Intezer says the SunCrypt ransomware that infected several targets last year may be an updated version of QNAPCrypt, a ransomware family that targeted Linux-based network-attached storage devices.
Intezer researcher Joakim Kennedy said in a blog post that although the two ransomware families are operated by different threat actors, they show strong technical similarities in code reuse and techniques, and he believes the code of both can be attributed to a single author.
QNAPCrypt (also known as eCh0raix) was first described in July 2019. It targeted network-attached storage (NAS) devices made by two Taiwanese companies, QNAP Systems and Synology, gaining access by brute-forcing credentials and exploiting known vulnerabilities and then encrypting the victim's files. A Russian cybercrime group known as "FullOfDeep" is believed to operate it.
SunCrypt, which first emerged in October 2019, is Windows ransomware that was originally written in Go and later ported to C/C++. It has been used to steal victims' data, encrypt their files, and launch distributed denial-of-service (DDoS) attacks.
According to Intezer's analysis of the SunCrypt Go code, the Go version of SunCrypt shares similar encryption functions with QNAPCrypt, encrypts similar file types, and uses the same methods to generate the encryption password and to perform system locale checks (the kind of check that ransomware operated from Russian-speaking countries commonly uses to avoid encrypting machines in that region).
In addition, both QNAPCrypt and SunCrypt have been advertised as ransomware-as-a-service (RaaS) offerings on hacker forums.
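As an added illustration, and not code from Intezer's analysis or from either ransomware family, the following Go program shows what a system-locale check of the kind mentioned above looks like; Go is used because both families were written in it. The deny list, the environment-variable precedence and the Windows LCID table are assumptions chosen for the example: the page does not say which locales either family checks or how it reads them.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Illustrative deny list (assumption: the page only says that both families
// perform "system locale checks"; the locales they actually exclude are not given).
var excludedLanguages = map[string]bool{
	"ru": true, "uk": true, "be": true, "kk": true,
}
var excludedRegions = map[string]bool{
	"RU": true, "UA": true, "BY": true, "KZ": true,
}

// Windows locale identifiers (LCIDs) for the same locales, for a check that
// runs against the value returned by GetUserDefaultUILanguage() on Windows.
var excludedLCIDs = map[uint16]string{
	0x0419: "ru_RU", 0x0422: "uk_UA", 0x0423: "be_BY", 0x043F: "kk_KZ",
}

// ParseLocale splits a POSIX or BCP-47 style locale string ("ru_RU.UTF-8",
// "uk-UA", "be_BY@latin") into a lower-case language and upper-case region.
func ParseLocale(s string) (lang, region string) {
	if i := strings.IndexAny(s, ".@"); i >= 0 {
		s = s[:i] // drop codeset ("UTF-8") and modifier ("@latin")
	}
	parts := strings.SplitN(strings.ReplaceAll(s, "-", "_"), "_", 2)
	lang = strings.ToLower(strings.TrimSpace(parts[0]))
	if len(parts) == 2 {
		region = strings.ToUpper(strings.TrimSpace(parts[1]))
	}
	return lang, region
}

// LocaleFromEnv picks the effective locale with POSIX precedence
// LC_ALL > LC_MESSAGES > LANG, ignoring the neutral "C" and "POSIX" values.
func LocaleFromEnv(env map[string]string) string {
	for _, key := range []string{"LC_ALL", "LC_MESSAGES", "LANG"} {
		v := strings.TrimSpace(env[key])
		if v != "" && v != "C" && v != "POSIX" {
			return v
		}
	}
	return ""
}

// IsExcludedLocale reports whether either the language or the region part of
// the locale is on the deny list. An empty or neutral locale is never excluded,
// so a stripped-down environment does not accidentally spare the machine.
func IsExcludedLocale(locale string) bool {
	lang, region := ParseLocale(locale)
	return excludedLanguages[lang] || excludedRegions[region]
}

// IsExcludedLCID is the Windows-side equivalent, keyed on the LCID value.
func IsExcludedLCID(lcid uint16) bool {
	_, ok := excludedLCIDs[lcid]
	return ok
}

func main() {
	// Read the real process environment so the program can be run as-is.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			env[parts[0]] = parts[1]
		}
	}
	loc := LocaleFromEnv(env)
	fmt.Printf("effective locale %q, excluded=%v\n", loc, IsExcludedLocale(loc))
}
```

For a defender the useful point is that such a check leaves recognizable artifacts in a sample (the locale strings or LCID constants and the corresponding environment or API lookup), which is why analysts treat its exact implementation as both a detection signature and an attribution signal.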
Intezer concludes that "the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators… While the technical-based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is clear that both ransomware are operated by different individuals."