SunCrypt is a ransomware family active since at least the end of 2019. It operated a data leak site launched in August 2020 and is associated with double-extortion activity, with reporting also describing its use in triple extortion. In October 2020, SunCrypt operators or an affiliate used distributed denial-of-service (DDoS) attacks against a victim when ransom negotiations stalled, using the disruption to pressure payment. SunCrypt has been referenced alongside other major ransomware strains in affiliate ecosystems, including reporting that a Conti affiliate later worked with SunCrypt, Monti, and LockBit strains. Mandiant observed the PowerShell dropper WARPRISM delivering SUNCRYPT, Cobalt Strike BEACON, and MIMIKATZ, with payloads loaded directly into memory to evade endpoint detection; Mandiant also noted WARPRISM may be used by multiple groups. SunCrypt appeared among notable ransomware variants in Q3 2021 with 2.5% market share. High-confidence details in the provided content identify SunCrypt primarily as a ransomware operation known for data-leak extortion and for using DDoS as an additional coercive tactic.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct techniques documented for this family, organized by ATT&CK tactic.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family whose affiliate used DDoS pressure tactics during stalled ransom negotiations.
Ransomware strain adopted by at least one former Conti affiliate after Conti’s shutdown/rebranding period.
Ransomware operation referenced as an earlier adopter of DDoS as an extortion tactic.
Ransomware family referenced as a prior user of 'triple extortion' tactics (leak site + additional pressure such as DDoS threats).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.