{
	"id": "ea788f52-ed02-4302-a121-dbe076f5cd59",
	"created_at": "2026-04-06T00:22:07.516828Z",
	"updated_at": "2026-04-10T03:23:57.221358Z",
	"deleted_at": null,
	"sha1_hash": "9ecf592465a6440f8b952fbd95e2bf6ee0e70814",
	"title": "The Curious Case of SunCrypt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 938486,
	"plain_text": "The Curious Case of SunCrypt\r\nBy Tomas Meskauskas\r\nPublished: 2020-09-18 · Archived: 2026-04-05 22:54:00 UTC\r\nToward the end of August, the gang behind the SunCrypt ransomware strain announced they had joined the Maze\r\ncartel of ransomware operators, which currently boasts Maze, LockBit and Ragnar Locker. After that\r\nannouncement, reports began emerging of the first high-profile victim of the gang. However, not all is as it seems\r\nwith the gang, and questions have been raised as to whether they are indeed the newest members of the Maze\r\ncartel.\r\nSunCrypt in the Spotlight\r\nSome reports suggest that the activity of the gang, initially discovered by GrujaRS, can be traced back to\r\nOctober 2019. Fortunately, GrujaRS was recently able to retrieve a sample, shining a light on how the ransomware\r\nitself infects and encrypts data. The malware itself is installed from a heavily obfuscated PowerShell script and,\r\nonce executed, it will connect to the URL http://91.218.114[.]31. Once the malware has successfully connected\r\nwith the IP address, it begins to send information regarding the victim’s machine as well as other data. When it\r\ncomes time to encrypt data, the encryption module will append a hexadecimal hash to the end of each file name;\r\nfor example, the file “1.jpg” will be renamed to\r\n“1.jpg.F3F2420C68439B451670486B17EF6D1B0188A7982E7A9DBD9327E7F967C15767” once it has been\r\nencrypted.\r\nScreenshot of SunCrypt ransomware encrypted files:\r\nhttps://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/\r\nPage 1 of 5\n\nOnce files are encrypted, a ransom note titled “YOUR_FILES_ARE_ENCRYPTED.HTML” will be dropped and\r\nis available in English, German, French, Spanish and Japanese. Given the wide array of languages, it would seem\r\nthat the gang is not content to target one specific geographical area but has Europe, much of the Americas and\r\nJapan in its sights for future campaigns. 
As has been seen in many other ransomware strains, the ransom note\r\ncontains a TOR link to a website controlled by the attackers. This site has been hardcoded into the note, meaning\r\nthat all victims will be redirected to a site that contains a chat service to negotiate the ransom amount.\r\nScreenshot of SunCrypt ransom demanding message:\r\nAgain, SunCrypt plays off the same playbook as other major ransomware families and threatens to leak\r\ninformation if the ransom is not paid in time. To this extent, a special leak website has also been set up to better\r\nfacilitate this and is similar in approach to the other ransomware families that do the same thing, including Ako,\r\nAvaddon, Clop, Conti, CryLock, DoppelPaymer, Maze, MountLocker, Nemty, Nephilim, Netwalker,\r\nPysa/Mespinoza, Ragnar Locker, REvil, Sekhmet, Snatch and Snake.\r\nDistribution\r\nCurrently, the ransomware is distributed via a dynamic link library, or DLL. This is not the first nor the last\r\nransomware family to use this method of distribution. Famously, Locky and CryptoMix have been distributed this\r\nway. A DLL, simply put, is a code library that can be used by more than one program at the same time. It was\r\nintended to allow the creation of more modular code that can be reused, thus promoting better memory efficiency.\r\nHowever, similar to a lot of useful features found within an OS, hackers will look to adopt new tactics to abuse\r\nthese features. Ransomware strains will typically abuse the DLL loading mechanism to download and install the main\r\nransomware payload. The DLL is typically held within a downloader specifically designed to fetch, download and\r\ninstall the ransomware payload. Locky was seen adopting these tactics as early as 2016. 
One of the advantages\r\nthis offers to hackers is that it can help evade detection by the behavior monitoring heuristics found on many security\r\nsoftware packages as standard. The use of DLLs to distribute ransomware is often coupled with another layer of\r\nencryption, which is also meant to make detection and prevention harder.\r\nWhile this attack method has been successful in bypassing detection, it is not unpreventable. For those developing\r\nprograms that use DLL downloads, it is recommended that any code that is written is secure and loads a DLL from\r\na specific path. Further, it is also recommended that only signed DLLs are used or accessed, and that\r\nSafeDllSearchMode is enabled where possible to prevent attackers from exploiting the search path. To\r\nfurther protect devices, security firms advise endpoint users to “… ensure that all validated and clean applications\r\nare installed in administrator-protected directories. This step restricts write and execute permissions to user folders\r\nand implements least-privilege access.”\r\nIs SunCrypt In or Out?\r\nAs mentioned above, the first time SunCrypt made headlines was when it announced it had joined the Maze cartel.\r\nGiven that it is well-known that Maze has partnered with both LockBit and Ragnar Locker, this was readily\r\naccepted as a distinct possibility by the InfoSec community. At first glance, this appeared to be true, as around the\r\nsame time frame reports began to emerge that the Conti gang had also joined forces under the Maze cartel\r\numbrella. The evidence for Conti’s new partnership rests on the fact that Conti published data about two victims\r\nthat were on Maze’s published victim list. What’s more troubling is that some researchers believe Conti may be a\r\nreplacement for Ryuk, one of the big players in the ransomware game at the moment. 
This belief is not without\r\ngrounds, as Conti shares code with Ryuk, drops the same ransom note and utilizes the same infrastructure.\r\nReturning to the question of whether SunCrypt is a member of the group, the group itself stated that it had indeed\r\njoined the cartel and made statements to the effect that Maze could not handle all the “work” available and needed\r\nhelp. It can be assumed that this partnership was based on a shared revenue scheme. That being said, Maze has\r\nnever elaborated on its partnerships to the press so the exact details are unknown.\r\nIt was not just the word of SunCrypt that led researchers and journalists to believe that they had joined the cartel;\r\nthe IP address mentioned above is one of several IP addresses also used by Maze and its partners. In the past,\r\nresearchers have noted that the IP address used by SunCrypt has been used by Maze to transmit information\r\nduring attacks. The shared use of an IP address normally indicates one of two things: first, the sharing of infrastructure\r\nresources and, second, the white-labeling of ransomware resources to other groups so that no new attacks are\r\nhampered by unintended blacklisting.\r\nAll this presents a strong case for the belief that SunCrypt joined the cartel. Here is where things take a turn for\r\nthe strange. Speaking to Bleeping Computer, Maze stated, “We do not have any connections with SunCrypt, it is a\r\nlie,” and, “We do not know why SunCrypt does it, but we believe it is a PR strategy, to send links to companies in\r\nchat that they are working with us as a pressure.”\r\nSince Maze’s bombshell, SunCrypt stopped responding to requests for information. However, the use of the\r\nshared IP address has been confirmed by researchers and has many scratching their heads as to what the scenario\r\nis between the two ransomware gangs. More research is needed, given SunCrypt’s new arrival as a ransomware\r\nthreat looking to adopt all the successful tactics of its predecessors. 
Guessing at this point as to motives and\r\narrangements would likely leave egg on the face of anyone making the guess.\r\nNorth Carolina School District Struck by SunCrypt\r\nReports emerged in September that the Haywood County School District in North Carolina had suffered a\r\nransomware incident. No information was provided regarding the ransomware used, but it appeared that the attack\r\nbegan Aug. 17, with the announcement made Aug. 24. The attack rendered most remote learning facilities offline, with\r\nremote learning facilities only becoming available again Aug. 31. Further, the attack led to a data breach. The school\r\ndistrict announced,\r\n“In announcing the ransomware attack on Monday, we wanted everyone to understand a data breach\r\nwas possible. We have now confirmed a data breach occurred. We are taking every possible step to\r\neliminate any potential harm to staff, students, and affiliates. At this point, the forensic work has not\r\ndetermined the extent of specific data that was stolen. We ask staff, students, and parents to monitor for\r\nany suspicious activity.”\r\nIt was later learned that the school district suffered an attack by the SunCrypt gang. On the gang’s data publishing\r\nwebsite 5GB of data from the Haywood incident was released due to non-payment by the school district. This is in\r\nline with the gang’s tactics, and the data released contains sensitive information that can be considered personally\r\nidentifiable. A tactic started by Maze in late 2019 of releasing data to apply more pressure to victims has now\r\nalmost become an industry standard, with many new ransomware families adopting the tactic without question.\r\nWhile there is little in the way of positives that can be taken from the incident, a silver lining did emerge in that\r\nresearchers were able to get more information about the malware and how it was deployed. 
In this instance, as\r\nwell as in some prior ones, the gang created a PowerShell script named after the intended victim. When executed, the\r\nmalware encrypts data and drops the ransom note. This can prove a vital bit of information when looking to\r\nidentify the culprit. To launch the script on all the Windows machines on the network, the gang creates a batch file\r\nthat is pushed to those machines. The batch file will then run the PowerShell script on all the machines\r\nit was pushed to. This allows the gang to quietly compromise the network, steal important data and quickly\r\nencrypt the Windows machines on the network in one go. The encryption process appends a hexadecimal hash to\r\neach file encrypted and drops the same note discovered earlier by researchers. As of yet, there are no known\r\nweaknesses within the code or the encryption process, so file recovery with a decryption tool is not possible.\r\nA Curious Case\r\nSunCrypt has presented researchers with several perplexing questions, including the mysterious case of the IP\r\naddress shared by both SunCrypt and Maze. Despite the curiosity the ransomware gang has created, the North\r\nCarolina School District incident proves that the gang is not to be underestimated, as they are capable of\r\neffectively targeting a network and encrypting multiple devices simultaneously. This ability combined with the\r\ngang’s willingness to steal and publish sensitive data means that SunCrypt can be classified along with other\r\nhuman-operated ransomware strains as a real danger to organizations.\r\nSource: https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/"
	],
	"report_names": [
		"the-curious-case-of-suncrypt"
	],
	"threat_actors": [
		{
			"id": "1df26eff-cd77-48dc-9425-95a4ec34bebe",
			"created_at": "2022-10-25T16:07:24.24501Z",
			"updated_at": "2026-04-10T02:00:04.9102Z",
			"deleted_at": null,
			"main_name": "SunCrypt Gang",
			"aliases": [],
			"source_name": "ETDA:SunCrypt Gang",
			"tools": [
				"SunCrypt",
				"WARPRISM"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775791437,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ecf592465a6440f8b952fbd95e2bf6ee0e70814.pdf",
		"text": "https://archive.orkl.eu/9ecf592465a6440f8b952fbd95e2bf6ee0e70814.txt",
		"img": "https://archive.orkl.eu/9ecf592465a6440f8b952fbd95e2bf6ee0e70814.jpg"
	}
}