A North Carolina school district recently suffered a major cybersecurity event that not only encrypted the district’s network but also resulted in data being extracted from it. According to reports, the attack was carried out with the SunCrypt variant of ransomware.

The attack brought operations at Haywood County School District to a halt and forced its schools to shut down remote learning for a couple of weeks. Remote learning resumed on August 31st, but according to student and parent reports many technology-based services were still down.

This attack follows a ransomware trend SpearTip has been observing with increasing frequency. SunCrypt’s tactics, much like those of Maze and REvil, greatly increase the likelihood that victims will pay the ransom demand. Not only are victims’ files encrypted, but the Threat Actors further their extortion efforts by threatening to release stolen data if the ransom isn’t paid. This tactic has been a game changer in the ransomware market.

Previously, if a company experienced a ransomware event and was fortunate enough to have good back-ups stored offline, it could restore from those back-ups and avoid paying the ransom. Now, organizations also have to consider the repercussions of having stolen data leaked on the dark web and the public relations consequences of such an event. In Haywood County School District’s case, they decided not to pay the ransom demand. The Threat Actors then made good on their promise and published 5GB of data stolen during the attack.

SpearTip was able to obtain a sample of the PowerShell script responsible for deploying SunCrypt ransomware for our own analysis. The script is heavily obfuscated and contains over 123,000 lines of code.

Indicators of Compromise

File: Haywood.ps1
MD5: d87fcd8d2bf450b0056a151e9a116f72
SHA1: 48cb6bdbe092e5a90c778114b2dda43ce3221c9f
Contacted IP Address: 91.218.114[.]31 – Russia

Once the malicious PowerShell script is executed, it launches csc.exe (the Visual C# Command Line Compiler, a legitimate Microsoft component) and passes it a response file with the .cmdline extension that has been written to a temp directory. csc.exe compiles the input described by that file and drops a malicious DLL on the victim’s system.
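The PowerShell-to-csc.exe launch chain described above leaves a recognisable parent/child pattern in process-creation telemetry. The following Python is an added example, not SpearTip’s code or ShadowSpear’s detection logic; it assumes Sysmon-style process-creation records with pid, ppid, image and cmdline fields, and the sample records are constructed for illustration.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; sample data,
# not telemetry from the incident described in the post.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\Downloads\Haywood.ps1"},
    {"pid": 4388, "ppid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\k2z1abcd\k2z1abcd.cmdline"'},
    {"pid": 5000, "ppid": 1234,
     "image": r"C:\Program Files\dotnet\dotnet.exe",
     "cmdline": r"dotnet.exe build"},
    # Benign: csc.exe driven by a build tool, response file in a project directory.
    {"pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# csc.exe takes its arguments from a response file written as @"path.cmdline".
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_csc_from_powershell(events):
    """Return (csc_pid, parent_pid, response_file) for every csc.exe process whose
    parent is a PowerShell host and whose .cmdline response file lives under Temp."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "csc.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in POWERSHELL_HOSTS:
            continue
        m = RESPONSE_FILE_RE.search(e["cmdline"])
        if not m or "\\temp\\" not in m.group(1).lower():
            continue
        findings.append((e["pid"], e["ppid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for pid, ppid, rsp in find_csc_from_powershell(SAMPLE_EVENTS):
        print(f"csc.exe pid={pid} spawned by PowerShell pid={ppid}, response file {rsp}")
```

Legitimate scripts that use Add-Type produce the same chain, so treat a hit as a triage lead and pivot to the launching script’s content and hash rather than blocking on this pattern alone.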

SpearTip’s proprietary ShadowSpear Platform detected and blocked the malicious PowerShell script before it could create and drop the DLL responsible for the encryption.

SunCrypt’s use of double extortion raises the stakes for network defenders and business leaders in organizations around the world. Companies can no longer rely on an effective back-up solution alone to avoid paying ransom demands. The threat of releasing stolen data unless the ransom is paid will greatly increase the profit potential of ransomware gangs, which highlights the importance of a reliable EDR tool that can prevent attacks before they start.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals who monitor and protect your environment. Our cybersecurity teammates not only continuously prevent cyberattacks, but can also deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.