The cyber threat research team at retail giant Walmart has found a new ransomware variant named Sugar, which is offered to threat actors as ransomware-as-a-service (RaaS).
Ransomware as a Service (RaaS) is a way for threat actors to make a lot of money from ransomware while reducing their own efforts.
According to the findings, this new ransomware variant was first detected in November 2021, but no technical details were available until now.
The Sugar ransomware is written in Delphi and also borrows objects from other ransomware families.
Furthermore, unlike most other ransomware families, Sugar primarily targets individual computers rather than entire enterprise networks. It is equally dangerous nonetheless, especially since it is offered as a RaaS.
Walmart said in its findings that the threat actors are using a crypter, which is one of the most interesting features of Sugar.
The crypter stands out because it reuses code from the ransomware itself, which makes it significantly more interesting than a typical crypter. It also employs a modified version of the RC4 encryption algorithm. Because of that, the researchers think it is likely that the Sugar ransomware and its crypter are controlled by the same threat group, or that the crypter is offered to affiliates as part of the service.
“The malware is written in Delphi but the interesting part […] was the reuse of the same routine from the crypter as part of the string decoding in the malware, this would lead us to believe that they have the same dev and the crypter is probably part of the build process or some service the main actor offers to their affiliates,” Walmart’s researchers noted.
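The attribution reasoning above rests on two observations an analyst can reproduce: a recovered cipher routine does not match textbook RC4, and the same non-standard routine appears in two different samples. The following is an added illustration, not code from Walmart's research or from the Sugar malware; the page does not describe how Sugar modifies RC4, so `toy_variant_crypt` is a constructed placeholder for "some modified RC4" and the probe keys are arbitrary values chosen for this example. The check works the same way for any routine reimplemented or emulated from a sample.

```python
"""Two analyst checks behind the Sugar attribution argument (added example):
1. does a recovered cipher routine match textbook RC4 on public test vectors?
2. do two recovered routines behave identically (a code-reuse signal)?"""
from typing import Callable

Cipher = Callable[[bytes, bytes], bytes]

# Public RC4 test vectors (key, plaintext, ciphertext as hex).
RC4_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def _ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def _prga_xor(key: bytes, data: bytes, out_index) -> bytes:
    """Generate a keystream from the RC4 state and XOR it over the data.
    out_index(si, sj) picks the keystream byte position; standard RC4 uses si + sj."""
    s = _ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[out_index(s[i], s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (encryption and decryption are the same operation)."""
    return _prga_xor(key, data, lambda si, sj: si + sj)


def toy_variant_crypt(key: bytes, data: bytes) -> bytes:
    """CONSTRUCTED stand-in for a 'modified RC4': only the output index differs.
    This is NOT Sugar's routine; the page does not document that modification."""
    return _prga_xor(key, data, lambda si, sj: si - sj)


def matches_standard_rc4(routine: Cipher) -> bool:
    """True if the routine reproduces every public RC4 test vector."""
    return all(routine(k, p).hex() == c for k, p, c in RC4_VECTORS)


# Constructed probe inputs; arbitrary values, used only to compare two routines.
PROBES = [
    (b"\x01\x02\x03", b"A" * 16),
    (b"sample-key", bytes(range(32))),
    (b"\xff" * 5, b"hello world"),
]


def behaves_identically(a: Cipher, b: Cipher) -> bool:
    """True if two recovered routines give the same output on every probe.
    A match between a crypter's routine and a payload's routine is the kind of
    shared-code evidence used to argue for a common developer."""
    return all(a(k, d) == b(k, d) for k, d in PROBES)


if __name__ == "__main__":
    print("rc4_crypt is textbook RC4:", matches_standard_rc4(rc4_crypt))
    print("toy variant is textbook RC4:", matches_standard_rc4(toy_variant_crypt))
    print("toy variant == rc4:", behaves_identically(toy_variant_crypt, rc4_crypt))
    print("toy variant == itself:", behaves_identically(toy_variant_crypt, toy_variant_crypt))
```

In practice an analyst would obtain the two routines by reimplementing the decompiled function from the crypter and from the unpacked payload (or by calling them through an emulator) and then run both checks: a failed `matches_standard_rc4` confirms the cipher is non-standard, and a passing `behaves_identically` between the two samples is the reuse signal the researchers describe. Because RC4 is symmetric, the same routine also decodes the strings the malware hides, which is why the researchers could spot the shared decoding routine at all.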
Why is Ransomware as a Service so dangerous?
In just a few years, Ransomware as a Service (RaaS) has become very prevalent among cybercriminals since its first attack, Cryptolocker, was identified in 2013. Researchers said that 3-4 new ransomware families are now being distributed through RaaS channels.
The number of cases has increased in recent years, with networks being compromised in large numbers, an alarming trend that points to the involvement of professional malicious actors.