Ransomware Research

Suncrypt 2020 Ransomware

Suncrypt 2020 is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on August 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Haywood.

Quick Facts

Ransomware Family
Suncrypt 2020
First Seen
August 1, 2020
Known Aliases
Haywood

How Suncrypt 2020 Ransomware Works

Targeted Files

Encrypts first 0x8000 bytes https://sapphirex00.medium.com/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83

File Encryption Patterns

Suncrypt 2020 modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

./\.[A-F0-9]{64}/

Ransom Note and Payment Demands

After encrypting files, Suncrypt 2020 displays ransom notes demanding payment for file recovery:

fileYOUR_FILES_ARE_ENCRYPTED.HTML

Ransom message:

notes/YOUR_FILES_ARE_ENCRYPTED.HTML

Note locations:

EveryFolder
fileDecryptFiles.TXT

Ransom message:

notes/DecryptFiles.TXT

Technical Indicators

Associated Executable Files

The following executable files are associated with Suncrypt 2020 ransomware:

  • haywood.ps1
  • 1.exe
  • load.ps1
  • 321.ps1
  • ca5751036a12d0.exe
  • ddcgroup.com 5M$_cryptor.exe_org

Elastio Can Help You

Don't let Suncrypt 2020 ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This Suncrypt 2020 ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Suncrypt 2020.

Last updated: July 30, 2025

Suncrypt 2020 Ransomware - Detectable by Elastio