From c566c89f2a55e4d2b5e4c9755b12c103d8978e51 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 27 Mar 2020 14:22:34 +0100
Subject: [PATCH 1/3] add pyza ransomware

---
 clusters/ransomware.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c2dcb57..0805fe8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13752,7 +13752,25 @@
 ],
 "uuid": "42148074-196b-4f8c-b149-12163fc385fa",
 "value": "Wadhrama"
+ },
+ {
+ "description": "Mespinoza ransomware is used at least since october 2018. First versions used the common extension \".locked\". SInce december 2019 a new version in open sourced and documented, this new version uses the \".pyza\" extension.",
+ "meta": {
+ "extensions": [
+ ".pyza",
+ ".locked"
+ ],
+ "refs": [
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf"
+ ],
+ "synonyms": [
+ "Pyza"
+ ]
+ },
+ "uuid": "deed3c10-93b6-41b9-b150-f4dd1b665d87",
+ "value": "Mespinoza"
 }
 ],
- "version": 83
+ "version": 84
 }

From 8a3422acb41313787b0a6840fc343d6ea43c7f42 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 3 Apr 2020 11:58:02 +0200
Subject: [PATCH 2/3] add Pyta ransomnotes

---
 clusters/ransomware.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 0805fe8..f61e70a 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13760,6 +13760,9 @@
 ".pyza",
 ".locked"
 ],
+ "ransomnotes-filenames": [
+ "RECOVER_YOUR_DATA.txt"
+ ],
 "refs": [
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf"

From 7859c8dbd710d8bdb451044b85300f04dbdcae60 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 3 Apr 2020 16:19:45 +0200
Subject: [PATCH 3/3] Add coronavirus ransomware

---
 clusters/ransomware.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f61e70a..6cf1827 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13773,7 +13773,25 @@
 },
 "uuid": "deed3c10-93b6-41b9-b150-f4dd1b665d87",
 "value": "Mespinoza"
+ },
+ {
+ "description": "A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.\nWith the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan.\nThis new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.",
+ "meta": {
+ "ransomnotes-filenames": [
+ "CoronaVirus.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/ransom-note.jpg",
+ "https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/mbr-locker.jpg",
+ "https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/changed-mbrlocker-screen.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/"
+ ]
+ },
+ "uuid": "575b2b3c-d762-4ba6-acbd-51ecdb57249f",
+ "value": "CoronaVirus"
 }
 ],
- "version": 84
+ "version": 85
 }
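Review bot: The added `description` string for the Mespinoza entry carries typos and one ambiguous clause — `october`, `SInce december`, and `a new version in open sourced and documented` — and this text is served verbatim to every consumer of the galaxy. A corrected value that keeps the author's claims would be `"description": "Mespinoza ransomware has been in use at least since October 2018. Early versions used the common extension \".locked\". Since December 2019 a new version is open-sourced and documented; this new version uses the \".pyza\" extension.",`. Whether "in open sourced" was meant as "is open-sourced" or as "is observed" cannot be told from the hunk and should be checked against the CERT-FR report listed under `refs` before that wording is committed. The enclosing `values` array opens before the hunk.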
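Review bot: The ransom-note filename `RECOVER_YOUR_DATA.txt` is added without a source of its own; the entry's `refs` point only to the CERT-FR report, so if that report is where the filename was taken from nothing more is needed, but otherwise the page it was observed on should be added to `refs` (or to a `ransomnotes-refs` array, as the CoronaVirus entry in the third patch does) so the indicator stays verifiable. The `meta` object and the enclosing entry start and end outside the hunk.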
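Review bot: The new `description` is news-article prose quoted in the first person (`we have been able to determine how the threat actor plans on distributing the ransomware`), so inside the galaxy it reads as a finding of the dataset maintainers rather than of the cited BleepingComputer article. It should be rewritten in a neutral third-person voice — what the ransomware is, the fake WiseCleaner site and the Kpot infostealer it was bundled with, the MalwareHunterTeam discovery, and the hedged observation that it may be a wiper — or at least attributed explicitly, e.g. by prefixing the value with `According to BleepingComputer, `. The `\n` escapes inside the string are valid JSON, but the Mespinoza description added in the first patch is a single paragraph, so collapsing this one to a paragraph would also match the file's style. The enclosing `values` array opens before the hunk.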