Sugar Ransomware, a new RaaS By Jason Reaves Published: 2022-02-01 · Archived: 2026-04-05 20:44:56 UTC 8 min read Feb 1, 2022 By: Joshua Platt, Jonathan Mccay and Jason Reaves Press enter or click to view image in full size An actor recently has been starting up a RaaS solution that appears to primarily focus on individual computers instead of entire enterprises but is also reusing objects from other ransomware families. Not a lot has been discussed about this ransomware but we did find a tweet mentioning one of the samples[3] during our research. Crypter We will go over the crypter being used because it has code reuse from the ransomware itself which makes it significantly more interesting than your typical crypter. The crypter has what initially looks like RC4 encryption leading to APLib decompression but as we dug in it turns out to be a modified version of RC4. https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 1 of 15 The encoded data can be seen with the key prepended to the data: As we mentioned above the encryption algorithm first looks like RC4, it sets up the SBOX: Press enter or click to view image in full size SBOX initialization https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 2 of 15 However starting with the KSA block is where things change: Custom KSA The algorithm cycles through the SBOX during KSA from back to front, it also leverages a simple bitwise OR loop to build a value which is used to bitwise AND against the working value from the key, if the value is greater than or equal to the current SBOX iteration then it will continue to the next value in the key. Afterwards it begins a custom version of PRGA that involves some extra shuffling based on four values from the post KSA SBOX. After custom KSA https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 3 of 15 Custom PRGA Unpacking code: import yara from pefile import PE from struct import unpack from aplib import Decompress from io import BytesIO from sys import argvdef main(): filepath = argv[1] readbin = open(filepath, 'rb').read() rule = yara.compile( source='rule sugar_RaaS_crypter { strings: ' '$57B = { C7 [1] 08 04 00 00 05 00 00 00 A1 [4] C7 [1] 0C 04 00 00 07 00 00 00 A1 [4] C7 [1] '$EP = { C2 04 00 6A 00 E8 [4] 33 [1] C2 04 } ' '$AP = { E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F } ' 'condition: filesize < 200KB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550 and $ https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 4 of 15 ) yara_match = rule.match(data=readbin) if yara_match != {}: try: pe = PE(filepath) except: print('not valid PE') exit() dsect = [ pe.sections[i].get_data() for i in range(len(pe.sections)) if pe.sections[i].Name.rsplit ][0] klen = unpack('I', dsect[:4])[0] key = dsect[4:4+klen] elen = unpack('I', dsect[4+klen:8+klen])[0] ebin = dsect[klen+8:klen+8+elen] apbin = custom_decryption(key, ebin) decrypted_bin = Decompress(BytesIO(apbin)).do() fspl = filepath.split('/')[-1] fn = fspl.split('.')[0] + '_unpacked.' + fspl.split('.')[1] if '.' in fspl else fspl + '_unpa fp = '/'.join(filepath.split('/')[:-1]) + '/' + fn out = open(fp, 'wb') out.write(decrypted_bin) def custom_decryption(key, data): sbox = [i for i in range(256)] kb = [key[i % len(key)] for i in range(256)] c = 255 j = 0 t = 0 o = b'' while c > 0: v = 1 while v < c: v = (v|1) + v d = (t + kb[j % 256]) % 256 b = (d & v) % 256 j += 1 if b > c: t = d continue sbox[c], sbox[b] = sbox[b], sbox[c] t = d c -= 1 https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 5 of 15 eb = sbox + [sbox[1]] + [sbox[3]] + [sbox[5]] + [sbox[7]] + [sbox[t]] for i in range(len(data eb[257] = (eb[257] + eb[eb[256]]) % 256 eb[256] = (eb[256] + 1) % 256 b1 = eb[eb[260]] eb[eb[260]] = eb[eb[257]] eb[eb[257]] = eb[eb[259]] eb[eb[259]] = eb[eb[256]] eb[eb[256]] = b1 eb[258] = (eb[b1] + eb[258]) % 256 b1 = (((eb[eb[258]] + eb[eb[259]]) % 256) + eb[eb[260]]) % 256 eb[260] = data[i] v = (eb[eb[256]] + eb[eb[257]]) % 256 x1 = eb[v] ^ eb[eb[b1]] x2 = x1 ^ data[i] eb[259] = x2 o += bytes([x2]) return o main() Ransomware Sample The malware is written in Delphi but the interesting part from a RE perspective was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates. https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 6 of 15 After the SBOX is initialized same as we previously discussed in the crypter we can see the same customized process for RC4 KSA and PRGA performed as was shown in the crypter section. https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 7 of 15 Custom KSA Because of the way Delphi lays out their strings decoding them is a pretty straight forward process using the same sort of code as the crypter, we just need to find each string and key pair. if __name__ == "__main__": data = open(sys.argv[1], 'rb').read() curr = 0 t = data.find(b'\xff\xff\xff\xff') done = False while not done and t: curr += t (a,b) = struct.unpack_from(' 1000: continue key = data[curr+8:curr+8+b] next = data[curr+8+b:].find(b'\xff\xff\xff\xff') curr += 8+b+next (a2,b2) = struct.unpack_from(' 1000: continue https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 8 of 15 blob = data[curr+8:curr+8+b2] curr += 8+b2 try: print(decode_data(key,data)) except: pass t = data[curr:].find(b'\xff\xff\xff\xff') if t == -1: done = True Convert above to python3 Get Jason Reaves’s stories in your inbox Join Medium for free to get updates from this writer. Remember me for faster sign in Decoded strings: browser Software\Microsoft\Windows\CurrentVersion\Run notepad.exe desktop --c=show --net=0 [+] Process started. software\ .txt single network -data= \cmd.txt c:\ Your ID: Your support onion(TOR) url: [+] Preconfig done: Work type - [+] Network communication started - 1. [+] Network communication started - 2. [+] Main encryption started. Ransom Note Comparison The ransomware note has some striking similarities to Revil[1] but also some differences and misspellings: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 9 of 15 ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has e By the way, everything is possible to recover (restore), but you need to follow our instructions. Oth [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If To check the ability of returning files, You should go to our website. There you can decrypt one file If you will not cooperate with our service - for us, its does not matter. But you will lose your time [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: b) Open our website: 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists !!! !!! !!! This new RaaS ransom note from sample(4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058): [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has e By the way, everything is possible to recover (restore), but you need to follow our instructions. Oth return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 file https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 10 of 15 our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website. Full link will be provided below. ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or an its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists for restoring, but please should not interfere. !!! !!! !!! ----------------------------------------------------------------------------------------- Another similarity we can find but to a different ransomware family is to Cl0p, below is the Cl0p decryptor page[2]. Comparing it to this new RaaS shows a striking similarity: Press enter or click to view image in full size https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 11 of 15 The file encryption piece for samples we analyzed appear to be using SCOP encryption algorithm. From the ransomware sample: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 12 of 15 SCOP from GPLib[4]: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 13 of 15 IOCs bottomcdnfiles.com cdnmegafiles.com 179.43.160.195 chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion 82.146.53.237 sugarpanel.space15a7fb45f703d5315320eef132f3151873055161 5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145 320eefd378256d6e495cbd2e59b7f205d5101e7f 18cb9b218bd23e936128a37a90f2661f72c820581e4f4303326705b2103714a9 e835de2930bf2708a3a57a99fe775c48f851fa8f 1318aeaea4f2f4299c21699279ca4ea5c8fa7fc38354dd2b80d539f21836df5a 98137dd04e4f350ee6d2f5da613f365b223a4f49 aa41e33d3f184cedaaaabb5e16c251e90a6c4ff721a599642dc5563a57550822 a4854ce87081095ab1f1b26ff16817e446d786af 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058 https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 14 of 15 c31a0e58ae70f571bf8140db8a1ab20a7f566ab5 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9 References 1:https://raw.githubusercontent.com/cado-security/DFIR_Resources_REvil_Kaseya/main/Config/Ransomware_Note.txt 2:https://malwarewarrior.com/how-to-remove-cl0p-ransomware-and-decrypt-cl0p-files/ 3:https://twitter.com/avman1995/status/1459915441766211601 4:https://torry.net/pages.php?id=519 Source: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb Page 15 of 15