Walmart recently reported on a new ransomware as a service (RaaS) called Sugar ransomware. The threat actors behind Sugar ransomware appear to be targeting individuals rather than enterprises and demand a low ransom amount, based on the number of files encrypted.
Sugar ransomware is written in Delphi and has been in the wild since at least November 2021. According to Walmart, the Sugar ransomware crypter is interesting in that it reuses code from the ransomware itself. The crypter uses a modified RC4 encryption algorithm.
When launched, Sugar obtains the victim machine’s IP address and location information. It then downloads a 76MB file, whose purpose is currently being investigated. Next, it connects to the C2 at 179.43.160[.]195 to exfiltrate information and receive commands.
The ransomware itself uses the SCOP encryption algorithm, and encrypted files are appended with the .encoded01 extension. Sugar excludes the following folders and file types from encryption: windows, drivers, perflogs, temp, boot, bootnxt, bootmgr, pagefile, .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc, .cat, and .msi. The ransom amount demanded is generated based on the number of files encrypted.
Sugar seems to be fairly unsophisticated. The malware and crypter reuse code, potentially indicating the same developer created both. The ransom note reportedly bears similarity to those used by REvil, with a few differences and misspellings. Sugar’s decryptor page is also similar to the one used by Cl0p. Analysis published by Cyble stated Sugar creates multiple threads in an attempt to make reverse engineering more difficult.
PolySwarm currently has over 200 samples of Sugar Ransomware.