Ransomware puzzle: These two pieces of malware look very different, but they evolved from the same root

QNAPCrypt targets Linux, SunCrypt targets Windows and the two have different methods of distribution and tactics - but researchers say they started life as the same thing, and there are lessons to be learned from this.
Written by Danny Palmer, Senior Writer

Two very different forms of ransomware, using different methods and targeting two different operating systems, likely started off as one kind of ransomware before those working on it split apart. The finding demonstrates how ransomware is constantly evolving and how new threats continue to pose a risk to potential victims.

Cybersecurity researchers at Intezer analysed two forms of ransomware -- QNAPCrypt and SunCrypt -- and have concluded that one evolved from the other.

QNAPCrypt first emerged in mid-2019 and targets network-attached storage devices running on Linux. Meanwhile, SunCrypt ransomware first appeared in October 2019 and targets Windows systems, but it didn't really gain notoriety until attacks increased in the middle of 2020, following an update.


At first glance, QNAPCrypt and SunCrypt appear unrelated -- they're two different forms of ransomware, distributed by two different groups, and they target two different operating systems.

The two ransomware-as-a-service operations are also run in different ways, with the distributor behind QNAPCrypt rarely posting about their ransomware on underground forums.

Meanwhile, the operator behind SunCrypt appears to be purely focused on advertising their product, repeatedly posting messages to recruit affiliates in order to make as much money from receiving percentages of ransom payments as possible. The operators of SunCrypt also favour the double extortion technique, threatening to leak stolen data of victims that don't pay ransom demands -- as well as targeting hospitals.

But while it's clear that the two campaigns are very different and operated by different individuals, analysis of both forms of ransomware reveals that QNAPCrypt and the early version of SunCrypt share identical code logic for file encryption, leading researchers to conclude with "high certainty" that both forms of ransomware were compiled from the same source code.

Researchers also identified similarities in key generation and how the code is written and deployed for checking the geographic location of the infected victim. Both QNAPCrypt and SunCrypt will cease encryption operations if running on a Belarusian, Russian or Ukrainian machine -- while SunCrypt also adds Kyrgyzstan and Syria to the list.
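The conclusion that two samples were "compiled from the same source code" rests on comparing code structure rather than raw bytes, since addresses, immediates and stack offsets change between builds. The following added example is not Intezer's tooling or any code from the malware; it illustrates the general idea with a simple normalised instruction n-gram comparison over three constructed toy disassembly listings (two that differ only in addresses and offsets, one that is unrelated). Everything in it, including the listings and the function names, is an assumption made for illustration.

```python
import re
from collections import Counter

# Constructed toy disassembly listings (not taken from any real sample).
# SAMPLE_A and SAMPLE_B have the same logic but differ in addresses and
# stack offsets, as two builds of one source file would.  SAMPLE_C is unrelated.
SAMPLE_A = """
push rbp
mov rbp, rsp
mov rax, [rbp-0x8]
xor rax, 0x1234
call 0x401000
test eax, eax
jz 0x401234
mov [rbp-0x10], rax
pop rbp
ret
"""

SAMPLE_B = """
push rbp
mov rbp, rsp
mov rax, [rbp-0x18]
xor rax, 0x5678
call 0x402000
test eax, eax
jz 0x402abc
mov [rbp-0x20], rax
pop rbp
ret
"""

SAMPLE_C = """
push rbp
sub rsp, 0x40
lea rdi, [rip+0x200]
call 0x403000
mov rsi, rax
add rsp, 0x40
pop rbp
ret
"""

IMMEDIATE = re.compile(r"0x[0-9a-fA-F]+|\d+")


def normalize(listing):
    """Reduce each instruction to its mnemonic plus operand classes.

    Memory operands become 'mem' and numeric immediates become 'imm', so
    build-specific addresses and offsets do not count as differences.
    Register names are kept because they reflect the compiled logic.
    """
    tokens = []
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        mnemonic, _, rest = line.partition(" ")
        operands = []
        for op in rest.split(","):
            op = op.strip()
            if not op:
                continue
            if op.startswith("["):
                operands.append("mem")
            elif IMMEDIATE.fullmatch(op):
                operands.append("imm")
            else:
                operands.append(op)
        tokens.append(mnemonic + "(" + ",".join(operands) + ")")
    return tokens


def ngrams(tokens, n=3):
    """Multiset of overlapping n-grams of normalised instructions."""
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


def jaccard(a, b):
    """Weighted Jaccard similarity of two multisets: 1.0 means identical shape."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


def similarity(listing_a, listing_b, n=3):
    """Structural similarity of two functions after normalisation."""
    return jaccard(ngrams(normalize(listing_a), n), ngrams(normalize(listing_b), n))


if __name__ == "__main__":
    print("A vs B:", similarity(SAMPLE_A, SAMPLE_B))  # same logic, different build
    print("A vs C:", similarity(SAMPLE_A, SAMPLE_C))  # unrelated routine
```

A high score on a handful of shared, generic prologue instructions proves little; what supports a "same source" claim is high similarity across large, distinctive routines such as the file-encryption and key-generation logic described above, repeated over many functions in both samples.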

SunCrypt has evolved since being released and is more distinct now, but the analysis of the older code makes it clear that the two forms of ransomware started life as one and the same thing -- although how this ended up as two distinct variants and two different campaigns remains a mystery.

"They may have collaborated with the initial version of SunCrypt and the collaboration fell apart and they went their separate ways. Another theory is that the QNAPCrypt actor was hired to create the initial ransomware to launch the first version of the service," Joakim Kennedy, security researcher at Intezer, told ZDNet.


What the discovery that the two forms of ransomware are related does teach us, however, is that ransomware is constantly evolving, and that just because one family is related to another, the two don't necessarily act in the same way -- and the differences could make one family more dangerous than the other.

"If a malware is exchanged, whether to an affiliate or over the dark web, then the new operators may choose different procedures, attack vectors, and targets. They might invest considerably in the new malware, adding features and evasion techniques," said Kennedy.

Both QNAPCrypt and SunCrypt remain active in 2021, with QNAPCrypt in particular targeting systems that haven't had security patches applied and that are secured with weak passwords. Applying the appropriate security patches and enforcing strong passwords -- and multi-factor authentication -- can go a long way towards protecting against falling victim to ransomware attacks.
