Skip to content
Ransomware group

SUNCRYPT

SunCrypt is a ransomware family active since at least the end of 2019.

Profile source: Mallory opens in a new tab

SUNCRYPT

Family profile

SunCrypt is a ransomware family active since at least the end of 2019. It operated a data leak site launched in August 2020 and is associated with double-extortion activity, with reporting also describing its use in triple extortion. In October 2020, SunCrypt operators or an affiliate used distributed denial-of-service (DDoS) attacks against a victim when ransom negotiations stalled, using the disruption to pressure payment. SunCrypt has been referenced alongside other major ransomware strains in affiliate ecosystems, including reporting that a Conti affiliate later worked with SunCrypt, Monti, and LockBit strains. Mandiant observed the PowerShell dropper WARPRISM delivering SUNCRYPT, Cobalt Strike BEACON, and MIMIKATZ, with payloads loaded directly into memory to evade endpoint detection; Mandiant also noted WARPRISM may be used by multiple groups. SunCrypt appeared among notable ransomware variants in Q3 2021 with 2.5% market share. High-confidence details in the provided content identify SunCrypt primarily as a ransomware operation known for data-leak extortion and for using DDoS as an additional coercive tactic.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

SUNCRYPT in ATT&CK

2 distinct techniques

Reporting

Research mentioning SUNCRYPT

Mar 25
Mandiant Threat Intelligence

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant | Google Cloud Blog

WARPRISM is a PowerShell dropper that has been observed by Mandiant delivering SUNCRYPT...

Feb 21
Medium S Lontzetidis

Understanding the Ransomware Ecosystem | by Efstratios Lontzetidis | Medium

In October 2020, a SunCrypt ransomware affiliate bombarded a victim with distributed denial-of-service (DDoS) attacks when payment negotiations stalled.

Jan 19
Chainalysis

Ransomware Revenue Down As More Victims Refuse to Pay - Chainalysis

...a Conti affiliate who began working with the Suncrypt, Monti, and Lockbit strains.

Jan 16
Analyst1

Ransomware Diaries: Volume 1 | Analyst1

You see, SunCrypt, another ransomware gang, used the DDoS tactic as a form of extortion back in 2020...

Jan 31
Dark Reading

Aggressive BlackCat Ransomware on the Rise

...triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past.

Jan 28
Zdnet Zero Day

BlackCat ransomware targeting US, European retail, construction and transportation orgs | ZDNET

"...triple extortion, a tactic that was observed being used by groups like Avaddon and Suncrypt in the past"

Oct 21
Coveware

Ransomware attackers down shift to 'Mid-Game' hunting in Q3 2021

Suncrypt was new in the top variants in Q3 2021, with 2.5% market share.

Apr 29
Fireeye

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

WARPRISM is a PowerShell dropper that has been observed by Mandiant delivering SUNCRYPT, BEACON, and MIMIKATZ.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.