The researchers reported that "Sugar ransomware appears to target individual computers rather than entire enterprises, in contrast to other ransomware operations." Sugar malware was discovered for the first time in November 2021; it is a Delphi malware that reuses code from other ransomware families.
The shared crypter routine suggests that the Sugar ransomware and its crypter were created by the same team; another scenario involves a threat actor offering a crypter to a network of affiliates. The experts also noticed some similarities between the Sugar ransomware and the REvil ransomware, as well as between its decryptor page and the one used by Clop operators.
The crypter is one of the most intriguing components of the new malware family: it uses a modified version of the RC4 algorithm, and the same routine from the crypter is reused inside the malware for string decoding.
Experts discovered additional similarities in the GPLib library, which is used for encryption/decryption operations.
Finally, the researchers concluded: "The malware is written in Delphi, but the interesting part from a RE standpoint was the reuse of the same routine from the crypter as part of the string decoding in the malware, leading us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates."
Indicators of Compromise
bottomcdnfiles.com
cdnmegafiles.com
18.104.22.168
chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion
22.214.171.124
sugarpanel.space
15a7fb45f703d5315320eef132f3151873055161
5816a77bf4f8485bfdab1803d948885f76e0c926fed9da5ac02d94e62af8b145
320eefd378256d6e495cbd2e59b7f205d5101e7f
18cb9b218bd23e936128a37a90f2661f72c820581e4f4303326705b2103714a9
e835de2930bf2708a3a57a99fe775c48f851fa8f
1318aeaea4f2f4299c21699279ca4ea5c8fa7fc38354dd2b80d539f21836df5a
98137dd04e4f350ee6d2f5da613f365b223a4f49
aa41e33d3f184cedaaaabb5e16c251e90a6c4ff721a599642dc5563a57550822
a4854ce87081095ab1f1b26ff16817e446d786af
4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9