Sunny day Ransomware
Segurança-Informatica published an analysis of SunnyDay ransomware. Few similarities foind between other ransomware samples such as Ever101, Medusa Locker, Curator, and Payment45 were found.
The main actions executed by SunnyDay during its execution are:
- Deletes shadow copies (VSS)
- Terminates and stops target processes and services
- Generates a key to encrypt files by using SALSA20 stream cipher
- The key is also encrypted with the RSA public key blob and appended at the end of the encrypted files
- The extension “.sunnyday” is appended (name.extension.sunnyday) to the damaged files
- It also contains a self-removing feature
SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher. SALSA20 is easy to recognize, as it uses well-known values for its internal cryptographic operations.
The ransomware sample comes with an RSA public key blob embedded to encrypt a generated key used by the SALSA20 algorithm that will damage all the available files on the machine during its execution. As observed, the blob is a 2048-bit key with the exponent 65537 and ALGID: CALG_RSA_KEYX.
One of the reasons criminals are using SALSA20 is because it offers speeds of around 4–14 cycles per byte in software on modern x86 processors and reasonable hardware performance.
The ransomware uses a single SALSA20 key to encrypt all the files on a specific machine. The key is generated via CryptoGenRandom() call and next it is encrypted with the RSA 2048-bit key present on the ransomware samples. Finally, the SALSA20 key with 512 bytes is appended at the end of the encrypted files.
SunnyDay creates a ransomware note file called “!-Recovery_Instructions-!.txt” that is dropped in each folder with the instructions to recover the damaged files.
Information collected during the ransomware execution, namely:
- machine name
- total RAM
- total of physical volumes
- total of encrypted files
- number of CPUs
This data is then grouped into a large string that would be sent to a removed server presumably hosted over the TOR network. No hardcoded URLs and .onion addresses were observed.
Once data encryption process terminates, the malware removes itself from the disk. Due to which artifacts on disk are left, preventing, the binaries can be shared on online sandboxes and automatically submitted by AV/EDRs.
This piece of malware takes advantage of the CryptoPP library to use the SALSA20 stream cipher during the encryption process that speed up the entire operation.
By using a hardcoded public RSA blob, it encrypts a random SALSA20 key and appends it at the end of each encrypted file. This blob of 512 bytes is accessed during the decryption process that will use a private key to decrypt the SALSA20 key and then recover the original files.
Indicators of Compromise