Offline anti-ransomware.
Detects in seconds. Recovers without paying.
Ransomware hits. Sunshine sees it in under a second, kills the process, isolates the network, and hands you back the original files. No cloud. No signature updates. No ransom.
Your backups are the first thing they encrypt
Modern ransomware groups don't go for production data first. They go for your backups — because if you can't recover, you have to pay. Traditional backup appliances sitting on the same network as production are reachable, discoverable, and encryptable with the same compromised credentials.
Offline by design
Every commercial anti-ransomware product assumes a cloud. Sunshine does not. Detection, recovery, updates, threat intel — all local. Because ransomware networks are the first thing to go dark.
Recovers without paying
Live Key Extraction dumps the ransomware process memory during containment and rebuilds the AES/ChaCha key. Encrypted files get decrypted back. No backup restore. No ransom.
Mutex Vaccine — the stealth kill
16 ransomware families check a specific mutex before running. Sunshine claims them all at boot. The malware runs to main() and quits on its own — before it encrypts anything.
No browser dependency
Competitors say "open your browser to the dashboard." What if the browser just got encrypted? Sunshine ships its own embedded Edge WebView2 viewer. The dashboard opens even when Chrome is toast.
Tamper-resistant without kernel drivers
Mini-filter drivers need Microsoft kernel signing. Sunshine skips the driver. Network containment uses system-level netsh, which runs as SYSTEM and cannot be reverted from user-mode.
USB Gossip Protocol
Air-gapped fleets share threat intelligence via thumbdrive. Sunshine is purpose-built for the OT plants, regulated facilities, and bank branches where cloud telemetry is not an option.
The 20-Phase Detection Engine
No single trick. Twenty layers. A ransomware author who beats one still trips four others.
| # | Phase | What it does |
|---|---|---|
| 1 | Sentinel Hash Scan | Every 500 ms, re-hashes honeypot canaries. Mismatch = ransomware, period. |
| 2 | ReadDirectoryChangesW | Kernel-level file event stream. Zero polling overhead. |
| 3 | Sort-First Canary Naming | Files prefixed !, _, 0_ — alphabetical enumerators hit them first. |
| 4 | Two-Stage Honeypots | 1,000 canaries at install (fast boot), 19,000 more in background. |
| 5 | Entropy Delta | Measures Shannon entropy before and after writes. Encryption spikes it. |
| 6 | Extension Churn | Counts rename-with-new-extension per second. Classic lock behaviour. |
| 7 | Mass Write Velocity | Throttles on N writes/sec across M directories. |
| 8 | CryptoAPI ETW Trace | Listens on Microsoft-Windows-Crypto events. BCrypt/NCrypt calls from unsigned binaries = flag. |
| 9 | Mutex Vaccine | Pre-claims mutexes of 16 known families (LockBit, Conti, Ryuk, BlackCat…). They exit without running. |
| 10 | Live Key Extraction | Dumps suspect process memory, scavenges AES/ChaCha keys, decrypts files post-facto. Recovery without ransom. |
| 11 | Net-Use / Drive-Map Hook | LockBit maps Z:\ before encrypting shares. We watch for it. |
| 12 | Shadow Copy Guard | Traps vssadmin delete shadows and wmic shadowcopy delete. |
| 13 | BCDEdit Tamper Guard | Blocks recovery-mode disablement. |
| 14 | Registry Persistence Watch | Run keys, Winlogon, Image File Execution Options. |
| 15 | Process Ancestry | Office → PowerShell → cmd → unknown.exe = high suspicion. |
| 16 | Signed-Binary Abuse | rundll32, mshta, regsvr32 spawning crypto calls. |
| 17 | TPM 2.0 Root of Trust | Own binaries attested via TBS.dll. Attacker can't swap our EXEs. |
| 18 | DPAPI Safe Room | Encrypted mirror of critical user files. Survives the attack. |
| 19 | Ed25519 License Authority | Signed config. Attacker can't flip detection off by editing a file. |
| 20 | USB Gossip Protocol | Air-gapped fleets share threat intel via thumbdrive. No cloud needed. |
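To make the file-side phases in the table concrete, here is an added illustration (not Sunshine's code, and not a description of how its engine is implemented) of how phases 1, 5 and 6 can be combined into one tripwire over a stream of file events: a canary whose hash no longer matches its known-good digest, a single write whose Shannon entropy jumps sharply, and a burst of extension-changing renames inside a sliding window. The canary names and contents, the thresholds (a 3.0-bit entropy jump, five extension-changing renames per second), and the event stream are all constructed assumptions for the demonstration.

```python
"""Added example: a minimal three-phase ransomware tripwire over constructed file events."""
import hashlib
import math
import random
from collections import deque

# Phase 1 (Sentinel Hash Scan): canary files with known-good SHA-256 digests.
# Names use sort-first prefixes as in phase 3; contents are constructed.
CANARY_CONTENT = {
    "!canary_001.docx": b"invoice template v1\n" * 40,
    "0_canary_002.xlsx": b"quarterly figures placeholder\n" * 40,
}
CANARY_DIGESTS = {name: hashlib.sha256(data).hexdigest()
                  for name, data in CANARY_CONTENT.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def canary_tampered(name: str, current: bytes) -> bool:
    """Phase 1: any change to a canary's content is treated as an attack."""
    return hashlib.sha256(current).hexdigest() != CANARY_DIGESTS[name]


def entropy_spike(before: bytes, after: bytes, threshold: float = 3.0) -> bool:
    """Phase 5 (Entropy Delta): a large jump on one write is characteristic of encryption."""
    return shannon_entropy(after) - shannon_entropy(before) >= threshold


class ExtensionChurnMonitor:
    """Phase 6 (Extension Churn): count rename-with-new-extension events per sliding window."""

    def __init__(self, window_s: float = 1.0, limit: int = 5):
        self.window_s = window_s
        self.limit = limit
        self.events = deque()  # timestamps of extension-changing renames

    def observe(self, ts: float, old: str, new: str) -> bool:
        old_ext = old.rsplit(".", 1)[-1] if "." in old else ""
        new_ext = new.rsplit(".", 1)[-1] if "." in new else ""
        if old_ext == new_ext:
            return False  # plain rename, not a lock pattern
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window_s:
            self.events.popleft()
        return len(self.events) >= self.limit


def evaluate(events):
    """Run all three phases over an ordered list of file events; return (phase, path) alerts."""
    alerts = []
    churn = ExtensionChurnMonitor()
    for ev in events:
        if ev["kind"] == "write":
            if ev["path"] in CANARY_DIGESTS and canary_tampered(ev["path"], ev["after"]):
                alerts.append(("canary_tampered", ev["path"]))
            if entropy_spike(ev["before"], ev["after"]):
                alerts.append(("entropy_spike", ev["path"]))
        elif ev["kind"] == "rename":
            if churn.observe(ev["ts"], ev["old"], ev["new"]):
                alerts.append(("extension_churn", ev["new"]))
    return alerts


# Constructed "ciphertext": deterministic pseudo-random bytes standing in for encrypted output.
_rng = random.Random(7)
CIPHERTEXT = bytes(_rng.randrange(256) for _ in range(800))

# Constructed event stream: one canary overwritten, one benign edit, one plain rename,
# then five lock-style renames within 0.4 s.
SAMPLE_EVENTS = [
    {"kind": "write", "ts": 1.0, "path": "!canary_001.docx",
     "before": CANARY_CONTENT["!canary_001.docx"], "after": CIPHERTEXT},
    {"kind": "write", "ts": 2.0, "path": "notes.txt",
     "before": b"meeting notes\n", "after": b"meeting notes\nfollow up on Friday\n"},
    {"kind": "rename", "ts": 3.0, "old": "draft.docx", "new": "final.docx"},
] + [
    {"kind": "rename", "ts": 10.0 + 0.1 * i,
     "old": f"report{i}.docx", "new": f"report{i}.docx.locked"}
    for i in range(1, 6)
]


def run_sample():
    """Evaluate the constructed stream; returns the alerts a monitor would raise."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for phase, path in run_sample():
        print(f"ALERT {phase}: {path}")
```

The benign edit and the plain rename raise nothing; the canary overwrite trips two phases at once, and the fifth lock-style rename trips the churn window, which is the "beat one, trip others" redundancy the table describes.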
Effectiveness against real ransomware families
Tested against live samples in a controlled sandbox. Weighted effectiveness improved from 78% in V8.2 to 87% in V9.0.3 — five of seven prior blind spots closed.
| Ransomware Family | V8.2 | V9.0.3 |
|---|---|---|
| LockBit 3.0 | ✓ | ✓ |
| Conti | ✓ | ✓ |
| Ryuk | ✓ | ✓ |
| BlackCat (ALPHV) | ◐ | ✓ |
| REvil | ✓ | ✓ |
| Maze | ◐ | ✓ |
| Cl0p | ✕ | ✓ |
| Hive | ◐ | ✓ |
| Play | ✕ | ✓ |
| DarkSide | ✓ | ✓ |
| Vice Society | ✕ | ◐ |
| Rhysida | ✕ | ◐ |
Aggregate detection rate: 87% and rising.
Eight independent processes — kill one, the rest keep guarding
Watchdog-supervised, self-healing, HIGH_PRIORITY_CLASS throughout. The detector always wins the scheduler race — even when ransomware spikes to 100% CPU.
- monit.exe: Watchdog. Respawns any dead component.
- runtime_guard.exe: Core detection daemon.
- honeypot_guard.exe: Sentinel hash scanner.
- tray_agent.exe: User control (PyQt5).
- dashboard_web.exe: Local dashboard server (Flask).
- dashboard_viewer.exe: Embedded Edge WebView2 browser.
- cleanup_worker.exe: Safe Room maintenance.
- syslog_forwarder.exe: Optional SIEM export.
What using Sunshine actually looks like
Install
Double-click the installer, enter licence, done in under 60 seconds. 1,000 canaries placed immediately; 19,000 more fill in the background.
Running
Tray icon. Green = healthy, amber = degraded, red = under attack. No pop-ups. No noise.
Attack
Toast notification. Dashboard opens automatically. Attacker process terminated. Network disabled. All within one second.
Recovery
Click "Restore Network" in the tray. If files were encrypted, Safe Room + Live Key Extraction rebuild them.
What Sunshine is not
We believe in setting expectations clearly. Sunshine is a ransomware-specific tripwire and kill switch — not a replacement for your broader security stack.
- Not a signature-based antivirus. It does not scan for known-bad hashes. Pair it with your existing AV.
- Not a cloud-dependent service. No telemetry leaves the box unless you enable syslog forwarding.
- Not a file backup tool. Safe Room mirrors critical files but is not a full backup solution.
- Not a VPN, firewall, or full EDR. It does one job, extremely well.
Evaluate Sunshine for your organisation
Info Security Solution is Sunshine's India distribution and deployment partner. We provision licences, deploy across your fleet, and support you end-to-end — from pilot to enterprise roll-out.