From 81cef767aae3b4faa0bf55b3164fe6349cf21d3d Mon Sep 17 00:00:00 2001 From: rmkml Date: Fri, 22 Nov 2019 22:27:20 +0100 Subject: [PATCH] Fix Add FTCode Ransomware --- clusters/ransomware.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 04bf70b..42d3cc0 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13557,6 +13557,19 @@ "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5", "value": "Desync" }, + { + "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.", + "meta": { + "encryption": "ChaCha20 and RSA", + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", + "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us" + ] + }, + "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6", + "value": "Maze" + }, { "description": "A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.", "meta": {