{
	"id": "2e4a938c-8296-4bf1-be0d-28d43a70b86f",
	"created_at": "2026-04-06T00:10:13.597185Z",
	"updated_at": "2026-04-10T13:12:54.19169Z",
	"deleted_at": null,
	"sha1_hash": "8ce5cf3ec95ad5866f21fb8324a37022c4c74019",
	"title": "Sugar Ransomware, a new RaaS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1802187,
	"plain_text": "Sugar Ransomware, a new RaaS\r\nBy Jason Reaves\r\nPublished: 2022-02-01 · Archived: 2026-04-05 20:44:56 UTC\r\n8 min read\r\nFeb 1, 2022\r\nBy: Joshua Platt, Jonathan Mccay and Jason Reaves\r\nPress enter or click to view image in full size\r\nAn actor recently has been starting up a RaaS solution that appears to primarily focus on individual computers\r\ninstead of entire enterprises but is also reusing objects from other ransomware families. Not a lot has been\r\ndiscussed about this ransomware but we did find a tweet mentioning one of the samples[3] during our research.\r\nCrypter\r\nWe will go over the crypter being used because it has code reuse from the ransomware itself which makes it\r\nsignificantly more interesting than your typical crypter. The crypter has what initially looks like RC4 encryption\r\nleading to APLib decompression but as we dug in it turns out to be a modified version of RC4.\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 1 of 15\n\nThe encoded data can be seen with the key prepended to the data:\r\nAs we mentioned above the encryption algorithm first looks like RC4, it sets up the SBOX:\r\nPress enter or click to view image in full size\r\nSBOX initialization\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 2 of 15\n\nHowever starting with the KSA block is where things change:\r\nCustom KSA\r\nThe algorithm cycles through the SBOX during KSA from back to front, it also leverages a simple bitwise OR\r\nloop to build a value which is used to bitwise AND against the working value from the key, if the value is greater\r\nthan or equal to the current SBOX iteration then it will continue to the next value in the key. Afterwards it begins a\r\ncustom version of PRGA that involves some extra shuffling based on four values from the post KSA SBOX.\r\nAfter custom KSA\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 3 of 15\n\nCustom PRGA\r\nUnpacking code:\r\nimport yara\r\nfrom pefile import PE\r\nfrom struct import unpack\r\nfrom aplib import Decompress\r\nfrom io import BytesIO\r\nfrom sys import argvdef main():\r\n filepath = argv[1]\r\n readbin = open(filepath, 'rb').read()\r\n rule = yara.compile(\r\n source='rule sugar_RaaS_crypter { strings: '\r\n '$57B = { C7 [1] 08 04 00 00 05 00 00 00 A1 [4] C7 [1] 0C 04 00 00 07 00 00 00 A1 [4] C7 [1]\r\n '$EP = { C2 04 00 6A 00 E8 [4] 33 [1] C2 04 } '\r\n '$AP = { E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F } '\r\n 'condition: filesize \u003c 200KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550 and $\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 4 of 15\n\n)\r\n yara_match = rule.match(data=readbin)\r\nif yara_match != {}:\r\n try:\r\n pe = PE(filepath)\r\n except:\r\n print('not valid PE')\r\n exit() dsect = [\r\n pe.sections[i].get_data() for i in range(len(pe.sections)) if pe.sections[i].Name.rsplit\r\n ][0]\r\n klen = unpack('I', dsect[:4])[0]\r\n key = dsect[4:4+klen]\r\n elen = unpack('I', dsect[4+klen:8+klen])[0]\r\n ebin = dsect[klen+8:klen+8+elen]\r\n apbin = custom_decryption(key, ebin)\r\n decrypted_bin = Decompress(BytesIO(apbin)).do()\r\n fspl = filepath.split('/')[-1]\r\n fn = fspl.split('.')[0] + '_unpacked.' + fspl.split('.')[1] if '.' in fspl else fspl + '_unpa\r\n fp = '/'.join(filepath.split('/')[:-1]) + '/' + fn\r\n out = open(fp, 'wb')\r\n out.write(decrypted_bin)\r\ndef custom_decryption(key, data):\r\n sbox = [i for i in range(256)]\r\n kb = [key[i % len(key)] for i in range(256)] c = 255\r\n j = 0\r\n t = 0\r\n o = b''\r\n while c \u003e 0:\r\n v = 1\r\n while v \u003c c:\r\n v = (v|1) + v\r\n d = (t + kb[j % 256]) % 256\r\n b = (d \u0026 v) % 256\r\n j += 1\r\n if b \u003e c:\r\n t = d\r\n continue\r\n sbox[c], sbox[b] = sbox[b], sbox[c]\r\n t = d\r\n c -= 1\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 5 of 15\n\neb = sbox + [sbox[1]] + [sbox[3]] + [sbox[5]] + [sbox[7]] + [sbox[t]] for i in range(len(data\r\n eb[257] = (eb[257] + eb[eb[256]]) % 256\r\n eb[256] = (eb[256] + 1) % 256\r\n b1 = eb[eb[260]]\r\n eb[eb[260]] = eb[eb[257]]\r\n eb[eb[257]] = eb[eb[259]]\r\n eb[eb[259]] = eb[eb[256]]\r\n eb[eb[256]] = b1\r\n eb[258] = (eb[b1] + eb[258]) % 256\r\n b1 = (((eb[eb[258]] + eb[eb[259]]) % 256) + eb[eb[260]]) % 256\r\n eb[260] = data[i]\r\n v = (eb[eb[256]] + eb[eb[257]]) % 256\r\n x1 = eb[v] ^ eb[eb[b1]]\r\n x2 = x1 ^ data[i]\r\n eb[259] = x2\r\n o += bytes([x2])\r\n return o\r\nmain()\r\nRansomware Sample\r\nThe malware is written in Delphi but the interesting part from a RE perspective was the reuse of the same routine\r\nfrom the crypter as part of the string decoding in the malware, this would lead us to believe that they have the\r\nsame dev and the crypter is probably part of the build process or some service the main actor offers to their\r\naffiliates.\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 6 of 15\n\nAfter the SBOX is initialized same as we previously discussed in the crypter we can see the same customized\r\nprocess for RC4 KSA and PRGA performed as was shown in the crypter section.\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 7 of 15\n\nCustom KSA\r\nBecause of the way Delphi lays out their strings decoding them is a pretty straight forward process using the same\r\nsort of code as the crypter, we just need to find each string and key pair.\r\nif __name__ == \"__main__\":\r\n data = open(sys.argv[1], 'rb').read()\r\n curr = 0\r\n t = data.find(b'\\xff\\xff\\xff\\xff')\r\n done = False\r\n while not done and t:\r\n curr += t\r\n (a,b) = struct.unpack_from('\u003cII', data[curr:])\r\n if b \u003e 1000:\r\n continue\r\n key = data[curr+8:curr+8+b]\r\n next = data[curr+8+b:].find(b'\\xff\\xff\\xff\\xff')\r\n curr += 8+b+next\r\n (a2,b2) = struct.unpack_from('\u003cII', data[curr:])\r\n if b2 \u003e 1000:\r\n continue\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 8 of 15\n\nblob = data[curr+8:curr+8+b2]\r\n curr += 8+b2\r\n try:\r\n print(decode_data(key,data))\r\n except:\r\n pass\r\n t = data[curr:].find(b'\\xff\\xff\\xff\\xff')\r\n if t == -1:\r\n done = True\r\nConvert above to python3\r\nGet Jason Reaves’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nDecoded strings:\r\nbrowser\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nnotepad.exe\r\ndesktop\r\n--c=show\r\n--net=0\r\n[+] Process started.\r\nsoftware\\\r\n.txt\r\nsingle\r\nnetwork\r\n-data=\r\n\\cmd.txt\r\nc:\\\r\nYour ID:\r\nYour support onion(TOR) url:\r\n[+] Preconfig done:\r\n Work type -\r\n[+] Network communication started - 1.\r\n[+] Network communication started - 2.\r\n[+] Main encryption started.\r\nRansom Note Comparison\r\nThe ransomware note has some striking similarities to Revil[1] but also some differences and misspellings:\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 9 of 15\n\n---=== Welcome. Again. ===---\r\n[-] Whats HapPen? [-]\r\nYour files are encrypted, and currently unavailable. You can check it: all files on your system has e\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Oth\r\n[+] What guarantees? [+]\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If\r\nTo check the ability of returning files, You should go to our website. There you can decrypt one file\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time\r\n[+] How to get access on website? [+]\r\nYou have two ways:\r\n1) [Recommended] Using a TOR browser!\r\n a) Download and install TOR browser from this site:\r\n b) Open our website:\r\n2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:\r\n a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)\r\n b) Open our secondary website:\r\nWarning: secondary website can be blocked, thats why first variant much better and more available.\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n-----------------------------------------------------------------------------------------\r\n!!! DANGER !!!\r\nDON'T try to change files by yourself, DON'T use any third party software for restoring your data or\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists\r\n!!! !!! !!!\r\nThis new RaaS ransom note from\r\nsample(4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058):\r\n[+] Whats Happen? [+]\r\nYour files are encrypted, and currently unavailable. You can check it: all files on your system has e\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Oth\r\nreturn your data (NEVER).\r\n[+] What guarantees? [+]\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If\r\nwork and liabilities - nobody will not cooperate with us. Its not in our interests.\r\nTo check the ability of returning files, You should go to our website. There you can decrypt 1-5 file\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 10 of 15\n\nour guarantee.\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time\r\njust we have the private key. In practise - time is much more valuable than money.\r\n[+] How to get access on website? [+]\r\nYou can open our site by the shortcut \u0026quot;SUPPORT (TOR_BROWSER)\u0026quot; created on the desktop.\r\nAlso as the second option you can install the tor browser:\r\n a) Download and install TOR browser from this site: https://torproject.org/\r\n b) Open our website. Full link will be provided below.\r\n-----------------------------------------------------------------------------------------\r\n!!! DANGER !!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or an\r\nits may entail damge of the private key and, as result, The Loss all data.\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists\r\nfor restoring, but please should not interfere.\r\n!!! !!! !!!\r\n-----------------------------------------------------------------------------------------\r\nAnother similarity we can find but to a different ransomware family is to Cl0p, below is the Cl0p decryptor\r\npage[2].\r\nComparing it to this new RaaS shows a striking similarity:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 11 of 15\n\nThe file encryption piece for samples we analyzed appear to be using SCOP encryption algorithm.\r\nFrom the ransomware sample:\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 12 of 15\n\nSCOP from GPLib[4]:\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 13 of 15\n\nIOCs\r\nbottomcdnfiles.com\r\ncdnmegafiles.com\r\n179.43.160.195\r\nchat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion\r\n82.146.53.237\r\nsugarpanel.space15a7fb45f703d5315320eef132f3151873055161\r\n5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145\r\n320eefd378256d6e495cbd2e59b7f205d5101e7f\r\n18cb9b218bd23e936128a37a90f2661f72c820581e4f4303326705b2103714a9\r\ne835de2930bf2708a3a57a99fe775c48f851fa8f\r\n1318aeaea4f2f4299c21699279ca4ea5c8fa7fc38354dd2b80d539f21836df5a\r\n98137dd04e4f350ee6d2f5da613f365b223a4f49\r\naa41e33d3f184cedaaaabb5e16c251e90a6c4ff721a599642dc5563a57550822\r\na4854ce87081095ab1f1b26ff16817e446d786af\r\n4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 14 of 15\n\nc31a0e58ae70f571bf8140db8a1ab20a7f566ab5\r\n315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9\r\nReferences\r\n1:https://raw.githubusercontent.com/cado-security/DFIR_Resources_REvil_Kaseya/main/Config/Ransomware_Note.txt\r\n2:https://malwarewarrior.com/how-to-remove-cl0p-ransomware-and-decrypt-cl0p-files/\r\n3:https://twitter.com/avman1995/status/1459915441766211601\r\n4:https://torry.net/pages.php?id=519\r\nSource: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nhttps://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb"
	],
	"report_names": [
		"sugar-ransomware-a-new-raas-a5d94d58d9fb"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ce5cf3ec95ad5866f21fb8324a37022c4c74019.pdf",
		"text": "https://archive.orkl.eu/8ce5cf3ec95ad5866f21fb8324a37022c4c74019.txt",
		"img": "https://archive.orkl.eu/8ce5cf3ec95ad5866f21fb8324a37022c4c74019.jpg"
	}
}