diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 020502c..b7d5a86 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -4019,6 +4019,4121 @@ "https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html"
 ]
 }
+ },
+ {
+ "value": ".CryptoHasYou.",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES(256)",
+ "ransomnotes": [
+ "YOUR_FILES_ARE_LOCKED.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/CryptoHasYou.html"
+ ]
+ }
+ },
+ {
+ "value": "777 or Sevleg",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".777",
+ "._[timestamp]_$[email]$.777",
+ "e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777"
+ ],
+ "encryption": "XOR",
+ "ransomnotes": [
+ "read_this_file.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/777"
+ ]
+ }
+ },
+ {
+ "value": "7ev3n or 7ev3n-HONE$T",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".R4A",
+ ".R5A"
+ ],
+ "ransomnotes": [
+ "FILES_BACK.txt"
+ ],
+ "refs": [
+ "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n",
+ "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be",
+ "http://www.nyxbone.com/malware/7ev3n-HONE$T.html"
+ ]
+ }
+ },
+ {
+ "value": "8lock8",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".8lock8"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/"
+ ]
+ }
+ },
+ {
+ "value": "AiraCrop",
+ "description": "Ransomware related to TeamXRat",
+ "meta": {
+ "extensions": [
+ "._AiraCropEncrypted"
+ ],
+ "ransomnotes": [
+ "How to decrypt your files.txt"
+ ],
+ "refs": [
+ "https://twitter.com/PolarToffee/status/796079699478900736"
+ ]
+ }
+ },
+ {
+ "value": "Al-Namrood",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".unavailable",
+ ".disappeared"
+ ],
+ "ransomnotes": [
+ "Read_Me.Txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/al-namrood"
+ ]
+ }
+ },
+ {
+ "value": "ALFA Ransomware",
+ "description": "Ransomware Made by 
creators of Cerber",
+ "meta": {
+ "extensions": [
+ ".bin"
+ ],
+ "ransomnotes": [
+ "README HOW TO DECRYPT YOUR FILES.HTML"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/"
+ ]
+ }
+ },
+ {
+ "value": "Alma Ransomware",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "random",
+ "random(x5)"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "Unlock_files_randomx5.html"
+ ],
+ "refs": [
+ "https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283",
+ "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter",
+ "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/"
+ ]
+ }
+ },
+ {
+ "value": "Alpha Ransomware or AlphaLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".encrypt"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Read Me (How Decrypt) !!!!.txt"
+ ],
+ "refs": [
+ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip",
+ 
"http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/",
+ "https://twitter.com/malwarebread/status/804714048499621888"
+ ]
+ }
+ },
+ {
+ "value": "AMBA",
+ "description": "Ransomware Websites only amba@riseup.net",
+ "meta": {
+ "extensions": [
+ ".amba"
+ ],
+ "ransomnotes": [
+ "ПРОЧТИ_МЕНЯ.txt",
+ "READ_ME.txt"
+ ],
+ "refs": [
+ "https://twitter.com/benkow_/status/747813034006020096"
+ ]
+ }
+ },
+ {
+ "value": "AngleWare",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".AngleWare"
+ ],
+ "ransomnotes": [
+ "READ_ME.txt"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/844531418474708993"
+ ]
+ }
+ },
+ {
+ "value": "Anony or ngocanh",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/842047409446387714"
+ ]
+ }
+ },
+ {
+ "value": "Apocalypse or Fabiansomeware",
+ "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
+ "meta": {
+ "extensions": [
+ ".encrypted",
+ ".SecureCrypted",
+ ".FuckYourData",
+ ".unavailable",
+ ".bleepYourFiles",
+ ".Where_my_files.txt",
+ "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
+ "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ "*.How_To_Decrypt.txt",
+ "*.Contact_Here_To_Recover_Your_Files.txt",
+ "*.Where_my_files.txt",
+ "*.Read_Me.Txt",
+ "*md5*.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/apocalypse",
+ "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
+ ]
+ }
+ },
+ {
+ "value": "ApocalypseVM",
+ "description": "Ransomware Apocalypse ransomware version which uses VMprotect",
+ "meta": {
+ "extensions": [
+ ".encrypted",
+ ".locked"
+ ],
+ "ransomnotes": [
+ "*.How_To_Get_Back.txt"
+ ],
+ "refs": [ 
+ "http://decrypter.emsisoft.com/download/apocalypsevm"
+ ]
+ }
+ },
+ {
+ "value": "AutoLocky",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locky"
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ "info.txt",
+ "info.html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/autolocky"
+ ]
+ }
+ },
+ {
+ "value": "Aw3s0m3Sc0t7",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/828902907668000770"
+ ]
+ }
+ },
+ {
+ "value": "BadBlock",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Help Decrypt.html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/badblock",
+ "http://www.nyxbone.com/malware/BadBlock.html",
+ "http://www.nyxbone.com/images/articulos/malware/badblock/5.png"
+ ]
+ }
+ },
+ {
+ "value": "BaksoCrypt",
+ "description": "Ransomware Based on my-Little-Ransomware",
+ "meta": {
+ "extensions": [
+ ".adr"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/760482299007922176",
+ "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Bandarchor or Rakhni",
+ "description": "Ransomware Files might be partially encrypted",
+ "meta": {
+ "extensions": [
+ ".id-1235240425_help@decryptservice.info",
+ ".id-[ID]_[EMAIL_ADDRESS]"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "HOW TO DECRYPT.txt"
+ ],
+ "refs": [
+ "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/",
+ "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/"
+ ]
+ }
+ },
+ {
+ "value": "Bart or BaCrypt",
+ "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
+ "meta": {
+ "extensions": [
+ ".bart.zip",
+ ".bart",
+ ".perl"
+ ],
+ "ransomnotes": [
+ "recover.txt",
+ "recover.bmp"
+ ],
+ "refs": [
+ "http://now.avg.com/barts-shenanigans-are-no-match-for-avg/",
+ 
"http://phishme.com/rockloader-downloading-new-ransomware-bart/",
+ "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky"
+ ]
+ }
+ },
+ {
+ "value": "BitCryptor",
+ "description": "Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.",
+ "meta": {
+ "extensions": [
+ ".clf"
+ ],
+ "refs": [
+ "https://noransom.kaspersky.com/",
+ ""
+ ]
+ }
+ },
+ {
+ "value": "BitStak",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".bitstak"
+ ],
+ "encryption": "Base64 + String Replacement",
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip"
+ ]
+ }
+ },
+ {
+ "value": "BlackShades Crypter or SilentShade",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".Silent"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Hacked_Read_me_to_decrypt_files.html",
+ "YourID.txt"
+ ],
+ "refs": [
+ "http://nyxbone.com/malware/BlackShades.html"
+ ]
+ }
+ },
+ {
+ "value": "Blocatto",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".blocatto"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/"
+ ]
+ }
+ },
+ {
+ "value": "Booyah or Salam!",
+ "description": "Ransomware EXE was replaced to neutralize threat"
+ },
+ {
+ "value": "Brazilian",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".lock"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "MENSAGEM.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/brazilianRansom.html",
+ "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png"
+ ]
+ }
+ },
+ {
+ "value": "Brazilian Globe",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".id-%ID%_garryweber@protonmail.ch"
+ ],
+ "ransomnotes": [
+ "HOW_OPEN_FILES.html"
+ ],
+ "refs": [
+ 
"https://twitter.com/JakubKroustek/status/821831437884211201"
+ ]
+ }
+ },
+ {
+ "value": "BrLock",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
+ ]
+ }
+ },
+ {
+ "value": "Browlock",
+ "description": "Ransomware no local encryption, browser only"
+ },
+ {
+ "value": "BTCWare Related to / new version of CryptXXX",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".btcware"
+ ],
+ "ransomnotes": [
+ "#_HOW_TO_FIX_!.hta"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/845199679340011520"
+ ]
+ }
+ },
+ {
+ "value": "Bucbi",
+ "description": "Ransomware no file name change, no extension",
+ "meta": {
+ "encryption": "GOST",
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/"
+ ]
+ }
+ },
+ {
+ "value": "BuyUnlockCode",
+ "description": "Ransomware Does not delete Shadow Copies",
+ "meta": {
+ "extensions": [
+ "(.*).encoded.([A-Z0-9]{9})"
+ ],
+ "ransomnotes": [
+ "BUYUNLOCKCODE.txt"
+ ]
+ }
+ },
+ {
+ "value": "Central Security Treatment Organization",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cry"
+ ],
+ "ransomnotes": [
+ "!Recovery_[random_chars].html",
+ "!Recovery_[random_chars].txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/"
+ ]
+ }
+ },
+ {
+ "value": "Cerber",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cerber",
+ ".cerber2",
+ ".cerber3"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "# DECRYPT MY FILES #.html",
+ "# DECRYPT MY FILES #.txt",
+ "# DECRYPT MY FILES #.vbs",
+ "# README.hta",
+ "_{RAND}_README.jpg",
+ "_{RAND}_README.hta",
+ "_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg",
+ "_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta",
+ "_HELP_HELP_HELP_%random%.jpg",
+ 
"_HELP_HELP_HELP_%random%.hta",
+ "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta",
+ "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
+ "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410"
+ ]
+ }
+ },
+ {
+ "value": "Chimera",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crypt",
+ "4 random characters, e.g., .PzZs, .MKJL"
+ ],
+ "ransomnotes": [
+ "YOUR_FILES_ARE_ENCRYPTED.HTML",
+ "YOUR_FILES_ARE_ENCRYPTED.TXT",
+ ".gif"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/",
+ "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/"
+ ]
+ }
+ },
+ {
+ "value": "Clock",
+ "description": "Ransomware Does not encrypt anything",
+ "meta": {
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/794956809866018816"
+ ]
+ }
+ },
+ {
+ "value": "CoinVault",
+ "description": "Ransomware CryptoGraphic Locker family. Has a GUI. 
Do not confuse with CrypVault!",
+ "meta": {
+ "extensions": [
+ ".clf"
+ ],
+ "ransomnotes": [
+ "wallpaper.jpg"
+ ],
+ "refs": [
+ "https://noransom.kaspersky.com/"
+ ]
+ }
+ },
+ {
+ "value": "Coverton",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".coverton",
+ ".enigma",
+ ".czvxce"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "!!!-WARNING-!!!.html",
+ "!!!-WARNING-!!!.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/"
+ ]
+ }
+ },
+ {
+ "value": "Cryaki",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".{CRYPTENDBLACKDC}"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547"
+ ]
+ }
+ },
+ {
+ "value": "",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ""
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ ""
+ ],
+ "refs": [
+ ""
+ ]
+ }
+ },
+ {
+ "value": "Crybola",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547"
+ ]
+ }
+ },
+ {
+ "value": "CryFile",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".criptiko",
+ ".criptoko",
+ ".criptokod",
+ ".cripttt",
+ ".aga"
+ ],
+ "encryption": "Moves bytes",
+ "refs": [
+ "SHTODELATVAM.txt",
+ "Instructionaga.txt"
+ ],
+ "ransomnotes": [
+ "http://virusinfo.info/showthread.php?t=185396"
+ ]
+ }
+ },
+ {
+ "value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
+ "description": "Ransomware Identifies victim locations w/Google Maps API",
+ "meta": {
+ "extensions": [
+ ".cry"
+ ],
+ "ransomnotes": [
+ "!Recovery_[random_chars].html",
+ "!Recovery_[random_chars].txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/"
+ ]
+ }
+ },
+ {
+ "value": "CrypMIC",
+ "description": "Ransomware CryptXXX clone/spinoff",
+ "meta": {
+ "encryption": "AES-256",
+ "ransomnotes": [
+ 
"README.TXT",
+ "README.HTML",
+ "README.BMP"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/"
+ ]
+ }
+ },
+ {
+ "value": "Crypren",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".ENCRYPTED"
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ "READ_THIS_TO_DECRYPT.html"
+ ],
+ "refs": [
+ "https://github.com/pekeinfo/DecryptCrypren",
+ "http://www.nyxbone.com/malware/Crypren.html",
+ "http://www.nyxbone.com/images/articulos/malware/crypren/0.png"
+ ]
+ }
+ },
+ {
+ "value": "Crypt38",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crypt38"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip",
+ "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption"
+ ]
+ }
+ },
+ {
+ "value": "Cryptear or Hidden Tear",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
+ ]
+ }
+ },
+ {
+ "value": "Crypter",
+ "description": "Ransomware Does not actually encrypt the files, but simply renames them",
+ "meta": {
+ "refs": [
+ "https://twitter.com/jiriatvirlab/status/802554159564062722"
+ ]
+ }
+ },
+ {
+ "value": "CryptFIle2",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".scl",
+ "id[_ID]email_xerx@usa.com.scl"
+ ],
+ "encryption": "RSA",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
+ ]
+ }
+ },
+ {
+ "value": "CryptInfinite",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crinf"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoBit",
+ "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.",
+ "meta": {
+ "encryption": "AES + RSA",
+ "ransomnotes": [
+ 
"OKSOWATHAPPENDTOYOURFILES.TXT"
+ ],
+ "refs": [
+ "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/",
+ "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml"
+ ]
+ }
+ },
+ {
+ "value": "CryptoDefense",
+ "description": "Ransomware no extension change",
+ "meta": {
+ "ransomnotes": [
+ "HOW_DECRYPT.TXT",
+ "HOW_DECRYPT.HTML",
+ "HOW_DECRYPT.URL"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoFinancial or Ranscam",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "http://blog.talosintel.com/2016/07/ranscam.html",
+ "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoFortress",
+ "description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB",
+ "meta": {
+ "extensions": [
+ ".frtrss"
+ ],
+ "encryption": "AES-256 + RSA-1024",
+ "ransomnotes": [
+ "READ IF YOU WANT YOUR FILES BACK.html"
+ ]
+ }
+ },
+ {
+ "value": "CryptoGraphic Locker",
+ "description": "Ransomware Has a GUI. 
Subvariants: CoinVault BitCryptor",
+ "meta": {
+ "extensions": [
+ ".clf"
+ ],
+ "ransomnotes": [
+ "wallpaper.jpg"
+ ]
+ }
+ },
+ {
+ "value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
+ "description": "Ransomware RAR's victim's files has a GUI",
+ "meta": {
+ "encryption": "AES-256 (RAR implementation)",
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoJoker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crjoker"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "README!!!.txt",
+ "GetYouFiles.txt",
+ "crjoker.html"
+ ]
+ }
+ },
+ {
+ "value": "CryptoLocker",
+ "description": "Ransomware no longer relevant",
+ "meta": {
+ "extensions": [
+ ".encrypted",
+ ".ENC"
+ ],
+ "refs": [
+ "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html",
+ "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoLocker 1.0.0",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/839747940122001408"
+ ]
+ }
+ },
+ {
+ "value": "CryptoLocker 5.1",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/782890104947867649"
+ ]
+ }
+ },
+ {
+ "value": "CryptoMix or Zeta",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".code",
+ ".scl",
+ ".rmd",
+ ".lesli",
+ ".rdmk",
+ ".CRYPTOSHIELD",
+ ".CRYPTOSHIEL",
+ ".id_(ID_MACHINE)_email_xoomx@dr.com_.code",
+ ".id_*_email_zeta@dr.com",
+ ".id_(ID_MACHINE)_email_anx@dr.com_.scl",
+ ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli",
+ "*filename*.email[*email*]_id[*id*].rdmk"
+ ],
+ "ransomnotes": [
+ "HELP_YOUR_FILES.html (CryptXXX)",
+ "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
+ "INSTRUCTION RESTORE FILE.TXT"
+ ],
+ "refs": [
+ 
"http://www.nyxbone.com/malware/CryptoMix.html",
+ "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoRansomeware",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/817672617658347521"
+ ]
+ }
+ },
+ {
+ "value": "CryptoRoger",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crptrgr"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "!Where_are_my_files!.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoShadow",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".doomed"
+ ],
+ "ransomnotes": [
+ "LEER_INMEDIATAMENTE.txt"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/821992610164277248"
+ ]
+ }
+ },
+ {
+ "value": "CryptoShocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "ATTENTION.url"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoTorLocker2015",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".CryptoTorLocker2015!" 
+ ],
+ "ransomnotes": [
+ "HOW TO DECRYPT FILES.txt",
+ "%Temp%\\.bmp"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoTrooper",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml"
+ ]
+ }
+ },
+ {
+ "value": "CryptoWall 1",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "DECRYPT_INSTRUCTION.HTM",
+ "DECRYPT_INSTRUCTION.TXT",
+ "DECRYPT_INSTRUCTION.URL",
+ "INSTALL_TOR.URL"
+ ]
+ }
+ },
+ {
+ "value": "CryptoWall 2",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "HELP_DECRYPT.TXT",
+ "HELP_DECRYPT.PNG",
+ "HELP_DECRYPT.URL",
+ "HELP_DECRYPT.HTML"
+ ]
+ }
+ },
+ {
+ "value": "CryptoWall 3",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "HELP_DECRYPT.TXT",
+ "HELP_DECRYPT.PNG",
+ "HELP_DECRYPT.URL",
+ "HELP_DECRYPT.HTML"
+ ],
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/",
+ "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoWall 4",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "., e.g. ,27p9k967z.x1nep"
+ ],
+ "ransomnotes": [
+ "HELP_YOUR_FILES.HTML",
+ "HELP_YOUR_FILES.PNG"
+ ]
+ }
+ },
+ {
+ "value": "CryptXXX or CryptProjectXXX",
+ "description": "Ransomware Comes with Bedep",
+ "meta": {
+ "extensions": [
+ ".crypt"
+ ],
+ "ransomnotes": [
+ "de_crypt_readme.bmp, .txt, .html"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547",
+ "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information"
+ ]
+ }
+ },
+ {
+ "value": "CryptXXX 2.0 or CryptProjectXXX",
+ "description": "Ransomware Locks screen. Ransom note names are an ID. 
Comes with Bedep.",
+ "meta": {
+ "extensions": [
+ ".crypt"
+ ],
+ "ransomnotes": [
+ ".txt, .html, .bmp"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547",
+ "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool",
+ "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
+ ]
+ }
+ },
+ {
+ "value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
+ "description": "Ransomware Comes with Bedep",
+ "meta": {
+ "extensions": [
+ ".crypt",
+ ".cryp1",
+ ".crypz",
+ ".cryptz",
+ "random"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547",
+ "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/",
+ "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
+ ]
+ }
+ },
+ {
+ "value": "CryptXXX 3.1",
+ "description": "Ransomware StilerX credential stealing",
+ "meta": {
+ "extensions": [
+ ".cryp1"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547",
+ "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100"
+ ]
+ }
+ },
+ {
+ "value": "CryPy",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cry"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "README_FOR_DECRYPT.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/"
+ ]
+ }
+ },
+ {
+ "value": "CTB-Faker or Citroni",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".ctbl",
+ ".([a-z]{6,7})"
+ ],
+ "encryption": "RSA-2048",
+ "ransomnotes": [
+ "AllFilesAreLocked .bmp",
+ "DecryptAllFiles .txt",
+ ".html"
+ ]
+ }
+ },
+ {
+ "value": "CTB-Locker WEB",
+ "description": "Ransomware websites only",
+ "meta": {
+ "refs": [
+ "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/",
+ "https://github.com/eyecatchup/Critroni-php"
+ ]
+ }
+ },
+ {
+ 
"value": "CuteRansomware or my-Little-Ransomware",
+ "description": "Ransomware Based on my-Little-Ransomware",
+ "meta": {
+ "extensions": [
+ ".已加密",
+ ".encrypted"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "你的檔案被我們加密啦!!!.txt",
+ "Your files encrypted by our friends !!! txt"
+ ],
+ "refs": [
+ "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool",
+ "https://github.com/aaaddress1/my-Little-Ransomware"
+ ]
+ }
+ },
+ {
+ "value": "Cyber SpLiTTer Vbs or CyberSplitter",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/778871886616862720",
+ "https://twitter.com/struppigel/status/806758133720698881"
+ ]
+ }
+ },
+ {
+ "value": "Death Bitches",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "https://twitter.com/JaromirHorejsi/status/815555258478981121"
+ ]
+ }
+ },
+ {
+ "value": "DeCrypt Protect",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".html"
+ ],
+ "refs": [
+ "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/"
+ ]
+ }
+ },
+ {
+ "value": "DEDCryptor",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".ded"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/",
+ "http://www.nyxbone.com/malware/DEDCryptor.html"
+ ]
+ }
+ },
+ {
+ "value": "Demo",
+ "description": "Ransomware only encrypts .jpg files",
+ "meta": {
+ "extensions": [
+ ".encrypted"
+ ],
+ "ransomnotes": [
+ "HELP_YOUR_FILES.txt"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/798573300779745281"
+ ]
+ }
+ },
+ {
+ "value": "DetoxCrypto",
+ "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ 
"http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/"
+ ]
+ }
+ },
+ {
+ "value": "Digisom",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Digisom Readme0.txt (0 to 9)"
+ ],
+ "refs": [
+ "https://twitter.com/PolarToffee/status/829727052316160000"
+ ]
+ }
+ },
+ {
+ "value": "DirtyDecrypt",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/demonslay335/status/752586334527709184"
+ ]
+ }
+ },
+ {
+ "value": "DMALocker",
+ "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0",
+ "meta": {
+ "encryption": "AES-256 in ECB mode, Version 2-4 also RSA",
+ "ransomnotes": [
+ "cryptinfo.txt",
+ "decrypting.txt",
+ "start.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/",
+ "https://github.com/hasherezade/dma_unlocker",
+ "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
+ "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
+ ]
+ }
+ },
+ {
+ "value": "DMALocker 3.0",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES-256 + XPTLOCK5.0",
+ "refs": [
+ "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
+ "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/"
+ ]
+ }
+ },
+ {
+ "value": "DNRansomware",
+ "description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT",
+ "meta": {
+ "extensions": [
+ ".fucked"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/822500056511213568"
+ ]
+ }
+ },
+ {
+ "value": "Domino",
+ "description": "Ransomware Based on Hidden Tear",
+ "meta": {
+ "extensions": [
+ ".domino"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "README_TO_RECURE_YOUR_FILES.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/Domino.html",
+ 
"http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/"
+ ]
+ }
+ },
+ {
+ "value": "DoNotChange",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".id-7ES642406.cry",
+ ".Do_not_change_the_filename"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "HOW TO DECODE FILES!!!.txt",
+ "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/"
+ ]
+ }
+ },
+ {
+ "value": "DummyLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".dCrypt"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/794108322932785158"
+ ]
+ }
+ },
+ {
+ "value": "DXXD",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".dxxd"
+ ],
+ "ransomnotes": [
+ "ReadMe.TxT"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/",
+ "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/"
+ ]
+ }
+ },
+ {
+ "value": "EDA2 / HiddenTear or Cryptear",
+ "description": "Ransomware Open sourced C#",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256"
+ }
+ },
+ {
+ "value": "EduCrypt or EduCrypter",
+ "description": "Ransomware Based on Hidden Tear",
+ "meta": {
+ "extensions": [
+ ".isis",
+ ".locked"
+ ],
+ "ransomnotes": [
+ "README.txt"
+ ],
+ "refs": [
+ "http://www.filedropper.com/decrypter_1",
+ "https://twitter.com/JakubKroustek/status/747031171347910656"
+ ]
+ }
+ },
+ {
+ "value": "EiTest",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crypted"
+ ],
+ "refs": [
+ "https://twitter.com/BroadAnalysis/status/845688819533930497",
+ "https://twitter.com/malwrhunterteam/status/845652520202616832"
+ ]
+ }
+ },
+ {
+ "value": "El-Polocker or Los Pollos Hermanos",
+ "description": "Ransomware Has a GUI",
+ "meta": {
+ "extensions": 
[
+ ".ha3"
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ "qwer.html",
+ "qwer2.html",
+ "locked.bmp"
+ ]
+ }
+ },
+ {
+ "value": "Encoder.xxxx or Trojan.Encoder.6491",
+ "description": "Ransomware Coded in GO",
+ "meta": {
+ "ransomnotes": [
+ "Instructions.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
+ "http://vms.drweb.ru/virus/?_is=1&i=8747343"
+ ]
+ }
+ },
+ {
+ "value": "encryptoJJS",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "ransomnotes": [
+ "How to recover.enc"
+ ]
+ }
+ },
+ {
+ "value": "Enigma",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enigma",
+ ".1txt"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "enigma.hta",
+ "enigma_encr.txt",
+ "enigma_info.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/"
+ ]
+ }
+ },
+ {
+ "value": "Enjey",
+ "description": "Ransomware Based on RemindMe",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/839022018230112256"
+ ]
+ }
+ },
+ {
+ "value": "Fairware",
+ "description": "Ransomware Target Linux O.S.",
+ "meta": {
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/"
+ ]
+ }
+ },
+ {
+ "value": "Fakben",
+ "description": "Ransomware Based on Hidden Tear",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes": [
+ "READ ME FOR DECRYPT.txt"
+ ],
+ "refs": [
+ "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code"
+ ]
+ }
+ },
+ {
+ "value": "FakeCryptoLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cryptolocker"
+ ],
+ "refs": [
+ "https://twitter.com/PolarToffee/status/812312402779836416"
+ ]
+ }
+ },
+ {
+ "value": "Fantom or Comrad Circle",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".fantom",
+ 
".comrade"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "DECRYPT_YOUR_FILES.HTML",
+ "RESTORE-FILES![id]"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/"
+ ]
+ }
+ },
+ {
+ "value": "FenixLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".FenixIloveyou!!"
+ ],
+ "ransomnotes": [
+ "Help to decrypt.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/fenixlocker",
+ "https://twitter.com/fwosar/status/777197255057084416"
+ ]
+ }
+ },
+ {
+ "value": "FILE FROZR",
+ "description": "Ransomware RaaS",
+ "meta": {
+ "refs": [
+ "https://twitter.com/rommeljoven17/status/846973265650335744"
+ ]
+ }
+ },
+ {
+ "value": "FileLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".ENCR"
+ ],
+ "refs": [
+ "https://twitter.com/jiriatvirlab/status/836616468775251968"
+ ]
+ }
+ },
+ {
+ "value": "FireCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".firecrypt"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "[random_chars]-READ_ME.html"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
+ ]
+ }
+ },
+ {
+ "value": "Flyper",
+ "description": "Ransomware Based on EDA2 / HiddenTear",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/773771485643149312"
+ ]
+ }
+ },
+ {
+ "value": "Fonco",
+ "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents",
+ "meta": {
+ "ransomnotes": [
+ "help-file-decrypt.enc",
+ "/pronk.txt"
+ ]
+ }
+ },
+ {
+ "value": "FortuneCookie ",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/842302481774321664"
+ ]
+ }
+ },
+ {
+ "value": "Free-Freedom or Roga",
+ "description": "Ransomware Unlock code is: adam or adamdude9",
+ "meta": {
+ "extensions": [
+ ".madebyadam"
+ ],
+ 
"refs": [
+ "https://twitter.com/BleepinComputer/status/812135608374226944"
+ ]
+ }
+ },
+ {
+ "value": "FSociety",
+ "description": "Ransomware Based on EDA2 and RemindMe",
+ "meta": {
+ "extensions": [
+ ".fs0ciety",
+ ".dll"
+ ],
+ "ransomnotes": [
+ "fs0ciety.html",
+ "DECRYPT_YOUR_FILES.HTML"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/",
+ "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
+ "https://twitter.com/siri_urz/status/795969998707720193"
+ ]
+ }
+ },
+ {
+ "value": "Fury",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547"
+ ]
+ }
+ },
+ {
+ "value": "GhostCrypt",
+ "description": "Ransomware Based on Hidden Tear",
+ "meta": {
+ "extensions": [
+ ".Z81928819"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip",
+ "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/"
+ ]
+ }
+ },
+ {
+ "value": "Gingerbread",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/ni_fi_70/status/796353782699425792"
+ ]
+ }
+ },
+ {
+ "value": "Globe v1 or Purge",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".purge"
+ ],
+ "encryption": "Blowfish",
+ "ransomnotes": [
+ "How to restore files.hta"
+ ],
+ "refs": [
+ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
+ "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/"
+ ]
+ }
+ },
+ {
+ "value": "GNL Locker",
+ "description": "Ransomware Only encrypts DE or NL country. 
Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker",
+ "meta": {
+ "extensions": [
+ ".locked",
+ ".locked, e.g., bill.!ID!8MMnF!ID!.locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "UNLOCK_FILES_INSTRUCTIONS.html and .txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/"
+ ]
+ }
+ },
+ {
+ "value": "Gomasom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crypt",
+ "!___[EMAILADDRESS]_.crypt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/"
+ ]
+ }
+ },
+ {
+ "value": "Goopic",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Your files have been crypted.html"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
+ ]
+ }
+ },
+ {
+ "value": "Gopher",
+ "description": "Ransomware OS X ransomware (PoC)"
+ },
+ {
+ "value": "Hacked",
+ "description": "Ransomware Jigsaw Ransomware variant",
+ "meta": {
+ "extensions": [
+ ".versiegelt",
+ ".encrypted",
+ ".payrmts",
+ ".locked",
+ ".Locked"
+ ],
+ "refs": [
+ "https://twitter.com/demonslay335/status/806878803507101696"
+ ]
+ }
+ },
+ {
+ "value": "HappyDayzz",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4",
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/847114064224497666"
+ ]
+ }
+ },
+ {
+ "value": "Harasom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/"
+ ]
+ }
+ },
+ {
+ "value": "HDDCryptor or Mamba",
+ "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
+ "meta": {
+ "encryption": "Custom (net shares), XTS-AES (disk)",
+ "refs": [
+ "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
+ 
"blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
+ ]
+ }
+ },
+ {
+ "value": "Heimdall",
+ "description": "Ransomware File marker: \"Heimdall---\"",
+ "meta": {
+ "encryption": "AES-128-CBC",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/"
+ ]
+ }
+ },
+ {
+ "value": "Help_dcfile",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".XXX"
+ ],
+ "ransomnotes": [
+ "help_dcfile.txt"
+ ]
+ }
+ },
+ {
+ "value": "Herbst",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".herbst"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
+ ]
+ }
+ },
+ {
+ "value": "Hi Buddy!",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".cry"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.nyxbone.com/malware/hibuddy.html"
+ ]
+ }
+ },
+ {
+ "value": "Hitler",
+ "description": "Ransomware Deletes files",
+ "meta": {
+ "extensions": [
+ "removes extensions"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/",
+ "https://twitter.com/jiriatvirlab/status/825310545800740864"
+ ]
+ }
+ },
+ {
+ "value": "HolyCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "(encrypted)"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
+ ]
+ }
+ },
+ {
+ "value": "HTCryptor",
+ "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear",
+ "meta": {
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/803288396814839808"
+ ]
+ }
+ },
+ {
+ "value": "HydraCrypt",
+ "description": "Ransomware CrypBoss Family",
+ "meta": {
+ "extensions": [
+ 
"hydracrypt_ID_[\\w]{8}"
+ ],
+ "ransomnotes": [
+ "README_DECRYPT_HYRDA_ID_[ID number].txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/",
+ "http://www.malware-traffic-analysis.net/2016/02/03/index2.html"
+ ]
+ }
+ },
+ {
+ "value": "iLock",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crime"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/817085367144873985"
+ ]
+ }
+ },
+ {
+ "value": "iLockLight",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crime"
+ ]
+ }
+ },
+ {
+ "value": "International Police Association",
+ "description": "Ransomware CryptoTorLocker2015 variant",
+ "meta": {
+ "extensions": [
+ "<6 random characters>"
+ ],
+ "ransomnotes": [
+ "%Temp%\\.bmp"
+ ],
+ "refs": [
+ "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe"
+ ]
+ }
+ },
+ {
+ "value": "iRansom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".Locked"
+ ],
+ "refs": [
+ "https://twitter.com/demonslay335/status/796134264744083460"
+ ]
+ }
+ },
+ {
+ "value": "JagerDecryptor",
+ "description": "Ransomware Prepends filenames",
+ "meta": {
+ "extensions": [
+ "!ENC"
+ ],
+ "ransomnotes": [
+ "Important_Read_Me.html"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/757873976047697920"
+ ]
+ }
+ },
+ {
+ "value": "Jeiphoos or Encryptor RaaS or Sarento",
+ "description": "Ransomware Windows, Linux. Campaign stopped. 
Actor claimed he deleted the master key.",
+ "meta": {
+ "encryption": "RC6 (files), RSA 2048 (RC6 key)",
+ "ransomnotes": [
+ "readme_liesmich_encryptor_raas.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/RaaS.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/"
+ ]
+ }
+ },
+ {
+ "value": "Jhon Woddy",
+ "description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH",
+ "meta": {
+ "extensions": [
+ ".killedXXX"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip",
+ "https://twitter.com/BleepinComputer/status/822509105487245317"
+ ]
+ }
+ },
+ {
+ "value": "Jigsaw or CryptoHitMan (subvariant)",
+ "description": "Ransomware Has a GUI",
+ "meta": {
+ "extensions": [
+ ".btc",
+ ".kkk",
+ ".fun",
+ ".gws",
+ ".porno",
+ ".payransom",
+ ".payms",
+ ".paymst",
+ ".AFD",
+ ".paybtcs",
+ ".epic",
+ ".xyz",
+ ".encrypted",
+ ".hush",
+ ".paytounlock",
+ ".uk-dealer@sigaint.org",
+ ".gefickt",
+ ".nemo-hacks.at.sigaint.org"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/",
+ "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/",
+ "https://twitter.com/demonslay335/status/795819556166139905"
+ ]
+ }
+ },
+ {
+ "value": "Job Crypter",
+ "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC",
+ "meta": {
+ "extensions": [
+ ".locked",
+ ".css"
+ ],
+ "encryption": "TripleDES",
+ "ransomnotes": [
+ "Comment débloquer mes fichiers.txt",
+ "Readme.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/jobcrypter.html",
+ "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
+ "https://twitter.com/malwrhunterteam/status/828914052973858816"
+ ]
+ }
+ },
+ {
+ "value": "JohnyCryptor",
+ "description": "Ransomware"
+ },
+ {
+ 
"value": "KawaiiLocker",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "How Decrypt Files.txt"
+ ],
+ "refs": [
+ "https://safezone.cc/resources/kawaii-decryptor.195/"
+ ]
+ }
+ },
+ {
+ "value": "KeRanger",
+ "description": "Ransomware OS X Ransomware",
+ "meta": {
+ "extensions": [
+ ".encrypted"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "http://news.drweb.com/show/?i=9877&lng=en&c=5",
+ "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/"
+ ]
+ }
+ },
+ {
+ "value": "KeyBTC",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "keybtc@inbox_com"
+ ],
+ "ransomnotes": [
+ "DECRYPT_YOUR_FILES.txt",
+ "READ.txt",
+ "readme.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/"
+ ]
+ }
+ },
+ {
+ "value": "KEYHolder",
+ "description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address",
+ "meta": {
+ "ransomnotes": [
+ "how_decrypt.gif",
+ "how_decrypt.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml"
+ ]
+ }
+ },
+ {
+ "value": "KillerLocker",
+ "description": "Ransomware Possibly Portuguese dev",
+ "meta": {
+ "extensions": [
+ ".rip"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/782232299840634881"
+ ]
+ }
+ },
+ {
+ "value": "KimcilWare",
+ "description": "Ransomware websites only",
+ "meta": {
+ "extensions": [
+ ".kimcilware",
+ ".locked"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it",
+ "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/"
+ ]
+ }
+ },
+ {
+ "value": "Korean",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".암호화됨"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "ReadMe.txt"
+ ],
+ "refs": [
+ 
"http://www.nyxbone.com/malware/koreanRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "Kozy.Jozy or QC",
+ "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
+ "meta": {
+ "extensions": [
+ ".31392E30362E32303136_[ID-KEY]_LSBJ1",
+ ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
+ ],
+ "encryption": "RSA-2048",
+ "ransomnotes": [
+ "w.jpg"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/KozyJozy.html",
+ "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/"
+ ]
+ }
+ },
+ {
+ "value": "KratosCrypt",
+ "description": "Ransomware kratosdimetrici@gmail.com",
+ "meta": {
+ "extensions": [
+ ".kratos"
+ ],
+ "ransomnotes": [
+ "README_ALL.html"
+ ],
+ "refs": [
+ "https://twitter.com/demonslay335/status/746090483722686465"
+ ]
+ }
+ },
+ {
+ "value": "KryptoLocker",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "KryptoLocker_README.txt"
+ ]
+ }
+ },
+ {
+ "value": "LanRan",
+ "description": "Ransomware Variant of open-source MyLittleRansomware",
+ "meta": {
+ "ransomnotes": [
+ "@__help__@"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/847689644854595584"
+ ]
+ }
+ },
+ {
+ "value": "LeChiffre",
+ "description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. 
Via remote attacker",
+ "meta": {
+ "extensions": [
+ ".LeChiffre"
+ ],
+ "ransomnotes": [
+ "How to decrypt LeChiffre files.html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/lechiffre",
+ "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Lick",
+ "description": "Ransomware Variant of Kirk",
+ "meta": {
+ "extensions": [
+ ".Licked"
+ ],
+ "ransomnotes": [
+ "RANSOM_NOTE.txt"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/842404866614038529"
+ ]
+ }
+ },
+ {
+ "value": "Linux.Encoder or Linux.Encoder.{0,3}",
+ "description": "Ransomware Linux Ransomware",
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
+ ]
+ }
+ },
+ {
+ "value": "LK Encryption",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/845183290873044994"
+ ]
+ }
+ },
+ {
+ "value": "LLTP Locker",
+ "description": "Ransomware Targeting Spanish speaking victims",
+ "meta": {
+ "extensions": [
+ ".ENCRYPTED_BY_LLTP",
+ ".ENCRYPTED_BY_LLTPp"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "LEAME.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/"
+ ]
+ }
+ },
+ {
+ "value": "Locker",
+ "description": "Ransomware has GUI",
+ "meta": {
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545"
+ ]
+ }
+ },
+ {
+ "value": "LockLock",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locklock"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_ME.TXT"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/"
+ ]
+ }
+ },
+ {
+ "value": "Locky",
+ "description": "Ransomware Affiliations with Dridex and Necurs botnets",
+ "meta": {
+ "extensions": [
+ 
".locky",
+ ".zepto",
+ ".odin",
+ ".shit",
+ ".thor",
+ ".aesir",
+ ".zzzzz",
+ ".osiris",
+ "([A-F0-9]{32}).locky",
+ "([A-F0-9]{32}).zepto",
+ "([A-F0-9]{32}).odin",
+ "([A-F0-9]{32}).shit",
+ "([A-F0-9]{32}).thor",
+ "([A-F0-9]{32}).aesir",
+ "([A-F0-9]{32}).zzzzz",
+ "([A-F0-9]{32}).osiris"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "_Locky_recover_instructions.txt",
+ "_Locky_recover_instructions.bmp",
+ "_HELP_instructions.txt",
+ "_HELP_instructions.bmp",
+ "_HOWDO_text.html",
+ "_WHAT_is.html",
+ "_INSTRUCTION.html",
+ "DesktopOSIRIS.(bmp|htm)",
+ "OSIRIS-[0-9]{4}.htm"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/",
+ "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/"
+ ]
+ }
+ },
+ {
+ "value": "Lortok",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crime"
+ ]
+ }
+ },
+ {
+ "value": "LowLevel04",
+ "description": "Ransomware Prepends filenames",
+ "meta": {
+ "extensions": [
+ "oor." 
+ ]
+ }
+ },
+ {
+ "value": "M4N1F3STO",
+ "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga",
+ "meta": {
+ "refs": [
+ "https://twitter.com/jiriatvirlab/status/808015275367002113"
+ ]
+ }
+ },
+ {
+ "value": "Mabouia",
+ "description": "Ransomware OS X ransomware (PoC)"
+ },
+ {
+ "value": "MacAndChess",
+ "description": "Ransomware Based on HiddenTear"
+ },
+ {
+ "value": "Magic",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".magic"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "DECRYPT_ReadMe1.TXT",
+ "DECRYPT_ReadMe.TXT"
+ ]
+ }
+ },
+ {
+ "value": "MaktubLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "[a-z]{4,6}"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "ransomnotes": [
+ "_DECRYPT_INFO_[extension pattern].html"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
+ ]
+ }
+ },
+ {
+ "value": "MarsJoke",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".a19",
+ ".ap19"
+ ],
+ "ransomnotes": [
+ "!!! Readme For Decrypt !!!.txt",
+ "ReadMeFilesDecrypt!!!.txt"
+ ],
+ "refs": [
+ "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/",
+ "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker"
+ ]
+ }
+ },
+ {
+ "value": "Meister",
+ "description": "Ransomware Targeting French victims",
+ "meta": {
+ "refs": [
+ "https://twitter.com/siri_urz/status/840913419024945152"
+ ]
+ }
+ },
+ {
+ "value": "Meteoritan",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "where_are_your_files.txt",
+ "readme_your_files_have_been_encrypted.txt"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/844614889620561924"
+ ]
+ }
+ },
+ {
+ "value": "MIRCOP or Crypt888",
+ "description": "Ransomware Prepends files Demands 48.48 BTC",
+ "meta": {
+ "extensions": [
+ "Lock." 
+ ],
+ "encryption": "AES",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/",
+ "https://www.avast.com/ransomware-decryption-tools#!",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/",
+ "http://www.nyxbone.com/malware/Mircop.html"
+ ]
+ }
+ },
+ {
+ "value": "MireWare",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".fucked",
+ ".fuck"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ]
+ }
+ },
+ {
+ "value": "Mischa or \"Petya's little brother\"",
+ "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
+ "meta": {
+ "extensions": [
+ ".([a-zA-Z0-9]{4})"
+ ],
+ "ransomnotes": [
+ "YOUR_FILES_ARE_ENCRYPTED.HTML",
+ "YOUR_FILES_ARE_ENCRYPTED.TXT "
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "MM Locker or Booyah",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
+ ]
+ }
+ },
+ {
+ "value": "Mobef or Yakes or CryptoBit",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".KEYZ",
+ ".KEYH0LES"
+ ],
+ "ransomnotes": [
+ "4-14-2016-INFECTION.TXT",
+ "IMPORTANT.README"
+ ],
+ "refs": [
+ "http://nyxbone.com/malware/Mobef.html",
+ "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/",
+ "http://nyxbone.com/images/articulos/malware/mobef/0.png"
+ ]
+ }
+ },
+ {
+ "value": "Monument",
+ "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant",
+ "meta": {
+ "refs": [
+ 
"https://twitter.com/malwrhunterteam/status/844826339186135040"
+ ]
+ }
+ },
+ {
+ "value": "N-Splitter",
+ "description": "Ransomware Russian Koolova Variant",
+ "meta": {
+ "extensions": [
+ ".кибер разветвитель"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/815961663644008448",
+ "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q"
+ ]
+ }
+ },
+ {
+ "value": "n1n1n1",
+ "description": "Ransomware Filemaker: \"333333333333\"",
+ "meta": {
+ "ransomnotes": [
+ "decrypt explanations.html"
+ ],
+ "refs": [
+ "https://twitter.com/demonslay335/status/790608484303712256",
+ "https://twitter.com/demonslay335/status/831891344897482754"
+ ]
+ }
+ },
+ {
+ "value": "NanoLocker",
+ "description": "Ransomware no extension change, has a GUI",
+ "meta": {
+ "encryption": "AES-256 + RSA",
+ "ransomnotes": [
+ "ATTENTION.RTF"
+ ],
+ "refs": [
+ "http://github.com/Cyberclues/nanolocker-decryptor"
+ ]
+ }
+ },
+ {
+ "value": "Nemucod",
+ "description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes",
+ "meta": {
+ "extensions": [
+ ".crypted"
+ ],
+ "encryption": "XOR(255) + 7zip",
+ "ransomnotes": [
+ "Decrypted.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/nemucod",
+ "https://github.com/Antelox/NemucodFR",
+ "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/",
+ "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Netix or RANSOM_NETIX.A",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "AES-256"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Nhtnwcuf",
+ "description": "Ransomware Does not encrypt the files / Files are destroyed",
+ "meta": {
+ "ransomnotes": [
+ "!_RECOVERY_HELP_!.txt",
+ "HELP_ME_PLEASE.txt"
+ ],
+ "refs": [
+ 
"https://twitter.com/demonslay335/status/839221457360195589"
+ ]
+ }
+ },
+ {
+ "value": "NMoreira or XRatTeam or XPan",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".maktub",
+ ".__AiraCropEncrypted!"
+ ],
+ "encryption": "mix of RSA and AES-256",
+ "ransomnotes": [
+ "Recupere seus arquivos. Leia-me!.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/nmoreira",
+ "https://twitter.com/fwosar/status/803682662481174528"
+ ]
+ }
+ },
+ {
+ "value": "NoobCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/757267550346641408",
+ "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/"
+ ]
+ }
+ },
+ {
+ "value": "Nuke",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".nuclear55"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "!!_RECOVERY_instructions_!!.html",
+ "!!_RECOVERY_instructions_!!.txt"
+ ]
+ }
+ },
+ {
+ "value": "Nullbyte",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "_nullbyte"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip",
+ "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/"
+ ]
+ }
+ },
+ {
+ "value": "ODCODC",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".odcodc",
+ "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc"
+ ],
+ "encryption": "XOR",
+ "ransomnotes": [
+ "HOW_TO_RESTORE_FILES.txt"
+ ],
+ "refs": [
+ "http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip",
+ "http://www.nyxbone.com/malware/odcodc.html",
+ "https://twitter.com/PolarToffee/status/813762510302183424",
+ "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png"
+ ]
+ }
+ },
+ {
+ "value": "Offline ransomware or Vipasana or Cryakl",
+ "description": "Ransomware email addresses overlap with .777 addresses",
+ "meta": {
+ "extensions": [
+ 
".cbf",
+ "email-[params].cbf"
+ ],
+ "ransomnotes": [
+ "desk.bmp",
+ "desk.jpg"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547",
+ "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html"
+ ]
+ }
+ },
+ {
+ "value": "OMG! Ransomware or GPCode",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".LOL!",
+ ".OMG!"
+ ],
+ "ransomnotes": [
+ "how to get data.txt"
+ ]
+ }
+ },
+ {
+ "value": "Operation Global III",
+ "description": "Ransomware Is a file infector (virus)",
+ "meta": {
+ "extensions": [
+ ".EXE"
+ ],
+ "refs": [
+ "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/"
+ ]
+ }
+ },
+ {
+ "value": "Owl or CryptoWire",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "dummy_file.encrypted",
+ "dummy_file.encrypted.[extension]"
+ ],
+ "ransomnotes": [
+ "log.txt"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/842342996775448576"
+ ]
+ }
+ },
+ {
+ "value": "PadCrypt",
+ "description": "Ransomware has a live support chat",
+ "meta": {
+ "extensions": [
+ ".padcrypt"
+ ],
+ "ransomnotes": [
+ "IMPORTANT READ ME.txt",
+ "File Decrypt Help.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
+ "https://twitter.com/malwrhunterteam/status/798141978810732544"
+ ]
+ }
+ },
+ {
+ "value": "Padlock Screenlocker",
+ "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R",
+ "meta": {
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/811635075158839296"
+ ]
+ }
+ },
+ {
+ "value": "Patcher",
+ "description": "Ransomware Targeting macOS users",
+ "meta": {
+ "extensions": [
+ ".crypt"
+ ],
+ "ransomnotes": [
+ "README!.txt"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/",
+ 
"https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/"
+ ]
+ }
+ },
+ {
+ "value": "Petya or Goldeneye",
+ "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
+ "meta": {
+ "encryption": "Modified Salsa20",
+ "ransomnotes": [
+ "YOUR_FILES_ARE_ENCRYPTED.TXT"
+ ],
+ "refs": [
+ "http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator",
+ "https://www.youtube.com/watch?v=mSqxFjZq_z4",
+ "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/"
+ ]
+ }
+ },
+ {
+ "value": "Philadelphia",
+ "description": "Ransomware Coded by \"The_Rainmaker\"",
+ "meta": {
+ "extensions": [
+ ".locked",
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "https://decrypter.emsisoft.com/philadelphia",
+ "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/"
+ ]
+ }
+ },
+ {
+ "value": "PizzaCrypts",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".id-[victim_id]-maestro@pizzacrypts.info"
+ ],
+ "refs": [
+ "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip"
+ ]
+ }
+ },
+ {
+ "value": "PokemonGO",
+ "description": "Ransomware Based on Hidden Tear",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.nyxbone.com/malware/pokemonGO.html",
+ "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/"
+ ]
+ }
+ },
+ {
+ "value": "Polyglot",
+ "description": "Ransomware Immitates CTB-Locker",
+ "meta": {
+ "encryption": "AES-256",
+ "refs": [
+ "https://support.kaspersky.com/8547",
+ "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
+ ]
+ }
+ },
+ {
+ "value": "PowerWare or PoshCoder",
+ 
"description": "Ransomware Open-sourced PowerShell",
+ "meta": {
+ "extensions": [
+ ".locky"
+ ],
+ "encryption": "AES-128",
+ "refs": [
+ "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py",
+ "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip",
+ "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/",
+ "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/"
+ ]
+ }
+ },
+ {
+ "value": "PowerWorm",
+ "description": "Ransomware no decryption possible, throws key away, destroys the files",
+ "meta": {
+ "encryption": "AES",
+ "ransomnotes": [
+ "DECRYPT_INSTRUCTION.html"
+ ]
+ }
+ },
+ {
+ "value": "Princess Locker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "[a-z]{4,6},[0-9]"
+ ],
+ "ransomnotes": [
+ "!_HOW_TO_RESTORE_[extension].TXT",
+ "!_HOW_TO_RESTORE_[extension].html",
+ "!_HOW_TO_RESTORE_*id*.txt",
+ ".*id*",
+ "@_USE_TO_FIX_JJnY.txt"
+ ],
+ "refs": [
+ "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/",
+ "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "PRISM",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/"
+ ]
+ }
+ },
+ {
+ "value": "Ps2exe",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/jiriatvirlab/status/803297700175286273"
+ ]
+ }
+ },
+ {
+ "value": "R",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Ransomware.txt"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/846705481741733892"
+ ]
+ }
+ },
+ {
+ "value": "R980",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ 
".crypt"
+ ],
+ "ransomnotes": [
+ "DECRYPTION INSTRUCTIONS.txt",
+ "rtext.txt"
+ ],
+ "refs": [
+ "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
+ ]
+ }
+ },
+ {
+ "value": "RAA encryptor or RAA",
+ "description": "Ransomware Possible affiliation with Pony",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes": [
+ "!!!README!!![id].rtf"
+ ],
+ "refs": [
+ "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/",
+ "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/"
+ ]
+ }
+ },
+ {
+ "value": "Rabion",
+ "description": "Ransomware RaaS Copy of Ranion RaaS",
+ "meta": {
+ "refs": [
+ "https://twitter.com/CryptoInsane/status/846181140025282561"
+ ]
+ }
+ },
+ {
+ "value": "Radamant",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".RDM",
+ ".RRK",
+ ".RAD",
+ ".RADAMANT"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "YOUR_FILES.url"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/radamant",
+ "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/",
+ "http://www.nyxbone.com/malware/radamant.html"
+ ]
+ }
+ },
+ {
+ "value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
+ "description": "Ransomware Files might be partially encrypted",
+ "meta": {
+ "extensions": [
+ ".locked",
+ ".kraken",
+ ".darkness",
+ ".nochance",
+ ".oshit",
+ ".oplata@qq_com",
+ ".relock@qq_com",
+ ".crypto",
+ ".helpdecrypt@ukr.net",
+ ".pizda@qq_com",
+ ".dyatel@qq_com",
+ "_ryp",
+ ".nalog@qq_com",
+ ".chifrator@qq_com",
+ ".gruzin@qq_com",
+ ".troyancoder@qq_com",
+ ".encrypted",
+ ".cry",
+ ".AES256",
+ ".enc",
+ ".hb15",
+ ".coderksu@gmail_com_id[0-9]{2,3}",
+ ".crypt@india.com.[\\w]{4,12}"
+ ],
+ "ransomnotes": [
+ "\\fud.bmp",
+ "\\paycrypt.bmp",
+ "\\strongcrypt.bmp",
+ "\\maxcrypt.bmp",
+ "%APPDATA%\\Roaming\\.bmp"
+ ],
+ "refs": [
+ 
"https://support.kaspersky.com/us/viruses/disinfection/10556"
+ ]
+ }
+ },
+ {
+ "value": "Ramsomeer",
+ "description": "Ransomware Based on the DUMB ransomware"
+ },
+ {
+ "value": "Rannoh",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "locked-.[a-zA-Z]{4}"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547"
+ ]
+ }
+ },
+ {
+ "value": "RanRan",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zXz"
+ ],
+ "ransomnotes": [
+ "VictemKey_0_5",
+ "VictemKey_5_30",
+ "VictemKey_30_100",
+ "VictemKey_100_300",
+ "VictemKey_300_700",
+ "VictemKey_700_2000",
+ "VictemKey_2000_3000",
+ "VictemKey_3000",
+ "zXz.html"
+ ],
+ "refs": [
+ "https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption",
+ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/",
+ "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/"
+ ]
+ }
+ },
+ {
+ "value": "Ransoc",
+ "description": "Ransomware Doesn't encrypt user files",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
+ "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/"
+ ]
+ }
+ },
+ {
+ "value": "Ransom32",
+ "description": "Ransomware no extension change, Javascript Ransomware"
+ },
+ {
+ "value": "RansomLock",
+ "description": "Ransomware Locks the desktop",
+ "meta": {
+ "encryption": "Asymmetric 1024 ",
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2"
+ ]
+ }
+ },
+ {
+ "value": "RarVault",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "RarVault.htm"
+ ]
+ }
+ },
+ {
+ "value": "Razy",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".razy",
+ ".fear"
+ ],
+ 
"encryption": "AES-128",
+ "refs": [
+ "http://www.nyxbone.com/malware/Razy(German).html",
+ "http://nyxbone.com/malware/Razy.html"
+ ]
+ }
+ },
+ {
+ "value": "Rector",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".vscrypt",
+ ".infected",
+ ".bloc",
+ ".korrektor"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/4264"
+ ]
+ }
+ },
+ {
+ "value": "RektLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".rekt"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Readme.txt"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/4264"
+ ]
+ }
+ },
+ {
+ "value": "RemindMe",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".remind",
+ ".crashed"
+ ],
+ "ransomnotes": [
+ "decypt_your_files.html "
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/RemindMe.html",
+ "http://i.imgur.com/gV6i5SN.jpg"
+ ]
+ }
+ },
+ {
+ "value": "Rokku",
+ "description": "Ransomware possibly related with Chimera",
+ "meta": {
+ "extensions": [
+ ".rokku"
+ ],
+ "encryption": "Curve25519 + ChaCha",
+ "ransomnotes": [
+ "README_HOW_TO_UNLOCK.TXT",
+ "README_HOW_TO_UNLOCK.HTML"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "RoshaLock",
+ "description": "Ransomware Stores your files in a password protected RAR file",
+ "meta": {
+ "refs": [
+ "https://twitter.com/siri_urz/status/842452104279134209"
+ ]
+ }
+ },
+ {
+ "value": "Runsomewere",
+ "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/801812325657440256"
+ ]
+ }
+ },
+ {
+ "value": "RussianRoulette",
+ "description": "Ransomware Variant of the Philadelphia ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/823925410392080385"
+ ]
+ }
+ },
+ {
+ "value": "SADStory",
+ "description": "Ransomware Variant of CryPy",
+ "meta": {
+ "refs": [
+ 
"https://twitter.com/malwrhunterteam/status/845356853039190016"
+ ]
+ }
+ },
+ {
+ "value": "Sage 2.2",
+ "description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.",
+ "meta": {
+ "extensions": [
+ ".sage"
+ ],
+ "refs": [
+ "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate",
+ "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/"
+ ]
+ }
+ },
+ {
+ "value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
+ "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
+ "meta": {
+ "extensions": [
+ ".encryptedAES",
+ ".encryptedRSA",
+ ".encedRSA",
+ ".justbtcwillhelpyou",
+ ".btcbtcbtc",
+ ".btc-help-you",
+ ".only-we_can-help_you",
+ ".iwanthelpuuu",
+ ".notfoundrans",
+ ".encmywork",
+ ".VforVendetta",
+ ".theworldisyours",
+ ".Whereisyourfiles",
+ ".helpmeencedfiles",
+ ".powerfulldecrypt",
+ ".noproblemwedecfiles",
+ ".weareyourfriends",
+ ".otherinformation",
+ ".letmetrydecfiles",
+ ".encryptedyourfiles",
+ ".weencedufiles",
+ ".iaufkakfhsaraf",
+ ".cifgksaffsfyghd"
+ ],
+ "encryption": "AES(256) + RSA(2096)",
+ "ransomnotes": [
+ "HELP_DECRYPT_YOUR_FILES.html",
+ "###-READ-FOR-HELLPP.html",
+ "000-PLEASE-READ-WE-HELP.html",
+ "CHECK-IT-HELP-FILES.html",
+ "WHERE-YOUR-FILES.html",
+ "HELP-ME-ENCED-FILES.html",
+ "WE-MUST-DEC-FILES.html",
+ "000-No-PROBLEM-WE-DEC-FILES.html",
+ "TRY-READ-ME-TO-DEC.html",
+ "000-IF-YOU-WANT-DEC-FILES.html",
+ "LET-ME-TRY-DEC-FILES.html",
+ "001-READ-FOR-DECRYPT-FILES.html",
+ "READ-READ-READ.html",
+ "IF_WANT_FILES_BACK_PLS_READ.html",
+ "READ_READ_DEC_FILES.html"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ 
"http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "Sanction",
+ "description": "Ransomware Based on HiddenTear, but heavily modified keygen",
+ "meta": {
+ "extensions": [
+ ".sanction"
+ ],
+ "encryption": "AES-256 + RSA-2096",
+ "ransomnotes": [
+ "DECRYPT_YOUR_FILES.HTML"
+ ]
+ }
+ },
+ {
+ "value": "Sanctions",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".wallet"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "ransomnotes": [
+ "RESTORE_ALL_DATA.html"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/"
+ ]
+ }
+ },
+ {
+ "value": "Sardoninir",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/835955409953357825"
+ ]
+ }
+ },
+ {
+ "value": "Satana",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "Sarah_G@ausi.com___"
+ ],
+ "ransomnotes": [
+ "!satana!.txt"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/",
+ "https://blog.kaspersky.com/satana-ransomware/12558/"
+ ]
+ }
+ },
+ {
+ "value": "Scraper",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/"
+ ]
+ }
+ },
+ {
+ "value": "Serpico",
+ "description": "Ransomware DetoxCrypto Variant",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "http://www.nyxbone.com/malware/Serpico.html"
+ ]
+ }
+ },
+ {
+ "value": "Shark or Atom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Readme.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/",
+ "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/"
+ ]
+ }
+ },
+ {
+ 
"value": "ShinoLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".shino"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/760560147131408384",
+ "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/"
+ ]
+ }
+ },
+ {
+ "value": "Shujin or KinCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "文件解密帮助.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/chineseRansom.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
+ ]
+ }
+ },
+ {
+ "value": "Simple_Encoder",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".~"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "_RECOVER_INSTRUCTIONS.ini"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "SkidLocker / Pompous",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/",
+ "http://www.nyxbone.com/malware/SkidLocker.html"
+ ]
+ }
+ },
+ {
+ "value": "Smash!",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/"
+ ]
+ }
+ },
+ {
+ "value": "Smrss32",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".encrypted"
+ ],
+ "ransomnotes": [
+ "_HOW_TO_Decrypt.bmp"
+ ]
+ }
+ },
+ {
+ "value": "SNSLocker",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".RSNSlocked",
+ ".RSplited"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_Me.txt"
+ ],
+ "refs": [
+ "http://nyxbone.com/malware/SNSLocker.html",
+ 
"http://nyxbone.com/images/articulos/malware/snslocker/16.png"
+ ]
+ }
+ },
+ {
+ "value": "Sport",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".sport"
+ ]
+ }
+ },
+ {
+ "value": "Stampado",
+ "description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Random message includes bitcoin wallet address with instructions"
+ ],
+ "refs": [
+ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
+ "http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/",
+ "https://decrypter.emsisoft.com/stampado",
+ "https://cdn.streamable.com/video/mp4/kfh3.mp4",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/"
+ ]
+ }
+ },
+ {
+ "value": "Strictor",
+ "description": "Ransomware Based on EDA2, shows Guy Fawkes mask",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.nyxbone.com/malware/Strictor.html"
+ ]
+ }
+ },
+ {
+ "value": "Surprise",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".surprise",
+ ".tzu"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "DECRYPTION_HOWTO.Notepad"
+ ]
+ }
+ },
+ {
+ "value": "Survey",
+ "description": "Ransomware Still in development, shows FileIce survey",
+ "meta": {
+ "ransomnotes": [
+ "ThxForYurTyme.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
+ ]
+ }
+ },
+ {
+ "value": "SynoLocker",
+ "description": "Ransomware Exploited Synology NAS firmware directly over WAN"
+ },
+ {
+ "value": "SZFLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".szf"
+ ],
+ "refs": [
+ 
"http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/"
+ ]
+ }
+ },
+ {
+ "value": "TeamXrat",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".___xratteamLucked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Como descriptografar os seus arquivos.txt"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
+ "description": "Ransomware Factorization",
+ "meta": {
+ "extensions": [
+ ".vvv",
+ ".ecc",
+ ".exx",
+ ".ezz",
+ ".abc",
+ ".aaa",
+ ".zzz",
+ ".xyz"
+ ],
+ "ransomnotes": [
+ "HELP_TO_SAVE_FILES.txt",
+ "Howto_RESTORE_FILES.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.talosintel.com/teslacrypt_tool/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 3.0+",
+ "description": "Ransomware 4.0+ has no extension",
+ "meta": {
+ "extensions": [
+ ".micro",
+ ".xxx",
+ ".ttt",
+ ".mp3"
+ ],
+ "encryption": "AES-256 + ECHD + SHA1",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 4.1A",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES-256 + ECHD + SHA1",
+ "ransomnotes": [
+ "RECOVER<5_chars>.html",
+ "RECOVER<5_chars>.png",
+ "RECOVER<5_chars>.txt",
+ "_how_recover+.txt or .html",
+ "help_recover_instructions+.BMP or .html or .txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
+ "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
+ "HELP_RESTORE_FILES_.TXT , e.g. 
help_restore_files_kksli.bmp",
+ "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
+ "HELP_TO_SAVE_FILES.txt or .bmp"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
+ "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 4.2",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "RECOVER<5_chars>.html",
+ "RECOVER<5_chars>.png",
+ "RECOVER<5_chars>.txt",
+ "_how_recover+.txt or .html",
+ "help_recover_instructions+.BMP or .html or .txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
+ "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
+ "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
+ "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
+ "HELP_TO_SAVE_FILES.txt or .bmp"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
+ "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/"
+ ]
+ }
+ },
+ {
+ "value": "Threat Finder",
+ "description": "Ransomware Files cannot be decrypted Has a GUI",
+ "meta": {
+ "ransomnotes": [
+ "HELP_DECRYPT.HTML"
+ ]
+ }
+ },
+ {
+ "value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
+ "description": "Ransomware Newer variants not decryptable. 
Only first 2 MB are encrypted",
+ "meta": {
+ "extensions": [
+ ".Encrypted",
+ ".enc"
+ ],
+ "encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt",
+ "ransomnotes": [
+ "HOW_TO_RESTORE_FILES.html",
+ "DECRYPT_INSTRUCTIONS.html",
+ "DESIFROVANI_POKYNY.html",
+ "INSTRUCCIONES_DESCIFRADO.html",
+ "ISTRUZIONI_DECRITTAZIONE.html",
+ "ENTSCHLUSSELN_HINWEISE.html",
+ "ONTSLEUTELINGS_INSTRUCTIES.html",
+ "INSTRUCTIONS_DE_DECRYPTAGE.html",
+ "SIFRE_COZME_TALIMATI.html",
+ "wie_zum_Wiederherstellen_von_Dateien.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
+ "https://twitter.com/PolarToffee/status/804008236600934403",
+ "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html"
+ ]
+ }
+ },
+ {
+ "value": "TowerWeb",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Payment_Instructions.jpg"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/"
+ ]
+ }
+ },
+ {
+ "value": "Toxcrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".toxcrypt"
+ ],
+ "ransomnotes": [
+ "tox.html"
+ ]
+ }
+ },
+ {
+ "value": "Trojan or BrainCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".braincrypt"
+ ],
+ "ransomnotes": [
+ "!!! 
HOW TO DECRYPT FILES !!!.txt"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip",
+ "https://twitter.com/PolarToffee/status/811249250285842432"
+ ]
+ }
+ },
+ {
+ "value": "Troldesh orShade, XTBL",
+ "description": "Ransomware May download additional malware after encryption",
+ "meta": {
+ "extensions": [
+ ".breaking_bad",
+ ".better_call_saul",
+ ".xtbl",
+ ".da_vinci_code",
+ ".windows10",
+ ".no_more_ransom"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "README.txt",
+ "nomoreransom_note_original.txt"
+ ],
+ "refs": [
+ "https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf",
+ "http://www.nyxbone.com/malware/Troldesh.html",
+ "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/"
+ ]
+ }
+ },
+ {
+ "value": "TrueCrypter",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/"
+ ]
+ }
+ },
+ {
+ "value": "Turkish",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".sifreli"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/821991600637313024"
+ ]
+ }
+ },
+ {
+ "value": "Turkish Ransom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/turkishRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "UmbreCrypt",
+ "description": "Ransomware CrypBoss Family",
+ "meta": {
+ "extensions": [
+ "umbrecrypt_ID_[VICTIMID]"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "README_DECRYPT_UMBRE_ID_[victim_id].jpg",
+ "README_DECRYPT_UMBRE_ID_[victim_id].txt",
+ "default32643264.bmp",
+ "default432643264.jpg"
+ ],
+ "refs": [
+ 
"http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware"
+ ]
+ }
+ },
+ {
+ "value": "UnblockUPC",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Files encrypted.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/"
+ ]
+ }
+ },
+ {
+ "value": "Ungluk",
+ "description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key",
+ "meta": {
+ "extensions": [
+ ".H3LL",
+ ".0x0",
+ ".1999"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "READTHISNOW!!!.txt",
+ "Hellothere.txt",
+ "YOUGOTHACKED.TXT"
+ ]
+ }
+ },
+ {
+ "value": "Unlock92 ",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".CRRRT",
+ ".CCCRRRPPP"
+ ],
+ "ransomnotes": [
+ "READ_ME_!.txt"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/839038399944224768"
+ ]
+ }
+ },
+ {
+ "value": "VapeLauncher",
+ "description": "Ransomware CryptoWire variant",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/839771195830648833"
+ ]
+ }
+ },
+ {
+ "value": "VaultCrypt or CrypVault, Zlader",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".vault",
+ ".xort",
+ ".trun"
+ ],
+ "encryption": "uses gpg.exe",
+ "ransomnotes": [
+ "VAULT.txt",
+ "xort.txt",
+ "trun.txt",
+ ".hta | VAULT.hta"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/russianRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "VBRANSOM 7",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".VBRANSOM"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/817851339078336513"
+ ]
+ }
+ },
+ {
+ "value": "VenusLocker",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".Venusf",
+ ".Venusp"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "ReadMe.txt"
+ ],
+ "refs": [
+ 
"https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social",
+ "http://www.nyxbone.com/malware/venusLocker.html"
+ ]
+ }
+ },
+ {
+ "value": "Virlock",
+ "description": "Ransomware Polymorphism / Self-replication",
+ "meta": {
+ "extensions": [
+ ".exe"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/Virlock.html",
+ "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
+ ]
+ }
+ },
+ {
+ "value": "Virus-Encoder or CrySiS",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".CrySiS",
+ ".xtbl",
+ ".crypt",
+ ".DHARMA",
+ ".id-########.decryptformoney@india.com.xtbl",
+ ".[email_address].DHARMA"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "How to decrypt your data.txt"
+ ],
+ "refs": [
+ "http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/",
+ "http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip",
+ "http://www.nyxbone.com/malware/virus-encoder.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/"
+ ]
+ }
+ },
+ {
+ "value": "WannaCry",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/846241982347427840"
+ ]
+ }
+ },
+ {
+ "value": "WildFire Locker or Hades Locker",
+ "description": "Ransomware Zyklon variant",
+ "meta": {
+ "extensions": [
+ ".wflx"
+ ],
+ "ransomnotes": [
+ "HOW_TO_UNLOCK_FILES_README_().txt"
+ ],
+ "refs": [
+ "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
+ ]
+ }
+ },
+ {
+ "value": "Xorist",
+ "description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length",
+ "meta": {
+ "extensions": [
+ ".EnCiPhErEd",
+ ".73i87A",
+ ".p5tkjw",
+ ".PoAr2w",
+ ".fileiscryptedhard",
+ ".encoderpass",
+ ".zc3791",
+ ".antihacker2017"
+ ],
+ 
"encryption": "XOR or TEA",
+ "ransomnotes": [
+ "HOW TO DECRYPT FILES.TXT"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/2911",
+ "https://decrypter.emsisoft.com/xorist"
+ ]
+ }
+ },
+ {
+ "value": "XRTN ",
+ "description": "Ransomware VaultCrypt family",
+ "meta": {
+ "extensions": [
+ ".xrtn"
+ ]
+ }
+ },
+ {
+ "value": "You Have Been Hacked!!!",
+ "description": "Ransomware Attempt to steal passwords",
+ "meta": {
+ "extensions": [
+ ".Locked"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/808280549802418181"
+ ]
+ }
+ },
+ {
+ "value": "Zcrypt or Zcryptor",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zcrypt"
+ ],
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/"
+ ]
+ }
+ },
+ {
+ "value": "Zeta or CryptoMix",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".code",
+ ".scl",
+ ".rmd"
+ ],
+ "ransomnotes": [
+ "# HELP_DECRYPT_YOUR_FILES #.TXT"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/804009831518572544"
+ ]
+ }
+ },
+ {
+ "value": "Zimbra",
+ "description": "Ransomware mpritsken@priest.com",
+ "meta": {
+ "extensions": [
+ ".crypto"
+ ],
+ "ransomnotes": [
+ "how.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/"
+ ]
+ }
+ },
+ {
+ "value": "Zlader / Russian or VaultCrypt, CrypVault",
+ "description": "Ransomware VaultCrypt family",
+ "meta": {
+ "extensions": [
+ ".vault"
+ ],
+ "encryption": "RSA",
+ "refs": [
+ "http://www.nyxbone.com/malware/russianRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "Zorro",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zorro"
+ ],
+ "ransomnotes": [
+ "Take_Seriously (Your saving grace).txt"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/844538370323812353"
+ ]
+ }
+ },
+ {
+ "value": "Zyklon or GNL Locker",
+ "description": "Ransomware Hidden Tear family, GNL Locker 
variant",
+ "meta": {
+ "extensions": [
+ ".zyklon"
+ ]
+ }
+ },
+ {
+ "value": "vxLock",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".vxLock"
+ ]
+ }
 }
 ],
 "authors": [