New Ransomware group conducting low-profile attacks
Ransomware operations are highly lucrative for cybercriminals. The impact of cyber-attacks has been increasing, which has put law enforcement agencies on high alert, leading to the arrests of Threat Actors (TAs) via their cryptocurrency trails.
The Walmart Security Team has identified a new Ransomware-as-a-Service (RaaS) group, primarily targeting small businesses and individual systems for relatively low ransom amounts. This ransomware is named ‘Sugar’ Ransomware because the affiliate website is sugarpanel.space. The Sugar ransomware appends the extension encoded01 to the end of the encrypted file’s name; hence this ransomware is also often referred to as ‘Encoded01’ ransomware.
Sugar ransomware has not been making news because of its operational tactics. Instead of targeting large organizations and publishing data leaks on dedicated leak websites, Sugar operates quite stealthily and avoids being mentioned in the news.
Cyble Research & Intelligence Labs has analyzed a sample, and our findings have been presented in this blog.
The ransomware binary is a 32-bit console-based executable, as shown in Figure 1.
The ransomware executable imports only one DLL Kernel32.dll and has 8 Import functions, indicating that the ransomware is loading a secondary payload into the system after the initial infection. Figure 2 shows Sugar Ransomware’s imports.
While running from the command line, the ransomware runs in verbose mode and clearly shows the activities that it is performing. The execution of the ransomware is shown below.
The ransomware executable decrypts the Delphi-based final payload and loads it in the device’s memory at the time of execution. Figure 4 shows the Delphi-based payload in the memory.
The payload is a Delphi compiled 32-bit console type executable, as shown in Figure 5.
The Delphi binary imports 10 libraries and 51 APIs. This indicates that the Delphi payload performs the final ransomware activity. Imported libraries are shown in Figure 6.
After initial execution, the ransomware performs certain pre-encryption activities, including getting the operating system version, creating the ransom note, creating the registry keys, etc.
Initially, the ransomware tries to connect to URLs to gain the geolocation of the system using the IP address of the infected system. The URLs contacted by the ransomware are:
- http://www.whatismyip[.]com/ip-address-lookup/
- http://www.ip2location[.]com
- Whatismyipaddress[.]com
- Checkip.dyndns[.]org
- cdn2546713.cdnmegafiles[.]com /data23072021_1[.]dat
The requests created by the ransomware are shown below.
Apart from trying to get the geolocation from the internet, the ransomware attempts to download data23072021_1.dat from the hxxp://cdn2546713.cdnmegafiles[.]com. The purpose of this file is not yet clear as it is not used in any activity by the ransomware. Figure 8 shows the request.
To make reverse engineering of the ransomware difficult, the ransomware creates multiple threads. Figure 9 shows the threads created by the ransomware.
The ransomware calls the following APIs, which retrieve the details of the drive and volume of an infected machine.
- CreateFileW() – get the physical drive details from the infected system
- GetLogicaldriveStringA() – extracts the system volume names from the selected physical drive
- GetVolumeInformationW() – used for getting the individual volume details.
The ransomware creates a mutex with the name 5CC144C38A65833A12F945C66E1428BB to prohibit the execution of multiple ransomware instances, as shown below.
The ransomware has a list of files and folders to exclude from encryption.
- Important folders excluded from the encryption operation are windows, DRIVERS, PerfLogs, temp, and boot.
- File extensions excluded from the encryption are BOOTNXT, bootmgr, pagefile, .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc, .cat and.msi.
The ransomware calls the following APIs to encrypt the files in the system.
- FindFirstFileW()
- FindNextFileW()
- ReadFile()
- WriteFile()
After this, the ransomware adds the extension encoded01 to theencrypted files.A ransom note, namely BackFiles_encoded01.txt, is also dropped in the folder during encryption. Figure 11 shows the encrypted files and ransom note.
Figure 12 shows the ransom note BackFiles_encoded01.txt dropped by the ransomware. The Threat Actor mentions the victim’s ID and Tor link for ransom negotiations in the ransom note.
After following the instructions, we could open the main page of the Sugar ransomware Tor website, as shown in Figure 13.
The Sugar ransomware website has provided an option to decrypt 5 encrypted files and the ransom demand. The ransom demanded by the Threat Actors is extremely low compared to other well-known ransomware gangs. Figure 14 shows the details of the ransom demand page.
The Ransomware gang also provided a chat page for the victims to connect to the Threat Actors, as shown below.
Conclusion
With a surge in law enforcement operations against cybercriminals, Threat Actors are attempting to make their operations more low profile to avoid becoming a priority target of law enforcement agencies. In the near future, cybercriminals could move to this low-profile, low-ransom demand model resulting in an increase in the volume of attacks. One drawback to this approach could be a reduction of sophistication in ransomware.
Our Recommendations
​We have listed essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.​
MITRE ATT&CK® Techniques
| ​Tactic | ​Technique ID | ​Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Défense Evasion | T1112 T1027 T1562.001 | Modify Registry Obfuscated Files or Information Impair Defenses: Disable or Modify Tools |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Impact | T1490 T1489 T1486 | Inhibit System Recovery Service Stop Data Encrypted for Impact |
Indicators Of Compromise (IoCs)
| ​Indicators | ​Indicator type | ​Description |
| 09ad72ac1eedef1ee80aa857e300161bc701a2d06105403fb7f3992cbf37c8b9 | SHA-256 | Ransomware Executable |
| 1d4f0f02e613ccbbc47e32967371aa00f8d3dfcf388c39f0c55a911b8256f654 | SHA-256 | Ransomware Executable |
| 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9 | SHA-256 | Ransomware Executable |
| dc597b3f82053e858c7cb48ae7777616edc78701f02b571a459025304a22c0a4 | SHA-256 | Ransomware Executable |
| 23cd18485e6cc236a17e328ef029c9702e870436999ff7ff5019d6aaf9b09d82 | SHA-256 | Ransomware Executable |
| e72db54eea9cacd5aeb58929c6f0937a3d9fb00e5754c1381b16523c51114cf1 | SHA-256 | Ransomware Executable |
| 0125d8e744bb40ee8bf74beb9c43eb4ffc4e5217cf80a1843f8d19dfb888ad68 | SHA-256 | Ransomware Executable |
| 6f1d31b6739b9eecd2deaca9d433d6eeaeb4231b6cc77cda140d97ad40915082 | SHA-256 | Ransomware Executable |
| b6c27f687fbb1b0e6a45bade47a843e34896934624c3130a63a787b50df149ed | SHA-256 | Ransomware Executable |
| c461aab15e56d817d3e2ec5c791521fdaa66acb4e65ec80dbb0639f2c624232a | SHA-256 | Ransomware Executable |
Yara Rule
rule sugar_ransomware
{
strings:
$s1 = "This program cannot be run in DOS mode." fullword ascii
$s2 = "VirtualAlloc" fullword ascii
$s3 = "VirtualFree" fullword ascii
$s4 = "LoadLibraryA" fullword ascii
$s5 = "lstrcmpA" fullword ascii
$s6 = { 33 8A ?? ?? ?? ?? 89 8A ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 4D ?? 8A 80 ?? ?? ?? ?? 88 01 }
condition:
$s1 and $s2 and $s3 and $s4 and $s5 and $s6
}
