From 26e8176f50d9244184aa3825a785cf875775d3e6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 15 May 2017 09:38:55 +0200
Subject: [PATCH] update Wannacry ransomware
---
 clusters/ransomware.json | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 31d64d8..6059d52 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3590,7 +3590,8 @@
 "meta": {
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
- "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe"
+ "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
+ "https://twitter.com/struppigel/status/846241982347427840"
 ],
 "ransomnotes": [
 "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
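Review bot: The tweet URL added to the Hucky entry's `refs` is the same one this commit removes from the old WannaCry entry in the `@@ -7954,15 +7972,6 @@` hunk, so it looks like it landed on the wrong cluster; the new WannaCry entry's `refs` holds only the gist link. If the tweet documents WannaCry (inferred only from where it sat before), move `"https://twitter.com/struppigel/status/846241982347427840"` into the new WannaCry `refs` and leave Hucky's list as it was. A misattributed reference matters in this file because analysts follow `refs` to confirm which family a sample or report belongs to. The Hucky entry itself starts and ends outside the hunk.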
@@ -3998,6 +3999,23 @@
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet",
 "value": "Erebus Ransomware"
 },
+ {
+ "meta": {
+ "synonyms": [
+ "WannaCrypt",
+ "WannaCry",
+ "WanaCrypt0r",
+ "WCrypt",
+ "WCRY"
+ ],
+ "refs": [
+ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
+ ],
+ "date": "May 2017"
+ },
+ "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.",
+ "value": "WannaCry"
+ },
 {
 "value": ".CryptoHasYou.",
 "description": "Ransomware",
@@ -7954,15 +7972,6 @@
 ]
 }
 },
- {
- "value": "WannaCry",
- "description": "Ransomware",
- "meta": {
- "refs": [
- "https://twitter.com/struppigel/status/846241982347427840"
- ]
- }
- },
 {
 "value": "WildFire Locker or Hades Locker",
 "description": "Ransomware Zyklon variant",
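Review bot: The new entry's `synonyms` list repeats `"WannaCry"`, which is already the entry's `value`, and leaves out "Wanna Decryptor", which the description itself gives as a name for the same family, so tooling that correlates reports on synonyms will miss that name. I would drop the duplicate and add `"Wanna Decryptor"`, plus `"WCry"` if matching is case-sensitive, since only `"WCRY"` is listed. The description is also written as a dated bulletin ("is affecting", "the latest version", "over several hours") and will read as stale; a short family description, with the advisory it appears to quote added to `refs`, would age better. The object orders its keys `meta`, `description`, `value`, the reverse of the neighbouring entries, which is harmless to parsers but makes later diffs noisier.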
@@ -8117,7 +8126,7 @@
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 1,
+ "version": 2,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }