Most of you have heard of Ransomware, but many of you may not be familiar with Ransomware as a Service. You may also be even less familiar with the newest RaaS on the scene; Sugar Ransomware as a Service is a new ransomware threat currently making the rounds on the internet. It is a ransomware-as-a-service (RaaS) offering that allows anyone to participate in ransomware distribution. 

Sugar ransomware just say no

Sugar Ransomware Is Not As Sweet As It Sounds

Since Sugar RaaS is new, there’s not too much info about it. But what we do know is that this ransomware operation was first spotted last November; the malware is using the Delphi encryption algorithm; it is targeting individual computers and small businesses but leaving corporate networks alone. It also appears that its primary goal is extortion rather than destruction. What is peculiar about this type of ransomware attack is that it is not trying to extort large amounts of money, and some victims have claimed the ransom demands were less than $10. 

 

What worries us is that this may just be ramping up their ransomware operations. They may be waiting for the right time to roll out a more significant ransomware attack. This may be just the beginning, and the threat actor is just warming up.

Another thing that worries us is that the crypter and the Ransomware appear to be made by the same developer. This leads us to believe they are offering this service to their affiliates. 

Similar Ransomware as a Service model that you may be familiar with includes Cryptowall, Locky, Cerber, Petya, and WannaCry. All of which attacked enterprise networks and left a trail of destruction in their wake.

 

Sugar Ransomware History And How We Learned About It

Believe it or not, the security team at Walmart learned about Sugar Ransomware through a tip from a customer. The customer had received a message from his computer saying he needed to pay $300 to get back access to his files. He said he didn’t think anything of it until he went into his email and saw a message from someone claiming to work for Walmart. 

The ransomware note told him that he would lose all of his data forever if he did not pay within 24 hours. At that point, he knew something was wrong, so he called the number provided in the email. After speaking with the person on the other end of the line, he realized he was dealing with a scammer. 

The customer then reported the incident to Walmart’s Cyber Threat Team, where they discovered the operations affiliate site ‘sugarpanel[.]space’ and then named the exploit Sugar. 

 

lady trying to use her computer even though it has ransomware

How Does Sugar Ransomware Work?

When you receive an infected email and open the attachment, it will install itself onto your computer without asking for permission. Once installed, it will generate random filenames and extensions based on the date/time stamp on the file. If you try to access any of those files, you will get a message saying that the file cannot be opened because it has been locked by “Sugar.” You will then be prompted to pay a ransom to unlock your files.

See also  Ransomware Myths and Misconceptions: The Truth Will Surprise You

 

The Crypter

There are two different versions of the Crypter used by Sugar Ransomware as A Service. The older version uses AES encryption, while the newer one uses RSA 2048. Both are relatively simple and easy to crack.

The Ransomware encrypts all your important data, including documents, pictures, videos, music, emails, databases, etc. When the encrypted files are decrypted, the ransom note appears, along with instructions on how to decrypt them. However, if you don’t follow the instructions, you won’t recover your files.

Back view of caucasian man stealing personal data from people around the world. Dangerous hacker.

What is the RaaS model?

Ransomware as a service model is where cybercriminals rent out ransomware services to others. RaaS can be found online for as little as $5 per month. The criminal sends out spam email messages that appear to come from trusted companies or individuals. These messages contain malicious links that lead to fake websites that download malware onto the victim’s computer and encrypt their files. They then collect money from victims who pay ransoms to decrypt their files. This is similar to what we see with botnets. That is why it is SO important to train users to avoid clicking on suspicious links and always scan downloaded files before running them.

 

How Can I Tell If My Computer Has Been Infected With Sugar Ransomware?

You can tell if your computer has been affected by Ransomware by checking your desktop. If you see a ransom note, the virus has already taken control of your computer. If not, then there’s no need to worry. To know exactly what we are dealing with, we need to look a bit closer at RaaS as a whole.

Gate guard security officer on public event wearing uniform

How To Prevent Sugar Ransomware As a Service

Preventing Sugar Ransomware as Service isn’t exactly difficult. There are several things you can do to protect yourself from ransomware infections:

  1. Don’t click on links or attachments sent via email.
  2. Use anti-virus software.
  3. Update your operating system.
  4. Make sure your security updates are current and prompt.
  5. Back up your data regularly.
  6. Keep your operating system patched.

Lastly, if you think this threat has hit you, Contact your IT team immediately!

 

Conclusion

Ransomware as a service is a growing problem for businesses and consumers alike. It’s essential to educate users about the dangers of opening unknown attachments and never paying ransom to hackers. If you or anyone you know has been the victim of Ransomware and needs help, please send us a message. We hope you learned something new today, and stay safe out there!