From bd940d45ad9903ac5dbc96acd12ad41d1f8a63ab Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 21 Nov 2017 14:16:41 +0100
Subject: [PATCH 1/2] cryptomix - merge duplicates and update
---
 clusters/ransomware.json | 32 +++++++++-----------------------
 1 file changed, 9 insertions(+), 23 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f79be3c..e7e3ee8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5018,16 +5018,22 @@
 ".id_*_email_zeta@dr.com",
 ".id_(ID_MACHINE)_email_anx@dr.com_.scl",
 ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli",
- "*filename*.email[*email*]_id[*id*].rdmk"
+ "*filename*.email[*email*]_id[*id*].rdmk",
+ ".EMPTY",
+ ".0000"
 ],
 "ransomnotes": [
 "HELP_YOUR_FILES.html (CryptXXX)",
 "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
- "INSTRUCTION RESTORE FILE.TXT"
+ "INSTRUCTION RESTORE FILE.TXT",
+ "# HELP_DECRYPT_YOUR_FILES #.TXT"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/CryptoMix.html",
- "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
+ "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
+ "https://twitter.com/JakubKroustek/status/804009831518572544",
+ "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/",
+ "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/"
 ]
 }
 },
@@ -8326,26 +8332,6 @@
 ]
 }
 },
- {
- "value": "Zeta",
- "description": "Ransomware",
- "meta": {
- "synonyms": [
- "CryptoMix"
- ],
- "extensions": [
- ".code",
- ".scl",
- ".rmd"
- ],
- "ransomnotes": [
- "# HELP_DECRYPT_YOUR_FILES #.TXT"
- ],
- "refs": [
- "https://twitter.com/JakubKroustek/status/804009831518572544"
- ]
- }
- },
 {
 "value": "Zimbra",
 "description": "Ransomware mpritsken@priest.com",
From a7d117781b2b2cf14de07053a234fe859bb6e903 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 21 Nov 2017 14:24:46 +0100
Subject: [PATCH 2/2] cryptomix - add ransomnotes
---
 clusters/ransomware.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e7e3ee8..ac17a71 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5026,7 +5026,11 @@
 "HELP_YOUR_FILES.html (CryptXXX)",
 "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
 "INSTRUCTION RESTORE FILE.TXT",
- "# HELP_DECRYPT_YOUR_FILES #.TXT"
+ "# HELP_DECRYPT_YOUR_FILES #.TXT",
+ "_HELP_INSTRUCTION.TXT",
+ "C:\\ProgramData\\[random].exe",
+ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
+ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/CryptoMix.html",
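Review bot: The merged CryptoMix entry does not carry over everything the removed Zeta entry held: the second hunk (the deletion at -8326) drops the standalone extensions `.code`, `.scl` and `.rmd` and the cluster value `Zeta` itself, while the first hunk adds only `.EMPTY` and `.0000` to the extensions list. CryptoMix's `synonyms` array lies outside the first hunk, so I cannot see whether `Zeta` is already recorded there; if it is not, anything tagged with the Zeta cluster value stops resolving after this merge. The suggested additions are `".code", ".scl", ".rmd"` in CryptoMix's extensions and, if absent, `"Zeta"` in its synonyms. The removed Zeta entry carries no `uuid`, so there appear to be no uuid-based references to repair.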
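Review bot: `"C:\\ProgramData\\[random].exe"` is an executable path rather than a ransom note, and placing it in `ransomnotes` between note file names and full note texts makes the array's meaning inconsistent for consumers that treat these values as note file names; it belongs in a field describing the dropped payload, if the cluster format provides one. The two long `Hello!...` strings embed the attacker contact e-mail addresses as free text, where they are hard to match or export as indicators, so a dedicated field for those addresses would be more useful than burying them in the note body. The misspelling `informartion` appears to reproduce the actual note text and should stay as-is, since matching against the real note depends on it — worth confirming against the cited BleepingComputer articles. The CryptoMix object this `ransomnotes` array belongs to starts and ends outside the hunk.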