Intezer Researchers Link SunCrypt and QNAPCrypt Ransomware

Intezer Lab says the SunCrypt ransomware, which infected several targets last year, may be an updated version of the QNAPCrypt ransomware that targeted Linux file storage systems.

Intezer Lab researcher Joakim Kennedy said in a blog post that while the two ransomware families are operated by different threat actors, there are strong technical similarities in code reuse and techniques. The researcher believes the two ransomware families can be attributed to one author.

QNAPCrypt (aka eCh0raix) was first described in July 2019. The ransomware targeted Network Attached Storage (NAS) devices of two Taiwanese companies, QNAP Systems and Synology. The malware compromised devices by brute-forcing credentials and exploiting known vulnerabilities, with the goal of encrypting the victim’s files. A Russian cybercrime group, “FullOfDeep”, is believed to operate the ransomware.

SunCrypt, which first emerged in October 2019, is a Windows-based ransomware tool written in Go and later ported to C/C++. It has been used to steal victims’ data, encrypt files, and launch distributed denial-of-service (DDoS) attacks.

According to Intezer’s analysis of the SunCrypt Go code, the two ransomware families share similar encryption functions, encrypt similar file types, and use the same methods to generate the encryption password and perform system locale checks.

In addition, both QNAPCrypt and SunCrypt are advertised as ransomware-as-a-service (RaaS) on hacker forums.

Intezer concludes that “the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators… While the technical-based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is clear that both ransomware are operated by different individuals.”

About the author

CIM Team
