Sugar Ransomware Borrows Content from Infamous File-lockers
Many of the notable ransomware operations focus on infiltrating enterprise networks, as this allows them to demand ludicrous ransom fees – often worth millions of dollars. However, there are always some outliers – like the Sugar Ransomware. This ransomware family has been active since the end of 2021, and it appears to target individual computers almost exclusively. However, this certainly does not make it less dangerous, or less sophisticated. It appears to be a file-encryption Trojan with robust encryption, whose attack is difficult to recover from – this is why taking preventive security measures is strongly recommended.
Although the project appears to target individual systems, it seems to share similarities with notable file-lockers that went after large enterprises. According to malware researchers, some of the crypter's code resembled the one found in the REvil Ransomware, while their TOR-based payment page is oddly similar to the one that the Clop Ransomware used to have.
Furthermore, the Sugar Ransomware is being rented out to affiliates – ransomware-as-a-service. This means that anyone who is willing to share a portion of the profits with the developers of the file-locker can use it. It seems that all affiliates get a similar version of the Sugar Ransomware that uses the '.encoded01' suffix to mark the names of locked files. After encrypting files, it drops a text ransom note, which advises victims to visit a TOR-based payment page for more instructions. Unfortunately, there are no free decryption options for this file-locker family. Our advice to victims is to use an up-to-date security tool at all times in order to prevent dangerous malware like this one from ever infecting their system.