Sugar Ransomware is a ransomware-as-a-service (RaaS) threat. Unlike most major ransomware operations, Sugar appears to focus on infecting individual users rather than corporate targets. Another distinguishing feature is that it borrows heavily from other ransomware families.
Details about the threat were published in a report by the Walmart Cyber Threat Team. According to the researchers, Sugar Ransomware is written in Delphi and has been in the wild since at least November 2021.
Similarities to REvil
In its code, Sugar reuses various components taken from other ransomware families. The ransom note dropped on Sugar-infected systems is the same as the REvil Ransomware note, with minor differences and a number of added typos.
The most interesting finding from the analysis of Sugar Ransomware is its cryptor, the packer that obfuscates the payload. It uses a modified RC4 cipher, and, more importantly, parts of the cryptor's code reappear in the ransomware's own string decryption routine. This led the researchers to conclude that the same group probably wrote both the cryptor and the ransomware, and that the cryptor may be part of a service the main threat actor offers to its affiliates.
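To make the code-reuse point concrete, here is an added example (not code from the Walmart report or from Sugar itself) of the kind of RC4-keyed string table a cryptor's unpacking stub and a payload's string decryptor can share. It uses textbook RC4 because the page does not describe Sugar's modification to the cipher; the table layout (a one-byte key length, the key, then length-prefixed ciphertexts) and the sample strings are constructed for the demo.

```python
"""RC4 string-table decryption: the routine a cryptor's unpacking stub and the
payload's own string decryptor would share if one author wrote both.
Added example; textbook RC4, not Sugar's modified variant. The table layout and
the sample strings are constructed for the demo."""
import struct
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm followed by the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def build_string_table(key: bytes, strings: List[str]) -> bytes:
    """Constructed layout: [key_len:1][key][(len:2 LE)(ciphertext) ...].
    Each entry is encrypted independently, i.e. the keystream restarts per
    string, which is what a simple per-string decrypt routine expects."""
    blob = bytes([len(key)]) + key
    for s in strings:
        ct = rc4_crypt(key, s.encode("utf-8"))
        blob += struct.pack("<H", len(ct)) + ct
    return blob


def decrypt_string_table(blob: bytes) -> List[str]:
    """The decryptor: walk the table and recover every string."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    pos = 1 + key_len
    out = []
    while pos < len(blob):
        (n,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        out.append(rc4_crypt(key, blob[pos:pos + n]).decode("utf-8"))
        pos += n
    return out


# Constructed sample strings of the sort a ransomware keeps obfuscated.
SAMPLE_KEY = b"sample-key"
SAMPLE_STRINGS = [".encoded01", "whatismyipaddress.com", "ip2location.com"]
SAMPLE_TABLE = build_string_table(SAMPLE_KEY, SAMPLE_STRINGS)

if __name__ == "__main__":
    for s in decrypt_string_table(SAMPLE_TABLE):
        print(s)
```

The per-entry keystream restart with a single key is itself a fingerprint: an analyst who finds that exact quirk in both the packer stub and the unpacked payload has the same kind of evidence the Walmart team relied on. The implementation can be checked against the public RC4 test vector (key "Key", plaintext "Plaintext" gives ciphertext bbf316e8d940af0ad3).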
How Does Sugar Ransomware Operate?
Sugar Ransomware encrypts the files on the compromised machine and appends the “.encoded01” extension to each of them. It then displays a ransom note directing victims to the attackers' Tor site to pay for recovery of the encrypted files. The attackers offer to decrypt up to five files as proof that the encrypted files can be recovered once the ransom is paid.
The Tor site used by Sugar Ransomware closely resembles the Cl0p ransomware site, but there is no evidence that the Sugar group is linked to the REvil or Cl0p threat actors. According to Cyclonis, Sugar operates as ransomware-as-a-service, meaning that anyone can partner with the operators to deploy the file-locker and share in the profits.
Network Check-in and Downloaded File
The Walmart security team first encountered the threat in November 2021. Since then it has hit many personal devices, mostly on small networks and individuals' machines. Once Sugar Ransomware is launched, it first contacts whatismyipaddress.com, then obtains the system's location and IP address via ip2location.com. After it has the IP address, the ransomware downloads a small file. At the time of writing, there was no clear explanation of that file's purpose.
With this set-up done, the ransomware connects to its command-and-control server at 188.8.131.52. Encryption starts only after data has been sent to and received from that server. Once the ransomware is running, it checks in with the command-and-control server again; this can be thought of as reporting the current state of the infection back to the operators.
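Behaviourally, the sequence on a single host of a public-IP lookup, a geolocation lookup and then a direct connection to a bare IP address is a usable detection. The following is an added example (not from the Walmart report) that runs that logic over a constructed proxy log; the log format, host names and timestamps are made up, the 120-second window is an assumption, and the only identifiers taken from the page are the two lookup domains and the C2 address.

```python
"""Detect the Sugar check-in sequence in proxy logs: whatismyipaddress.com, then
ip2location.com, then a direct connection to a public IP, all from one host
within a short window. Added example; log format and hosts are constructed."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

LOOKUP_DOMAINS = ("whatismyipaddress.com", "ip2location.com")  # from the report
WINDOW = timedelta(seconds=120)  # assumption: plausible gap for the three steps

# Constructed proxy log: "<UTC timestamp> <source host> <destination>".
SAMPLE_LOG = """\
2021-11-09T10:02:11Z WS-17 whatismyipaddress.com
2021-11-09T10:02:12Z WS-17 ip2location.com
2021-11-09T10:02:14Z WS-17 188.8.131.52
2021-11-09T10:05:00Z WS-22 whatismyipaddress.com
2021-11-09T10:05:03Z WS-22 10.0.0.5
2021-11-09T10:09:40Z WS-22 ip2location.com
2021-11-09T10:11:00Z WS-30 188.8.131.52
""".splitlines()


def parse_line(line: str):
    ts, host, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst.lower()


def is_public_ip(dst: str) -> bool:
    """True only for a literal, globally routable IP (RFC1918 noise is ignored)."""
    try:
        return ipaddress.ip_address(dst).is_global
    except ValueError:
        return False  # a host name, not an IP literal


def detect_sugar_checkin(lines: List[str], window: timedelta = WINDOW) -> List[Dict]:
    """Per-host three-stage state machine; the stage resets when the window expires."""
    by_host: Dict[str, list] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, dst = parse_line(line)
        by_host.setdefault(host, []).append((ts, dst))

    alerts = []
    for host, events in by_host.items():
        events.sort()
        stage, start = 0, None
        for ts, dst in events:
            if stage and ts - start > window:
                stage, start = 0, None           # too slow: start over
            if stage == 0:
                if dst == LOOKUP_DOMAINS[0]:
                    stage, start = 1, ts
            elif stage == 1:
                if dst == LOOKUP_DOMAINS[1]:
                    stage = 2
            elif is_public_ip(dst):              # stage 2: bare public IP = C2 candidate
                alerts.append({"host": host, "first_seen": start, "c2": dst})
                stage, start = 0, None
    return alerts


if __name__ == "__main__":
    for a in detect_sugar_checkin(SAMPLE_LOG):
        print(f"{a['host']}: Sugar-style check-in from {a['first_seen']} to {a['c2']}")
```

In the constructed log only WS-17 alerts: WS-22 performs both lookups but minutes apart, and WS-30 makes a lone direct-to-IP connection with no preceding lookups. Tuning the window and whitelisting known direct-to-IP destinations (update servers, CDNs) is what keeps this rule quiet in production.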
As for encryption, BleepingComputer reported that Sugar Ransomware encrypts all files except for a set of excluded files and file types: BOOTNXT, bootmgr, the swap file, and files with the .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc and .cat extensions. BleepingComputer also explained that the file encryption is based on the SCOP encryption algorithm.
Installation of Ransomware
Once this process is complete, each file carries the “.encoded01” extension. The ransomware then drops its ransom note on the system. The note reportedly contains instructions on how to pay the ransom, together with the victim's ID and a Tor link.
The link leads to chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion, where the victim sees a payment page and a chat section through which the ransom can be paid. Observed ransom demands are unusually small: one sample asked for as little as 0.00009921 bitcoin, about $4.01 at the time.
At present, security researchers have not found a way to decrypt files encrypted by Sugar. Separately, Tech Times reports that the TrickBot malware is back with additional protections that make it harder to control; the notorious banking trojan can now ignore live network injections.
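For incident response, the exclusion list and the fixed extension described above are enough to scope an infection from a file listing. The following added example (not Sugar's code, nor from BleepingComputer) classifies a constructed Windows file listing into files Sugar would skip, files it has already encrypted (recovering their original names), and eligible files it has not touched; the paths are made up, and "swap file" is read as pagefile.sys and swapfile.sys, which is an assumption.

```python
"""Scope a Sugar infection from a file listing using the reported exclusion list
and the .encoded01 extension. Added example; the paths are constructed."""
import ntpath
from typing import Dict, List

ENCRYPTED_EXT = ".encoded01"
# Exclusions as reported by BleepingComputer; "swap file" read as the two Windows
# paging files (assumption).
SKIP_NAMES = {"bootnxt", "bootmgr", "pagefile.sys", "swapfile.sys"}
SKIP_EXTS = {".exe", ".dll", ".sys", ".lnk", ".bat", ".cmd",
             ".ttf", ".manifest", ".ttc", ".cat"}


def sugar_would_skip(path: str) -> bool:
    """Case-insensitive match on the file name or on its final extension."""
    name = ntpath.basename(path).lower()
    return name in SKIP_NAMES or ntpath.splitext(name)[1] in SKIP_EXTS


def original_name(path: str) -> str:
    """Strip the appended extension; the original name is kept intact before it."""
    if not path.lower().endswith(ENCRYPTED_EXT):
        raise ValueError(f"not a Sugar-encrypted name: {path}")
    return path[:-len(ENCRYPTED_EXT)]


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Bucket a listing into encrypted (original names), skipped and untouched."""
    result: Dict[str, List[str]] = {"encrypted": [], "skipped": [], "untouched": []}
    for p in paths:
        if p.lower().endswith(ENCRYPTED_EXT):
            result["encrypted"].append(original_name(p))
        elif sugar_would_skip(p):
            result["skipped"].append(p)
        else:
            result["untouched"].append(p)  # eligible but not (yet) encrypted
    return result


# Constructed listing.
SAMPLE_PATHS = [
    r"C:\Users\Ann\Documents\budget.xlsx.encoded01",
    r"C:\Users\Ann\Pictures\cat.jpg.encoded01",
    r"C:\Windows\explorer.exe",
    r"C:\bootmgr",
    r"C:\pagefile.sys",
    r"C:\Users\Ann\Desktop\report.lnk",
    r"C:\Users\Ann\Documents\notes.txt",
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_PATHS).items():
        print(f"{bucket}: {len(files)}")
        for f in files:
            print("  ", f)
```

The "untouched" bucket is the useful one during response: files that match none of the exclusions yet were not renamed show where an encryption run was interrupted, and the recovered original names give the restore list for backups.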