mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
add some ransomwares
This commit is contained in:
parent
e6bae7165c
commit
397b37dcc8
1 changed files with 105 additions and 10 deletions
|
@ -666,7 +666,8 @@
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html"
|
"https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
|
"https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
|
||||||
|
@ -1068,7 +1069,9 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
|
"https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
|
||||||
"https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
|
"https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
|
||||||
"https://twitter.com/PolarToffee/status/824705553201057794"
|
"https://twitter.com/PolarToffee/status/824705553201057794",
|
||||||
|
"https://twitter.com/demonslay335/status/1004351990493741057",
|
||||||
|
"https://twitter.com/demonslay335/status/1004803373747572736"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"How decrypt files.hta",
|
"How decrypt files.hta",
|
||||||
|
@ -2431,7 +2434,9 @@
|
||||||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
|
||||||
"https://twitter.com/fwosar/status/812421183245287424",
|
"https://twitter.com/fwosar/status/812421183245287424",
|
||||||
"https://decrypter.emsisoft.com/globeimposter",
|
"https://decrypter.emsisoft.com/globeimposter",
|
||||||
"https://twitter.com/malwrhunterteam/status/809795402421641216"
|
"https://twitter.com/malwrhunterteam/status/809795402421641216",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
|
||||||
|
"https://twitter.com/GrujaRS/status/1004661259906768896"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
|
"https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
|
||||||
|
@ -2439,7 +2444,8 @@
|
||||||
],
|
],
|
||||||
"encryption": "AES",
|
"encryption": "AES",
|
||||||
"extensions": [
|
"extensions": [
|
||||||
".crypt"
|
".crypt",
|
||||||
|
".emilysupp"
|
||||||
],
|
],
|
||||||
"date": "December 2016"
|
"date": "December 2016"
|
||||||
},
|
},
|
||||||
|
@ -9454,11 +9460,13 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/",
|
"https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/",
|
||||||
"https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/"
|
"https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/",
|
||||||
|
"https://twitter.com/demonslay335/status/1005133410501787648"
|
||||||
],
|
],
|
||||||
"extensions": [
|
"extensions": [
|
||||||
".ihsdj",
|
".ihsdj",
|
||||||
".kgpvwnr"
|
".kgpvwnr",
|
||||||
|
".ndpyhss"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"READ_ME_FOR_DECRYPT_[id].txt",
|
"READ_ME_FOR_DECRYPT_[id].txt",
|
||||||
|
@ -9565,7 +9573,9 @@
|
||||||
"https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/",
|
"https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/",
|
||||||
"https://twitter.com/malwrhunterteam/status/923847744137154560",
|
"https://twitter.com/malwrhunterteam/status/923847744137154560",
|
||||||
"https://twitter.com/struppigel/status/926748937477939200",
|
"https://twitter.com/struppigel/status/926748937477939200",
|
||||||
"https://twitter.com/demonslay335/status/968552114787151873"
|
"https://twitter.com/demonslay335/status/968552114787151873",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
|
||||||
|
"https://twitter.com/malwrhunterteam/status/1004048636530094081"
|
||||||
],
|
],
|
||||||
"extensions": [
|
"extensions": [
|
||||||
".Encrypted[BaYuCheng@yeah.net].XiaBa",
|
".Encrypted[BaYuCheng@yeah.net].XiaBa",
|
||||||
|
@ -9602,7 +9612,8 @@
|
||||||
".XiaoBa31",
|
".XiaoBa31",
|
||||||
".XiaoBa32",
|
".XiaoBa32",
|
||||||
".XiaoBa33",
|
".XiaoBa33",
|
||||||
".XiaoBa34"
|
".XiaoBa34",
|
||||||
|
".AdolfHitler"
|
||||||
],
|
],
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg",
|
"https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg",
|
||||||
|
@ -9610,7 +9621,9 @@
|
||||||
"_@XiaoBa@_.bmp",
|
"_@XiaoBa@_.bmp",
|
||||||
"_@Explanation@_.hta",
|
"_@Explanation@_.hta",
|
||||||
"_XiaoBa_Info_.hta",
|
"_XiaoBa_Info_.hta",
|
||||||
"_XiaoBa_Info_.bmp"
|
"_XiaoBa_Info_.bmp",
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg",
|
||||||
|
"# # DECRYPT MY FILE # #.bmp"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "ef094aa6-4465-11e8-81ce-739cce28650b"
|
"uuid": "ef094aa6-4465-11e8-81ce-739cce28650b"
|
||||||
|
@ -9743,12 +9756,94 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
|
"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "DiskDoctor",
|
||||||
|
"description": "new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
|
||||||
|
],
|
||||||
|
"extensions": [
|
||||||
|
".DiskDoctor"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"HOW TO RECOVER ENCRYPTED FILES.TXT",
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Scarab-DiskDoctor"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "aa66e0c2-6fb5-11e8-851d-4722b7b3e9b9"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "RedEye",
|
||||||
|
"description": "Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
|
||||||
|
"https://twitter.com/JakubKroustek/status/1004463935905509376",
|
||||||
|
"https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html"
|
||||||
|
],
|
||||||
|
"extensions": [
|
||||||
|
".RedEye"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "e675e8fa-7065-11e8-95e0-cfdc107099d8"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Aurora Ransomware",
|
||||||
|
"description": "Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
|
||||||
|
"https://twitter.com/demonslay335/status/1004435398687379456"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"#RECOVERY-PC#.txt",
|
||||||
|
"==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #=========================="
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "3ee0664e-706d-11e8-800d-9f690298b437"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "PGPSnippet Ransomware",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://twitter.com/demonslay335/status/1005138187621191681"
|
||||||
|
],
|
||||||
|
"extensions": [
|
||||||
|
".digiworldhack@tutanota.com"
|
||||||
|
],
|
||||||
|
"ransomnotes": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "682ff7ac-7073-11e8-8c8b-bf1271b8800b"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "Spartacus Ransomware",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://twitter.com/demonslay335/status/1005136022282428419"
|
||||||
|
],
|
||||||
|
"extensions": [
|
||||||
|
".SF"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "fe42c270-7077-11e8-af82-d7bf7e6ab8a9"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"source": "Various",
|
"source": "Various",
|
||||||
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
|
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
|
||||||
"name": "Ransomware",
|
"name": "Ransomware",
|
||||||
"version": 23,
|
"version": 24,
|
||||||
"type": "ransomware",
|
"type": "ransomware",
|
||||||
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
|
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue