Cyble-Analysis-Sugar-Ransomware-Conducting-Low-Profile-Attacks

Analysis – Sugar Ransomware

New Ransomware group conducting low-profile attacks

Ransomware operations are highly lucrative for cybercriminals. The impact of cyber-attacks has been increasing, which has put law enforcement agencies on high alert, leading to the arrests of Threat Actors (TAs) via their cryptocurrency trails.

The Walmart Security Team has identified a new Ransomware-as-a-Service (RaaS) group, primarily targeting small businesses and individual systems for relatively low ransom amounts. This ransomware is named ‘Sugar’ Ransomware because the affiliate website is sugarpanel.space. The Sugar ransomware appends the extension encoded01 to the end of the encrypted file’s name; hence this ransomware is also often referred to as ‘Encoded01’ ransomware.

Sugar ransomware has not been making news because of its operational tactics. Instead of targeting large organizations and publishing data leaks on dedicated leak websites, Sugar operates quite stealthily and avoids being mentioned in the news.

Cyble Research Labs has analyzed a sample, and our findings have been presented in this blog.

The ransomware binary is a 32-bit console-based executable, as shown in Figure 1.

Figure 1 – Static Details of Sugar Ransomware Executable.

The ransomware executable imports only one DLL Kernel32.dll and has 8 Import functions, indicating that the ransomware is loading a secondary payload into the system after the initial infection. Figure 2 shows Sugar Ransomware’s imports.

Figure 2 – Imports of the Sugar Ransomware Executable.

While running from the command line, the ransomware runs in verbose mode and clearly shows the activities that it is performing. The execution of the ransomware is shown below.

Figure 3 – Command-line Execution of the Sugar Ransomware

The ransomware executable decrypts the Delphi-based final payload and loads it in the device’s memory at the time of execution. Figure 4 shows the Delphi-based payload in the memory.

Figure 4 – Unpacking of Delphi Based Payload in Memory.

The payload is a Delphi compiled 32-bit console type executable, as shown in Figure 5.

Figure 5 – Static Details of Delphi-Based Payload.

The Delphi binary imports 10 libraries and 51 APIs. This indicates that the Delphi payload performs the final ransomware activity. Imported libraries are shown in Figure 6.

Figure 6 – Imports of the Delphi Based Payload.

After initial execution, the ransomware performs certain pre-encryption activities, including getting the operating system version, creating the ransom note, creating the registry keys, etc.

Initially, the ransomware tries to connect to URLs to gain the geolocation of the system using the IP address of the infected system. The URLs contacted by the ransomware are:

The requests created by the ransomware are shown below.

Figure 7 – Ransomware’s Network Communication.

Apart from trying to get the geolocation from the internet, the ransomware attempts to download data23072021_1.dat from the hxxp://cdn2546713.cdnmegafiles[.]com. The purpose of this file is not yet clear as it is not used in any activity by the ransomware. Figure 8 shows the request.

Figure 8 – Ransomware Downloading the .dat File.

To make reverse engineering of the ransomware difficult, the ransomware creates multiple threads. Figure 9 shows the threads created by the ransomware.

Figure 9 – Multiple Threads Created by the Ransomware.

The ransomware calls the following APIs, which retrieve the details of the drive and volume of an infected machine.

  • CreateFileW() – get the physical drive details from the infected system
  • GetLogicaldriveStringA() – extracts the system volume names from the selected physical drive
  • GetVolumeInformationW() – used for getting the individual volume details.

The ransomware creates a mutex with the name 5CC144C38A65833A12F945C66E1428BB to prohibit the execution of multiple ransomware instances, as shown below.

Figure 10 – Sugar Ransomware Creating Mutex.

The ransomware has a list of files and folders to exclude from encryption.

  • Important folders excluded from the encryption operation are windows, DRIVERS, PerfLogs, temp, and boot.
  • File extensions excluded from the encryption are BOOTNXT, bootmgr, pagefile, .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc, .cat and.msi.

The ransomware calls the following APIs to encrypt the files in the system.

  • FindFirstFileW()
  • FindNextFileW()
  • ReadFile()
  • WriteFile()

After this, the ransomware adds the extension encoded01 to theencrypted files.A ransom note, namely BackFiles_encoded01.txt, is also dropped in the folder during encryption. Figure 11 shows the encrypted files and ransom note.

Figure 11 – Encrypted Files and Dropped Ransom Note.

Figure 12 shows the ransom note BackFiles_encoded01.txt dropped by the ransomware. The Threat Actor mentions the victim’s ID and Tor link for ransom negotiations in the ransom note.

Figure 12 – Ransom note dropped by the Sugar Ransomware.

After following the instructions, we could open the main page of the Sugar ransomware Tor website, as shown in Figure 13.

Figure 13 – Sugar Ransomware Tor Website.

The Sugar ransomware website has provided an option to decrypt 5 encrypted files and the ransom demand. The ransom demanded by the Threat Actors is extremely low compared to other well-known ransomware gangs. Figure 14 shows the details of the ransom demand page.

Figure 14 – Sample File Decryption and Ransom Demand Page.

The Ransomware gang also provided a chat page for the victims to connect to the Threat Actors, as shown below.

Figure 15 – Sugar Ransomware Chat Support.

Conclusion

With a surge in law enforcement operations against cybercriminals, Threat Actors are attempting to make their operations more low profile to avoid becoming a priority target of law enforcement agencies. In the near future, cybercriminals could move to this low-profile, low-ransom demand model resulting in an increase in the volume of attacks. One drawback to this approach could be a reduction of sophistication in ransomware.

Our Recommendations 

​We have listed essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

MITRE ATT&CK® Techniques 

​Tactic ​Technique ID ​Technique Name 
ExecutionT1059Command and Scripting Interpreter
Défense EvasionT1112
T1027
T1562.001
Modify Registry
Obfuscated Files or Information
Impair Defenses: Disable or Modify Tools
DiscoveryT1082
T1083
System Information Discovery
File and Directory Discovery
ImpactT1490
T1489
T1486
Inhibit System Recovery 
Service Stop
Data Encrypted for Impact

Indicators Of Compromise (IoCs)

​Indicators​Indicator type ​Description 
09ad72ac1eedef1ee80aa857e300161bc701a2d06105403fb7f3992cbf37c8b9SHA-256Ransomware Executable
1d4f0f02e613ccbbc47e32967371aa00f8d3dfcf388c39f0c55a911b8256f654SHA-256Ransomware Executable
315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9SHA-256Ransomware Executable
dc597b3f82053e858c7cb48ae7777616edc78701f02b571a459025304a22c0a4SHA-256Ransomware Executable
23cd18485e6cc236a17e328ef029c9702e870436999ff7ff5019d6aaf9b09d82SHA-256Ransomware Executable
e72db54eea9cacd5aeb58929c6f0937a3d9fb00e5754c1381b16523c51114cf1SHA-256Ransomware Executable
0125d8e744bb40ee8bf74beb9c43eb4ffc4e5217cf80a1843f8d19dfb888ad68SHA-256Ransomware Executable
6f1d31b6739b9eecd2deaca9d433d6eeaeb4231b6cc77cda140d97ad40915082SHA-256Ransomware Executable
b6c27f687fbb1b0e6a45bade47a843e34896934624c3130a63a787b50df149edSHA-256Ransomware Executable
c461aab15e56d817d3e2ec5c791521fdaa66acb4e65ec80dbb0639f2c624232aSHA-256Ransomware Executable

 Yara Rule

rule sugar_ransomware
{
	strings:
		$s1 = "This program cannot be run in DOS mode." fullword ascii
		$s2 = "VirtualAlloc" fullword ascii
		$s3 = "VirtualFree" fullword ascii
		$s4 = "LoadLibraryA" fullword ascii
		$s5 = "lstrcmpA" fullword ascii
		$s6 = { 33 8A ?? ?? ?? ?? 89 8A ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 4D ?? 8A 80 ?? ?? ?? ?? 88 01 }  
		
		
	condition:
		$s1 and $s2 and $s3 and $s4 and $s5 and $s6
}




Scroll to Top