The Russian Interior Ministry and F.A.C.C.T. tracked down and detained the SugarLocker ransomware group

Teacher

Employees of the Ministry of Internal Affairs of Russia, with the support of specialists from F.A.C.C.T., a Russian developer of technologies to combat cybercrime, identified and detained members of the SugarLocker ransomware criminal group. The attackers operated under the guise of a legitimate IT company offering development of landing pages, mobile applications, and online stores.

According to the investigation, the SugarLocker ransomware (aka Encoded01) appeared in early 2021, but at first it was not actively used. In November of the same year, an announcement was posted on the underground RAMP forum by a participant under the nickname "gustavedore" about the launch of an affiliate program based on the RaaS model (Ransomware-as-a-Service) and the recruitment of partners to the ransomware group that used the SugarLocker encryptor. The essence of the RaaS model is that developers sell or lease malware to their partners, who then break into networks and deploy the ransomware.

The announcement stated that the hacker group attacks targets via networks and the remote desktop protocol (RDP), does not operate in the CIS countries, and is ready to immediately start working with partners on the following terms: the partner gets 70% of the revenue, and SugarLocker gets 30%. If the revenue exceeds $5 million, the profit is split on more favorable terms: 90% to 10%, respectively.

Post by GustaveDore

In early January 2022, F.A.C.C.T. experts found that some elements of the SugarLocker infrastructure were located at Russian hosting providers. Because the attackers had made a mistake in the configuration of the web server, the experts were able to find SugarPanel, the control panel of the ransomware program.

During the investigation, several defendants were identified who not only promoted their encryptor, but also developed custom malicious software, created phishing sites for online stores, and drove user traffic to fraudulent schemes popular in Russia and the CIS.

Interestingly, the attackers operated under the guise of a legitimate IT company, Shtazi-IT, which offers development of landing pages, mobile applications, scripts, parsers, and online stores. The company openly posted job ads for new developers, and the contacts listed the Telegram account of the same @GustaveDore. All the information collected by the F.A.C.C.T. experts was passed to the police, the BSTM of the Ministry of Internal Affairs of Russia.

In January 2024, three members of the SugarLocker group were detained by BSTM officers of the Ministry of Internal Affairs of Russia with the participation of specialists from F.A.C.C.T. During the search, the suspects were found to have laptops, mobile phones, traces of correspondence, and other digital evidence confirming their illegal activities. For example, after information about the research into the new SugarLocker ransomware family appeared in the public domain, one of the defendants shared a joke with his accomplices: "Guys, I'm going to Siberia, I definitely need it." It proved prophetic. Among the detainees was the owner of the nicknames blade_runner, GistaveDore, GustaveDore, and JimJones.

The defendants have already been charged under Article 273 of the Criminal Code of the Russian Federation, "Creation, use and distribution of malicious computer programs". An investigation is underway.

• Source: https://www.facct.ru/media-center/p...aign=sugarlocker-ransomware&utm_medium=social