Analysis of the SunnyDay ransomware

The analysis of a recent sample SunnyDay ransomware revealed some similarities with other ransomware, such as Ever101, Medusa Locker, Curator, and Payment45.

Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities between other ransomware samples such as Ever101, Medusa Locker, Curator, and Payment45 were found. 

The main actions executed by SunnyDay during its execution are:

• Deletes shadow copies (VSS)
• Terminates and stops target processes and services
• Generates a key to encrypt files by using SALSA20 stream cipher
• The key is also encrypted with the RSA public key blob and appended at the end of the encrypted files
• The extension “.sunnyday” is appended (name.extension.sunnyday) to the damaged files
• It also contains a self-removing feature

According to the analysis, “SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher”. SALSA20 is easy to recognize, as it uses well-known values for its internal cryptographic operations.

The ransomware sample comes with an RSA public key blob embedded to encrypt a generated key used by the SALSA20 algorithm that will damage all the available files on the machine during its execution. As observed, the blob is a 2048-bit key with the exponent 65537 and ALGID: CALG_RSA_KEYX.

One of the reasons criminals are using SALSA20 is because it offers speeds of around 4–14 cycles per byte in software on modern x86 processors and reasonable hardware performance.

The ransomware uses a single SALSA20 key to encrypt all the files on a specific machine. The key is generated via CryptoGenRandom() call and next it is encrypted with the RSA 2048-bit key present on the ransomware samples. Finally, the SALSA20 key with 512 bytes is appended at the end of the encrypted files.

SunnyDay creates a ransomware note file called “!-Recovery_Instructions-!.txt” that is dropped in each folder with the instructions to recover the damaged files.

More details about this research can be found in the original publication here.

About the author  Pedro Tavares:

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SunnyDay ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]