From 8b10e3aaee449d1e564e65b5d3499ecfce895c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Wed, 3 May 2017 14:24:53 +0200
Subject: [PATCH] managing duplicate
---
 clusters/ransomware.json | 675 ++++++++++++++++++++++++++-------------
 1 file changed, 453 insertions(+), 222 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f552977..477b585 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -38,7 +38,8 @@
 "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html",
+ "https://twitter.com/jiriatvirlab/status/838779371750031360"
 ]
 }
 },
@@ -90,16 +91,19 @@ } }, { - "value": "Vortex Ransomware", + "value": "Vortex Ransomware or Ŧl๏tєгค гคภร๏๓ฬคгє", "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "meta": { "date": "March 2017", - "encryption": "", + "extensions": [ + ".aes" + ], "ransomnotes": [ "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html", + "https://twitter.com/struppigel/status/839778905091424260" ] } }, 
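Review bot: The alias is folded into the cluster's `value` (`"Vortex Ransomware or Ŧl๏tєгค гคภร๏๓ฬคгє"`), which changes the identifier that every existing tag or reference to this cluster uses and makes neither name searchable on its own. If the galaxy schema carries a synonyms list under `meta` (none is visible in this file, so this is an assumption), keep `"value": "Vortex Ransomware"` and record the second name as `"synonyms": ["Ŧl๏tєгค гคภร๏๓ฬคгє"]`. The empty `"encryption": ""` was dropped rather than filled; the AES-256 claim in the ransom note is attacker-stated, so leaving the field out is defensible, but that choice is worth a word in the commit message.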
@@ -126,14 +130,16 @@ "meta": { "date": "March 2017", "extensions": [ - ".enc" + ".enc", + ".ENC" ], "encryption": "AES-128", "ransomnotes": [ "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html", + "https://twitter.com/jiriatvirlab/status/840863070733885440" ] } }, 
@@ -178,7 +184,8 @@
 ],
 "encryption": "AES-128",
 "ransomnotes": [
- "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU"
+ "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU",
+ "ПАРОЛЬ.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html"
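Review bot: `"ПАРОЛЬ.txt"` is a ransom-note filename, but it is appended to the same `ransomnotes` array that already holds the note's translated body and, in other entries of this file, screenshot URLs, so a consumer now has to guess whether an element is a filename, a text body or an image link. If the galaxy schema has no dedicated field for note filenames, document the convention once in the cluster description or prefix such entries consistently; the same mixing is repeated in most hunks of this patch (`# !!!HELP_FILE!!! #.txt`, `RANSOM_NOTE.txt`, `ZINO_NOTE.TXT`, …). A note filename doubles as a host-based detection indicator, which is a good reason to make it machine-distinguishable rather than free text.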
@@ -197,13 +204,14 @@ "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html", "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", + "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" ] } }, { "value": "Karmen Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear", "meta": { "date": "March 2017", "extensions": [ 
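Review bot: Typo in the new Karmen description, `RaaS, baed on HiddenTear` should read `RaaS, based on HiddenTear`; the string is shown to analysts verbatim. The lineage claim is also appended to the boilerplate paragraph rather than stored as a structured attribute, so nobody can select HiddenTear-derived families without text matching; if the schema offers a field for this use it, and otherwise at least keep the wording identical to the other entries in this patch (`Based on HiddenTear`) so a grep finds them all.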
@@ -215,13 +223,14 @@ ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", - "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html", + "https://twitter.com/malwrhunterteam/status/841747002438361089" ] } }, { "value": "Revenge Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant", "meta": { "date": "March 2017", "extensions": [ 
@@ -230,7 +239,8 @@ "encryption": "AES-256 + RSA-1024", "ransomnotes": [ "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg", - "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail." + "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.", + "# !!!HELP_FILE!!! #.txt" ], "refs": [ "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", 
@@ -239,7 +249,7 @@
 }
 },
 {
- "value": "Turkish FileEncryptor Ransomware",
+ "value": "Turkish FileEncryptor Ransomware or Fake CTB-Locker",
 "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
 "meta": {
 "date": "March 2017",
@@ -249,7 +259,8 @@
 "encryption": "AES",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
- "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss."
+ "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.".
+ "Beni Oku.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html",
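Review bot: The rewritten Turkish FileEncryptor ransom-note element is terminated with a period instead of a comma (`...can lead to loss.".` followed by `"Beni Oku.txt"`), which is not valid JSON and will break every consumer that loads this cluster file. Change the separator so the filename is a proper array member: `...can lead to loss.",`. A `python -m json.tool clusters/ransomware.json` (or `jq .`) step in CI would catch this class of error before merge; this patch contains two more of them.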
@@ -259,16 +270,18 @@ }, { "value": "Kirk Ransomware & Spock Decryptor", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero", "meta": { "date": "March 2017", "extensions": [ - ".kirked" + ".kirked", + ".Kirked" ], "encryption": "AES+RSA", "ransomnotes": [ "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png", - "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. 
Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. 
Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER" + "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. 
Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER", + "RANSOM_NOTE.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html", 
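Review bot: `.Kirked` is added next to `.kirked` as a separate extension, but nothing in the hunk says a sample was observed writing the capitalised form; if it is only a case variant of the same indicator, consumers matching case-insensitively get a duplicate and consumers matching case-sensitively on a case-insensitive filesystem gain nothing. State in the description that the capitalised variant was observed, or drop it; the same question applies to `.enc`/`.ENC` added for RozaLocker earlier in this patch. The appended `Payments in Monero` duplicates what the ransom note already says and would be more useful as a structured payment-method attribute if the schema has one.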
@@ -276,7 +289,8 @@ "https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/", "http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html", "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges", - "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/" + "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/", + "https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/" ] } }, 
@@ -290,17 +304,19 @@ ], "encryption": "AES", "ransomnotes": [ - "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg" + "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg", + "ZINO_NOTE.TXT" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html", - "https://twitter.com/demonslay335?lang=en" + "https://twitter.com/demonslay335?lang=en", + "https://twitter.com/malwrhunterteam/status/842781575410597894" ] } }, { "value": "Crptxxx Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass", "meta": { "date": "March 2017", "extensions": [ 
@@ -308,12 +324,14 @@ ], "encryption": "AES", "ransomnotes": [ - "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png" + "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png", + "HOW_TO_FIX_!.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html", "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84", - "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc" + "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc", + "https://twitter.com/malwrhunterteam/status/839467168760725508" ] } }, @@ -327,11 +345,13 @@ ], "encryption": "", "ransomnotes": [ - "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png" + "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png", + "motd.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/" + "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/", + "https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/" ] } }, 
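Review bot: The two bleepingcomputer refs on the MOTD entry point at the same forum topic, id `642409`, with different URL slugs (`motd-of-ransome-hostage` versus `motd-ransomware-help-support-topics-motdtxt-and-enc-extension`); the forum appears to resolve a topic by its numeric id, so the older slug is a duplicate of the new one rather than a second source. Given that the commit is about managing duplicates, replace the first ref with the second instead of keeping both: `"https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/"`.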
@@ -349,13 +369,14 @@ "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html", + "https://twitter.com/PolarToffee/status/843527738774507522" ] } }, { "value": "FabSysCrypto Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "meta": { "date": "March 2017", "extensions": [ @@ -366,7 +387,8 @@ "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html", + "https://twitter.com/struppigel/status/837565766073475072" ] } }, @@ -425,7 +447,8 @@ ], "encryption": "AES", "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html", + "https://twitter.com/malwrhunterteam/status/836995570384453632" ] } }, 
@@ -468,30 +491,36 @@ "encryption": "AES", "ransomnotes": [ "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png", - "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png" + "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png", + "ReadMe-[3_random_chars].html" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html", + "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/" ] } }, { - "value": "PickelsRansomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "PicklesRansomware", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Python Ransomware", "meta": { "date": "February 2017", "extensions": [ ".EnCrYpTeD" ], "encryption": "AES", + "ransomnotes": [ + "READ_ME_TO_DECRYPT.txt" + ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html", + "https://twitter.com/JakubKroustek/status/834821166116327425" ] } }, { "value": "Vanguard Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file.", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware", "meta": { "date": "February 2017", "encryption": "ChaCha20 and Poly1305", 
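Review bot: Correcting `PickelsRansomware` to `PicklesRansomware` changes the cluster's `value`, i.e. its identifier, so anything already tagged with the old spelling silently stops matching; keep the old spelling as a synonym if the schema allows it. The corrected name also still lacks the space every other entry uses (`Pickles Ransomware`), which is exactly the kind of near-duplicate this commit sets out to manage. In the Unlock26 entry, `ReadMe-[3_random_chars].html` is a pattern rather than a filename; say so in the description (or use an explicit glob such as `ReadMe-???.html`) so it is not consumed as a literal indicator.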
@@ -499,7 +528,8 @@ "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety." ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html", + "https://twitter.com/JAMESWT_MHT/status/834783231476166657" ] } }, @@ -516,7 +546,9 @@ "ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** " ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html", + "https://twitter.com/Jan0fficial/status/834706668466405377 +" ] } }, @@ -526,11 +558,14 @@ "meta": { "date": "February 2017", "extensions": [ - ".trumplockerf" + ".trumplockerf", + ".TheTrumpLockerf", + ".TheTrumpLockerfp" ], "encryption": "AES-128", "ransomnotes": [ - "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg" + "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg", + "What happen to my files.txt" ], "refs": [ "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/", 
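Review bot: The added Pyl33t ref is split across two lines (`"https://twitter.com/Jan0fficial/status/834706668466405377` on one line, the closing `"` on the next), so the string literal contains a raw newline, which RFC 8259 forbids inside strings; the file no longer parses. Rejoin it on a single line as `"https://twitter.com/Jan0fficial/status/834706668466405377"`. Together with the `.`-for-`,` and trailing-comma errors elsewhere in this patch, this argues for a JSON validation step in CI rather than relying on review to catch syntax.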
@@ -541,24 +576,26 @@ }, { "value": "Damage Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi", "meta": { "date": "February 2017", "extensions": [ ".damage" ], - "encryption": "AES-128", + "encryption": "AES-128 OR Combination of SHA-1 and Blowfish", "ransomnotes": [ "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html", + "https://decrypter.emsisoft.com/damage", + "https://twitter.com/demonslay335/status/835664067843014656" ] } }, { "value": "XYZWare Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "meta": { "date": "February 2017", "extensions": [ @@ -569,7 +606,8 @@ "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html", + "https://twitter.com/malwrhunterteam/status/833636006721122304" ] } }, 
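Review bot: `"encryption": "AES-128 OR Combination of SHA-1 and Blowfish"` turns a field that every other entry uses as an algorithm label into a free-text disjunction that consumers cannot match on; if the sources disagree, pick the one the added Emsisoft decrypter page supports and move the uncertainty into the description. SHA-1 is a hash, not a cipher, so "combination of SHA-1 and Blowfish" presumably means SHA-1 for key derivation and Blowfish for file content, and the entry should say that if the source does. The existence of a public decrypter (`https://decrypter.emsisoft.com/damage`) is the most actionable fact in this hunk and deserves a sentence in the description, not only a refs entry.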
@@ -592,29 +630,32 @@ }, { "value": "CryptConsole 2.0 Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", "meta": { "date": "February 2017", "encryption": "AES", "ransomnotes": [ - "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png" + "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png", + "How decrypt files.hta" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html", ] } }, { "value": "BarRax  Ransomware or BarRaxCrypt  Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "meta": { "date": "February 2017", "extensions": [ - ".barRex" + ".barRex", + ".BarRax" ], "encryption": "AES", "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", + "https://twitter.com/demonslay335/status/835668540367777792" ] } }, @@ -716,7 +757,8 @@ "[KASISKI]" ], "ransomnotes": [ - "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg" + "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg", + "INSTRUCCIONES.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html", @@ -752,7 +794,7 @@ "extensions": [ ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)" ], - "encryption": "AES-256", + "encryption": "AES(256)/ROT-13", "ransomnotes": [ "# RESTORING FILES #.txt", "# RESTORING FILES #.html", @@ -766,7 +808,7 @@ }, { "value": "Hermes Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"", "meta": { "date": "February 2017", "extensions": [ 
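Review bot: The CryptConsole 2.0 `refs` array in the first hunk now ends with `"https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html", ]` — a trailing comma before `]`, which RFC 8259 parsers reject, so this single edit makes the whole ransomware.json unloadable. Either drop the comma or add the reference that was presumably meant to follow it (the CryptConsole 1 entry in this same patch cites a BleepingComputer support topic). The same hunk also appends a trailing space to the CryptConsole 2.0 description (`etc.. "`), which defeats exact-match deduplication, the stated purpose of this commit; `etc.."` keeps it identical to the sibling entries.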
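Review bot: `"encryption": "AES(256)/ROT-13"` in the CryptoShield hunk folds the file-name obfuscation into the cipher field; ROT-13 is applied to the file name, as the `extensions` entry already explains, and listing it as encryption will mislead anyone triaging recoverability. Keep `"encryption": "AES-256"` (the previous value, and the form used by the other entries) and leave the ROT-13 note where it is. If the intent was to record that the file-name rotation is trivially reversible, that belongs in the description.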
@@ -775,11 +817,16 @@ "encryption": "AES", "ransomnotes": [ "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png", - "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png" + "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png", + "DECRYPT_INFORMATION.html", + "UNIQUE_ID_DO_NOT_REMOVE" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/", + "https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/", + "https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/ +" ] } }, 
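Review bot: The last `refs` entry added in this hunk is split across two lines (`…by-emsisofts-fabian-wosar/` then `+"`), so the JSON string literal contains a raw line break. RFC 8259 forbids unescaped control characters inside strings, so strict parsers will reject the file, and even lenient ones will store a URL with a trailing newline. Join it onto one line: `"https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/"`. Separately, `UNIQUE_ID_DO_NOT_REMOVE` looks like the per-victim key/ID file rather than a ransom note; if so, a sentence in the description saying it must be preserved for decryption would make the entry more useful to responders.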
@@ -876,17 +923,19 @@ ], "encryption": "AES-256", "ransomnotes": [ - "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png" + "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png", + "README.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html", - "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/" + "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/", + "https://twitter.com/_ddoxer/status/827555507741274113" ] } }, { "value": "Ranion RaasRansomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below).", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service", "meta": { "date": "February 2016", "encryption": "AES-256", 
@@ -956,7 +1005,8 @@
 ],
 "refs": [
 "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
- "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
+ "https://twitter.com/jiriatvirlab/status/825411602535088129"
 ]
 }
 },
@@ -975,7 +1025,9 @@ "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/", + "https://twitter.com/PolarToffee/status/824705553201057794" ] } }, 
@@ -1063,7 +1115,7 @@ }, { "value": "Sage 2.0 Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected.", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker", "meta": { "date": "January 2017", "extensions": [ @@ -1072,12 +1124,15 @@ "encryption": "AES", "ransomnotes": [ "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png", - "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png" + "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png", + "!Recovery_[3_random_chars].html" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", - "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom" + "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom", + "https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/", + "https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga" ] } }, @@ -1093,7 +1148,8 @@ ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html", - "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/" + "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/", + "https://twitter.com/BleepinComputer/status/822653335681593345" ] } }, 
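Review bot: `Predecessor CryLocker` appended to the Sage 2.0 description is ambiguous — it reads either as Sage 2.0 being the predecessor of CryLocker or the reverse — and lineage is exactly what an analyst will use this field for. If the intended meaning is that Sage 2.0 evolved from CryLocker, write it out: `Believed to be the successor of CryLocker.`, and consider cross-linking the two entries if CryLocker has its own. The surrounding description (unchanged context here) still reads `Micro` for macro and `incrypts`; worth fixing in the same pass.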
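Review bot: The Sage 2.0 `ransomnotes` array now mixes a literal-looking filename that is really a pattern, `!Recovery_[3_random_chars].html`, with screenshot URLs, and the placeholder syntax differs from the `[random]` and `[Infection-ID]` placeholders added to other entries in this patch. A consumer that matches note filenames literally will never hit this value, and one that expands placeholders has no single convention to parse. Pick one notation for the whole file (e.g. `[random]`) and document it once in the cluster description, or store the pattern as a regex-style value such as `!Recovery_...html` with the convention spelled out.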
@@ -1136,7 +1192,7 @@ }, { "value": "Satan Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS", "meta": { "date": "January 2017", "extensions": [ @@ -1144,7 +1200,8 @@ ], "encryption": "AES-256 + RSA-2048", "ransomnotes": [ - "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png" + "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png", + "HELP_DECRYPT_FILES.html" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html", 
@@ -1194,8 +1251,8 @@ } }, { - "value": "Kaandsona Ransomware or RansomTroll Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia.", + "value": "Kaandsona Ransomware or RansomTroll Ransomware or Käändsõna Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts", "meta": { "date": "January 2017", "extensions": [ 
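Review bot: The appended `Crashes before it encrypts` contradicts the earlier sentence of the same description, `It encrypts all your files, including: …`, so the entry now asserts both that files are encrypted and that encryption never happens. Because that is the actionable part for a responder, qualify the boilerplate instead, e.g. `Intended to encrypt user files, but the known sample crashes before encryption starts (see refs).` The new alias `Käändsõna Ransomware` is useful, but the `or`-joined `value` string means exact-name lookups for any single alias will miss; if the galaxy format supports a synonyms list, that is the place for it.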
@@ -1207,19 +1264,20 @@ "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html" + "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html", + "https://twitter.com/BleepinComputer/status/819927858437099520" ] } }, { "value": "LambdaLocker Ransomware", - "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware", "meta": { "date": "January 2017", "extensions": [ ".lambda_l0cked" ], - "encryption": "AES", + "encryption": "AES-256", "ransomnotes": [ "READ_IT.hTmL", "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif" 
@@ -1261,10 +1319,13 @@ "encryption": "XOR", "ransomnotes": [ "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png", - "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png" + "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png", + "_HELP_Recover_Files_.html" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html" + "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html", + "https://decrypter.emsisoft.com/marlboro", + "https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/" ] } }, @@ -1273,15 +1334,15 @@ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png", "meta": { "date": "January 2017", - "extensions": [ - "" - ], "encryption": "AES+RSA", "ransomnotes": [ - "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png" + "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png", + "[Infection-ID].HTML" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html", + "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware", + "http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/" ] } }, 
@@ -1332,7 +1393,8 @@ "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html", "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/", + "https://twitter.com/malwrhunterteam/status/830116190873849856" ] } }, @@ -1346,7 +1408,9 @@ "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html", + "https://twitter.com/malwrhunterteam/status/829768819031805953", + "https://twitter.com/malwrhunterteam/status/838700700586684416" ] } }, @@ -1382,7 +1446,9 @@ "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html", + "https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/ +" ] } }, 
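Review bot: In the Dyna-Crypt hunk the added reference `https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/` is followed by `+"` on a separate line, i.e. the string literal spans two physical lines. An unescaped newline inside a JSON string is invalid per RFC 8259 and will make strict loaders reject the file; put the closing quote on the same line as the URL. Given the article's own point that the family also steals data, a sentence in the description noting exfiltration (so responders treat this as a breach and not only an availability incident) would be worth more than the extra link alone.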
@@ -1410,10 +1476,12 @@ "date": "January 2017", "encryption": "ROT-23", "ransomnotes": [ - "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg" + "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg", + "README.HTML" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html", + "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ] } }, @@ -1487,11 +1555,13 @@ }, { "value": "Evil Ransomware or File0Locked KZ Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan.", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript +", "meta": { "date": "January 2017", "extensions": [ - ".file0locked" + ".file0locked", + ".evillock" ], "encryption": "AES", "ransomnotes": [ 
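Review bot: The Evil Ransomware description now ends with `Coded in Javascript` followed by `+",` on the next line, so the description string itself contains a raw newline — invalid JSON under RFC 8259 and a stray line break in any UI that renders the field. Close the string on the same line: `… Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in JavaScript.",`. The added `.evillock` extension is fine, but `decrypter` in that sentence appears to mean the author rather than a decryption tool; `attacker` would avoid the confusion in a file that also carries decrypter links.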
@@ -1503,7 +1573,9 @@ "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html", "http://www.enigmasoftware.com/evilransomware-removal/", - "http://usproins.com/evil-ransomware-is-lurking/" + "http://usproins.com/evil-ransomware-is-lurking/", + "https://twitter.com/jiriatvirlab/status/818443491713884161", + "https://twitter.com/PolarToffee/status/826508611878793219" ] } }, @@ -1517,13 +1589,14 @@ "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html", + "https://twitter.com/malwrhunterteam/status/817648547231371264" ] } }, { "value": "SkyName Ransomware or Blablabla Ransomware", - "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "meta": { "date": "January 2017", "encryption": "AES", 
@@ -1533,13 +1606,14 @@ "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html", + "https://twitter.com/malwrhunterteam/status/817079028725190656" ] } }, { "value": "MafiaWare Ransomware or Depsex Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia.", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear", "meta": { "date": "January 2017", "extensions": [ 
@@ -1547,26 +1621,38 @@ ], "encryption": "AES", "ransomnotes": [ - "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png" + "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png", + "READ_ME.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/", + "https://twitter.com/BleepinComputer/status/817069320937345024" ] } }, { - "value": "Globe3 Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins.", + "value": "Globe3 Ransomware or Purge Ransomware", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. 
It seems Globe is a ransomware kit.", "meta": { "date": "January 2017", "extensions": [ ".decrypt2017", ".hnumkhotep", ".badnews", - ".globe" + ".globe", + ".[random].bit", + ".[random].encrypted", + ".[random].raid10", + ".[random].globe", + ".[mia.kokers@aol.com]", + ".unlockv@india.com", + ".rescuers@india.com.3392cYAn548QZeUf.lock", + ".locked", + ".decrypt2017", + ".hnumkhotep" ], - "encryption": "AES-256+RSA", + "encryption": "AES-256+RSA or RC4", "ransomnotes": [ "How To Recover Encrypted Files.hta", "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png", @@ -1576,7 +1662,8 @@ "https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html", "https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/", "https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/", - "https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html" + "https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html", + "https://decrypter.emsisoft.com/globe3" ] } }, @@ -1651,7 +1738,8 @@ "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html", + "https://twitter.com/BleepinComputer/status/816112218815266816" ] } }, 
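Review bot: The expanded Globe3 `extensions` array repeats `.decrypt2017` and `.hnumkhotep`, both already present a few lines above in the same array, which is exactly the duplication this commit sets out to remove; drop the two trailing copies. Several new entries are placeholders rather than literal extensions (`.[random].bit`, `.[mia.kokers@aol.com]`), and `.locked` is generic enough that it is also listed for Zyka in this same patch, so an exact-extension matcher will produce false attributions; if placeholders must stay, a consistent notation across entries (`[random]` here vs `[3_random_chars]` for Sage) would at least let consumers filter them. The appended sentence also has a typo: `Extesion depends on the config file.` → `Extension depends on the config file.`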
@@ -1668,13 +1756,15 @@ "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html", + "https://twitter.com/BleepinComputer/status/815392891338194945 +" ] } }, { "value": "Red Alert", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear", "meta": { "date": "December 2016", "extensions": [ @@ -1686,7 +1776,8 @@ "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html", + "https://twitter.com/JaromirHorejsi/status/815557601312329728" ] } }, 
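Review bot: The EdgeLocker hunk adds `https://twitter.com/BleepinComputer/status/815392891338194945` with the closing quote pushed to the next line (`+"`), so the string holds a raw line break and the file is no longer valid RFC 8259 JSON. Keep the whole literal on one line: `"https://twitter.com/BleepinComputer/status/815392891338194945"`. Tweet URLs as sole references are also fragile (accounts and statuses disappear); where possible pair them with a durable write-up or an archived copy.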
@@ -1714,10 +1805,12 @@ "date": "January 2017", "encryption": "Twofish", "ransomnotes": [ - "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg" + "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg", + "Xhelp.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html" + "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html", + "https://twitter.com/JakubKroustek/status/825790584971472902" ] } }, @@ -1745,7 +1838,8 @@ "meta": { "date": "January 2017", "extensions": [ - ".lock" + ".lock", + ".locked" ], "encryption": "AES", "ransomnotes": [ @@ -1753,7 +1847,9 @@ ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html", - "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware" + "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware", + "https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip", + "https://twitter.com/GrujaRS/status/826153382557712385" ] } }, @@ -1831,6 +1927,7 @@ "encryption": "AES-256", "ransomnotes": [ "YOUR_FILES_ARE_DEAD.HTA", + "MERRY_I_LOVE_YOU_BRUCE.HTA", "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png", "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png" ], 
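Review bot: The Zyka refs now point straight at a binary archive, `https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip`, with no landing page, version or hash; a threat-intel reference that resolves to an executable download asks the reader to run unverified code in precisely the situation where fake decrypters are pushed at victims. Reference the tool's write-up or download page instead and, if a direct file link is kept, record its SHA-256 next to it. The added `.locked` extension is also claimed by Globe3 elsewhere in this patch, so matching on it alone cannot attribute to Zyka.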
@@ -1838,7 +1935,8 @@
 "https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/",
 "http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/",
- "https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/"
+ "https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/",
+ "https://decrypter.emsisoft.com/mrcr"
 ]
 }
 },
@@ -1861,7 +1959,7 @@
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.",
 "meta": {
 "date": "November/December 2016",
- "encryption": "AES+RSA",
+ "encryption": "AES-256+RSA",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png"
 ],
@@ -1871,7 +1969,8 @@ "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/", "http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/ http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware", - "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/" + "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", + "https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/" ] } }, @@ -1885,11 +1984,13 @@ ], "encryption": "AES", "ransomnotes": [ - "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif" + "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif", + "unlock-everybody.txt" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html", - "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/" + "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/", + "" ] } }, @@ -1904,10 +2005,12 @@ "encryption": "AES", "ransomnotes": [ "More.html", - "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png" + "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png", + "More.html" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html", + "https://twitter.com/demonslay335/status/813064189719805952" ] } }, 
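Review bot: The DeriaLock `refs` array gains an empty string `""` after the BleepingComputer link; it carries no information, will surface as a blank reference, and some consumers will treat it as a malformed URL. Remove the entry, or replace it with the reference that was meant to go there. The new `unlock-everybody.txt` note name is a useful artifact; the description could also mention the unlock-all command the referenced article title describes, since that directly affects response.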
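Review bot: In the BadEncript hunk `"More.html"` is appended to `ransomnotes` even though it is already the first element of that array, so the entry now lists the same note file twice — a duplicate introduced by a commit titled "managing duplicate". Drop the added `"More.html"` line and keep only the new Twitter reference.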
@@ -1941,7 +2044,9 @@ "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html", + "https://twitter.com/PolarToffee/status/812331918633172992 +" ] } }, @@ -2008,7 +2113,8 @@ "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html", + "https://twitter.com/BleepinComputer/status/812131324979007492" ] } }, @@ -2060,7 +2166,9 @@ ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html", - "http://www.archersecuritygroup.com/what-is-ransomware/" + "http://www.archersecuritygroup.com/what-is-ransomware/", + "https://twitter.com/demonslay335/status/812002960083394560", + "https://twitter.com/malwrhunterteam/status/811613888705859586" ] } }, 
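Review bot: The Alphabet Ransomware hunk adds `https://twitter.com/PolarToffee/status/812331918633172992` and puts the closing quote on the following line (`+"`), embedding a literal newline in the JSON string; RFC 8259 requires control characters in strings to be escaped, so strict parsers will fail on this file. Put the quote on the same line: `"https://twitter.com/PolarToffee/status/812331918633172992"`. The same pattern appears in several other hunks of this patch, so running `python -m json.tool clusters/ransomware.json` before committing would catch all of them at once.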
@@ -2081,8 +2189,8 @@
 }
 },
 {
- "value": "EnkripsiPC Ransomware ",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins.",
+ "value": "EnkripsiPC Ransomware or IDRANSOMv3 or Manifestus",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name",
 "meta": {
 "date": "December 2016",
 "extensions": [
@@ -2093,7 +2201,10 @@
 "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html",
+ "https://twitter.com/demonslay335/status/811343914712100872",
+ "https://twitter.com/BleepinComputer/status/811264254481494016",
+ "https://twitter.com/struppigel/status/811587154983981056"
 ]
 }
 },
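Review bot: Rewriting `value` to `"EnkripsiPC Ransomware or IDRANSOMv3 or Manifestus"` turns the cluster's identifying key into a free-text alias list, so anything that resolves a galaxy cluster by exact value — tags already attached to events under the old `"EnkripsiPC Ransomware "`, correlation, exports — stops matching. MISP cluster metadata has a `synonyms` list for this; keep `value` as the single primary name and add `"synonyms": ["IDRANSOMv3", "Manifestus"]` under `meta`. The same `value`-as-alias-list pattern is applied in this patch to CryptoLuck, Crypton, PClock3 (where `orCryptoLocker clone` also lacks a space), PaySafeGen and JackPot.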
@@ -2122,16 +2233,18 @@
 "date": "December 2016",
 "encryption": "AES",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png"
+ "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png",
+ "RESTORE_YOUR_FILES.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html",
+ "https://twitter.com/struppigel/status/810766686005719040"
 ]
 }
 },
 {
 "value": "CryptoBlock Ransomware ",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated.",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS",
 "meta": {
 "date": "December 2016",
 "encryption": "RSA-2048",
@@ -2139,7 +2252,8 @@
 "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html",
+ "https://twitter.com/drProct0r/status/810500976415281154"
 ]
 }
 },
@@ -2163,7 +2277,7 @@
 },
 {
 "value": "Koolova Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests.",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user's desktop",
 "meta": {
 "date": "December 2016",
 "extensions": [
@@ -2174,7 +2288,8 @@
 "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/"
 ]
 }
 },
@@ -2188,12 +2303,15 @@
 ],
 "encryption": "AES",
 "ransomnotes": [
- "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg"
+ "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
+ "HOW_OPEN_FILES.hta"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
- "https://twitter.com/fwosar/status/812421183245287424"
+ "https://twitter.com/fwosar/status/812421183245287424",
+ "https://decrypter.emsisoft.com/globeimposter",
+ "https://twitter.com/malwrhunterteam/status/809795402421641216"
 ]
 }
 },
@@ -2283,12 +2401,14 @@
 "meta": {
 "date": "December 2016",
 "extensions": [
- ".kraken"
+ ".kraken",
+ "[base64].kraken"
 ],
 "encryption": "AES",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
- "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png"
+ "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
+ "_HELP_YOUR_FILES.html"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
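Review bot: `"[base64].kraken"` is added to Kraken's `extensions` beside the literal `".kraken"`, but the bracketed token is a description of a pattern, not an extension string, so a consumer that matches file suffixes against this list gets an entry that can never match and may treat it as noise or as a literal. The same mixing of placeholders into literal lists occurs in this patch with `[5 numbers]-MATRIX-README.RTF` (Matrix), `%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt.` (CryptoLuck, which also ends in a stray period) and `HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html` (PayDOS/Serpent). Either keep only the literal part in the list and describe the variable part in `description`, or adopt one documented placeholder convention for the whole file so consumers can recognise and strip it.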
@@ -2311,7 +2431,7 @@
 },
 {
 "value": "PayDay Ransomware ",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency)",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear",
 "meta": {
 "date": "December 2016",
 "extensions": [
@@ -2319,10 +2439,12 @@
 ],
 "encryption": "AES-256",
 "ransomnotes": [
- "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg"
+ "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
+ "!!!!!ATENÇÃO!!!!!.html"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/808316635094380544"
 ]
 }
 },
@@ -2374,7 +2496,7 @@
 },
 {
 "value": "UltraLocker Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire",
 "meta": {
 "date": "December 2016",
 "extensions": [
@@ -2385,7 +2507,8 @@
 "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html",
+ "https://twitter.com/struppigel/status/807161652663742465"
 ]
 }
 },
@@ -2455,7 +2578,9 @@
 "encryption": "AES-256",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png",
- "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg"
+ "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg",
+ "restore_your_files.html",
+ "restore_your_files.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html",
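Review bot: The sentence appended to UltraLocker's description, `Based on the idiotic open-source ransomware called CryptoWire`, carries an editorial adjective from the source article into a shared intelligence feed whose descriptions are reused verbatim in tags and reports; keep the wording factual, e.g. `Based on the open-source CryptoWire ransomware`. The Lomix description receives the identical sentence later in this patch and should get the same treatment.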
@@ -2546,11 +2671,13 @@
 ],
 "encryption": "AES and RSA",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png"
+ "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
+ "[5 numbers]-MATRIX-README.RTF"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
- "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html",
+ "https://twitter.com/rommeljoven17/status/804251901529231360"
 ]
 }
 },
@@ -2573,7 +2700,7 @@
 },
 {
 "value": "RIP (Phoenix) Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
 "meta": {
 "date": "November 2016",
 "extensions": [
@@ -2581,16 +2708,18 @@
 ],
 "encryption": "AES-256",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG"
+ "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
+ "Important!.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/804810315456200704"
 ]
 }
 },
 {
 "value": "Locked-In Ransomware or NoValid Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe",
 "meta": {
 "date": "November 2016",
 "extensions": [
@@ -2598,11 +2727,13 @@
 ],
 "encryption": "AES-256",
 "ransomnotes": [
- "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg"
+ "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
+ "RESTORE_CORUPTED_FILES.HTML"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
- "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/"
+ "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
+ "https://twitter.com/struppigel/status/807169774098796544"
 ]
 }
 },
@@ -2645,7 +2776,8 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html",
- "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html"
+ "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html",
+ "https://twitter.com/BleepinComputer/status/801486420368093184"
 ]
 }
 },
@@ -2662,13 +2794,14 @@
 "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html",
+ "https://twitter.com/jiriatvirlab/status/801910919739674624"
 ]
 }
 },
 {
 "value": "Lomix Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire",
 "meta": {
 "date": "November 2016",
 "extensions": [
@@ -2679,7 +2812,8 @@
 "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html",
+ "https://twitter.com/siri_urz/status/801815087082274816"
 ]
 }
 },
@@ -2689,14 +2823,18 @@
 "meta": {
 "date": "November 2016",
 "extensions": [
- ".locked"
+ ".locked",
+ ".Locked"
 ],
 "encryption": "AES",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG"
+ "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG",
+ "HOW TO DECRYPT YOU FILES.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html",
+ "https://decrypter.emsisoft.com/ozozalocker",
+ "https://twitter.com/malwrhunterteam/status/801503401867673603"
 ]
 }
 },
@@ -2750,7 +2888,11 @@
 "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html",
+ "https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph",
+ "https://rol.im/VindowsUnlocker.zip",
+ "https://twitter.com/JakubKroustek/status/800729944112427008",
+ "https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/"
 ]
 }
 },
@@ -2764,7 +2906,8 @@
 ],
 "encryption": "AES",
 "ransomnotes": [
- "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg"
+ "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg",
+ "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
 ],
 "refs": [
 "http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html",
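Review bot: Two of the new VindowsLocker references point at downloadable archives rather than at a write-up — `https://rol.im/VindowsUnlocker.zip` on a personal domain and a `malwarebytes.app.box.com` share link — and neither carries a hash or version, so a consumer following a `refs` entry cannot tell whether the file it receives is the one the contributor meant, and the links will silently go stale or change. The bleepingcomputer article added in the same hunk already documents the unlocker; cite that, and if the tool itself must be referenced, cite the vendor page that hosts it rather than the raw binary. The Telecrypt hunk later in this patch adds a similar `app.box.com` share link.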
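Review bot: The bleepingcomputer article URL is appended to the Donald Trump entry's `ransomnotes` array, which elsewhere in this file holds note filenames, note text or screenshots of the note, not articles; it belongs in the `refs` array that follows. Move `"https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"` into `refs` and restore the jpg line without its trailing comma. The `refs` array it would join continues past the end of this hunk.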
@@ -2774,7 +2917,7 @@
 },
 {
 "value": "Nagini Ransomware or Voldemort Ransomware",
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux",
 "meta": {
 "date": "November 2016",
 "encryption": "RSA",
@@ -2793,14 +2936,16 @@
 "meta": {
 "date": "November 2016",
 "extensions": [
- ".l0cked"
+ ".l0cked",
+ ".L0cker"
 ],
 "encryption": "AES",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html",
+ "https://twitter.com/JakubKroustek/status/799388289337671680"
 ]
 }
 },
@@ -2810,28 +2955,41 @@ "meta": { "date": "November 2016", "extensions": [ - ".CHIP" + ".CHIP", + ".DALE" ], "encryption": "AES + RSA-512", "ransomnotes": [ - "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG" + "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG", + "CHIP_FILES.txt" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html", + "http://malware-traffic-analysis.net/2016/11/17/index.html", + "https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/" ] } }, { "value": "Dharma Ransomware", - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS  > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS  > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. 
CrySiS variant +", "meta": { "date": "November 2016", "extensions": [ - ".dharma" + ".dharma", + ".wallet", + ".zzzzz" ], "encryption": "AES + RSA-512", + "ransomnotes": [ + "README.txt", + "README.jpg", + "Info.hta" + ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", + "https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/" ] } }, @@ -2848,12 +3006,13 @@ "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html", + "https://twitter.com/malwrhunterteam/status/798268218364358656" ] } }, { - "value": "CryptoLuck Ransomware", + "value": "CryptoLuck Ransomware or YafunnLocker", "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "meta": { "date": "November 2016", 
@@ -2863,33 +3022,51 @@ "encryption": "AES-256 + RSA-2048", "ransomnotes": [ "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", - "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG" + "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", + "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", + "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", + "https://twitter.com/malwareforme/status/798258032115322880", + "https://twitter.com/malwareforme/status/798258032115322880" ] } }, { - "value": "Crypton Ransomware", + "value": "Crypton Ransomware, or Nemesis or X3M", "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "meta": { "date": "November 2016", "extensions": [ - "_crypt" + "_crypt", + ".id-_locked", + ".id-_locked_by_krec", + ".id-_locked_by_perfect", + ".id-_x3m", + ".id-_r9oj", + ".id-_garryweber@protonmail.ch", + ".id-_steaveiwalker@india.com_", + ".id-_julia.crown@india.com_", + ".id-_tom.cruz@india.com_", + ".id-_CarlosBoltehero@india.com_", + ".id-_maria.lopez1@india.com_" ], - "encryption": "AES + RSA", + "encryption": "AES-256 + RSA + SHA-256", "ransomnotes": [ "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png" ], "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html" + "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html", + "https://decrypter.emsisoft.com/crypton", + "https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/", + "https://twitter.com/JakubKroustek/status/829353444632825856" ] } }, { "value": "Karma Ransomware", - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp", "meta": { "date": "November 2016", "extensions": [ 
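Review bot: Crypton's `encryption` field is changed to `"AES-256 + RSA + SHA-256"`, but SHA-256 is a hash function, not a cipher, and every other value this field takes in the patch names ciphers only (`AES`, `RSA-2048`, `AES + RSA-512`, `AES and RSA`); listing it here tells a reader the files are "encrypted with SHA-256", which is not a thing. If the source means that SHA-256 is used for key derivation or integrity, state that in `description` and keep `"encryption": "AES-256 + RSA"`. The Crypton entry's description line is split across two physical lines above this hunk's start, so the entry begins outside the hunk.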
@@ -2897,7 +3074,9 @@
 ],
 "encryption": "AES",
 "ransomnotes": [
- "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png"
+ "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png",
+ "# DECRYPT MY FILES #.html",
+ "# DECRYPT MY FILES #.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html",
@@ -2924,18 +3103,26 @@
 }
 },
 {
- "value": "PClock3 Ransomware or PClock SuppTeam Ransomware ",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "PClock3 Ransomware or PClock SuppTeam Ransomware orCryptoLocker clone or WinPlock",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat",
 "meta": {
 "date": "November 2016",
 "extensions": [
 ".locked"
 ],
- "encryption": "AES",
+ "encryption": "AES or XOR",
+ "ransomnotes": [
+ "Your files are locked !.txt",
+ "Your files are locked !!.txt",
+ "Your files are locked !!!.txt",
+ "Your files are locked !!!!.txt",
+ "%AppData%\\WinCL\\winclwp.jpg",
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/",
 "https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html",
- "http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/"
+ "http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/",
+ "https://decrypter.emsisoft.com/"
 ]
 }
 },
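Review bot: The new PClock3 `ransomnotes` array ends with `"%AppData%\\WinCL\\winclwp.jpg",` immediately followed by `],` — a trailing comma, which RFC 8259 JSON does not allow, so this commit leaves the whole cluster file unparseable for strict loaders. Remove the comma on that line. Separately, `"https://decrypter.emsisoft.com/"` is added to `refs` as the bare site root, whereas the other new Emsisoft entries in this patch cite the tool-specific page (`https://decrypter.emsisoft.com/ozozalocker`, `https://decrypter.emsisoft.com/crypton`); a root URL does not tell a reader which decrypter applies to PClock.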
@@ -2959,7 +3146,7 @@
 }
 },
 {
- "value": "PaySafeGen (German) Ransomware",
+ "value": "PaySafeGen (German) Ransomware or Paysafecard Generator 2016",
 "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
 "meta": {
 "date": "November 2016",
@@ -2971,13 +3158,14 @@
 "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html",
+ "https://twitter.com/JakubKroustek/status/796083768155078656"
 ]
 }
 },
 {
 "value": "Telecrypt Ransomware",
- "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills.",
+ "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.",
 "meta": {
 "date": "November 2016",
 "extensions": [
@@ -2990,7 +3178,10 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked"
+ "http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked",
+ "https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/"
 ]
 }
 },
@@ -3008,7 +3199,8 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html",
- "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/"
+ "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/",
+ "https://twitter.com/struppigel/status/795630452128227333"
 ]
 }
 },
@@ -3029,17 +3221,24 @@
 },
 {
 "value": "PayDOS Ransomware  or Serpent Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048",
 "meta": {
 "date": "November 2016",
 "extensions": [
- ".dng"
+ ".dng",
+ ".serpent"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
+ "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
+ ],
- "encryption": "AES",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html",
 "https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/"
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers"
 ]
 }
 },
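Review bot: The bracket structure of the PayDOS/Serpent hunk does not add up: the `],` that closed `extensions` on the old side appears neither as a removed nor as a context line, yet a new `+ ],` is inserted after `".serpent"` and a second `+ ],` after the `ransomnotes` entries, and the hunk header counts 24 new-side lines where only 23 are visible in this rendering. The most likely reading is that the original `],` survived on the new side, leaving a stray `],` between the `ransomnotes` block and `"refs"`, which would make the object invalid JSON; run the file through a strict parser before merging to confirm or rule this out. If it is real, the fix is to delete that surviving `],` line.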
@@ -3114,7 +3313,7 @@
 },
 {
 "value": "Kangaroo Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda",
 "meta": {
 "date": "November 2016",
 "extensions": [
@@ -3122,7 +3321,8 @@
 ],
 "encryption": "AES",
 "ransomnotes": [
- "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png"
+ "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
+ "filename.Instructions_Data_Recovery.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
@@ -3261,15 +3461,17 @@
 ],
 "ransomnotes": [
 "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
- "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg"
+ "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
+ "CreatesReadThisFileImportant.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
+ "https://twitter.com/struppigel/status/791943837874651136"
 ]
 }
 },
 {
- "value": "JackPot Ransomware",
+ "value": "JackPot Ransomware or Jack.Pot Ransomware",
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
 "meta": {
 "date": "October 2016",
@@ -3288,7 +3490,7 @@
 },
 {
 "value": "ONYX Ransomeware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware",
 "meta": {
 "date": "October 2016",
 "extensions": [
@@ -3335,7 +3537,8 @@
 "encryption": "AES",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
- "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg"
+ "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
+ "ransomed.hTmL"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
@@ -3412,25 +3615,31 @@
 "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html",
+ "https://twitter.com/struppigel/status/791554654664552448",
+ "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
 ]
 }
 },
 {
 "value": "Hucky Ransomware or Hungarian Locky Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky",
 "meta": {
 "date": "October 2016",
 "extensions": [
- ".locky"
+ ".locky",
+ "[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky"
 ],
 "encryption": "AES-128+RSA",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
- "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. 
Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!"
+ "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!",
+ "_Adatok_visszaallitasahoz_utasitasok.txt",
+ "_locky_recover_instructions.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
+ "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe"
 ]
 }
 },
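Review bot: The new `"[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky"` entry in the Hucky `extensions` array is a regular expression, while every other entry in that array (and in the rest of the file) is a literal suffix such as `".locky"`; a consumer that compares extensions by string equality will never match it, and one that treats entries as regexes will mis-handle the literal `.` in the others. The `"random.exotic"` entry added in the Exotic hunk is the same kind of pattern-as-literal. If pattern matching is wanted, it should go in a separately named key (for example a constructed `"extensions-pattern"`) whose documentation says the values are regexes, leaving `extensions` homogeneous. This hunk starts with the tail of the CryptoWire entry, whose opening lies outside the hunk.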
@@ -3444,16 +3653,18 @@
 ],
 "encryption": "AES",
 "ransomnotes": [
- "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team"
+ "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. 
You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team",
+ "YOUR FILES ARE ENCRYPTED!.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html",
+ "https://twitter.com/PolarToffee/status/811940037638111232"
 ]
 }
 },
 {
 "value": "AngryDuck Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC",
 "meta": {
 "date": "October 2016",
 "extensions": [
@@ -3465,7 +3676,9 @@
 "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html",
+ "https://twitter.com/demonslay335/status/790334746488365057
+"
 ]
 }
 },
@@ -3483,7 +3696,8 @@
 "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/789882488365678592"
 ]
 }
 },
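Review bot: The Twitter reference added to the AngryDuck `refs` array appears to contain a raw line break inside the string literal: the text reads `...790334746488365057 +"`, and the hunk header's new-side count of 9 lines only adds up if that trailing `+"` is an added line of its own, which puts the closing quote on the next physical line. RFC 8259 forbids unescaped control characters in strings, so a strict parser would reject the whole cluster file, not just this entry. The entry should be a single line, `"https://twitter.com/demonslay335/status/790334746488365057"`; the Fortinet reference added in the JapanLocker hunk shows the same `+"` pattern and needs the same repair. A `python -m json.tool clusters/ransomware.json` run before merge would have caught both.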
@@ -3494,10 +3708,12 @@
 "date": "October 2016",
 "encryption": "AES-512",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG"
+ "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG",
+ "!!!!!readme!!!!!.htm"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html",
+ "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/"
 ]
 }
 },
@@ -3514,7 +3730,8 @@
 "All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price."
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html",
+ "https://www.youtube.com/watch?v=Xe30kV4ip8w"
 ]
 }
 },
@@ -3536,37 +3753,42 @@
 }
 },
 {
- "value": "JapanLocker Ransomware & SHC Ransomware, SHCLocker",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "JapanLocker Ransomware & SHC Ransomware, SHCLocker ,SyNcryption",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping",
 "meta": {
 "date": "October 2016",
 "extensions": [
 "#LOCK#"
 ],
- "encryption": "AES-256 & RSA-2048",
+ "encryption": "AES-256 + RSA-2048",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html",
- "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker"
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker",
+ "https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php",
+ "https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots
+"
 ]
 }
 },
 {
 "value": "Anubis Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2",
 "meta": {
 "date": "October 2016",
 "extensions": [
 ".coded"
 ],
- "encryption": "AES",
+ "encryption": "AES(256)",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg"
+ "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg",
+ "Decryption Instructions.txt"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html",
+ "http://nyxbone.com/malware/Anubis.html"
 ]
 }
 },
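Review bot: The Anubis `encryption` value is changed to `"AES(256)"`, a spelling that differs from the `"AES-256"` form this same commit writes for PayDOS and from the `"AES-256 ..."` values in the Globe2 and JapanLocker hunks, so any grouping or filtering on this field will treat the two as different algorithms; `"encryption": "AES-256",` would keep it consistent. In the JapanLocker hunk the new `value` reads `SHCLocker ,SyNcryption` with the comma placed before the space, which is presumably a typo for `SHCLocker, SyNcryption`. That `value` also packs four aliases into one display name with inconsistent separators (`&`, `,`), which suggests aliases want their own list field rather than free text if duplicates are to be managed reliably.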
@@ -3586,11 +3808,12 @@
 },
 {
 "value": "Exotic Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables",
 "meta": {
 "date": "October 2016",
 "extensions": [
- ".exotic"
+ ".exotic",
+ "random.exotic"
 ],
 "encryption": "AES-128",
 "ransomnotes": [
@@ -3661,7 +3884,7 @@
 },
 {
 "value": "Venis Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com",
 "meta": {
 "date": "October 2016",
 "extensions": [
@@ -3672,7 +3895,9 @@
 "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html",
+ "https://twitter.com/Antelox/status/785849412635521024",
+ "http://pastebin.com/HuK99Xmj"
 ]
 }
 },
@@ -3695,7 +3920,7 @@
 },
 {
 "value": "Deadly Ransomware or Deadly for a Good Purpose Ransomware",
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...",
 "meta": {
 "date": "October 2016",
 "encryption": "AES-256",
@@ -3703,7 +3928,8 @@
 "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/785533373007728640"
 ]
 }
 },
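Review bot: The Venis description in the preceding hunk now ends with the fragment `In devVenisRansom@protonmail.com`, which reads as an unfinished sentence and buries the actor's contact address, a useful pivot for detection, inside boilerplate prose where no consumer will find it; if the address is meant as an indicator it belongs in a dedicated `meta` field, and the sentence should say what "In" was supposed to introduce. The `http://pastebin.com/HuK99Xmj` reference added here is a plain-HTTP link to a paste that can be removed at any time, so it is worth checking whether an archived copy or the original reporter's write-up can be cited instead. The Venis entry's opening brace lies outside this hunk.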
@@ -3727,7 +3953,7 @@
 }
 },
 {
- "value": "Globe2 Ransomwar",
+ "value": "Globe2 Ransomware or Purge Ransomware",
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
 "meta": {
 "date": "October 2016",
@@ -3741,14 +3967,18 @@
 ".[random].globe",
 ".[random].encrypted",
 ".mia.kokers@aol.com",
- ".[mia.kokers@aol.com]"
+ ".[mia.kokers@aol.com]",
+ ".lovewindows",
+ ".openforyou@india.com",
+ ".."
 ],
- "encryption": "AES-256",
+ "encryption": "AES-256 or Blowfish",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html",
+ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221"
 ]
 }
 },
@@ -3766,7 +3996,8 @@
 "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg"
 ],
 "refs": [
- "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html"
+ "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html",
+ "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/"
 ]
 }
 },
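Review bot: The `".."` entry added to the Globe2 `extensions` array does not look like a file extension at all; it is either a placeholder left behind while editing or a truncated value, and a tool that builds a suffix match from this list would flag every file whose name contains `..`. It should be dropped or replaced by the extension it was meant to record (`".[random].globe"` already covers the variable-suffix case). The new `"encryption": "AES-256 or Blowfish"` turns a field that is a single algorithm name everywhere else in the diff into free text; if the family really uses both, an array (`["AES-256", "Blowfish"]`) would stay machine-readable. The Globe2 `extensions` array begins outside the second hunk.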