Open in app

Sign in

Write

Sign in

Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction

S2W
S2W BLOG
Published in
5 min readSep 9, 2021

Hotsauce | S2W TALON

Executive Summary

  • In May 2021. The United state’s D company was infected by the Suncrypt ransomware, and after a long negotiation of about 3 weeks, the victim paid the ransom with Bitcoin, and Suncrypt finally deleted the leaked data and informed security report, and the negotiations were finished.
  • As a result of tracking the Bitcoin paid by the victim, it was sent to the Binance, OKEX, Huobi exchange and confirmed the circumstances of ChipMixer Mixing.

Detailed analysis

1. About Suncrypt ransomware

  • Suncrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate program on the dark web and first appeared in October 2019.
  • Suncrypt says “The Suncrypt group is a huge fan of a Win-Win style of negotiations and the minimal damage policy” and they provide a security report when the negotiation is complete, emphasizing that they are a reliable “business” rather than a ransomware “hack”.

2. Analysis of Suncrypt Ransomware Negotiation

  • Suncrypt ransomware left a HTML type ransom note on the infected PC with information on key points and how to access the 1:1 negotiation page.
  • You can start negotiating with Suncrypt by accessing the 1:1 negotiation page guided by the ransom note.

Victim company

  • In May 2021, an American company D was infected with the Suncrypt ransomware.
  • On the 1:1 negotiation page, Suncrypt said that after 72 hours the exfiltrated data will be posted at our news website and DDoS attack will be stopped only after progress is made in the negotiation.
  • Suncrypt requested 1,200,000 USD as a payment amount, presenting sample files and listings as proof and guaranteeing to provide the following three items upon completion of the negotiation.
  1. The decryptor
  2. The erasure log
  3. The security report in order to avoid this kind of situations in future
  • Suncrypt seems to have separate roles of negotiator and technician, as a person who appears to be a technician/developer who calls himself Tech (purple chat) participates in the negotiation.
  • During the negotiations, the victim company gave a link to a posted on Marketo / Twitter and protested why they were already selling our data.
  • Suncrypt said “During the negotiation period the data is secured and there were no single case of the leak. We would try to sell your data in case if we will fail negotiations with you. That just don’t make sense. We would not put the future negotiations at risk because of this incident.” and denied it had nothing to do with us.
  • Marketo is a marketplace of stolen data, first appeared in April 202.
  • Leaked data is selling publicly by bidding auctions.
  • Selling leak data of victim companies uploaded to Marketo.
  • Since the victim company does not have files encrypted with extensions other than Suncrypt, it seems that Marketo only stole data without separate encryption, and it is possible that leaked by Suncrypt and Marketo both.
  • Suncrypt’s Tech said that they start DDoS attack to Marketo.
  • After several price negotiations, the victim company paid 182,000 USD, demanding even to delete the post on Marketo.
  • Suncrypt closes the negotiation by providing erasure log and security report after confirming Bitcoin deposit.

Security Report — same contents are provided in case of other victim company that were infected at around the same time

  • Erasure Log — erasure logs to prove that Suncrypt has deleted all files stolen from the victim company.
  • Suncrypt said that we are trying to bring down the fake post or getting a proof that data is fake, but leak data posted on Marketo have not yet been deleted and are still on selling.

3. Analysis of payment address

  • Tracking the bitcoins paid by the victim company
  • Payment address : bc1qx6wa9x9gdnah9jfdt0ps8c6z8vwt2mz9mpwdcr
  • Amounts : 5.03350949 BTC
  • Transaction date : 2021–06–02
  • The 5.03350949 BTC paid by the victim company was divided into several branches and each performed ChipMixer Mixing, transferred to Binance, OKEX, Huobi wallet

3.1 Money Laundering with ChipMixer Mixing

  • After several addresses, approximately 4 BTC was laundered through ChipMixer Mixing

Bitcoin Address

  • 1ME2WHjsa1TPjuWTUN2JRsAxJsCs62gSk7
  • 112oLSTUE4PvVD4K88ANpwnRsw8e19ea7q
  • 17pYQVxhPSGkiLwoJhaAM3DxG86VHtiBLn

3.2 Transactions to Exchange wallet

  • After several addresses, approximately 1 BTC was withdrawn to Binance, OKEX, Huobi exchange

Bitcoin Address

  • 1Bb9AX3yM8WsFhZHFsVjWW79o6KFMiA3gE
  • 3CBDnbKDhgaEHDzoBiJrGza2FC6vv3GLej
  • 37Z8s6MQsWsRQTX7gPcFaAdo2qFsQm7RGr

Conclusion

  • Following the recent Suncrypt analysis case, the Suncrypt ransomware mainly uses ChipMixer for bitcoin laundering
  • Judging from the negotiation chat content, suncrypt seems to be divided into Ransomware operator, Negotiation manager, Tech manager, etc.
Ransomware
Darkweb
Cyber Threat Intelligence
Cybersecurity
Data Breach

--

--

S2W
S2W BLOG

Written by S2W

624 Followers
Editor for

S2W is specializing in cybersecurity data analysis for cyber threat intelligence.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams