fix merge
commit
a6f7795952
2 changed files with 50 additions and 4 deletions
|
@ -2126,6 +2126,21 @@
|
||||||
"uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96",
|
"uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96",
|
||||||
"value": "GOG Ransomware"
|
"value": "GOG Ransomware"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"description": "RegretLocker is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for VHD files, mount them using Windows Virtual Storage API, and then encrypt all the files it finds inside of those VHD files.",
|
||||||
|
"meta": {
|
||||||
|
"date": "November 2020",
|
||||||
|
"encryption": "AES",
|
||||||
|
"extensions": [
|
||||||
|
".mouse"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "9479d372-605e-408e-a2a3-ea971ad4ad78",
|
||||||
|
"value": "RegretLocker"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.",
|
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -13949,6 +13964,16 @@
|
||||||
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
|
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
|
||||||
"value": "WastedLocker"
|
"value": "WastedLocker"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"description": "Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obsfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil. For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "c52a65d5-9bea-4a09-a81b-7f789ab48ce0",
|
||||||
|
"value": "Babuk Ranomsware"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"description": "Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts.\nThrough their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t.\n Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.",
|
"description": "Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts.\nThrough their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t.\n Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -14002,5 +14027,5 @@
|
||||||
"value": "RansomEXX"
|
"value": "RansomEXX"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 89
|
"version": 91
|
||||||
}
|
}
|
||||||
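Review bot: The cluster value `"Babuk Ranomsware"` added in the second hunk is misspelled; `value` is the cluster's canonical name (and the string any tag derived from this galaxy carries), so it should be `"Babuk Ransomware"` now rather than renamed in a later version. The same entry's ref has a doubled path separator, `http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/`, where the RegretLocker ref in the first hunk uses a single `/`. For consistency with the RegretLocker entry, the Babuk `meta` could also carry `"encryption": "ChaCha8"` (the description states it) and a `"date"` field, presumably `"January 2021"` from the ref's path — confirm against the source before adding. The RegretLocker description's "in the last month" is relative to the source's publication date and will read wrongly over time; consider rewording it to refer to the `"date": "November 2020"` meta value.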
|
|
|
@ -4483,7 +4483,9 @@
|
||||||
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
|
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
|
||||||
"https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
|
"https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
|
||||||
"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
|
"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
|
||||||
"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
|
"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
|
||||||
|
"https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them",
|
||||||
|
"https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"OceanLotus Group",
|
"OceanLotus Group",
|
||||||
|
@ -4497,7 +4499,8 @@
|
||||||
"APT 32",
|
"APT 32",
|
||||||
"Ocean Buffalo",
|
"Ocean Buffalo",
|
||||||
"POND LOACH",
|
"POND LOACH",
|
||||||
"TIN WOODLAWN"
|
"TIN WOODLAWN",
|
||||||
|
"BISMUTH"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -8513,7 +8516,25 @@
|
||||||
},
|
},
|
||||||
"uuid": "c8b961fe-3698-41ac-aba1-002ee3c19531",
|
"uuid": "c8b961fe-3698-41ac-aba1-002ee3c19531",
|
||||||
"value": "Operation Skeleton Key"
|
"value": "Operation Skeleton Key"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
|
||||||
|
"https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
|
||||||
|
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
|
||||||
|
"https://pastebin.com/6EDgCKxd",
|
||||||
|
"https://github.com/fireeye/sunburst_countermeasures"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"DarkHalo"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
|
||||||
|
"value": "UNC2452"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 195
|
"version": 196
|
||||||
}
|
}
|
||||||
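Review bot: The UNC2452 entry in the third hunk lists `"DarkHalo"` as its only synonym, while its own description gives Volexity's name as "Dark Halo" with a space; synonyms are matched literally, so the spelling should agree with the description and with whatever form is already used elsewhere in the galaxies, or both forms should be listed. The same entry's refs include `https://pastebin.com/6EDgCKxd`, an unattributed and mutable paste; a threat-actor cluster is better served by a durable primary source or an archived copy, since a ref that can silently change or vanish weakens the entry's provenance. The Microsoft ref in that hunk uses the name "Solorigate", which may merit a synonym if it is the vendor's name for this activity rather than only for the incident — verify before adding. The BISMUTH synonym and the two refs added in the first two hunks are consistent with the existing OceanLotus entry.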
|
|