Cyber Analysts Find Links Between SunCrypt and QNAPCrypt Ransomware
SunCrypt, a ransomware that infected multiple targets in the last year, is believed to be an updated version of the QNAPCrypt ransomware.
According to a new malware analysis conducted by cybersecurity researcher Joakim Kennedy, SunCrypt, a ransomware strain that continued to infect several targets last year, seems to be an updated version of QNAPCrypt ransomware, targeting Linux file storage systems.
While the two ransomware families are operated by different threat actors on the dark web, there are strong technical connections in code reuse and techniques that link them to the same author. That one malware is a derivative of another does not mean it will be deployed in exactly the same way.
QNAPCrypt, also known as Ech0raix, is a family of ransomware that targets and spreads across physical network appliances such as Synology or QNAP NAS devices, which are meant to ensure high-quality internet connections. The devices were compromised by exploiting known vulnerabilities in order to encrypt the files found on the system.
Although it works similarly to other ransomware, QNAPCrypt has a few important differences:
- Since it is a server and not an endpoint, the ransom note appears as a text file, without any message on the screen.
- A unique Bitcoin wallet is provided to every victim, thus helping the attackers to avoid being traced.
- The moment a victim is compromised, the malware seeks a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
First identified in July 2019, QNAPCrypt has since been tracked to a Russian cybercriminal group called FullOfDeep.
Meanwhile, SunCrypt first appeared in October 2019 as a Windows-based ransomware tool before being ported to a C/C++ version in mid-2020. Besides stealing victims’ data and threatening to disclose it before encrypting files, the group also launches distributed denial-of-service (DDoS) attacks to pressure the victim into paying the ransom.
On December 29th, 2020, the ransomware was deployed against PRP Diagnostic Imaging, an NSW radiology and nuclear medicine provider. The company reported that patient records were stolen from two managed file servers.
Although the two ransomware families have launched attacks on different operating systems (QNAPCrypt targets Linux, while SunCrypt targets Windows), there were speculations that they are somehow connected.
Figure: encrypting the password using the public key included in the binary.
Blockchain analytics company Chainalysis claims in their 2021 Crypto Crime Report that
(…) A connection is also supported by a privately circulated report from threat intelligence firm Intel471 claiming that representatives from SunCrypt described their strain as a “rewritten and rebranded version of a ‘well-known’ ransomware strain.” Intel471’s report also claims that SunCrypt only works with a small number of affiliates at a time, whom the SunCrypt operators interview and vet extensively. Therefore, we believe any overlap in affiliates between SunCrypt and other ransomware strains would be more likely to suggest a deeper connection between the two strains, rather than just coincidence.
According to Joakim Kennedy’s analysis of the SunCrypt binaries, the ransomware not only shares the same encryption capabilities as QNAPCrypt, but also the same set of targeted file types, the same method for generating the encryption password, and the same system locale checks.
The files are encrypted with AES in CFB mode. Both ransomware generate a unique 32-character “password.” The logic for generating this code is very similar. (…) The characters in the password are randomly selected from a list of valid characters that includes all the English upper and lower case characters and the numbers 0 through 9. The list is identical between the malware. The rand implementation provided by the math package in the standard library is used, which means the randomness is not cryptographic. The randomness is seeded with the current time. The main difference is that SunCrypt resets the seed every time the function responsible for generating the “password” is called, while QNAPCrypt sets the seed during the initialization. SunCrypt also uses the function to generate a victim identifier.
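To make the weakness in that scheme concrete, here is an added Go example (not the researcher’s or the malware’s own code) that reproduces the described construction: a 32-character password drawn from the letters and digits with math/rand seeded from a timestamp. Because the generator is deterministic, an analyst who knows roughly when a sample ran can search a window of candidate seeds and recover the password; the one-second seed granularity and the timestamp used below are assumptions, not values from the report.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Character set described in the analysis: English upper/lower case letters and digits.
const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

const passwordLen = 32

// generatePassword mimics the weak scheme: a fresh math/rand source seeded with a
// timestamp, one character per Intn call. The output is fully determined by the seed.
func generatePassword(seed int64) string {
	r := rand.New(rand.NewSource(seed))
	b := make([]byte, passwordLen)
	for i := range b {
		b[i] = charset[r.Intn(len(charset))]
	}
	return string(b)
}

// recoverSeed scans the seed range [from, to] (Unix seconds, an assumption about
// granularity) for the seed that reproduces an observed password.
func recoverSeed(observed string, from, to int64) (int64, bool) {
	for s := from; s <= to; s++ {
		if generatePassword(s) == observed {
			return s, true
		}
	}
	return 0, false
}

func main() {
	// Constructed scenario: the sample is assumed to have run near this time (hypothetical).
	ranAt := time.Date(2020, 12, 29, 9, 0, 0, 0, time.UTC).Unix()
	pw := generatePassword(ranAt)
	fmt.Println("generated password:", pw)
	// Knowing the encryption time to within a day leaves about 86,400 candidate seeds.
	seed, ok := recoverSeed(pw, ranAt-12*3600, ranAt+12*3600)
	fmt.Println("recovered seed:", seed, "found:", ok, "matches:", seed == ranAt)
}
```

A cryptographically secure source (crypto/rand) would leave no seed to search, which is exactly why the report flags the math/rand choice.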
What is also interesting is that both QNAPCrypt and SunCrypt use the ransomware-as-a-service (RaaS) model. This means that affiliates can carry out ransomware attacks themselves and pay a portion of each victim’s payment back to the creators and operators, who promote the tool in underground forums.
Taking into consideration the duplication and behavioral differences between the two ransomware families, Kennedy strongly believes that “Ech0raix ransomware has been transferred to the SunCrypt operator and upgraded.”