Ransomware operations have increased steadily over the past few years as more enterprises go digital. Oftentimes, the attackers demand millions of dollars in ransom from their victims. However, that is not the case for all cyberattacks.

Recently, Walmart researchers discovered a new form of ransomware that appears to stand apart from the others. Apparently, the Sugar ransomware does not focus on attacking huge corporations. Instead, it only compromises the systems of small businesses and consumers.

How Sugar Ransomware Operates


According to Cyclonis, the new ransomware operates as a ransomware-as-a-service, which means that anyone can partner with the file-locking gang and share in the profits from using it.

The Walmart Security Team first encountered this threat in November 2021. Since then, it has affected many individual devices, mostly belonging to small networks and private individuals.

Upon launch, Sugar ransomware first connects to whatismyipaddress.com. It then obtains the infected device's IP address and location through ip2location.com.

After retrieving the IP address the attackers need, the ransomware proceeds to download a file from https://cdn2546713.cdnmegafiles[.]com/data23072021_1.dat; the file is 76 MB in size.

As of press time, there is no clear explanation of the purpose of this file.

To set up the attack, the ransomware then connects to its command and control server at 179.43.160.195. The operation begins once data has been transmitted to and received by the server.

Once the ransomware has finished executing, it calls back to the command and control server, in effect giving the attackers a status update on the current stage of the scheme.
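The network sequence just described (IP-lookup services, the cdnmegafiles download, then the 179.43.160.195 callback) is what a defender can correlate in proxy logs. The following Python is an added example, not code from the article or from the Walmart research; the log format, host names and byte counts are constructed assumptions.

```python
import re

# Indicators taken from the article, in the order the infection chain contacts them.
# The cdnmegafiles host is written de-fanged ([.]) in the article; it is re-fanged here for matching.
STAGES = [
    ("ip_lookup", re.compile(r"(?:^|\.)(whatismyipaddress|ip2location)\.com$")),
    ("payload_download", re.compile(r"^cdn2546713\.cdnmegafiles\.com$")),
    ("c2_callback", re.compile(r"^179\.43\.160\.195$")),
]
STAGE_ORDER = {name: i for i, (name, _) in enumerate(STAGES)}

# Constructed proxy log: "<timestamp> <source host> <destination> <bytes>" (not real traffic).
SAMPLE_LOG = """\
2021-11-03T10:01:02Z ws-17 whatismyipaddress.com 512
2021-11-03T10:01:03Z ws-17 ip2location.com 640
2021-11-03T10:01:09Z ws-17 cdn2546713.cdnmegafiles.com 79691776
2021-11-03T10:02:30Z ws-17 179.43.160.195 1024
2021-11-03T10:05:00Z ws-22 whatismyipaddress.com 512
2021-11-03T10:06:00Z ws-22 example.com 2048
2021-11-03T10:07:00Z ws-31 179.43.160.195 300
"""

def classify(dest):
    """Return the stage name a destination matches, or None for ordinary traffic."""
    for name, pattern in STAGES:
        if pattern.search(dest):
            return name
    return None

def stages_per_host(log_text):
    """Map each source host to the distinct stages it touched, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        host, dest = parts[1], parts[2]
        stage = classify(dest)
        if stage and stage not in seen.setdefault(host, []):
            seen[host].append(stage)
    return seen

def flagged_hosts(log_text):
    """Hosts that contacted the C2 address directly, or walked at least two stages in chain order.
    A lone IP-lookup visit is not flagged: those services have plenty of benign users."""
    flagged = []
    for host, stages in stages_per_host(log_text).items():
        in_order = all(STAGE_ORDER[a] < STAGE_ORDER[b] for a, b in zip(stages, stages[1:]))
        if "c2_callback" in stages or (len(stages) >= 2 and in_order):
            flagged.append(host)
    return flagged
```

Run against the constructed log, ws-17 is flagged for completing the chain and ws-31 for the direct callback, while ws-22's single IP-lookup visit is left alone.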

When it comes to encryption, Bleeping Computer reported that the Sugar ransomware encrypts all files except those in the following folders and those with the following file formats.

Excluded folders

  • \windows\
  • \DRIVERS\
  • \PerfLogs\
  • \temp\
  • \boot\

Meanwhile, the excluded files include BOOTNXT, bootmgr, pagefile, .exe, .dll, .sys, .lnk, .bat, .cmd, .ttf, .manifest, .ttc, .cat, and .msi.


Sugar Ransomware Relies on Low Ransom Demand

Bleeping Computer detailed that the file encryption relies on the SCOP encryption algorithm. Encrypted files receive the extension ".encode01".

The ransomware then drops ransom notes in a particular folder. These notes reportedly contain the information the victim needs to pay the ransom.

Along with the files, the victim is given an ID and a Tor link directing them to chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion. There, the targeted individual sees a page with a chat section through which they can send the corresponding ransom.

The operation involves low-cost ransoms that could reach up to $4.01, or 0.00009921 bitcoin. At the moment, cybersecurity experts have not yet found a way to decrypt the infected files.

Meanwhile, Tech Times reported that the TrickBot malware has returned with extra protections that make it harder to control. The notorious banking trojan can now ignore real-time web injections.

Elsewhere, another trojan dubbed "BazarBackdoor" used CSV text files to infect systems, researchers said in describing a new phishing strategy.


This article is owned by Tech Times

Written by Joseph Henry 

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.