From 82f4a633c0195a1b50e7df74054b69795a43f62b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Tue, 2 May 2017 10:00:00 +0200
Subject: [PATCH] reformat ransomware galaxy
---
 clusters/ransomware.json | 2352 +++++++++++++++++++++++++-------------
 1 file changed, 1573 insertions(+), 779 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 28608c2..edcee13 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -2,868 +2,1662 @@
 "authors": [
 "Various"
 ],
- "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
+ "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
 "type": "ransomware",
 "version": 1,
 "name": "Ransomware",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "values": [
 {
- "description": "AES(256); .enc; ",
- "value": ".CryptoHasYou."
+ "value": "Nhtnwcuf Ransomware (Fake)",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ "RANDOM 3 LETTERS ARE ADDED"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html"
+ ]
+ }
 },
 {
- "description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ",
- "value": "777"
+ "value": "CryptoJacky Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ "RANDOM 3 LETTERS ARE ADDED"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html"
+ ]
+ }
 },
 {
- "description": "7ev3n-HONE$T; .R4A .R5A; ",
- "value": "7ev3n"
+ "value": "Kaenlupuf Ransomware",
+ "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html"
+ ]
+ }
 },
 {
- "description": "AES; .7h9r; ",
- "value": "7h9r"
+ "value": "EnjeyCrypter Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ "example:.encrypted.contact_here_me@india.com.enjey"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/",
+ "https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/"
+ ]
+ }
 },
 {
- "description": "AES (256); .8lock8; ",
- "value": "8lock8"
+ "value": "Dangerous Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html"
+ ]
+ }
 },
 {
- "description": ".bin; ",
- "value": "Alfa Ransomware"
+ "value": "Vortex Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "encryption": "",
+ "ransomnotes": [
+ "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID ="
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html"
+ ]
+ }
 },
 {
- "description": "AES(128); random; random(x5); ",
- "value": "Alma Ransomware"
+ "value": "GC47 Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".fuck_you"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html"
+ ]
+ }
 },
 {
- "description": "AlphaLocker; AES(256); .encrypt; ",
- "value": "Alpha Ransomware"
+ "value": "RozaLocker Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. 
Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html"
+ ]
+ }
 },
 {
- "description": ".amba; ",
- "value": "AMBA"
+ "value": "CryptoMeister Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "Blocked Your computer has been blocked All your files are encrypted. 
To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
+ ]
+ }
 },
 {
- "description": ".adk; ",
- "value": "Angry Duck"
+ "value": "GG Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".GG"
+ ],
+ "encryption": "AES-128",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html"
+ ]
+ }
 },
 {
- "description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ",
- "value": "Apocalypse"
+ "value": "Project34 Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".Project34"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html"
+ ]
+ }
 },
 {
- "description": ".encrypted .locked; ",
- "value": "ApocalypseVM"
+ "value": "PetrWrap Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/"
+ ]
+ }
 },
 {
- "description": ".locky; ",
- "value": "AutoLocky"
+ "value": "Karmen Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".grt"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
+ "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html"
+ ]
+ }
 },
 {
+ "value": "Revenge Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".REVENGE"
+ ],
+ "encryption": "AES-256 + RSA-1024",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
+ "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail." 
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
+ "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Turkish FileEncryptor Ransomware",
+ "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".encrypted"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
+ "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss." 
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html",
+ "https://twitter.com/JakubKroustek/status/842034887397908480"
+ ]
+ }
+ },
+ {
+ "value": "Kirk Ransomware & Spock Decryptor",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".kirked"
+ ],
+ "encryption": "AES+RSA",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png",
+ "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. 
Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. 
\nLIVE LONG AND PROSPER"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
+ "https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/",
+ "http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html",
+ "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges",
+ "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/"
+ ]
+ }
+ },
+ {
+ "value": "ZinoCrypt Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".ZINO"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html",
+ "https://twitter.com/demonslay335?lang=en"
+ ]
+ }
+ },
+ {
+ "value": "Crptxxx Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".crptxxx"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84",
+ "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc"
+ ]
+ }
+ },
+ {
+ "value": "MOTD Ransomware",
+ "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoDevil Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".devil"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg",
+ "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "FabSysCrypto Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Lock2017 Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is"
+ ],
+ "encryption": "AES+RSA",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "RedAnts Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".Horas-Bah"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "ConsoleApplication1 Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "KRider Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "March 2017",
+ "extensions": [
+ ".kr3"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "CYR-Locker Ransomware (FAKE)",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg",
+ "meta": {
+ "date": "February 2017",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50"
+ ]
+ }
+ },
+ {
+ "value": "DotRansomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) 
\nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***",
+ "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Unlock26 Ransomware",
+ "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".locked-[3_random_chars]"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
+ "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "PickelsRansomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".EnCrYpTeD"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Vanguard Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file.",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "ChaCha20 and Poly1305",
+ "ransomnotes": [
+ "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety."
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "PyL33T Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".d4nk"
+ ],
+ "encryption": "ChaCha20 and Poly1305",
+ "ransomnotes": [
+ "ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** "
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "TrumpLocker Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".trumplockerf"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/",
+ "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/"
+ ]
+ }
+ },
+ {
+ "value": "Damage Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".damage"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "XYZWare Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ "your files get marked with: “youarefucked”"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "YouAreFucked Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ "your files get marked with: “youarefucked”"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png"
+ ],
+ "refs": [
+ "https://www.enigmasoftware.com/youarefuckedransomware-removal/"
+ ]
+ }
+ },
+ {
+ "value": "CryptConsole 2.0 Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "BarRax  Ransomware or BarRaxCrypt  Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".barRex"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "CryptoLocker by NTK Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "UserFilesLocker Ransomware or CzechoSlovak Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".ENCR"
+ ],
+ "encryption": "AES-256+RSA",
+ "ransomnotes": [
+ "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)",
+ "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "AvastVirusinfo Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. 
THE DAMAGE IS PERMENENT!!!!",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".A9v9Ahu4-000"
+ ],
+ "encryption": "AES-256+RSA",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017_03_01_archive.html",
+ "https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "FabSysCrypto Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES-256+RSA",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "SuchSecurity Ransomware",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "PleaseRead Ransomware or VHDLocker Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. 
It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Kasiski Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ "[KASISKI]"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
+ "https://twitter.com/MarceloRivero/status/832302976744173570",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Fake Locky Ransomware or Locky Impersonator Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/",
+ "https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/"
+ ]
+ }
+ },
+ {
+ "value": "CryptoShield 1.0 Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
CryptoShield 1.0 is a ransomware from the CryptoMix family.",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "# RESTORING FILES #.txt",
+ "# RESTORING FILES #.html",
+ "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
+ ]
+ }
+ },
+ {
+ "value": "Hermes Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
+ "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "LoveLock Ransomware or Love2Lock Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".hasp"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Wcry Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".wcry"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "DUMB Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
+ "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html",
+ "https://twitter.com/bleepincomputer/status/816053140147597312?lang=en"
+ ]
+ }
+ },
+ {
+ "value": "X-Files",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".b0C",
+ ".b0C.x"
+ ],
+ "encryption": "AES",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017_02_01_archive.html",
+ "https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "Polski Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.",
+ "meta": {
+ "date": "February 2017",
+ "extensions": [
+ ".aes"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "YourRansom Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)",
+ "meta": {
+ "date": "February 2016",
+ "extensions": [
+ ".yourransom"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "Ranion RaasRansomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. 
(More info in the link below).",
+ "meta": {
+ "date": "February 2016",
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html",
+ "https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/"
+ ]
+ }
+ },
+ {
+ "value": "Potato Ransomware",
+ "description": "Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".potato"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "How to recover my files.txt",
+ "README.png",
+ "README.html",
+ "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)",
+ "description": "This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
+ "meta": {
+ "date": "December 2016/January 2017",
+ "extensions": [
+ ".-opentoyou@india.com"
+ ],
+ "encryption": "RC4",
+ "ransomnotes": [
+ "!!!.txt",
+ "1.bmp",
+ "1.jpg",
+ "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg",
+ "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "RansomPlus",
+ "description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. 
This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".encrypted"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "YOUR FILES ARE ENCRYPTED!!!.txt",
+ "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
+ "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool."
+ ],
+ "refs": [
+ "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
+ "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "CryptConsole",
+ "description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ",
+ ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "How decrypt files.hta",
+ "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. 
How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "ZXZ Ramsomware",
+ "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".zxz"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310",
+ "https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html"
+ ]
+ }
+ },
+ {
+ "value": "",
 "description": "",
- "value": "BadBlock"
+ "meta": {
+ "date": "",
+ "extensions": [
+ ""
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ ""
+ ],
+ "refs": [
+ ""
+ ]
+ }
 },
 {
- "description": ".adr; ",
- "value": "BaksoCrypt"
+ "value": "VxLock Ransomware",
+ "description": "Developed in Visual Studios in 2010. 
Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".vxlock"
+ ],
+ "encryption": "AES+RSA",
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html"
+ ]
+ }
 },
 {
- "description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ",
- "value": "Bandarchor"
+ "value": "FunFact Ransomware",
+ "description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.",
+ "meta": {
+ "date": "January 2017",
+ "encryption": "AES+RSA",
+ "ransomnotes": [
+ "note.iti",
+ "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. 
We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
+ "http://www.enigmasoftware.com/funfactransomware-removal/"
+ ]
+ }
 },
 {
- "description": "BaCrypt; .bart.zip .bart .perl; ",
- "value": "Bart"
+ "value": "ZekwaCrypt Ransomware",
+ "description": "First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".<7_random_letters>"
+ ],
+ "encryption": "AES+RSA",
+ "ransomnotes": [
+ "encrypted_readme.txt",
+ "__encrypted_readme.txt",
+ "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png",
+ "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. 
Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
+ "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
+ ]
+ }
 },
 {
- "description": ".clf; ",
- "value": "BitCryptor"
+ "value": "Sage 2.0 Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected.",
+ "meta": {
+ "date": "January 2017",
+ "extensions": [
+ ".sage"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
+ "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html",
+ "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
+ "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom"
+ ]
+ }
 },
 {
- "description": "Base64 + String Replacement; .bitstak; ",
- "value": "BitStak"
+ "value": "CloudSword Ransomware",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. 
Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", + "meta": { + "date": "January 2017", + "encryption": "AES", + "ransomnotes": [ + "Warning警告.html", + "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html", + "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/" + ] + } }, { - "description": "SilentShade; AES (256); .Silent; ", - "value": "BlackShades Crypter" + "value": "DN or DoNotOpen Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!", + "meta": { + "date": "January 2017", + "extensions": [ + ".killedXXX" + ], + "encryption": "AES", + "ransomnotes": [ + "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg", + "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html" + ] + } }, { - "description": "AES (256); .blocatto; ", - "value": "Blocatto" + "value": "GarryWeber Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. 
It encryps all your files, including: music, MS Office, Open Office, pictures etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".id-_garryweber@protonmail.ch" + ], + "encryption": "AES", + "ransomnotes": [ + "HOW_OPEN_FILES.html", + "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg", + "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/garryweber.html" + ] + } }, { - "description": "Salam!; ", - "value": "Booyah" + "value": "Satan Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. 
(leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif", + "meta": { + "date": "January 2017", + "extensions": [ + ".stn" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html", + "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/", + "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", + "https://twitter.com/Xylit0l/status/821757718885236740", + "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/" + ] + } }, { - "description": "AES(256); .lock; ", - "value": "Brazilian" + "value": "Havoc or HavocCrypt Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".HavocCrypt" + ], + "encryption": "AES", + "ransomnotes": [ + "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html" + ] + } }, { - "description": "AES; ", - "value": "BrLock" + "value": "CryptoSweetTooth Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. 
It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.", + "meta": { + "date": "January 2017", + "extensions": [ + ".locked" + ], + "encryption": "AES", + "ransomnotes": [ + "IMPORTANTE_LEER.html", + "RECUPERAR_ARCHIVOS.html", + "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html", + "http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/" + ] + } }, { + "value": "Kaandsona Ransomware or RansomTroll Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia.", + "meta": { + "date": "January 2017", + "extensions": [ + ".kencf" + ], + "encryption": "AES", + "ransomnotes": [ + "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png", + "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html" + ] + } + }, + { + "value": "LambdaLocker Ransomware", + "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".lambda_l0cked" + ], + "encryption": "AES", + "ransomnotes": [ + "READ_IT.hTmL", + "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif" + ], + "refs": [ + "Sources: + https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html", + "http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/" + ] + } + }, + { + "value": "NMoreia 2.0 Ransomware or HakunaMatataRansomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".HakunaMatata" + ], + "encryption": "AES", + "ransomnotes": [ + "Recovers files yako.html", + "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html", + "https://id-ransomware.blogspot.co.il/2016_03_01_archive.html" + ] + } + }, + { + "value": "Marlboro Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. 
Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)", + "meta": { + "date": "January 2017", + "extensions": [ + ".oops" + ], + "encryption": "XOR", + "ransomnotes": [ + "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png", + "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html" + ] + } + }, + { + "value": "Spora Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png", + "meta": { + "date": "January 2017", + "extensions": [ + "" + ], + "encryption": "AES+RSA", + "ransomnotes": [ + "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html" + ] + } + }, + { + "value": "CryptoKill Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. 
NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.", + "meta": { + "date": "January 2017", + "extensions": [ + ".crypto" + ], + "encryption": "AES+RSA", + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html" + ] + } + }, + { + "value": "All_Your_Documents Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + "AES+RSA" + ], + "encryption": "", + "ransomnotes": [ + "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html" + ] + } + }, + { + "value": "SerbRansom 2017 Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. 
The name of the hacker is R4z0rx0r Serbian Hacker.", + "meta": { + "date": "January 2017", + "extensions": [ + ".velikasrbija" + ], + "encryption": "AES", + "ransomnotes": [ + "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg", + "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html", + "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/" + ] + } + }, + { + "value": "Fadesoft Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.", + "meta": { + "date": "January 2017", + "encryption": "AES", + "ransomnotes": [ + "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html" + ] + } + }, + { + "value": "HugeMe Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".encypted" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html", + "https://www.ozbargain.com.au/node/228888?page=3", + "https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html" + ] + } + }, + { + "value": "DynA-Crypt Ransomware or DynA CryptoLocker Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".crypt" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html" + ] + } + }, + { + "value": "Serpent 2017 Ransomware or Serpent Danish Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".crypt" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "==== NEED HELP WITH TRANSLATE? 
USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html" + ] + } + }, + { + "value": "Erebus 2017 Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "encryption": "ROT-23", + "ransomnotes": [ + "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html" + ] + } + }, + { + "value": "Cyber Drill Exercise or Ransomuhahawhere", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "January 2017", + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html" + ] + } + }, + { + "value": "Cancer Ransomware FAKE", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.", + "meta": { + "date": "February 2017", + "extensions": [ + ".cancer" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html", + "https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/" + ] + } + }, + { + "value": "UpdateHost Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.", + "meta": { + "date": "January 2017", + "extensions": [ + ".locked" + ], + "encryption": "AES", + "ransomnotes": [ + "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html", + "https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html" + ] + } + }, + { + "value": "Nemesis Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.", + "meta": { + "date": "January 2017", + "extensions": [ + ".v8dp" + ], + "encryption": "AES", + "ransomnotes": [ + "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html" + ] + } + }, + { + "value": "Evil Ransomware or File0Locked KZ Ransomware", "description": "", - "value": "Browlock" - }, - { - "description": "GOST; ; ", - "value": "Bucbi" - }, - { - "description": "(.*).encoded.([A-Z0-9]{9}); ", - "value": "BuyUnlockCode" - }, - { - "description": ".cry; ", - "value": "Central Security Treatment Organization" - }, - { - "description": "AES; .cerber .cerber2 .cerber3; ", - "value": "Cerber" - }, - { - "description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ", - "value": "Chimera" - }, - { - "description": ".clf; ", - "value": "CoinVault" - }, - { - "description": "AES(256); .coverton .enigma .czvxce; ", - "value": "Coverton" - }, - { - "description": ".{CRYPTENDBLACKDC}; ", - "value": "Cryaki" + "meta": { + "date": "January 2017", + "extensions": [ + ".file0locked" + ], + "encryption": 
"AES", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "Crybola" - }, - { - "description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ", - "value": "CryFile" - }, - { - "description": "Cry, CSTO; .cry; ", - "value": "CryLocker" - }, - { - "description": "AES(256); ", - "value": "CrypMIC" - }, - { - "description": ".ENCRYPTED; ", - "value": "Crypren" - }, - { - "description": "AES; .crypt38; ", - "value": "Crypt38" - }, - { - "description": "Hidden Tear; AES(256); ", - "value": "Cryptear" - }, - { - "description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ", - "value": "CryptFIle2" - }, - { - "description": ".crinf; ", - "value": "CryptInfinite" - }, - { - "description": "AES and RSA; ", - "value": "CryptoBit" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "CryptoDefense" - }, - { - "description": "Ranscam; ", - "value": "CryptoFinancial" - }, - { - "description": "AES (256), RSA (1024); .frtrss; ", - "value": "CryptoFortress" - }, - { - "description": ".clf; ", - "value": "CryptoGraphic Locker" - }, - { - "description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ", - "value": "CryptoHost" - }, - { - "description": "AES-256; .crjoker; ", - "value": "CryptoJoker" - }, - { - "description": ".encrypted .ENC; ", - "value": "CryptoLocker" - }, - { - "description": "[A-F0-9]{8}_luck; ", - "value": "CryptoLuck / YafunnLocker" - }, - { - "description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ", - "value": "CryptoMix" - }, - { - "description": "AES; .crptrgr; ", - "value": "CryptoRoger" - }, - { - "description": "AES; .locked; ", - "value": "CryptoShocker" - }, - { - "description": ".CryptoTorLocker2015!; ", - "value": "CryptoTorLocker2015" - }, - { - "description": 
"no filename change; ", - "value": "CryptoWall 1" - }, - { - "description": "no filename change; ", - "value": "CryptoWall 2" - }, - { - "description": "no filename change; ", - "value": "CryptoWall 3" - }, - { - "description": "., e.g., 27p9k967z.x1nep; ", - "value": "CryptoWall 4" - }, - { - "description": "CryptProjectXXX; .crypt; ", - "value": "CryptXXX" - }, - { - "description": "CryptProjectXXX; .crypt; ", - "value": "CryptXXX 2.0" - }, - { - "description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ", - "value": "CryptXXX 3.0" - }, - { - "description": ".cryp1; ", - "value": "CryptXXX 3.1" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "CTB-Faker" - }, - { - "description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ", - "value": "CTB-Locker" - }, - { - "description": "AES(256); ", - "value": "CTB-Locker WEB" - }, - { - "description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ", - "value": "CuteRansomware" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "Deadly for a Good Purpose" - }, - { - "description": ".html; ", - "value": "DeCrypt Protect" - }, - { - "description": "AES-256; .ded; ", - "value": "DEDCryptor" - }, - { - "description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ", - "value": "DetoxCrypto" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "DirtyDecrypt" - }, - { - "description": "AES(256) in ECB mode, Version 2-4 also RSA; ", - "value": "DMALocker" - }, - { - "description": "AES(256); ", - "value": "DMALocker 3.0" - }, - { - "description": "AES(256); .domino; ", - "value": "Domino" - }, - { - "description": 
"Cryptear; AES(256); .locked; ", - "value": "EDA2 / HiddenTear" - }, - { - "description": "EduCrypter; .isis .locked; ", - "value": "EduCrypt" - }, - { - "description": "Los Pollos Hermanos; .ha3; ", - "value": "El-Polocker" - }, - { - "description": "Trojan.Encoder.6491; ", - "value": "Encoder.xxxx" - }, - { - "description": "AES (128); .enigma .1txt; ", - "value": "Enigma" - }, - { - "description": ".exotic; ", - "value": "Exotic" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "Fairware" - }, - { - "description": ".locked; ", - "value": "Fakben" - }, - { - "description": "Variants: Comrade Circle; AES(128); .fantom; ", - "value": "Fantom" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "Fonco" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "FSociety" + "meta": { + "date": "", + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } }, { + "value": "", "description": "", - "value": "Fury" - }, - { - "description": "AES (256); .Z81928819; ", - "value": "GhostCrypt" - }, - { - "description": "Purge; Blowfish; .purge; ", - "value": "Globe v1" - }, - { - "description": "Purge; Blowfish; .. 
e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ", - "value": "Globe v2" - }, - { - "description": "Purge; RC4; .globe or random; ", - "value": "Globe v3" - }, - { - "description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; .locked, e.g., bill.!ID!8MMnF!ID!.locked; ", - "value": "GNL Locker" - }, - { - "description": ".crypt; !___[EMAILADDRESS]_.crypt; ", - "value": "Gomasom" - }, - { - "description": "", - "value": "Goopic" - }, - { - "description": "", - "value": "Gopher" - }, - { - "description": ".html; ", - "value": "Harasom" - }, - { - "description": "Mamba; Custom (net shares), XTS-AES (disk); ", - "value": "HDDCryptor" - }, - { - "description": ".herbst; ", - "value": "Herbst" - }, - { - "description": "AES(256); .cry ; ", - "value": "Hi Buddy!" - }, - { - "description": "removes extensions; ", - "value": "Hitler" - }, - { - "description": "AES; (encrypted); ", - "value": "HolyCrypt" - }, - { - "description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ", - "value": "Hucky" - }, - { - "description": "hydracrypt_ID_[\\w]{8}; ", - "value": "HydraCrypt" - }, - { - "description": ".crime; ", - "value": "iLock" - }, - { - "description": ".crime; ", - "value": "iLockLight" - }, - { - "description": "<6 random characters>; ", - "value": "International Police Association" - }, - { - "description": "!ENC; ", - "value": "JagerDecryptor" - }, - { - "description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ", - "value": "Jeiphoos" - }, - { - "description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ", - "value": "Jigsaw" - }, - { - "description": "TripleDES; .locked .css; ", - "value": "Job Crypter" - }, - { - "description": "AES; .encrypted; ", - "value": "KeRanger" - }, - { - "description": "keybtc@inbox_com ; ", - "value": "KeyBTC" - }, - { 
- "description": "",
- "value": "KEYHolder"
- },
- {
- "description": ".rip; ",
- "value": "Killer Locker"
- },
- {
- "description": "AES; .kimcilware .locked; ",
- "value": "KimcilWare"
- },
- {
- "description": "AES(256); .암호화됨; ",
- "value": "Korean"
- },
- {
- "description": ".kostya; ",
- "value": "Kostya"
- },
- {
- "description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ",
- "value": "Kozy.Jozy"
- },
- {
- "description": ".kratos; ",
- "value": "KratosCrypt"
- },
- {
- "description": "AES(256); ",
- "value": "KryptoLocker"
- },
- {
- "description": ".LeChiffre; ",
- "value": "LeChiffre"
- },
- {
- "description": "Linux.Encoder.{0,3}; ",
- "value": "Linux.Encoder"
- },
- {
- "description": "",
- "value": "Locker"
- },
- {
- "description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ",
- "value": "Locky"
- },
- {
- "description": ".lock93; ",
- "value": "Lock93"
- },
- {
- "description": ".crime; ",
- "value": "Lortok"
- },
- {
- "description": "oor.; ",
- "value": "LowLevel04"
- },
- {
- "description": "",
- "value": "Mabouia"
- },
- {
- "description": "AES(256); .magic; ",
- "value": "Magic"
- },
- {
- "description": "AES(256), RSA (2048); [a-z]{4,6}; ",
- "value": "MaktubLocker"
- },
- {
- "description": "Crypt888; AES; Lock.; ",
- "value": "MIRCOP"
- },
- {
- "description": "AES(256); .fucked, .fuck; ",
- "value": "MireWare"
- },
- {
- "description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ",
- "value": "Mischa"
- },
- {
- "description": "Booyah; AES(256); .locked; ",
- "value": "MM Locker"
- },
- {
- "description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ",
- "value": "Mobef"
- },
- {
- "description": "",
- "value": "n1n1n1"
- },
- {
- "description": "",
- "value": "Nagini"
- },
- {
- "description": "AES (256), RSA; ",
- "value": "NanoLocker"
- },
- {
- "description": "XOR(255) 7zip; .crypted; ",
- "value": "Nemucod"
- },
- {
- "description": "",
- "value": "NoobCrypt"
- },
- {
- "description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ",
- "value": "ODCODC"
- },
- {
- "description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ",
- "value": "Offline ransomware"
- },
- {
- "description": "GPCode; .LOL! .OMG!; ",
- "value": "OMG! Ransomware"
- },
- {
- "description": "",
- "value": "Onyx"
- },
- {
- "description": ".EXE; ",
- "value": "Operation Global III"
- },
- {
- "description": ".padcrypt; ",
- "value": "PadCrypt"
- },
- {
- "description": "XOR; ",
- "value": "PClock"
- },
- {
- "description": "Goldeneye; Modified Salsa20; ",
- "value": "Petya"
- },
- {
- "description": "AES(256); .locked; .locked; ",
- "value": "Philadelphia"
- },
- {
- "description": ".id-[victim_id]-maestro@pizzacrypts.info; ",
- "value": "PizzaCrypts"
- },
- {
- "description": "AES(256); .locked; ",
- "value": "PokemonGO"
- },
- {
- "description": "AES(256); .filock; ",
- "value": "Popcorn Time"
- },
- {
- "description": "AES(256); ",
- "value": "Polyglot"
- },
- {
- "description": "PoshCoder; AES(128); .locky; ",
- "value": "PowerWare"
- },
- {
- "description": "AES, but throws key away, destroys the files; ",
- "value": "PowerWorm"
- },
- {
- "description": "",
- "value": "PRISM"
- },
- {
- "description": ".crypt; ",
- "value": "R980"
- },
- {
- "description": "RAA; .locked; ",
- "value": "RAA encryptor"
- },
- {
- "description": "AES(256); .RDM .RRK .RAD .RADAMANT; ",
- "value": "Radamant"
- },
- {
- "description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\\w]{4,12}; ",
- "value": "Rakhni"
- },
- {
- "description": "locked-.[a-zA-Z]{4}; ",
- "value": "Rannoh"
- },
- {
- "description": "",
- "value": "Ransom32"
- },
- {
- "description": "Asymmetric 1024 ; ",
- "value": "RansomLock"
- },
- {
- "description": ".vscrypt .infected .bloc .korrektor; ",
- "value": "Rector"
- },
- {
- "description": "AES(256); .rekt; ",
- "value": "RektLocker"
- },
- {
- "description": ".remind .crashed; ",
- "value": "RemindMe"
- },
- {
- "description": "Curve25519 + ChaCha; .rokku; ",
- "value": "Rokku"
- },
- {
- "description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ",
- "value": "Samas-Samsam"
- },
- {
- "description": "AES(256) + RSA(2096); .sanction; ",
- "value": "Sanction"
- },
- {
- "description": "Sarah_G@ausi.com___; ",
- "value": "Satana"
- },
- {
- "description": "",
- "value": "Scraper"
- },
- {
- "description": "AES; ",
- "value": "Serpico"
- },
- {
- "description": "Atom; .locked; ",
- "value": "Shark"
- },
- {
- "description": ".shino; ",
- "value": "ShinoLocker"
- },
- {
- "description": "KinCrypt; ",
- "value": "Shujin"
- },
- {
- "description": "AES; .~; ",
- "value": "Simple_Encoder"
- },
- {
- "description": "AES(256); .locked; ",
- "value": "SkidLocker / Pompous"
- },
- {
- "description": ".encrypted; ",
- "value": "Smrss32"
- },
- {
- "description": "AES(256); .RSNSlocked .RSplited; ",
- "value": "SNSLocker"
- },
- {
- "description": ".sport; ",
- "value": "Sport"
- },
- {
- "description": "AES(256); .locked; ",
- "value": "Stampado"
- },
- {
- "description": "AES(256); .locked; ",
- "value": "Strictor"
- },
- {
- "description": "AES(256); .surprise .tzu; ",
- "value": "Surprise"
- },
- {
- "description": "",
- "value": "Survey"
- },
- {
- "description": "",
- "value": "SynoLocker"
- },
- {
- "description": ".szf; ",
- "value": "SZFLocker"
- },
- {
- "description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ",
- "value": "TeleCrypt"
- },
- {
- "description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ",
- "value": "TeslaCrypt 0.x - 2.2.0"
- },
- {
- "description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ",
- "value": "TeslaCrypt 3.0+"
- },
- {
- "description": "AES(256) + ECHD + SHA1; ",
- "value": "TeslaCrypt 4.1A"
- },
- {
- "description": "",
- "value": "TeslaCrypt 4.2"
- },
- {
- "description": "",
- "value": "Threat Finder"
- },
- {
- "description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ",
- "value": "TorrentLocker"
- },
- {
- "description": "",
- "value": "TowerWeb"
- },
- {
- "description": ".toxcrypt; ",
- "value": "Toxcrypt"
- },
- {
- "description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ",
- "value": "Troldesh"
- },
- {
- "description": "AES(256); .enc; ",
- "value": "TrueCrypter"
- },
- {
- "description": "AES(256); .locked; ",
- "value": "Turkish Ransom"
- },
- {
- "description": "AES; umbrecrypt_ID_[VICTIMID]; ",
- "value": "UmbreCrypt"
- },
- {
- "description": "AES; .H3LL .0x0 .1999; ",
- "value": "Ungluk"
- },
- {
- "description": ".CRRRT .CCCRRRPPP; ",
- "value": "Unlock92"
- },
- {
- "description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ",
- "value": "VaultCrypt"
- },
- {
- "description": "",
- "value": "VenisRansomware"
- },
- {
- "description": "AES(256); .Venusf .Venusp; ",
- "value": "VenusLocker"
- },
- {
- "description": ".exe; ",
- "value": "Virlock"
- },
- {
- "description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ",
- "value": "Virus-Encoder"
- },
- {
- "description": ".wflx; ",
- "value": "WildFire Locker"
- },
- {
- "description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ",
- "value": "Xorist"
- },
- {
- "description": ".xrtn; ",
- "value": "XRTN "
- },
- {
- "description": "Zcryptor; .zcrypt; ",
- "value": "Zcrypt"
- },
- {
- "description": ".crypto; ",
- "value": "Zimbra"
- },
- {
- "description": "VaultCrypt CrypVault; RSA; .vault; ",
- "value": "Zlader / Russian"
- },
- {
- "description": "GNL Locker; .zyklon; ",
- "value": "Zyklon"
- },
- {
- "description": "AES; ",
- "value": "Erebus"
+ "meta": {
+ "date": "",
+ "extensions": [
+ ""
+ ],
+ "encryption": "",
+ "ransomnotes": [
+ ""
+ ],
+ "refs": [
+ ""
+ ]
+ }
 }
 ],
- "source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml"
+ "sources": [
+ "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
+ "http://pastebin.com/raw/GHgpWjar"
+ ]
 }