

SunCrypt was one of the first groups to use “triple extortion” tactics in its attacks. It operates as a RaaS (Ransomware as a Service) group.

SunCrypt doesn’t have a big affiliate program like other RaaS groups. Instead, it runs a small and private affiliate program. The first version of this ransomware was written in Go, but the group became much more active after it was rewritten in C and C++. Many businesses in the Services, Technology, and Retail sectors have been affected by SunCrypt.

Research by Minerva Labs reports that this stalemate hasn’t deterred the malware developers from producing a new and improved version of their strain, which the analysts then examined to identify what had changed.

What Has Recently Changed?

The additional features of the SunCrypt 2022 edition include the ability to terminate processes, halt services, and wipe the computer clean in preparation for ransomware execution.

These characteristics have been present in other ransomware strains for a long time; however, they are relatively new additions to SunCrypt, which gives the impression that the RaaS is still in the early stages of development.

While the 2022 SunCrypt version has gained new capabilities, the ransomware still appears to be under development. The new capabilities allow the ransomware to terminate processes, stop services, and clean the machine of any evidence of the ransomware execution. The ransomware also obtains a winlogon.exe access token and assigns it to its main thread via the SetThreadToken API call.

There also appears to be an Anti-VM feature that is not present in our sample but might be added in future versions. We noticed that the 2022 version lacks C&C connection capabilities, while there is still an option to pass an argument that will stop the reporting to C&C.

A number of resource-intensive processes are terminated, including WordPad (documents), SQLWriter (databases), and Outlook (emails), as open data files could otherwise prevent the encryption from being completed.

According to submissions to ID Ransomware, which give a good indication of ransomware strain activity, SunCrypt is still encrypting victims but appears to be engaged in only a small amount of activity.

As BleepingComputer explained, it is possible that the group is targeting high-value entities while keeping the ransom negotiations confidential in order to avoid attracting the attention of law enforcement and the media.

Minerva names Migros, Switzerland’s biggest retail chain with over 100,000 employees, as one of SunCrypt’s recent victims.

In conclusion, SunCrypt is unquestionably a serious threat that has not yet been defeated, but whether or not the RaaS will develop into something more substantial remains to be seen.

How Can Heimdal™ Help?

Prevention is the best cybersecurity strategy, as it protects your valuable assets in the first place. That is why your company needs efficient cybersecurity solutions like Heimdal Ransomware Encryption Protection, which blocks ransomware encryption attempts and thus protects you against data loss and data exfiltration.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.