Hsinchu, Taiwan – Mar 15, 2022 – Walmart Security Team discovered the Sugar ransomware first. It is a new Ransomware-as-a-Service (RaaS) operation that launched in November 2021 but did not obtained enough notices at that time. Recently, Sugar ransomware infected the devices of many individuals and people should watch out this Ransomware-as-a-Service (RaaS) operation.

Walmart Security Team found the string “sugarpanel.space” while analyzing this ransomware. Thus it is named as “Sugar”. Its ransomware note has some similarities to the note of REvil gang’s ransomware but still some differences and misspellings. Although the Russian government has successfully seized the suspects behind the notorious REvil ransomware gang on Friday, January 14, 2022.

Unlike other ransomware which is targeting big enterprise and big money, Sugar ransomware seems target consumers and small business. The Sugar ransomware gang demanded low ransom like 0.00009921 bitcoins only, worth $4.01. Their stategy is collecting small profits on a great quantity of victims.

The Sugar Ransomware

The behaviors of the Sugar ransomware after launched are summarized as follows:

1. Connecting to “whatismyipaddress.com” and “ip2location.com” to get the device’s IP address and geographic location.
2. Downloading the 76MB file from “http:// cdn2546713. cdnmegafiles. com/ data23072021_1. dat” (blank characters should be removed). But it is unclear how this file is used.
3. Connecting to the ransomware operation’s C&C(command and control) server at ip address 179.43.160.195. The C&C server may send commands to the Sugar ransomware.
4. The Sugar ransomware will keep calling back to the C&C(command and control) server. Its purpose is probably for sending back status or updating.

If the extortion command is received by a Sugar ransomware, it will begin encrypting every file by using SCOP encryption algorithm except system files. The encrypted files will have the .encoded01 extension appended to file names. Encrypting system files will cause PC to stop working. So Sugar ransomware skipped the following files and folders.

Lionic collects ransomware speedily

Lionic has many sources to collect malware. One of the important sources is the VirusTotal, a Google company, which provides a file scanning service. Users can upload a suspicious file, and then the suspicious file will be scanned by more than 50 anti-virus scanners simultaneously contributed by various partners. Lionic, one of the VirusTotal partners, has contributed one anti-virus scanner and thus have the permission to download malware samples for research purpose. These malware includes ransomware, of course.

By the accumulation of all the malware sources, Lionic can collect popular malware in a very fast way. So far, Lionic has collected several millions of ransomware.

Detecting all the several millions of ransomware can be done via the Lionic Anti-virus Cloud Service. All Lionic security technology based products can protect against most ransomware if its Lionic Anti-virus Cloud feature is enabled. Lionic Pico-UTM can block these several millions of ransomware by the Lionic Anti-virus Cloud feature, too.

Lionic has collected more than 200 Sugar ransomware instances so far. The following is the partial list of Sugar ransomware anti-virus rules -

Conclusion

Not surprisingly, Pico-UTM can block Sugar ransomware since Lionic is good at collecting malware and extracting them as anti-virus rules. This time, the targets of Sugar ransomware are consumers and small business. Although the ransom is low, it still brings many inconveniences if your devices are infected and did not back up previously. We recommend all people to adopt the Pico-UTM for protection. It is because the latest Lionic security technologies including signature database stuffed into the Pico-UTM. All known malware, cyber-intrusion and malicious web will be detected and blocked. Also, Pico-UTM has friendly user interface and is easy to use. Everyone can use Pico-UTM to defend against malicious content including ransomware easily.

References:

1. “Sugar Ransomware, a new RaaS”, https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
2. “A look at the new Sugar ransomware demanding low ransoms”, https://www.bleepingcomputer.com/news/security/a-look-at-the-new-sugar-ransomware-demanding-low-ransoms/
3. “Walmart Dissects New ‘Sugar’ Ransomware”, https://www.securityweek.com/walmart-dissects-new-sugar-ransomware
4. “Russia: FSB Arrests 14 Suspected REvil Ransomware Gang Members in Recent Raid”, https://www.techtimes.com/articles/270549/20220114/russia-fsb-arrests-14-suspected-revil-ransomware-gang-members-recent.htm
5. “[Long] Description of the SCOP stream cipher”, https://groups.google.com/g/sci.crypt.research/c/ZD82NIacVmU/m/WDYm8_xmzTQJ