"While the two ransomware [families] are operated by distinct different threat actors on the dark web, there are strong technical connections in code reuse and techniques, linking the two ransomware to the same author," Intezer Lab researcher Joakim Kennedy said in a malware analysis published today revealing the attackers' tactics on the dark web.
First identified in July 2019, QNAPCrypt (or eCh0raix) is a ransomware family that was found to target Network Attached Storage (NAS) devices from Taiwanese companies QNAP Systems and Synology. The devices were compromised by brute-forcing weak credentials and exploiting known vulnerabilities with the goal of encrypting files found in the system.
The ransomware has since been tracked to a Russian cybercrime group referred to as "FullOfDeep," with Intezer shutting down as many as 15 ransomware campaigns using the QNAPCrypt variant with denial of service attacks targeting a list of static bitcoin wallets that were created for the express intent of accepting ransom payments from victims, and prevent future infections.
SunCrypt, on the other hand, emerged as a Windows-based ransomware tool written originally in Go in October 2019, before it was ported to a C/C++ version in mid-2020. Besides stealing victims' data prior to encrypting the files and threatening with public disclosure, the group has leveraged distributed denial-of-service (DDoS) attacks as a secondary extortion tactic to pressure victims into paying the demanded ransom.
Most recently, the ransomware was deployed to target a New South Wales-based medical diagnostics company called PRP Diagnostic Imaging on December 29, which involved the theft of "a small volume of patient records" from two of its administrative file servers.
Although the two ransomware families have directed their attacks against different operating systems, reports of SunCrypt's connections to other ransomware groups have been previously speculated.
Indeed, blockchain analysis company Chainalysis earlier last month quoted a "privately circulated report" from threat intelligence firm Intel 471 that claimed representatives from SunCrypt described their strain as a "rewritten and rebranded version of a 'well-known' ransomware strain."
Now according to Intezer's analysis of the SunCrypt Go binaries, not only does the ransomware share similar encryption functions with QNAPCrypt, but also in the file types encrypted and the methods used to generate the encryption password as well as perform system locale checks to determine if the machine in question is located in a disallowed country.
Also of note is the fact that both QNAPCrypt and SunCrypt make use of the ransomware-as-a-service (RaaS) model to advertise their tools on underground forums, wherein affiliates carry out the ransomware attacks themselves and pay a percentage of each victim's payment back to the strain's creators and administrators.
Taking into account the overlaps and the behavioral differences between the two groups, Intezer suspects that "the eCh0raix ransomware was transferred to and upgraded by the SunCrypt operators."
"While the technical based evidence strongly provides a link between QNAPCrypt and the earlier version of SunCrypt, it is clear that both ransomware are operated by different individuals," the researchers concluded.
"Based on the available data, it is not possible to connect the activity between the two actors on the forum. This suggests that when new malware services derived from older services appear, they may not always be operated by the same people."