Menu
Browse

Cyber Threat Actor: SunCrypt

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
4 incidents
Profile

SunCrypt operates as a ransomware group that is also known by the alias SunCrypt and has been linked to Russia based on available location information. Research from Minerva Labs notes that the group typically targets organizations in the technology and retail sectors, indicating a focus on those industries for its activities. The group’s observed behavior shows a financial motive, as it steals data before encryption and threatens public release to pressure victims into paying a ransom, as seen in incidents involving a Migros subsidiary and a school district. SunCrypt has also claimed responsibility for attacks on healthcare providers, though it previously stated it would avoid interfering with hospital operations, suggesting a tactical choice rather than a strategic objective.

The group’s tactics include using the TrickBot trojan as an initial access vector, with an employee infection preceding the University Hospital New Jersey compromise. Once inside a network, SunCrypt deploys its own ransomware payload, often delivered via a PowerShell script named after the victim and placed on the Windows domain controller, which is then executed across machines through a pushed batch file. The ransomware encrypts files and leaves a ransom note titled YOUR_FILES_ARE_ENCRYPTED.HTML that directs victims to a Tor‑based payment site. In later versions, the ransomware adds capabilities to terminate processes and wipe evidence of its presence, and it routinely steals unencrypted data prior to encryption for leak‑based extortion.

Representative operations attributed to SunCrypt include the 2020 University Hospital New Jersey breach that leaked approximately 48,000 documents containing personal health information, the 2020 Haywood County School District attack in North Carolina where a 5 GB archive of stolen data was published after the ransom was refused, and the 2022 Oklahoma City Indian Clinic incident that disrupted pharmacy services and prompted a claim of over 350 GB of exfiltrated files. While the group’s infrastructure has shown overlaps with prior Maze activity, no explicit state affiliation or criminal consortium linkage is publicly documented in the supplied material.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
3 sources