From a7d117781b2b2cf14de07053a234fe859bb6e903 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Tue, 21 Nov 2017 14:24:46 +0100
Subject: [PATCH] cryptomix - add ransomnotes

---
 clusters/ransomware.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e7e3ee8..ac17a71 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5026,7 +5026,11 @@
           "HELP_YOUR_FILES.html (CryptXXX)",
           "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
           "INSTRUCTION RESTORE FILE.TXT",
-          "# HELP_DECRYPT_YOUR_FILES #.TXT"
+          "# HELP_DECRYPT_YOUR_FILES #.TXT",
+          "_HELP_INSTRUCTION.TXT",
+          "C:\\ProgramData\\[random].exe",
+          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
+          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]"
         ],
         "refs": [
           "http://www.nyxbone.com/malware/CryptoMix.html",