From 81d304345f2e35dffb634d6eb3724773894559f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 26 Jul 2017 14:57:14 +0200
Subject: [PATCH] Remove duplicates
---
 clusters/ransomware.json | 38 ++------------------------------------
 clusters/rat.json | 15 +++------------
 2 files changed, 5 insertions(+), 48 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f8aabb0..569b69d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -384,11 +384,11 @@
 "ransomnotes": [
 "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
 ],
- "encryption": "AES",
+ "encryption": "AES-256+RSA",
 "extensions": [
 ".locked"
 ],
- "date": "March 2017"
+ "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
 "value": "FabSysCrypto Ransomware"
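Review bot: The kept FabSysCrypto entry now takes `"date": "February 2017"` from the duplicate removed in the next hunk, but that duplicate's only reference is a post filed under `/2017/03/`, so the two copies disagreed on the month and the commit does not record which source settled it (the URL month may only be the post date, not first-seen). The removed copy also carried `refs` with `https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html`; the kept entry's `meta` object opens above this hunk, so it is not visible whether that reference survives there. If it does not, add it to the kept entry's `refs` so the merged `encryption` and `date` values stay traceable to a source.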
@@ -712,20 +712,6 @@
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!",
 "value": "AvastVirusinfo Ransomware"
 },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html"
- ],
- "ransomnotes": [
- "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
- ],
- "encryption": "AES-256+RSA",
- "date": "February 2017"
- },
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "FabSysCrypto Ransomware"
- },
 {
 "meta": {
 "refs": [
@@ -1916,26 +1902,6 @@
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.",
 "value": "Netflix Ransomware"
 },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/cryptoshield-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
- ],
- "ransomnotes": [
- "# RESTORING FILES #.txt",
- "# RESTORING FILES #.html",
- "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMixfamily.",
- "value": "CryptoShield 1.0 Ransomware"
- },
 {
 "meta": {
 "synonyms": [
diff --git a/clusters/rat.json b/clusters/rat.json
index 2385aae..b15930b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -307,17 +307,6 @@
 "description": "jSpy is a Java RAT. ",
 "value": "jSpy"
 },
- {
- "meta": {
- "refs": [
- "http://lost-door.blogspot.lu/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
- "https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
- ]
- },
- "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. ",
- "value": "Lost Door"
- },
 {
 "meta": {
 "refs": [
@@ -820,7 +809,9 @@
 {
 "meta": {
 "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
+ "http://lost-door.blogspot.lu/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
+ "https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
 ]
 },
 "description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.",
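Review bot: In the last hunk the merged `refs` list gains `"http://lost-door.blogspot.lu/"`, which, going by the description on the same entry, appears to be the tool author's own blog. The description writes that kind of address defanged (`hxxp://lost-door[.]blogspot[.]com/`), while `refs` stores it as a live link. Any consumer that renders `refs` as clickable links would send analysts straight to actor-controlled content, so I would keep only the two vendor write-ups in `refs` and drop the `"http://lost-door.blogspot.lu/",` line. The entry's `value` line lies below the hunk, so this assumes it is the Lost Door entry.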