diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index cd8c91a..ebf46cc 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13857,7 +13857,27 @@
 },
 "uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb",
 "value": "Snake Ransomware"
+ },
+ {
+ "description": "Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below.\neCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer.\nOn June 1st, 2020, there has been a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.",
+ "meta": {
+ "extensions": [
+ ".encrypt"
+ ],
+ "ransomnotes": [
+ "All your data has been locked(crypted).\n​How to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]"
+ ],
+ "ransomnotes-filenames": [
+ "README_FOR_DECRYPT.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/",
+ "https://www.anomali.com/blog/the-ech0raix-ransomware"
+ ]
+ },
+ "uuid": "f3ded787-783e-4c6b-909a-8da01254380c",
+ "value": "eCh0raix"
 }
 ],
- "version": 86
+ "version": 87
 }
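Review bot: The new eCh0raix `"description"` is pasted from two sources without attribution, which leaves it dangling and in the wrong voice: "has the form shown below" refers to a note that only exists in the `ransomnotes` field, and "seeking help in our forums" is BleepingComputer's first person, not the galaxy's. Suggest `The ransom note text is recorded in the ransomnotes field.` and `...victims seeking help in the BleepingComputer forums and submissions to ID-Ransomware.` so the entry stands on its own. The ransom note string also appears to carry an invisible (zero-width) character right after the first `\n`, before `How to unclock`; if that is faithful to the on-disk note it is a useful artefact and should be called out in the commit message, otherwise it should be stripped so that detections copied from this text do not silently miss. The live `.onion` URL and `README_FOR_DECRYPT.txt` filename are the actionable indicators here and look correct against the refs.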
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 572c9cf..33f2cd0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8339,7 +8339,18 @@
 },
 "uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e",
 "value": "COBALT KATANA"
+ },
+ {
+ "description": "Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.\nDark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades.\nWe also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation.\nWe link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entitie",
+ "meta": {
+ "refs": [
+ "https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/",
+ "https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin"
+ ]
+ },
+ "uuid": "3cbc52d5-fe4d-4d7a-a5e9-641b7c073d62",
+ "value": "Dark Basin"
 }
 ],
- "version": 162
+ "version": 163
 }
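Review bot: The new Dark Basin `"description"` is truncated mid-word (`...BellTroX InfoTech Services, and related entitie`), so the attribution sentence, the most useful part of the entry, is incomplete; complete it to `...BellTroX InfoTech Services, and related entities.` The text also keeps Citizen Lab's first person (`We also identify...`, `We link...`), which reads as the galaxy maintainers' own assessment rather than a cited one; rephrase as `Citizen Lab also identifies...` and `Citizen Lab links...`. Since the description itself names BellTroX InfoTech Services as the company behind the activity, a `"synonyms": ["BellTroX"]` entry in `meta` would make the actor findable under that name, assuming the project treats contractor names as synonyms. The second ref points at a Citizen Lab indicator repository, which is the right place for analysts to pull IOCs from rather than duplicating them here.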