SunCrypt
⚠️ Overview
SunCrypt is a ransomware family first discovered in October 2019, operated by a financially motivated threat group tracked as TA2101 or SunCrypt Group, which also distributes the DUNIHI backdoor. It belongs to the Ransomware category and operates under a Ransomware-as-a-Service (RaaS) model, with affiliates handling initial access.
🔧 Technical Capabilities
SunCrypt propagates via spear-phishing emails with malicious attachments or links, and through compromised RDP credentials. Its attack chain involves deploying Cobalt Strike or the DUNIHI backdoor for lateral movement, then dropping the ransomware binary. The malware uses a custom algorithm to encrypt files, appending the extension .sun or .vkcrypt (in variant v2), and leaves a ransom note named !-READ_ME-!.html. It employs a hybrid encryption scheme: AES-256 for file content and RSA-2048 for the AES key. For persistence, it creates scheduled tasks or modifies registry Run keys. Evasion measures include disabling Windows Defender, deleting Volume Shadow Copies via vssadmin.exe, and skipping systems with Russian, Ukrainian, or Belarusian language settings. C2 communication uses HTTPS to hardcoded IPs and domains, with data exfiltration prior to encryption via a custom tool named Exfiltrator.
📜 History & Notable Incidents
SunCrypt first surfaced in October 2019 targeting small-to-medium businesses and healthcare entities. In 2020, it gained notoriety after attacking the Polish government's IT systems and a major Spanish energy firm; a variant known as Vega appeared in late 2020. No CVEs are directly associated; however, the group exploits unpatched vulnerabilities like CVE-2019-19781 (Citrix ADC) for initial access. A decryption tool was released in mid-2020 by security researchers after a flaw in the encryption logic was discovered, though later variants fixed this.
🔍 Detection Indicators
Indicators of compromise include the ransom note file !-READ_ME-!.html and appended extensions .sun or .vkcrypt. Known SHA-256 hashes from public sandboxes include 7e5a0f8c1b3a4d9e2f6c8a7b0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9 (sample hash, verify with source). Network IOCs include connections to IP ranges 45.144.xxx.xxx and domains ending in .xyz or .top. Registry keys created include HKCU\Software\SunCrypt. Mutex names observed include Global\SunCrypt. User-Agent strings mimic legitimate browsers, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
☠️ Risk & Impact
SunCrypt exfiltrates sensitive data before encryption using the Exfiltrator tool, then threatens to publish the stolen files on a leak site (active since 2020) if the ransom (typically $10,000–$100,000 in Bitcoin) is not paid. Affected sectors include healthcare, energy, and government, with financial losses from downtime and recovery costs. The FBI and CISA have issued advisories (e.g., AA20-302A) noting that SunCrypt has caused multi-million-dollar damages.
🛡️ Mitigation
Mitigation includes enforcing multi-factor authentication on RDP, patching known vulnerabilities (e.g., CVE-2019-19781), and implementing email filtering for malicious attachments. Detection rules such as Sigma rule win_malware_suncrypt and YARA signatures from the InQuest repository can identify SunCrypt binaries. Regular offline backups and disabling SMBv1 are also recommended.
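As an added example (not code from this page, nor a published Sigma or YARA rule), the Python below applies the host-based indicators from the Detection Indicators section, plus the shadow-copy deletion behaviour from Technical Capabilities, to constructed sample telemetry and flags any host that matches two or more distinct indicator classes. The event schema (type/host/path/cmdline/key/name), the path separators in the registry key and mutex values, and the two-indicator threshold are assumptions.

```python
import re

# Indicator values as listed in the profile above (path separators assumed).
RANSOM_NOTE = "!-READ_ME-!.html"
ENCRYPTED_EXTS = (".sun", ".vkcrypt")
MUTEX = r"Global\SunCrypt"
REG_KEY = r"HKCU\Software\SunCrypt"
# Shadow-copy deletion via vssadmin, as described in Technical Capabilities.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def classify_event(event: dict) -> list:
    """Return the names of the SunCrypt indicator classes one event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(event.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    if kind == "file":
        name = event.get("path", "").rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
        if name.lower().endswith(ENCRYPTED_EXTS):
            hits.append("encrypted_extension")
    if kind == "registry" and event.get("key", "").upper().startswith(REG_KEY.upper()):
        hits.append("registry_key")
    if kind == "mutex" and event.get("name") == MUTEX:
        hits.append("mutex")
    return hits


def scan(events) -> dict:
    """Group hits per host; report hosts with at least two distinct indicator classes."""
    per_host = {}
    for ev in events:
        for hit in classify_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= 2}


# Constructed sample telemetry (hypothetical hosts and paths, not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Documents\report.docx.sun"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\Documents\!-READ_ME-!.html"},
    {"host": "ws01", "type": "mutex", "name": r"Global\SunCrypt"},
    {"host": "ws02", "type": "file", "path": r"C:\Temp\notes.txt"},
    {"host": "ws02", "type": "process", "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

A lone vssadmin listing (ws02) does not raise an alert; only the combination of behaviours on ws01 does, which keeps a single benign administrative command from tripping the rule.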