From cfaadb0c71266c3d2d9ee7deb5820964e4bf7825 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 15 Dec 2017 09:57:39 +0100
Subject: [PATCH 1/2] add OSX.Pirrit

---
 clusters/tool.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/tool.json b/clusters/tool.json
index 4d7ca66..6196580 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3146,6 +3146,20 @@
 "TRITON"
 ]
 }
+ },
+ {
+ "value": "OSX.Pirrit",
+ "description": "macOS adware strain ",
+ "meta": {
+ "refs": [
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
+ "https://www2.cybereason.com/research-osx-pirrit-mac-adware",
+ "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf"
+ ],
+ "synonyms": [
+ "OSX/Pirrit"
+ ]
+ }
 }
 ]
 }

From 91e2d56d4d7ffc2d952d1fb23cba14a7fea4349d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 15 Dec 2017 10:21:23 +0100
Subject: [PATCH 2/2] add file spider ransomware

---
 clusters/ransomware.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 1b50550..aacf9d4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
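Review bot: The new `description` value `"macOS adware strain "` carries a trailing space inside the string, which will be emitted verbatim wherever this galaxy entry is rendered or compared; trim it to `"description": "macOS adware strain",`. The first `refs` entry is a plain `http://` link to a PDF while the other two Cybereason references use `https://`; if the host serves it over TLS, prefer the `https://` form so consumers that follow refs are not sent over cleartext. The one-phrase description also says nothing an analyst can act on; a sentence summarising the behaviour described in the linked Cybereason reports would make the entry self-contained.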
@@ -8667,6 +8667,22 @@
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
 ]
 }
+ },
+ {
+ "value": "File Spider",
+ "description": "A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam start with subjects like\"Potrazivanje dugovanja\", which translates to \"Debt Collection\" and whose message, according to Google Translate, appear to be in Serbian.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/"
+ ],
+ "extensions": [
+ ".spider"
+ ],
+ "ransomnotes": [
+ "HOW TO DECRYPT FILES.url",
+ "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section."
+ ]
+ }
 }
 ],
 "source": "Various",
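Review bot: The new `description` string has two paste seams where sentences were joined without a space, `computer.File Spider` and `like\"Potrazivanje`, so they render as single words; change them to `computer. File Spider` and `like \"Potrazivanje`. The text also states the targeted countries twice and carries grammar slips (`emails contains`, `The spam start`, `appear to be`), which suggests two paragraphs from the referenced article were pasted back to back; condensing it to one sentence on the delivery vector and one on the targeting would read cleaner. The `ransomnotes` array mixing the note filename `HOW TO DECRYPT FILES.url` with the note body follows the convention of the preceding entry's context line, so that part is consistent.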