Sugar Ransomware, a new RaaS in the threat landscape

Cyber security team at retail giant Walmart dissected a new ransomware family dubbed Sugar, which implements a ransomware-as-a-service model.

The cyber threat team at retail giant Walmart has analyzed a new ransomware family dubbed Sugar, which is offered through a ransomware-as-a-service (RaaS) model.

Unlike other ransomware operations, Sugar ransomware appears to primarily focus on individual computers instead of entire enterprises. The Sugar malware was first discovered in the wild in November 2021, it is a Delphi malware that borrows code from other ransomware families.

One of the most interesting components of the new malware family is the crypter that uses a modified version of RC4 algorithm and the reuse of the same routine from the crypter as part of the string decoding in the malware.

This suggests that the Sugar ransomware and its crypter were developed by the same team, another scenario sees the crypter that is being offered by a threat actor to a network of affiliates.

“The malware is written in Delphi but the interesting part from a RE perspective was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates.” reads the analysis published by Walmart.

The experts also noticed some similarities between the ransomware of Sugar and the REvil‘s one, while the decryptor page is similar to the one used by Clop operators.

Other similarities were found by the experts in the GPLib library used for encryption/decryption operations.

The researchers also published Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

New AT&T data breach exposed call logs of almost all customers

AT&T disclosed a new data breach that exposed phone call and text message records for…

19 hours ago

Critical flaw in Exim MTA could allow to deliver malware to users’ inboxes

A critical vulnerability in Exim mail server allows attackers to deliver malicious executable attachments to…

21 hours ago

Palo Alto Networks fixed a critical bug in the Expedition tool

Palo Alto Networks addressed five vulnerabilities impacting its products, including a critical authentication bypass issue. Palo…

1 day ago

Smishing Triad Is Targeting India To Steal Personal and Payment Data at Scale

Resecurity has identified a new campaign by the Smishing Triad that is targeting India to…

1 day ago

October ransomware attack on Dallas County impacted over 200,000 people

The ransomware attack that hit Dallas County in October 2023 has impacted more than 200,000…

1 day ago

CrystalRay operations have scaled 10x to over 1,500 victims

A threat actor known as CrystalRay targeted 1,500 victims since February using tools like SSH-Snake…

2 days ago

This website uses cookies.