From c81f128d987102516d3b985a65399f1417c64334 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 27 Nov 2018 15:59:26 +0100
Subject: [PATCH 1/4] add ransomwares
---
 clusters/ransomware.json | 55 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 52 insertions(+), 3 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 736a5d4..7166074 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3291,7 +3291,8 @@
 ".adobe",
 ".tron",
 ".AUDIT",
- ".cccmn"
+ ".cccmn",
+ ".fire"
 ],
 "ransomnotes": [
 "README.txt",
@@ -3319,7 +3320,9 @@
 "https://twitter.com/JakubKroustek/status/1038680437508501504",
 "https://twitter.com/demonslay335/status/1059521042383814657",
 "https://twitter.com/demonslay335/status/1059940414147489792",
- "https://twitter.com/JakubKroustek/status/1060825783197933568"
+ "https://twitter.com/JakubKroustek/status/1060825783197933568",
+ "https://twitter.com/JakubKroustek/status/1064061275863425025",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
 ]
 },
 "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@@ -11335,7 +11338,6 @@
 "value": "M@r1a ransomware"
 },
 {
- "description": "",
 "meta": {
 "extensions": [
 "(enc) prepend"
@@ -11368,6 +11370,53 @@
 },
 "uuid": "f7fa6978-c932-4e62-b4fc-3fbbbc195602",
 "value": "PyCL Ransomware"
+ },
+ {
+ "description": "MalwareHunterTeam discovered the Vapor Ransomware that appends the .Vapor extension to encrypted files. Will delete files if you do not pay in time.",
+ "meta": {
+ "extensions": [
+ ".Vapor"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/1063769884608348160",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
+ ]
+ },
+ "uuid": "f53205a0-7a8f-41d1-a427-bf3ab9bd77bb",
+ "value": "Vapor Ransomware"
+ },
+ {
+ "description": "GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.",
+ "meta": {
+ "extensions": [
+ ".Horsuke "
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/GrujaRS/status/1063930127610986496"
+ ]
+ },
+ "uuid": "677aeb47-587d-40a4-80b7-22672ba1160c",
+ "value": "EnyBenyHorsuke Ransomware"
+ },
+ {
+ "meta": {
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg"
+ ],
+ "refs": [
+ "https://twitter.com/petrovic082/status/1065223932637315074",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
+ ]
+ },
+ "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
+ "value": "DeLpHiMoRix"
 }
 ],
 "version": 44
From 6382857ee3d8b976b8949c297d9b610e6dfc83aa Mon Sep 17 00:00:00 2001
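Review bot: The EnyBenyHorsuke extension is written as `".Horsuke "` with a trailing space, so a consumer that compares file suffixes against `meta.extensions` will never match it; it should read `".Horsuke"`. The DeLpHiMoRix entry at the end of the hunk has no `description`, unlike the two entries added above it, and its `ransomnotes` holds only a screenshot URL, so apart from the name the cluster carries nothing a reader or a matcher can use. The `"version": 44` context line at the bottom is left untouched even though this patch and the next two add and alter clusters in this file, whereas PATCH 4 bumps `threat-actor.json` from 81 to 82; bump the ransomware galaxy version in the same way so consumers that key updates on it pick up the new entries.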
From: Deborah Servili
Date: Thu, 29 Nov 2018 15:23:57 +0100
Subject: [PATCH 2/4] add ransomwares
---
 clusters/ransomware.json | 48 +++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7166074..bc0ea7e 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10014,7 +10014,8 @@
 ".qweuirtksd",
 ".mammon",
 ".omerta",
- ".bomber"
+ ".bomber",
+ ".CRYPTO"
 ],
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@@ -10026,7 +10027,9 @@ "!!!ReadMeToDecrypt.txt", "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n\n It's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n\n To do this, send me several encrypted files to kathi.bell.1997@outlook.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48 from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48\nAfter payment, send me a letter to kathi.bell.1997@outlook.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at kathi.bell.1997@outlook.com\n\n As a bonus, I will tell you how hacked your computer is and how to protect it in the future.", "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.", - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg" + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg", + "HOW TO RECOVER ENCRYPTED FILES.TXT", + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", 
@@ -10860,14 +10863,16 @@
 "extensions": [
 ".[everbe@airmail.cc].everbe",
 ".embrace",
- "pain"
+ "pain",
+ ".[yoursalvations@protonmail.ch].neverdies@tutanota.com"
 ],
 "ransomnotes": [
- "!=How_recovery_files=!.txt",
- "Hi !\nIf you want restore your files write on email - everbe@airmail.cc\nIn the subject write - id-de9bcb"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg"
 ],
 "refs": [
- "https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/"
+ "https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/",
+ "https://twitter.com/malwrhunterteam/status/1065675918000234497",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
 ]
 },
 "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2",
@@ -10973,6 +10978,24 @@
 "value": "KEYPASS"
 },
 {
+ "description": "Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.",
+ "meta": {
+ "extensions": [
+ ".INFOWAIT",
+ "-DATASTOP",
+ ".PUMA"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg",
+ "!readme.txt",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsobVENXcAAR3GC[1].jpg"
+ ],
+ "refs": [
+ "https://twitter.com/Emm_ADC_Soft/status/1064459080016760833",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/MarceloRivero/status/1065694365056679936"
+ ]
+ },
 "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5",
 "value": "STOP Ransomware"
 },
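Review bot: The Everbe hunk drops the ransom-note filename `"!=How_recovery_files=!.txt"` and the note text and leaves only a bleepstatic screenshot URL in `ransomnotes`, which discards the one value in that array a detection rule or a triage analyst can actually match on; keep the filename next to the new image reference. PATCH 3 ("add everbe rasomnotes") adds `"!=How_recovery_files=!.html"` in its hunk at @@ -11436, but the context there (the `DsiUA0LXgAAoqkd[1].jpg` note, `refs` starting with the petrovic082 tweet) is the DeLpHiMoRix entry (uuid 7f82fb04-…), not this Everbe entry (uuid 9d09ac4a-…). Either that note belongs on the Everbe cluster at line 10863 or the PATCH 3 subject is misleading; worth confirming against the demonslay335 tweet referenced in the @@ -11407 hunk before merging.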
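Review bot: The new STOP description covers only the `.INFOWAIT` variant and `!readme.txt`, while `meta.extensions` lists `.INFOWAIT`, `-DATASTOP` and `.PUMA`, and this is the family-level cluster (uuid c76c4d24-…); a description along the lines of `STOP Ransomware family; variants appending .INFOWAIT, -DATASTOP and .PUMA have been observed, dropping notes such as !readme.txt.` would not go stale with the next variant. `-DATASTOP` is the only suffix in the hunk without a leading dot; if that variant really appends `-DATASTOP` to the filename it is correct as written, but it is worth confirming against the linked tweets, since the dot form is what the other entries in this series use and what an extension matcher is likely to expect.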
@@ -11407,12 +11430,21 @@
 },
 {
 "meta": {
+ "extensions": [
+ ".demonslay335_you_cannot_decrypt_me!",
+ ".malwarehunterteam"
+ ],
 "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg"
 ],
 "refs": [
 "https://twitter.com/petrovic082/status/1065223932637315074",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/demonslay335/status/1066099799705960448"
+ ],
+ "synonyms": [
+ "DelphiMorix"
 ]
 },
 "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
From ef54489ea91caa90a78917c27cb9e294e21b98d8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 29 Nov 2018 15:33:39 +0100
Subject: [PATCH 3/4] add everbe rasomnotes
---
 clusters/ransomware.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index bc0ea7e..c5a57b4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11436,7 +11436,8 @@
 ],
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg",
+ "!=How_recovery_files=!.html"
 ],
 "refs": [
 "https://twitter.com/petrovic082/status/1065223932637315074",
From be9b4ff40f69abec33c1c7ee3a6422943b0dd766 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 29 Nov 2018 16:38:06 +0100
Subject: [PATCH 4/4] add DNSpionage cluster
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10db40c..33489c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6028,7 +6028,17 @@
 },
 "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
 "value": "INDRIK SPIDER"
+ },
+ {
+ "description": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+ ]
+ },
+ "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
+ "value": "DNSpionage"
 }
 ],
- "version": 81
+ "version": 82
 }
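Review bot: The `description` is the Talos blog post pasted verbatim, including first-person and in-post wording (`Based on our research`, `which we are calling`, `In this post, we will break down ...`) that reads oddly in a cluster entry; condensing it to the factual part — targeting of Lebanon and UAE .gov domains and a Lebanese airline, fake job-posting sites delivering macro documents, the DNSpionage malware with HTTP and DNS communication, and DNS redirection with Let's Encrypt certificates — and dropping the last paragraph would keep the entry accurate without the blog framing. The same text says Talos could not link the activity to a known actor and uses "DNSpionage" as the malware name, so in a threat-actor galaxy the entry conflates campaign, tool and actor; a sentence making explicit that the name denotes the unattributed campaign and its malware as reported by Talos would help consumers that also keep a malware cluster under that name. The version bump to 82 follows the galaxy convention and is what the ransomware.json patches earlier in this series are missing.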