From b100b0cedd09ea749059881d11040d98cbcb9faf Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 13 Aug 2018 15:50:09 +0200
Subject: [PATCH 1/4] add KEYPASS ransomware
---
 clusters/android.json | 2 +-
 clusters/ransomware.json | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/clusters/android.json b/clusters/android.json
index 2ff9c0e..22baca2 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4299,7 +4299,7 @@
 "https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/"
 ]
 },
- "uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf"
+ "uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf6s51adaf"
 },
 {
 "value": "Skygofree",
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 2b82c1b..5b384ca 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
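Review bot: The replacement uuid `53e2e7e8-70a8-11e8-b0f8-33fcf6s51adaf` is not a valid UUID: its last group has thirteen characters and contains a non-hex `s`, so a consumer that keys or deduplicates cluster entries by UUID will reject or mis-key the entry above Skygofree. PATCH 3/4 in this series reverts it to `53e2e7e8-70a8-11e8-b0f8-33fcf651adaf`, so the remaining point is process: a UUID-format check over every `uuid` value in the cluster files, run before merge, would have caught the typo in this commit rather than two commits later.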
@@ -10070,12 +10070,32 @@
 ]
 },
 "uuid": "b48a7d62-9bc4-11e8-a7c5-47d13fad265f"
+ },
+ {
+ "value": "KEYPASS",
+ "description": "A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/"
+ ],
+ "synonyms": [
+ "KeyPass"
+ ],
+ "ransomnotes": [
+ "!!!KEYPASS_DECRYPTION_INFO!!!.txt",
+ "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]"
+ ],
+ "extensions": [
+ ".KEYPASS"
+ ]
+ },
+ "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 27,
+ "version": 28,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
From a646a835fe2db85071b8ec7a7baa03cc2b38a823 Mon Sep 17 00:00:00 2001
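Review bot: The new KEYPASS entry carries no `date` in `meta`, while the other entry this series adds (Rosenbridge, PATCH 2/4) records `"date": "August 2018"`; the two entries added in one series should follow one convention. The commit date (13 Aug 2018) and the description's own "campaign is underway" wording place the observation in August 2018, so `"date": "August 2018",` in `meta` would be consistent — confirm against the cited article before adding it. The `ransomnotes` array holds the note filename and the note body as two items of the same list, which matches the surrounding file's convention as far as the hunk shows, so no change there.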
From: Deborah Servili
Date: Tue, 14 Aug 2018 10:09:26 +0200
Subject: [PATCH 2/4] add Rosenbridge backdoor
---
 clusters/backdoor.json | 15 ++++++++++++++-
 clusters/ransomware.json | 3 +++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index c0d2adb..e232d52 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -2,7 +2,7 @@
 "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
 "description": "A list of backdoor malware.",
 "source": "Open Sources",
- "version": 1,
+ "version": 2,
 "values": [
 {
 "meta": {
@@ -14,6 +14,19 @@
 "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
 "value": "WellMess",
 "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+ },
+ {
+ "value": "Rosenbridge",
+ "description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. 
The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
+ "meta": {
+ "date": "August 2018",
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/",
+ "https://github.com/xoreaxeaxeax/rosenbridge",
+ "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
+ ]
+ },
+ "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
 }
 ],
 "authors": [
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 5b384ca..4ff8a75 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10090,6 +10090,9 @@
 ]
 },
 "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c"
+ },
+ {
+ "value": "STOP Ransomware"
 }
 ],
 "source": "Various",
From 7829e0fab675048a5cb7048b9c4f264a3af90696 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 14 Aug 2018 11:41:06 +0200
Subject: [PATCH 3/4] fix typo and missing uuid
---
 clusters/android.json | 2 +-
 clusters/ransomware.json | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/android.json b/clusters/android.json
index 22baca2..2ff9c0e 100644
--- a/clusters/android.json
+++ b/clusters/android.json
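Review bot: The Rosenbridge entry never names the affected hardware, and the cluster it lands in describes itself as "A list of backdoor malware." (context in this patch's first hunk), although the description here presents Rosenbridge as a core embedded in the CPU rather than malware; an analyst matching this galaxy against an asset inventory has nothing to pivot on. The first cited URL identifies the affected parts as VIA C3 x86 processors, so a closing sentence in the description such as `Identified in VIA C3 x86 processors; see the refs for the affected models.`, or a widening of the cluster's own description to cover hardware backdoors, would make the scope explicit. The description also keeps the upstream repository's first-person voice ("which we call"), which reads oddly in a third-party catalogue; attributing the quoted text to the cited repository would fix that. The hunk's +13 count is consistent with the description being a single JSON line, so the break shown inside it here is presumably a rendering artifact rather than a raw newline in the file — worth confirming, since a raw newline would make the file invalid JSON.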
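Review bot: The STOP Ransomware entry added in the ransomware.json hunk consists of `"value"` alone, with no `uuid`, `description` or `meta.refs`; PATCH 3/4 supplies the uuid `c76c4d24-9f99-11e8-808d-a7f1c66a53c5` but nothing else, so the same bare entry is what that patch's ransomware.json hunk edits. The KEYPASS entry directly above, whose description calls KeyPass a STOP variant, is never linked to it, so the family relationship exists only as prose. Once that uuid is in place, a `related` array on the KEYPASS entry carrying `"dest-uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"` and `"type": "similar"` would make the relationship machine-readable, and at least one reference on the STOP entry would let readers verify the attribution.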
@@ -4299,7 +4299,7 @@
 "https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/"
 ]
 },
- "uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf6s51adaf"
+ "uuid": "53e2e7e8-70a8-11e8-b0f8-33fcf651adaf"
 },
 {
 "value": "Skygofree",
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 4ff8a75..f5b062d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10092,7 +10092,8 @@
 "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c"
 },
 {
- "value": "STOP Ransomware"
+ "value": "STOP Ransomware",
+ "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
 }
 ],
 "source": "Various",
From a28c50203e5272c0c57f6d8b4ac55cf90e14cd27 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 14 Aug 2018 12:07:12 +0200
Subject: [PATCH 4/4] fix
---
 clusters/backdoor.json | 8 +++-----
 clusters/ransomware.json | 8 --------
 2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index ddd6177..c2ae5bf 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -5,7 +5,7 @@
 "description": "A list of backdoor malware.",
 "name": "Backdoor",
 "source": "Open Sources",
- "version": 2,
+ "version": 1,
 "type": "backdoor",
 "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
 "values": [
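Review bot: Lowering `"version"` from 2 to 1 in the PATCH 4/4 backdoor.json hunk at `@@ -5,7 +5,7 @@`, while the cluster now contains the Rosenbridge entry, means a consumer that already imported version 1 of this galaxy will not see an update. The second hunk of that patch (`@@ -33,7 +32,6 @@`) removes a duplicate `"version": 1` key at the end of the file, which a last-key-wins parser would already have reported as the effective version, so the duplicate explains the confusion; the surviving key should still carry the higher number, `"version": 2,`. If the file has never been shipped in a release the reset is harmless, but then the commit message ("fix") should say so rather than leave the next reader to work it out.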
@@ -17,7 +17,6 @@
 "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
 ]
 },
- "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
 "value": "WellMess",
 "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
 },
@@ -33,7 +32,6 @@
 ]
 },
 "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
- }
- ],
- "version": 1
+ }
+ ]
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d740718..c6d46da 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10371,13 +10371,5 @@
 "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
 }
 ],
- "source": "Various",
- "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
- "name": "Ransomware",
- "version": 28,
- "type": "ransomware",
- "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
- }
- ],
 "version": 28
 }
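Review bot: The WellMess entry loses its `description` in the `@@ -17,7 +17,6 @@` hunk and nothing in the hunk or the commit message ("fix") replaces it. The entry begins before the hunk, so if the text was moved earlier in the entry that is outside the view; if it was not, the only prose describing the malware's capabilities is silently dropped. Either keep the removed `"description": "Cross-platform malware written in Golang, …"` line or state in the commit message where it went.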
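Review bot: After the ransomware.json hunk the visible tail of the file is `], "version": 28 }`, and the removed lines carried the cluster's `source`, `uuid`, `name`, `type` and `description`; those keys must now live at the top of the file, which is outside the hunk, so confirm that `"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372"`, `"name": "Ransomware"` and `"type": "ransomware"` are each still present exactly once before merging. The removed `- }` / `- ],` pair and the second `"version": 28` suggest the file had acquired a nested copy of the galaxy metadata, and with `"version"` appearing twice the effective value was parser-dependent. A strict-JSON check that rejects duplicate keys across the cluster files would catch that class of merge error before it reaches consumers.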