Sugar RaaS describes a new ransomware-as-a-service model focusing on individual machines and reusing components from other ransomware families. The article details the crypter, a Delphi-based ransomware sample, ransom notes, and IOCs including domains, an onion service, IPs, and file hashes. #SugarRaaS #Crypter

Keypoints

  • Sugar RaaS appears to target individual computers rather than whole enterprises, while reusing objects from other ransomware families.
  • The crypter’s encoding is a modified RC4 (SBOX setup, KSA and PRGA stages), with the key apparently prepended to the encoded data; the decoded output is then decompressed.
  • The ransomware sample is Delphi-based, with the crypter’s routines reused in the malware’s string decoding, suggesting a shared development or affiliate setup.
  • The ransom notes imitate REvil-style messaging but add their own twists and warnings, and they point victims to decryption sites reachable over TOR or VPN.
  • A broad set of IOCs is documented, including domains, an onion service, an IP address pair, and numerous file hashes.
  • The article includes unpacking code and custom KSA/PRGA steps, illustrating how strings and payloads are decoded prior to encryption.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The crypter uses a modified RC4 encoding and data preparation: “The encoded data can be seen with the key prepended to the data:”
  • [T1140] Deobfuscate/Decode Files or Information – The article describes unpacking code and a custom KSA/PRGA process used to decode strings: “Unpacking code:”
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files to render them inaccessible: “Your files are encrypted, and currently unavailable.”

Indicators of Compromise

  • [Domain] bottomcdnfiles.com, cdnmegafiles.com, and sugarpanel.space
  • [IP Address] 179.43.160.195, 82.146.53.237
  • [Onion Domain] chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion
  • [Hash] 15a7fb45f703d5315320eef132f3151873055161, 5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145, and 10 more hashes

Read more: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb