Sugar Ransomware : Nothing sweet about it

Below is an article by Jovi Umawing from Malwarebytes February Newsletter

“We absolutely do not care about you”: Sugar ransomware targets individuals

Posted: February 8, 2022 by Jovi Umawing
Last updated: February 10, 2022

Ransomware tends to target organizations. Corporations not only house a trove of valuable data they can’t function without, but they are also expected to cough up a considerable amount of ransom money in exchange for their encrypted files. And while corporations struggle to keep up with attacks, ransomware groups have left the average consumer relatively untouched—until now.

Sugar ransomware, a new strain recently discovered by the Walmart Security Team, is a ransomware-as-a-service (RaaS) that targets single computers and (likely) small businesses, too. Sugar, also known to many as Encoded01, has been in operation since November 2021.

Bleeping Computer notes that the Walmart Security Team got the name ‘Sugar’ from a site belonging to an affiliate of the ransomware operation:

As with many ransomware strains, the authors aren’t holding back in their note which is dropped onto the system as BackFiles_encoded01.txt:

Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our] work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You can open our site by the shortcut “SUPPORT (TOR_BROWSER)” created on the desktop. Also as the second option you can install the tor browser: a) Download and install TOR browser from this site: b) Open our website. Full link will be provided below. ---------------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions- ints may entail damge of the private key and, as result, THE Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interest to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! ---------------------------------------------------------------------------------------------- Your ID: {redacted}

How it works

Once executed, Sugar connects to two URLs, and, to identify the device’s IP address and geographic location. It then downloads a 76MB file, the use of which is currently unclear.

Sugar then connects to its command & control (C2) server where it transmits and receives data related to its attack. It then encrypts files located in the below folders:

  • \boot\
  • \PerfLogs\
  • \temp\
  • \windows\

However, it avoids the following files:

  • .exe
  • .dll
  • .sys
  • .lnk
  • .bat
  • .cmd
  • .ttf
  • .manifest
  • .ttc
  • .cat
  • .msi;
  • bootmgr
  • pagefile

The files are encrypted using the SCOP encryption algorithm, a stream cipher created in 1997 by Simeon Maltchev and Peter Antonov for Pentium processors but also runs very fast on other 32-bit processors. Furthermore, modifying SCOP to create a cipher optimized for 64-bit processors, which most machines run nowadays, is easy, according to Maltchev’s research. This modification will double the cipher’s speed.

Sugar is also called Encoded01 because this is the extension it appends to names of files it has encrypted. For example, after encoding a file called 1.jpg, the resulting filename is now 1.jpg.encoded01.

Shot of Sugar-encrypted files (Courtesy of Marcelo Rivero)

The ransomware note points victims at a Tor site which contains a page with the amount they have to pay in Bitcoin, a chat feature they can use to negotiate with the cybercriminals, and an offer to have five files decrypted for free.

Screenshot of a victim’s personal Tor ransom site (Courtesy of Marcelo Rivero)

According to BleepingComputer, the ransom amount is automatically generated based on the number of files Sugar successfully encrypts. The amount tends to be relatively affordable, usually a few hundred dollars, making it more likely that people will stump up the cash for their files.

Borrowed content

Several researchers have noted Sugar’s similarities with other ransomware families. The ransom note, for example, is reminiscent of REvil’s ransom note.

REvil’s ransom note (Source: Malwarebytes)

The Tor site the victim sees, on the other hand, is a lookalike of the page Cl0p used in its attacks.

Cl0p’s Tor site to their victims (Source: Walmart Security Team)

How to protect yourself from ransomware

We don’t know yet how Sugar lands onto systems. So, as ever, we should continue to remain vigilant whatever we do online.

  • Keep your system up to date. Cybercriminals take advantage of known vulnerabilities to infect computers. Make sure you apply patches as soon as they’re available, whether they’re for your operating system, your apps, or your browser.
  • Back up your files. If you get infected with ransomware, you’re going to want to get hold of those backups. Make sure you back up offline to somewhere the attackers can’t reach.
  • Don’t reuse your passwords, and make sure to choose strong ones for each account. Password managers can help with this.
  • Be careful of unsolicited messages on social media, emails, online games, or anywhere else. Never click on a link sent in the message, and never enable macros in documents sent to you this way.
  • Make sure all computers are protected with security protection. (Malwarebytes can help with this.)

Current users of Malwarebytes are protected from Sugar/Encoded01 ransomware. We detect is as Ransom.Encoded01.

Stay safe!


Not one I had hear of. Thanks Mike.


Sounds like more of an annoyance, than anything to be worried about.
Not going to encrypt any files that would kill the Windows system, and not going to touch any application data unless you were crazy enough to have applications and or data in Windows system directories. Or really?, in \temp\

1 Like

This. It is ignoring personal files from the \documents\ and other \user\ directories. That said, I would recommend wiping everything and reinstalling if you are infected by any malware - you just do not know what else it may have done that is waiting in the background to be activated.

Keep offline backups.



Like a biological virus, it can mutate. Just because that article says that it excludes particular directories and file types, doesn’t mean that the particular virus that attacks your computer, behaves exactly like that. It may for example exclude those file types but process all directories or vice versa process all file types but process only the listed directories.

In addition to the good advice above, one thing that I do is:

  • don’t grant yourself access that you don’t need

For example, if I have a good sized music collection that is only infrequently added to but much more frequently accessed (for playing) then I don’t need write access to those files on an ongoing basis. If I don’t have write access then even if I am silly enough to download a malicious program and run it, either knowingly or unknowingly, that program will not be able to encrypt those files.


Why do you think ransomware malware would use your userid and priviledges?
It is going to be running as full administrator.


It depends of course. I specifically said: if I am silly enough to download a malicious program and run it

If it is a really bad exploit that operates independently of me then, yes, it could have administrator rights.

In my case, even admin rights will not suffice to write read-only files because the read-only files are shared over the local network read-only. So the exploit would first have to spread from my computer to the server (which is certainly not impossible but does create barriers that don’t exist if you don’t try).

1 Like

Doesn’t matter if you are silly enough to download some malware. These things exploit the holes in Windows protection and gain full access. Most home Windows installs are wide open to exploits, and so too plenty of business installs.
Doesn’t matter if directories or files are set read only, admin authority can change that with one command.
For shared network file systems, invariably there are writable user directories that malware can be written to, and away we go.

Yes. Quite so. There will be some folders that are shared read-write. However you can limit the damage (and potentially increase the chances of detection before any damage is caused) by following the principle of: don’t grant yourself access that you don’t need

In this specific case

We don’t know yet how Sugar lands onto systems.

So we don’t know whether it relies on user Remote Code Execution (RCE) or user RCE + Privilege Escalation or privileged RCE. Or it might be none of those.

Administrator access isn’t needed. For ransomware in general it should target your personal files, which you are likely to have read-write access to without a privilege escalation rather than targeting the Windows system folders.

If it wipes out Windows and you have no backup, it’s an inconvenience. You can reinstall.

If it wipes out your personal files and you have no backup, it’s a disaster. You might pay up.

Ransomware is a business, just trying to maximise revenue.

Have a backup. :slight_smile:

From what I’ve read, yes. Users are not always vigilant about keeping their computers updated. The OP recommended that as first bullet point.

My guess is that Sugar is using a well-known exploit and taking advantage of unpatched computers.


Wasn’t there a “fix” if you caught the encoding early on?
You could right-click on the encoded file - Properties - Previous Versions and there was the file before being encoded and restoring it removed the encoding.
Does this still work?
This was tedious and time-consuming but surely a .bat file could be written to do this automatically?

1 Like

A small technical question if I may.

I use NAS on my home network to back up data, docs and emails every night. I have always assumed that coz it, NAS, is part of the network the bad guys can get to it if they get into my system. Is this correct? These same files I save to the cloud using a commercial backup app which encrypts them first. A bit slow but I do that on weekends.

Are there any simple ways I can make my system more resistant to malware?


Yes, that is correct. Any storage connected to a network may be susceptible to a ransomware attack. This website explains it in detail.

This website also provides some useful information on how to maximise the protection of data stored on a NAS.

1 Like

Simple ways abound.

Practice good computer ‘hygiene’.
Never insert a storage device like a USB memory stick, or an optical disk, onto your computer unless you trust where it came from, and have autoruns turned off.
Never click on any link in a WEB site or an email unless you trust the site or sender.
Never give a program install admin priviledges unless you trust the source of the program.
Never accept browser addons or plugins, unless you are specifically wanting that, and have sourced it from a trusted place.
Never download free games.

If you have Windows, get to know Windows security (aka defender) and explore its features and turn on malware / ransomware detection.

1 Like

This applies to anything that connects via USB. The device tells the system what it is, and the system responds accordingly. So do you really trust that USB-powered fan not to also have a little bit of storage capacity and the ability to infect your system with whatever payload it carries?

Turning off autorun is one step, but it does not stop the initial communication and possibility of compromise.

What, never?! I have been playing Path of Exile for three or four years now. It is free to play (with micro-transactions), and was a directly crowd-funded project. The team is based in New Zealand, and I play via the STEAM client (a free app).

Never try to get a game for free that costs money in the real world, is what I would suggest. (This does not apply to giving away of game keys, where the game is hosted on a reputable platform and people buying game bundles end up with keys they do not want.)


Yes, never.
Primary payload for malware, annoyware, crippleware, adware, and yes, ransomware.

Unless you had a computer only used for playing games, and therefore separated from other activities.
It could be a physical computer, or a virtual computer facilitated by a VM operating system supervisor, like VMware.

Yes. Any backup you make should be isolated from the source system immediately after being made.

In that respect, backing up to NAS and backing up to the cloud (whether encrypted or not, in either case) both have a potential weakness.

It may be OK to back up to a connected destination provided that the destination is “append only” i.e. once the backup is made it cannot be altered (or deleted) from the source system. You can only ever add new backups from the source system.

While not directly relevant to your question, it is also a good idea to verify the usability of a backup. There is no point religiously doing backup if it turns out that the backup cannot be used to restore from. You don’t want to find out that the restore process fails for some reason or the backup is not usable for some reason on the first occasion that you are actually trying to restore.

1 Like

Backups won’t help necessarily.
If your computer has malware on it, then you could be backing up the bad files along with the good ones.
If you recover from a backup, you could just put bad files back on the computer.


That is certainly true, particularly in certain situations.

You always have to

a) have a way of detecting that the computer contains malware, and
b) restore the most recent backup that does not contain malware.

In a vanilla end-user ransomware scenario, backup should be OK. The extortionists announce pretty quickly (same day) that they have encrypted all your files - and if they didn’t announce it then you would notice pretty quickly anyway. They just want to get paid. So a recent backup is likely to be OK.

If it’s the Chinese government hacking your computer then they may have compromised your computer months or even years before you notice (since they won’t “announce” to you that they have hacked your computer) and in that case either no available backup is clean or even if you can find a clean backup, it may be so old as to be more or less useless - in which case the effort to recover will be much higher.

The actual scenario could be anywhere in between those two extremes.

Another concern is that even if you successfully restore a recent clean backup, if the underlying security vulnerability that was exploited to gain access in the first place has not been fixed then the hackers can get straight back in and do it all again.

So you may need to look at offline patching, or bringing the system back online under a temporary identity or network for long enough to access a patch online, assuming that a fix is even available.

If no fix is available then you may need to look at mitigation e.g. disabling an unpatched component, and bringing the system back online with reduced functionality.


This is a great point. I suspect many only keep one backup, a copy of the files when the backup is taken… without keeping historical backups say over many months. Some backup software allows incremental or differential backups rather than creating a complete backup each time. Incremental/differential backups saves disk space and potentially allows one to store historical changes to files better.


An allied topic is

It should be noted the links in that first post go to current reviews. I can attest to the quality of the current top rated package having used it for many years.