
Sugar Ransomware Targets Individuals Instead of Enterprises

Written by PolySwarm Tech Team | Mar 3, 2022 7:59:22 PM



Background

Walmart recently reported on a new ransomware-as-a-service (RaaS) offering called Sugar ransomware. The threat actors behind Sugar ransomware appear to be targeting individuals rather than enterprises and demand a low ransom, with the amount based on the number of files encrypted.


Details

Sugar ransomware is written in Delphi and has been in the wild since at least November 2021. According to Walmart, the Sugar ransomware crypter is interesting in that it reuses code from the ransomware itself. The crypter uses a modified RC4 encryption algorithm.


When launched, Sugar obtains the victim machine’s IP address and location information. It then downloads a 76MB file, whose purpose is currently being investigated. Next, it connects to the C2 at 179.43.160[.]195 to exfiltrate information and receive commands.

The ransomware itself uses the SCOP encryption algorithm, and encrypted files are appended with the .encoded01 extension. Sugar excludes the following folders and file types from encryption: windows, drivers, perflogs, temp, boot, bootnxt, bootmgr, pagefile, .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc, .cat, and .msi. The ransom amount demanded is generated based on the number of files encrypted.
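The indicators described above (the C2 address, the .encoded01 extension, and the exclusion list) can be combined into a host triage check. The following is an added example, not code from PolySwarm or Walmart; the way the exclusion list is matched, the log format, and the sample data are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Indicators and exclusion list as given in the article above.
ENCRYPTED_SUFFIX = ".encoded01"
C2_ADDRESS = "179.43.160[.]195".replace("[.]", ".")  # refanged for matching
EXCLUDED_NAMES = {"windows", "drivers", "perflogs", "temp", "boot",
                  "bootnxt", "bootmgr", "pagefile"}
EXCLUDED_EXTS = {".exe", ".dll", ".sys", ".lnk", ".bat", ".cmd", ".ttf",
                 ".manifest", ".ttc", ".cat", ".msi"}

def is_excluded(path):
    """Assumed matching rule: case-insensitive, a path component's name
    (without extension) or the file extension appears in the exclusion list."""
    p = PureWindowsPath(path.lower())
    names = {PureWindowsPath(part).stem for part in p.parts if part != p.anchor}
    return bool(names & EXCLUDED_NAMES) or p.suffix in EXCLUDED_EXTS

def triage(paths, conn_log_lines):
    """Split .encoded01 files into ones that fit the reported behaviour and
    ones that sit where Sugar is reported not to encrypt; list C2 contacts."""
    consistent, unexpected = [], []
    for path in paths:
        if not path.lower().endswith(ENCRYPTED_SUFFIX):
            continue
        original = path[:-len(ENCRYPTED_SUFFIX)]
        (unexpected if is_excluded(original) else consistent).append(path)
    # Whole-token match so a longer address containing the C2 string is not a hit.
    c2_contacts = [ln for ln in conn_log_lines if C2_ADDRESS in ln.split()]
    return {"consistent": consistent, "unexpected": unexpected,
            "c2_contacts": c2_contacts}

# Constructed sample data (not from the article): a file listing and a
# connection log with "timestamp src dst dport" fields.
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\budget.xlsx.encoded01",
    r"C:\Users\ana\Pictures\trip.jpg.encoded01",
    r"C:\Users\ana\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\ana\Downloads\setup.exe.encoded01",
]
SAMPLE_CONN_LOG = [
    "2022-03-01T10:02:11Z 192.168.1.20 203.0.113.7 443",
    "2022-03-01T10:02:14Z 192.168.1.20 179.43.160.195 80",
]

if __name__ == "__main__":
    for key, values in triage(SAMPLE_PATHS, SAMPLE_CONN_LOG).items():
        print(key, len(values), values)
```

Files in the `unexpected` bucket carry the extension but sit where the reported exclusion list says Sugar does not encrypt, which is a cue to check whether the assumed matching rule is wrong or a different family is involved.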

Sugar seems to be fairly unsophisticated. The malware and crypter reuse code, potentially indicating the same developer created both. The ransom note reportedly bears similarity to those used by REvil, with a few differences and misspellings. Sugar’s decryptor page is also similar to the one used by Cl0p. Analysis published by Cyble stated Sugar creates multiple threads in an attempt to make reverse engineering more difficult.

IOCs

PolySwarm currently has over 200 samples of Sugar Ransomware.


Hashes



Contact us for additional Sugar ransomware IOCs and samples
