[MART] - Daily Diary #448 - Sugar Ransomware Attacking Individuals

CTAS-MAT ctas-mat at appgate.com
Tue Feb 8 23:48:02 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

02/08/2022 - Diary entry #448:

A new ransomware written in Delphi was disclosed. This threat was named "Sugar" after the command-and-control domain used by its operator during an attack: "sugarpanel[.]space".

After infecting a victim, it makes requests to two different web services to obtain the victim's IP address and geographic location. Next, it encrypts all the victim's files using an encryption algorithm called SCOP and drops a ransom note named "BackFiles_encoded01.txt" with a Darknet URL containing a unique ID to negotiate with the criminals. Two different Sugar samples dropped similar ransom notes. One of them has similarities with REvil's ransom note and the other one with Clop ransomware.

Curiously, this particular ransomware strain was observed targeting individuals instead of companies, unlike other ransomware operations. We believe it's a strategy to avoid attracting too much attention and to infect as many victims as possible. The ransomware was also observed downloading an unknown additional file, which may suggest that Sugar is able to deploy additional payloads, acting as malware-as-a-service as well.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
C: +55 11 97467 9549
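
An added example, not part of the original diary entry or Appgate's tooling: a triage pass over endpoint telemetry for the two indicators the entry names, the C2 domain and the ransom-note filename. The JSON event schema (`host`, `type`, `value`) and every sample event are constructed assumptions.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the diary entry above.
C2_DOMAIN = "sugarpanel[.]space"      # defanged, as published
RANSOM_NOTE = "BackFiles_encoded01.txt"

def refang(indicator: str) -> str:
    """Normalize a (possibly defanged) hostname: lowercase, no trailing dot."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def domain_matches(query: str, bad: str) -> bool:
    """True for the domain or any subdomain, never for look-alike suffixes."""
    q = refang(query)
    return q == bad or q.endswith("." + bad)

def triage(log_lines):
    """Return {host: {"c2_dns": count, "note_dirs": set}} for hosts with a hit."""
    bad = refang(C2_DOMAIN)
    hits = defaultdict(lambda: {"c2_dns": 0, "note_dirs": set()})
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        host, kind = ev.get("host"), ev.get("type")
        value = str(ev.get("value") or "")
        if kind == "dns" and domain_matches(value, bad):
            hits[host]["c2_dns"] += 1
        elif kind == "file_create":
            p = PureWindowsPath(value)
            # NTFS names are case-insensitive, so compare lowercased basenames.
            if p.name.lower() == RANSOM_NOTE.lower():
                hits[host]["note_dirs"].add(str(p.parent).lower())
    return dict(hits)

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE = [
    r'{"host": "pc-01", "type": "dns", "value": "SugarPanel.space."}',
    r'{"host": "pc-01", "type": "file_create", "value": "C:\\Users\\ana\\Documents\\BackFiles_encoded01.txt"}',
    r'{"host": "pc-01", "type": "file_create", "value": "C:\\Users\\ana\\Pictures\\backfiles_ENCODED01.TXT"}',
    r'{"host": "pc-02", "type": "dns", "value": "notsugarpanel.space"}',
    r'{"host": "pc-02", "type": "file_create", "value": "C:\\Temp\\notes.txt"}',
    r'{"host": "pc-03", "type": "dns", "value": "cdn.sugarpanel[.]space"}',
    r'{"host": "pc-04", "type": "dns"',
]
```

A host with both a C2 lookup and the note appearing in several directories (pc-01 in the sample) is the strongest signal; a DNS hit alone (pc-03) still warrants a look before encryption starts.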
