function\r\nis applied and the hash of the extension is compared with an array of hashed extensions. If it matches,\r\nthe file is encrypted. 
If not, the current value in the array is compared with the string “13:19:00” to\r\ndetect the end of the array.\r\nIt is impossible to see the actual extensions during the ransomware analysis, but they can be brute-forced by\r\ncalculating the hashes for all possible extensions and comparing them with the hashes in the list.\r\nSome of the file extensions that SunCrypt looks for to encrypt files are as follows:\r\n.x3f .wpd .srw .srf .sr2 .sdf .rwl .raf .qbx .qbw .qba .py .pdd .p7c .p7b .oth .orf .odm .nrw .mef .kdc .kdbx .jpe\r\n.ibank .erf .eml .dxg .dng .der .crw .bpw .bay .backup .accdt .3fr .stm .pdb .log\r\n.dat .bin .xlk .qbb .ptx .pfx .pef .odc .nsf .indd .fdb .dcr .cr2 .cdf .bkp .act .xlam .xla .wps .rw2 .r3d .ps .eps .dot .cdr\r\n.arw .ai .idx .html .dxf .dwg .csv .css .config .cfg .cer .aspx .accdb\r\n.7zip .xls .rtf .prf .ppt .doc .dbx .m4a .m3u .wma .flv .mp4 .mov .avi .wmv .wav .mp3 .vdi .vmdk .vmx .wallet .upk\r\n.sav .re4 .ltx .litemod .lbf .iwi .forge .das .d3dbsp .bsa .bik .asset .apk .gpg .aes .tar.bz2\r\n.bak .tar .tgz .7z .rar .zip .svg .png .gif .raw .jpeg .jpg .psd .bat .sh .java .rb .asp .cs .pl .js .cpp .php .ldf .mdf .odb\r\n.dbf .db .mdb .sql .asmx .config .3ds .3fr .7z .accdb .accdt .act\r\n.ai .arw .asp .aspx .avi .backup .bak .max .mdb .mdf .mef .mov .mp3 .mp4 .nrw .nsf .txt .wallet .wav .wb2 .wmv\r\n.wpd .wps .x3f .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .zip\r\n.sr2 .srf .srw .svg .sxc .tib .py .qba .qbb .qbw .qbx .r3d .raf .rar .raw .rtf .rw2 .rwl .sdf .sldm .sldx .sql .pdd .pdf .pef\r\n.pem .pfx .php .php5 .phtml .pl .png .pot .potm .potx .ppam .pps .ppsm\r\n.ppsx .ppt .pptm .pptx .prf .ps .psd .pst .ptx .odb .odc .odm .odp .ods .odt .orf .oth .p12 .p7b .p7c .pdb .h .htm .html\r\n.ibank .idx .indd .java .jpe .jpeg .jpg .jsp .kdbx .kdc .key .doc .docm .docx\r\n.dot .dotm .dotx 
.dwg .dxf .dxg .eml .eps .erf .fdb .flv .cpp .cr2 .crt .crw .cs .csv .bay .bik .bkf .bkp .bpw .c .cdf .cdr\r\n.cer .der .dng .db .dcr .dbf .dbx .sln .mdb\r\nSunCrypt analysis 09\r\nSunCrypt analysis 08\r\nThe encryption scheme has three layers that use file, session, and master keys:\r\n1. Files are encrypted with the ChaCha symmetric cipher.\r\n2. File keys and IVs are encrypted with the session RSA public key and appended to the encrypted files.\r\n3. The session RSA private key is encrypted with the master RSA public key. The encrypted session\r\nRSA private key is then stored in the ransom note.\r\nSunCrypt generates 32 random bytes using SystemFunction036(), which is RtlGenRandom() from\r\nadvapi32.dll; these bytes are used to generate a random file extension and to create the ChaCha20 file key.\r\nSunCrypt analysis 10\r\nIf the file size is less than 512 bytes, the file is skipped during the encryption process.\r\nSunCrypt analysis 11\r\nThe file encryption code:\r\nSunCrypt analysis 12\r\nC\u0026C Server\r\nThe user’s data is sent to one of the following IP addresses, which belong to the Maze ransomware cartel’s subnet\r\n(91.218.114.0) located in Moscow, Russia:\r\n91.218.114.30\r\n91.218.114.31\r\nChecking the IP information of the first one, which is actively used now, it belongs to Russia and was created on\r\nJune 25, 2019.\r\nSunCrypt analysis 13\r\nDecryption service\r\nThe ransom note is titled ‘YOUR_FILES_ARE_ENCRYPTED.HTML’ and is available in five languages:\r\nEnglish, German, French, Spanish, and Japanese. 
It contains a secret user message which identifies an infected\r\nsystem, the link to the Tor website where the companies’ data is published (nbzzb6sa6xuura2z.onion),\r\nand the chat with the SunCrypt operators (http://ebwexiymbsib4rmw.onion/chat.html?6a1dcf2506-24d447c336-\r\n052b4f4dd4-a66e12e526-918eb97c22-28ca2d80dd-df62bf2289-ba05daa71c).\r\nSunCrypt analysis 14\r\nThe ‘News’ tab is used to publicly publish the private data of companies infected by SunCrypt that refused to\r\npay a ransom for a decryptor.\r\nSunCrypt analysis 15\r\nThe public chat connects to SunCrypt operators who work from 10 AM to 6 PM CST. They even provided a\r\ndiscount during the COVID pandemic.\r\nSunCrypt analysis 16\r\nSunCrypt analysis 17\r\nGoing through the chat, there are a few disclosed BTC wallets to which the money is asked to be transferred. At\r\nthe time of writing, none of these wallets had received any transactions:\r\n1HAJPBNuqJYX6WNnaZr44UHetA1boUvGG5\r\n1AyUcys5UehMz6wFAG7ZpQ2xUsu6DGW9Ta\r\n1CDrZGKAUkZGgiEtBn8hPZ1G7Dox9xubpg\r\nDetection by Acronis\r\nAcronis Cyber Protection Solutions – such as Acronis Cyber Protect or Acronis True Image 2021 – that have our\r\nintegrated advanced antimalware and Acronis Active Protection technologies enabled successfully block SunCrypt\r\nand restore the encrypted files.\r\nAcronis antimalware stops SunCrypt Ransomware 1\r\nAcronis antimalware stops SunCrypt Ransomware 2\r\nIoCs\r\nYOUR_FILES_ARE_ENCRYPTED.HTML\r\nebwexiymbsib4rmw.onion\r\nnbzzb6sa6xuura2z.onion\r\nhttp://91.218.114.31\r\nhttp://91.218.114.30\r\nDLL payload SHA256:\r\nE3DEA10844AEBC7D60AE330F2730B7ED9D18B5EEC02EF9FD4A394660E82E2219\r\nPowerShell loader MD5: d87fcd8d2bf450b0056a151e9a116f72 SHA1:\r\n48cb6bdbe092e5a90c778114b2dda43ce3221c9f SHA256:\r\n3090BFF3D16B0B150444C3BFB196229BA0AB0B6B826FA306803DE0192BEDDB80\r\nSource: https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware"
	],
	"report_names": [
		"suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8be1378618299cc71b3a41ccf7d7e75201bca333.pdf",
		"text": "https://archive.orkl.eu/8be1378618299cc71b3a41ccf7d7e75201bca333.txt",
		"img": "https://archive.orkl.eu/8be1378618299cc71b3a41ccf7d7e75201bca333.jpg"
	}
}