Researchers from Intezer Labs have found some similarities between the SunCrypt and QNAPCrypt ransomware suggesting that the two malware strains may have been written by the same author.
"While the two ransomware [families] are operated by distinct different threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two ransomware to the same author," the researchers wrote in a new report.
SunCrypt is a Ransomware as a Service (RaaS) that began operating back in October 2019. The first version of the ransomware was written in Go and targeted Windows machines. In mid-2020 a new version of SunCrypt emerged written in C/C++, which did not have any shared code with the earlier version from 2019. However, both variants exhibit similar behavior - they both designed to encrypt and steal data.
QNAPCrypt (or eCh0raix), which was first discovered in July 2019, is a ransomware family that was observed in attacks targeting Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found in the system.
The researchers believe that the latest version of SunCrypt released in 2021 is potentially a beta release of the RaaS. While analyzing the malware they found a file called “aes.go” with two functions one of which had a typo in the name, “EncEAS” instead of “EncAES.” The same typo was discovered in similar file that was part of another malware family, QNAPCrypt, indicating that the typo is unique and potentially shared code between the two ransomware families.
“In addition to the shared code between the two malware families for the functionality responsible for the file encryption, the two families also have other similarities. The similarities on their own do not indicate a connection, but the collection of all of them does. The presentation of them is to strengthen the connection indicated by the shared code,” Intezer said.
“Both ransomware are designed to not run on some of the Commonwealth of Independent States (CIS). QNAPCrypt will not perform any encryption of files if it believes it is running on a Belarusian, Russian or Ukrainian machine. SunCrypt does the same, but also includes Kyrgyzstan and Syria in the list.”
SunCrypt and QNAPCrypt both have command and control (C2) infrastructure hosted as Tor hidden services. The first version of QNAPCrypt reached out to the C2 to fetch information for the ransom note, including the Bitcoin wallet used for the campaign. SunCrypt sends campaign information and uploads stolen files to the C2 server. To access the hidden service, both families use a public available SocksV5 proxy.
“With technical analysis, it is possible to link the currently active version of SunCrypt back to QNAPCrypt, a ransomware that was used to target NAS devices back in the Summer of 2019. While the technical based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is clear that both ransomware are operated by different individuals. Based on the available data, it is not possible to connect the activity between the two actors on the forum. This suggests that when new malware services derived from older services appear, they may not always be operated by the same people,” the report concludes.