Analysis of the SunnyDay ransomware


SunnyDay ransomware

Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities between other ransomware samples such as Ever101, Medusa Locker, Curator, and Payment45 were found. 

The main actions executed by SunnyDay during its execution are:

  • Deletes shadow copies (VSS)
  • Terminates and stops target processes and services
  • Generates a key to encrypt files by using SALSA20 stream cipher
  • The key is also encrypted with the RSA public key blob and appended at the end of the encrypted files
  • The extension “.sunnyday” is appended (name.extension.sunnyday) to the damaged files
  • It also contains a self-removing feature

Read more…