fix ransomware ransomnotes
parent
f5a7efaadc
commit
9d8d5ce1c8
1 changed files with 31 additions and 17 deletions
|
@ -94,7 +94,7 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"date": "March 2017",
|
"date": "March 2017",
|
||||||
"encryption": "AES-128",
|
"encryption": "AES-128",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes": [
|
||||||
"DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
|
"DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -695,7 +695,7 @@
|
||||||
"extensions": [
|
"extensions": [
|
||||||
".damage"
|
".damage"
|
||||||
],
|
],
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes": [
|
||||||
"TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
|
"TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -1302,10 +1302,12 @@
|
||||||
".<7_random_letters>"
|
".<7_random_letters>"
|
||||||
],
|
],
|
||||||
"payment-method": "Email",
|
"payment-method": "Email",
|
||||||
|
"ransomnotes": [
|
||||||
|
"WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
|
||||||
|
],
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"encrypted_readme.txt",
|
"encrypted_readme.txt",
|
||||||
"_<encrypt extensions>_encrypted_readme.txt",
|
"_<encrypt extensions>_encrypted_readme.txt"
|
||||||
"WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
|
|
||||||
],
|
],
|
||||||
"ransomnotes-refs": [
|
"ransomnotes-refs": [
|
||||||
"https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png"
|
"https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png"
|
||||||
|
@ -3686,15 +3688,15 @@
|
||||||
"ransomnotes": [
|
"ransomnotes": [
|
||||||
"all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
|
"all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
|
||||||
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
|
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
|
||||||
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
|
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
|
||||||
|
"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
|
||||||
],
|
],
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"README.txt",
|
"README.txt",
|
||||||
"README.jpg",
|
"README.jpg",
|
||||||
"Info.hta",
|
"Info.hta",
|
||||||
"FILES ENCRYPTED.txt",
|
"FILES ENCRYPTED.txt",
|
||||||
"INFO.hta",
|
"INFO.hta"
|
||||||
"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
|
|
||||||
],
|
],
|
||||||
"ransomnotes-refs": [
|
"ransomnotes-refs": [
|
||||||
"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
|
"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
|
||||||
|
@ -4716,7 +4718,7 @@
|
||||||
"encryption": "AES-256",
|
"encryption": "AES-256",
|
||||||
"payment-method": "Bitcoin",
|
"payment-method": "Bitcoin",
|
||||||
"price": "2",
|
"price": "2",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes": [
|
||||||
"Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
|
"Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
|
@ -6541,7 +6543,14 @@
|
||||||
"payment-method": "Bitcoin",
|
"payment-method": "Bitcoin",
|
||||||
"price": "1.2 (500$) - 2.4",
|
"price": "1.2 (500$) - 2.4",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"de_crypt_readme.bmp, .txt, .html"
|
"de_crypt_readme.bmp",
|
||||||
|
"de_crypt_readme.txt",
|
||||||
|
"de_crypt_readme.html",
|
||||||
|
"[victim_id].html",
|
||||||
|
"[victim_id].bmp",
|
||||||
|
"!Recovery_[victim_id].bmp",
|
||||||
|
"!Recovery_[victim_id].html",
|
||||||
|
"!Recovery_[victim_id].txt"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||||||
|
@ -6573,7 +6582,9 @@
|
||||||
"payment-method": "Bitcoin",
|
"payment-method": "Bitcoin",
|
||||||
"price": "1.2 (500$) - 2.4",
|
"price": "1.2 (500$) - 2.4",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"<personal-ID>.txt, .html, .bmp"
|
"<personal-ID>.txt",
|
||||||
|
"<personal-ID>.html",
|
||||||
|
"<personal-ID>.bmp"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||||||
|
@ -7470,7 +7481,8 @@
|
||||||
"payment-method": "Bitcoin",
|
"payment-method": "Bitcoin",
|
||||||
"price": "0.5(190 - 250 $)",
|
"price": "0.5(190 - 250 $)",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"UNLOCK_FILES_INSTRUCTIONS.html and .txt"
|
"UNLOCK_FILES_INSTRUCTIONS.html",
|
||||||
|
"UNLOCK_FILES_INSTRUCTIONS.txt"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/",
|
"http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/",
|
||||||
|
@ -11564,13 +11576,13 @@
|
||||||
"Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
|
"Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
|
||||||
"WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.",
|
"WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.",
|
||||||
"ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.",
|
"ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.",
|
||||||
"Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again."
|
"Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
|
||||||
|
"Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
|
||||||
|
"Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
|
||||||
],
|
],
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes-filenames": [
|
||||||
"How_return_files.txt",
|
"How_return_files.txt",
|
||||||
"Image.jpg",
|
"Image.jpg"
|
||||||
"Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
|
|
||||||
"Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
|
|
||||||
],
|
],
|
||||||
"ransomnotes-refs": [
|
"ransomnotes-refs": [
|
||||||
"https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg",
|
"https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg",
|
||||||
|
@ -12949,10 +12961,12 @@
|
||||||
],
|
],
|
||||||
"payment-method": "Bitcoin",
|
"payment-method": "Bitcoin",
|
||||||
"price": "300 $",
|
"price": "300 $",
|
||||||
"ransomnotes-filenames": [
|
"ransomnotes": [
|
||||||
"how to get back you files.txt",
|
|
||||||
"Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com"
|
"Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com"
|
||||||
],
|
],
|
||||||
|
"ransomnotes-filenames": [
|
||||||
|
"how to get back you files.txt"
|
||||||
|
],
|
||||||
"ransomnotes-refs": [
|
"ransomnotes-refs": [
|
||||||
"https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
|
"https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
|
||||||
],
|
],
|
||||||
|
|
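Review bot: The split filename entries use three different placeholder notations, `[victim_id].html` in the -6541 hunk, `<personal-ID>.txt` in the -6573 hunk and `_<encrypt extensions>_encrypted_readme.txt` in the -1302 hunk, so a consumer that matches `ransomnotes-filenames` against file names on disk cannot tell literal characters from variable parts in a uniform way. I would settle on one notation across the file, e.g. `"<victim_id>.html"` and `"!Recovery_<victim_id>.txt"`, and state it wherever the field is documented. Separately, the hunks at -94, -695, -4716 and -12949 rename the key to `"ransomnotes"` in place; the `meta` objects continue outside the visible context, so it is worth confirming that none of them already carries a `ransomnotes` array, since most JSON parsers silently keep only the last duplicate key and the earlier note text would be lost.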