Segurança-Informatica published an analysis of a recent SunnyDay ransomware sample. The analysis found similarities with other ransomware families such as Ever101, Medusa Locker, Curator, and Payment45.
SunnyDay performs the following main actions when it runs:
- Deletes shadow copies (VSS)
- Terminates and stops target processes and services
- Generates a key and encrypts files with the Salsa20 stream cipher
- The Salsa20 key is itself encrypted with an RSA public key blob and appended to the end of the encrypted files
- The extension “.sunnyday” is appended to the encrypted files (name.extension.sunnyday)
- It also includes a self-removal feature
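As an added example (not code from the Segurança-Informatica write-up), the following stdlib-only Python helper applies two of the traits above from the responder's side: it recovers the original filename from the name.extension.sunnyday pattern and uses byte entropy to confirm that the body is ciphertext. The 256-byte length it reserves for the appended RSA-wrapped key is an assumption, since the write-up does not state the blob size, and the sample files are constructed.

```python
import math
import random
from collections import Counter

SUNNYDAY_EXT = ".sunnyday"
# Assumption for this example: the write-up gives no blob size, so 256 bytes is used.
ASSUMED_KEY_BLOB_LEN = 256
ENCRYPTED_ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: text is usually below 5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def original_name(path: str):
    """Undo the name.extension.sunnyday renaming; None if the suffix is absent."""
    if not path.lower().endswith(SUNNYDAY_EXT):
        return None
    return path[: -len(SUNNYDAY_EXT)]

def triage_file(path: str, data: bytes, blob_len: int = ASSUMED_KEY_BLOB_LEN) -> dict:
    """Classify one file by the appended extension and a high-entropy body."""
    name = original_name(path)
    if len(data) > blob_len:
        body, blob = data[:-blob_len], data[-blob_len:]
    else:
        body, blob = data, b""
    entropy = shannon_entropy(body)
    return {
        "path": path,
        "original_name": name,
        "body_entropy": round(entropy, 2),
        "looks_encrypted": name is not None and entropy > ENCRYPTED_ENTROPY_THRESHOLD,
        # Only the holder of the matching RSA private key can unwrap this trailer.
        "wrapped_key_len": len(blob),
    }

# Constructed sample files: a pseudo-random body standing in for ciphertext plus
# the trailer, and an untouched text file for comparison.
_rng = random.Random(1)
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\report.docx.sunnyday":
        bytes(_rng.getrandbits(8) for _ in range(4096 + ASSUMED_KEY_BLOB_LEN)),
    r"C:\Users\alice\Documents\notes.txt": b"quarterly numbers look fine\n" * 100,
}

def triage_all(files: dict = SAMPLE_FILES) -> list:
    return [triage_file(p, d) for p, d in files.items()]
```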