Hsinchu, Taiwan – Mar 15, 2022 – Walmart Security Team discovered the Sugar ransomware first. It is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but did not obtained enough notices at that time. Recently, Sugar ransomware infected the devices of many individuals and people should watch out this Ransomware-as-a-Service (RaaS) operation.
Walmart Security Team found the string “sugarpanel.space” while analyzing this ransomware. Thus it is named as “Sugar”. Its ransomware note has some similarities to the note of REvil gang’s ransomware but still some differences and misspellings. Although the Russian government has successfully seized the suspects behind the notorious REvil ransomware gang on Friday, January 14, 2022.
Unlike other ransomware which is targeting big enterprise and big money, Sugar ransomware seems target consumers and small business. The Sugar ransomware gang demanded low ransom like 0.00009921 bitcoins only, worth $4.01. Their stategy is collecting small profits on a great quantity of victims.
The Sugar Ransomware
The behaviors of the Sugar ransomware after launched are summarized as follows:
- Connecting to “whatismyipaddress.com” and “ip2location.com” to get the device’s IP address and geographic location.
- Downloading the 76MB file from “http:// cdn2546713. cdnmegafiles. com/ data23072021_1. dat” (blank characters should be removed). But it is unclear how this file is used.
- Connecting to the ransomware operation’s C&C(command and control) server at ip address 179.43.160.195. The C&C server may send commands to the Sugar ransomware.
- The Sugar ransomware will keep calling back to the C&C(command and control) server. Its purpose is probably for sending back status or updating.
If the extortion command is received by a Sugar ransomware, it will begin encrypting every file by using SCOP encryption algorithm except system files. The encrypted files will have the .encoded01 extension appended to file names. Encrypting system files will cause PC to stop working. So Sugar ransomware skipped the following files and folders.
Excluded folders | Excluded files |
---|---|
\windows\ | BOOTNXT |
\DRIVERS\ | bootmgr |
\PerfLogs\ | pagefile |
\temp\ | .exe |
\boot\ | .dll |
.sys | |
.lnk | |
.bat | |
.cmd | |
.ttf | |
.manifest | |
.ttc | |
.cat | |
.msi; |
Lionic collects ransomware speedily
Lionic has many sources to collect malware. One of the important sources is the VirusTotal, a Google company, which provides a file scanning service. Users can upload a suspicious file, and then the suspicious file will be scanned by more than 50 anti-virus scanners simultaneously contributed by various partners. Lionic, one of the VirusTotal partners, has contributed one anti-virus scanner and thus have the permission to download malware samples for research purpose. These malware includes ransomware, of course.
By the accumulation of all the malware sources, Lionic can collect popular malware in a very fast way. So far, Lionic has collected several millions of ransomware.
Detecting all the several millions of ransomware can be done via the Lionic Anti-virus Cloud Service. All Lionic security technology based products can protect against most ransomware if its Lionic Anti-virus Cloud feature is enabled. Lionic Pico-UTM can block these several millions of ransomware by the Lionic Anti-virus Cloud feature, too.
Lionic has collected more than 200 Sugar ransomware instances so far. The following is the partial list of Sugar ransomware anti-virus rules -
Rule ID | Virus Name | Release Date |
---|---|---|
9261819656154343 | Trojan.Win32.Sugar.j | 2022-02-22 |
9100012559320494 | Trojan.Win32.Sugar.j | 2022-02-20 |
9017034856674003 | Trojan.Win32.Sugar.j | 2022-02-17 |
9035751899568459 | Trojan.Win32.Sugar.j | 2022-02-08 |
9028377049058028 | Trojan.Win32.Sugar.j | 2021-12-02 |
… | … | … |
Conclusion
Not surprisingly, Pico-UTM can block Sugar ransomware since Lionic is good at collecting malware and extracting them as anti-virus rules. This time, the targets of Sugar ransomware are consumers and small business. Although the ransom is low, it still brings many inconveniences if your devices are infected and did not back up previously. We recommend all people to adopt the Pico-UTM for protection. It is because the latest Lionic security technologies including signature database stuffed into the Pico-UTM. All known malware, cyber-intrusion and malicious web will be detected and blocked. Also, Pico-UTM has friendly user interface and is easy to use. Everyone can use Pico-UTM to defend against malicious content including ransomware easily.
References:
- “Sugar Ransomware, a new RaaS”, https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
- “A look at the new Sugar ransomware demanding low ransoms”, https://www.bleepingcomputer.com/news/security/a-look-at-the-new-sugar-ransomware-demanding-low-ransoms/
- “Walmart Dissects New ‘Sugar’ Ransomware”, https://www.securityweek.com/walmart-dissects-new-sugar-ransomware
- “Russia: FSB Arrests 14 Suspected REvil Ransomware Gang Members in Recent Raid”, https://www.techtimes.com/articles/270549/20220114/russia-fsb-arrests-14-suspected-revil-ransomware-gang-members-recent.htm
- “[Long] Description of the SCOP stream cipher”, https://groups.google.com/g/sci.crypt.research/c/ZD82NIacVmU/m/WDYm8_xmzTQJ
關於Lionic Corporation
Lionic Corporation是創新的「深層數據包檢測」解決方案的全球供應商。 Lionic的技術包括完整的基於DPI的軟件引擎和相關的管理軟件,這些軟件提供可解決防病毒,防入侵,防網絡威脅的「安全解決方案」。 以及「內容管理解決方案」,用於解決應用程序標識,設備標識,基於應用程序的QoS,Web內容過濾,家長控制。
Lionic的安全和內容管理解決方案,基於雲的掃描服務和簽名訂閱服務已經在世界範圍內廣泛部署, 他們幫助服務供應商,網絡設備製造商,半導體公司等,以實現下一代家用商業路由器網關,SD WAN邊緣和雲網關,高級防火牆,UTM,智慧網卡和移動設備。 那些由Lionic支持的產品可提供更好的網絡管理和保護全球網絡免受不斷增加的安全威脅。