SunCrypt Ransomware Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on SunCrypt ransomware, new member of the Maze ransomware cartel, adopts attack techniques from Maze.
Updated on
April 19, 2023
Published on
October 7, 2020
Subscribe to the latest industry news, threats and resources.
SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script (Fig. 1) which is similar to Netwalker. [caption id="attachment_8278" align="aligncenter" width="624"]Fig. 1: Obfuscated PowerShell script Fig. 1: Obfuscated PowerShell script[/caption] Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware. Once SunCrypt is installed, it connects to the IP address and transmits information about the attack and the victim. This ransomware prevents victims from accessing files by encrypting them with the ChaCha20 cryptographic algorithm.  It renames all encrypted files and creates a ransom note (Fig. 2). It also renames encrypted files by appending a string of random characters as a new extension. For example, SunCrypt would rename a file named "1.jpg" to “1.jpg.F3F2420C68439B451670486B17EF6D1B0188A -7982E7A9DBD9327E7F967C15767."  Once the infection is complete, all files on the device will be encrypted and the operators of SunCrypt demand a ransom for the decryptor. Additional password-stealing trojans and malware infections are also installed together with the ransomware, at times, to log the user’s activities. [caption id="attachment_8279" align="aligncenter" width="599"]Fig. 2: SunCrypt ransom note Fig. 2: SunCrypt ransom note[/caption]

Indicators of Compromise

    • ebwexiymbsib4rmw.onion
    • nbzzb6sa6xuura2z.onion
    • SHA256: E3DEA10844AEBC7D60AE330F2730B7ED9D18B5EEC02EF9FD4A394660E82E2219
  • PowerShell loader
    • MD5: d87fcd8d2bf450b0056a151e9a116f72
    • SHA1: 48cb6bdbe092e5a90c778114b2dda43ce3221c9f
    • SHA256: 3090BFF3D16B0B150444C3BFB196229BA0AB0B6B826FA306803DE0192BEDDB80


  • Major outcome of the ransomware attack is unavailability of the data due to encryption.
  • The ransom demanded is oftentimes hefty. The operators base their demands on the value of the target organisation.
  • Client lawsuits and compliance fines lead to loss of reputation and goodwill of the company.
  • Service downtime will affect the company financially and downgrade relationships with the clients.


  1. Do not open suspicious and irrelevant emails, especially those received from unknown/ suspect senders.
  2. Block the installation of programs from unknown sources.
  3. Download from relevant and trusted sources.
  4. Do a regular backup of your data.
  5. Use a trusted scanner to detect the malware.
  6. Disable Windows PowerShell, which is a task automation framework.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations