Rewterz Threat Alert – Sugar Ransomware – Active IOCs

Severity

High

Analysis Summary

The crypter being used reuses the code from the ransomware itself. According to the security Researchers, the crypter is a modified form of RC4 encryption and written in Delphi. 

Ransom Note:

—=== Welcome. Again. ===—

[-] Whats HapPen? [-]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension csruj.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: 
b) Open our website: 

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: 

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:



—————————————————————————————–

!!! DANGER !!!
DON’T try to change files by yourself, DON’T use any third party software for restoring your data or antivirus solutions – its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

Researchers believe that the ransomware is linked to REvil Ransomware group. 

The interface is similar to the Cl0p ransomware. 

Impact

• Data Theft
• File Encryption
• Financial Loss
• Security Bypass

Indicators of Compromise

MD5

• b4a21f70b96a9ad103ba88891565d52b
• 74f9814d4b11432a3e133742f2466b5d
• f439ece4d70bd8bc6db13b78bfb32f16

SHA-256

• 13fcf77f769deddae2821881f102b9d38095e3f1a3e24ef9b4f325c4d9403f4f
• 14b981fd366958d50d0ea8bf8ed398354d3ed4ae7bc41ce2f2a6a943ecbf0c66
• 1761e180a8ca1bba2ca0ba449faf376d1fcb377cb055fe04af9de6470e1ada9b

SHA-1

• acf4c93a624faba5eb1fe9c7182c14c72c9078b5
• c531e5b9f26c7ea162441df517c5b1f928b39402
• 6eb6c32327adf9a28a6ee908a052f0c2ed0773d7

Remediation

• Never open attachments or links received by unknown senders.
• Emails from unknown senders should always be treated with caution.
• Look for IOCs in your surroundings.
• At your respective controls, disable all threat indicators.