From b4e4d2e539b7a2bc149a51511a6e84f235099b4e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 23 May 2019 12:39:33 +0200
Subject: [PATCH 1/3] rework of ransomware galaxy
---
 clusters/ransomware.json | 1364 +++++++++++++++++++++++--------------
 1 file changed, 825 insertions(+), 539 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 345a723..7ea0968 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -20,7 +20,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1(300$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif"
 ],
 "refs": [
@@ -40,7 +40,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "250 €",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
 ],
 "refs": [
@@ -58,7 +58,7 @@
 "encryption": "AES-128",
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg"
 ],
 "refs": [
@@ -77,7 +77,7 @@
 "example:.encrypted.contact_here_me@india.com.enjey"
 ],
 "payment-method": "Bitcoin",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png"
 ],
 "refs": [
@@ -94,7 +94,7 @@
 "meta": {
 "date": "March 2017",
 "encryption": "AES-128",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
 ],
 "refs": [
@@ -137,7 +137,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0,0361312 (50$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg"
 ],
 "refs": [
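Review bot: In the hunk at -94 the value placed under `"ransomnotes-filenames"` is the text of the note (`"DANGEROUS_RANSOM\nHacked.\n…"`), not a file name, so any consumer that treats this key as a list of dropped-file names receives a multi-line string that can never match a file on disk. The same mislabel appears in the hunk at -673 (the `"TtWGgOd57SvPlkgZ***…"` entry) and in the hunk at -1252, where the `"WARNING! Your personal files are encrypted! …"` text stays as a context line inside the array that is renamed to `"ransomnotes-filenames"`. For the first two, keep the key as `"ransomnotes": [`; for the third, move the text into its own `"ransomnotes"` array, the way the hunk at -1130 does for its note text.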
@@ -215,7 +215,9 @@
 "payment-method": "MoneyPak",
 "price": "300$",
 "ransomnotes": [
- "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU",
+ "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU"
+ ],
+ "ransomnotes-filenames": [
 "ПАРОЛЬ.txt"
 ],
 "refs": [
@@ -232,7 +234,7 @@
 "encryption": "AES-128",
 "payment-method": "Bitcoin",
 "price": "300$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png"
 ],
 "refs": [
@@ -255,7 +257,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1.2683",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg"
 ],
 "refs": [
@@ -276,10 +278,14 @@
 ".REVENGE"
 ],
 "ransomnotes": [
- "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
- "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
+ "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail."
+ ],
+ "ransomnotes-filenames": [
 "# !!!HELP_FILE!!! #.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
 "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
@@ -299,10 +305,14 @@
 "payment-method": "Bitcoin",
 "price": "150$",
 "ransomnotes": [
- "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
- "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.",
+ "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss."
+ ],
+ "ransomnotes-filenames": [
 "Beni Oku.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html",
 "https://twitter.com/JakubKroustek/status/842034887397908480"
@@ -356,10 +366,12 @@
 ".ZINO"
 ],
 "payment-method": "Bitcoin",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "ZINO_NOTE.TXT"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html",
 "https://twitter.com/demonslay335?lang=en",
@@ -377,10 +389,12 @@
 "extensions": [
 ".crptxxx"
 ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "HOW_TO_FIX_!.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84",
@@ -400,10 +414,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "motd.txt"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/",
@@ -423,7 +439,7 @@
 ],
 "payment-method": "Dollars",
 "price": "20 - 100",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg",
 "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg"
 ],
@@ -445,7 +461,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -464,7 +480,7 @@
 "extensions": [
 "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is"
 ],
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png"
 ],
 "refs": [
@@ -549,7 +565,9 @@
 "payment-method": "Bitcoin",
 "price": "0.1",
 "ransomnotes": [
- "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***",
+ "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png"
 ],
 "refs": [
@@ -569,11 +587,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.01 - 0.06",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
- "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png",
+ "ransomnotes-filenames": [
 "ReadMe-[3_random_chars].html"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
+ "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/"
@@ -592,7 +612,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "READ_ME_TO_DECRYPT.txt"
 ],
 "refs": [
@@ -652,10 +672,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1(50 - 165$)",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg",
+ "ransomnotes-filenames": [
 "What happen to my files.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/",
 "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html",
@@ -673,7 +695,7 @@
 "extensions": [
 ".damage"
 ],
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
 ],
 "refs": [
@@ -716,7 +738,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1 (250$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png"
 ],
 "refs": [
@@ -733,10 +755,12 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.5 - 0.7",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
+ "ransomnotes-filenames": [
 "How decrypt files.hta"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
@@ -772,7 +796,7 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg"
 ],
 "refs": [
@@ -793,7 +817,9 @@
 "payment-method": "Bitcoin",
 "price": "0.8 - 2",
 "ransomnotes": [
- "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)",
+ "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)"
+ ],
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg"
 ],
 "refs": [
@@ -829,7 +855,7 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png"
 ],
 "refs": [
@@ -846,7 +872,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -868,10 +894,12 @@
 ],
 "payment-method": "Dollars",
 "price": "500",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "INSTRUCCIONES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
 "https://twitter.com/MarceloRivero/status/832302976744173570",
@@ -915,9 +943,11 @@
 ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "# RESTORING FILES #.txt",
- "# RESTORING FILES #.html",
+ "# RESTORING FILES #.html"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
 ],
 "refs": [
@@ -938,11 +968,15 @@
 ],
 "payment-method": "Email - Bitcoin",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
- "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png",
- "DECRYPT_INFORMATION.html",
 "UNIQUE_ID_DO_NOT_REMOVE"
 ],
+ "ransomnotes-filenames": [
+ "DECRYPT_INFORMATION.html"
+ ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
+ "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/",
@@ -970,7 +1004,7 @@
 "extensions": [
 ".hasp"
 ],
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg"
 ],
 "refs": [
@@ -990,7 +1024,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
 ],
 "refs": [
@@ -1007,7 +1041,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0,3169",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
 "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
 ],
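Review bot: `"UNIQUE_ID_DO_NOT_REMOVE"` is left as the only element of `"ransomnotes"` in the hunk at -938, yet it reads like a file name rather than note text, so the split into text, file names and references looks incomplete for this entry. If it is a file the sample drops, list it as `"ransomnotes-filenames": ["DECRYPT_INFORMATION.html", "UNIQUE_ID_DO_NOT_REMOVE"]` and remove the then-empty `"ransomnotes"` array. If it is a marker string quoted from the note itself, it can stay, but that is not evident from the value alone.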
@@ -1048,7 +1082,7 @@
 ],
 "payment-method": "Dollars",
 "price": "249",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1067,10 +1101,12 @@
 ".yourransom"
 ],
 "payment-method": "Email",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "README.txt"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/",
@@ -1087,7 +1123,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "0.6 - 0.95",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
 ],
 "refs": [
@@ -1107,10 +1143,12 @@
 ".potato"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "How to recover my files.txt",
 "README.png",
- "README.html",
+ "README.html"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1130,11 +1168,15 @@
 ],
 "payment-method": "Email",
 "ransomnotes": [
+ "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
+ ],
+ "ransomnotes-filenames": [
 "!!!.txt",
 "1.bmp",
- "1.jpg",
- "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg",
- "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
+ "1.jpg"
+ ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
@@ -1154,10 +1196,14 @@
 "payment-method": "Bitcoin",
 "price": "0.25",
 "ransomnotes": [
- "YOUR FILES ARE ENCRYPTED!!!.txt",
- "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
 "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool."
 ],
+ "ransomnotes-filenames": [
+ "YOUR FILES ARE ENCRYPTED!!!.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
 "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
@@ -1179,9 +1225,11 @@
 "payment-method": "Bitcoin",
 "price": "0.2",
 "ransomnotes": [
- "How decrypt files.hta",
 "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
 ],
+ "ransomnotes-filenames": [
+ "How decrypt files.hta"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
@@ -1232,9 +1280,11 @@
 "payment-method": "Bitcoin",
 "price": "0,65806",
 "ransomnotes": [
- "note.iti",
 "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
 ],
+ "ransomnotes-filenames": [
+ "note.iti"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
 "http://www.enigmasoftware.com/funfactransomware-removal/"
@@ -1252,12 +1302,14 @@
 ".<7_random_letters>"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "encrypted_readme.txt",
 "__encrypted_readme.txt",
- "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png",
 "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
 "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
@@ -1276,11 +1328,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2,15555 (2000$)",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
- "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png",
+ "ransomnotes-filenames": [
 "!Recovery_[3_random_chars].html"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
+ "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html",
 "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
@@ -1298,8 +1352,10 @@
 "date": "January 2017",
 "encryption": "AES",
 "payment-method": "Bitcoin",
- "ransomnotes": [
- "Warning警告.html",
+ "ransomnotes-filenames": [
+ "Warning警告.html"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1321,7 +1377,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg",
 "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg"
 ],
@@ -1345,8 +1401,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
- "HOW_OPEN_FILES.html",
+ "ransomnotes-filenames": [
+ "HOW_OPEN_FILES.html"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg"
 ],
 "refs": [
@@ -1366,10 +1424,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1 - your choice",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png",
+ "ransomnotes-filenames": [
 "HELP_DECRYPT_FILES.html"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html",
 "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/",
@@ -1400,7 +1460,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "150 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1423,9 +1483,11 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "IMPORTANTE_LEER.html",
- "RECUPERAR_ARCHIVOS.html",
+ "RECUPERAR_ARCHIVOS.html"
+ ],
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1447,9 +1509,11 @@
 "payment-method": "Bitcoin",
 "price": "1",
 "ransomnotes": [
- "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png",
 "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html",
 "https://twitter.com/BleepinComputer/status/819927858437099520"
@@ -1472,8 +1536,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1",
- "ransomnotes": [
- "READ_IT.hTmL",
+ "ransomnotes-filenames": [
+ "READ_IT.hTmL"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif"
 ],
 "refs": [
@@ -1493,8 +1559,10 @@
 ".HakunaMatata"
 ],
 "payment-method": "Website (onion)",
- "ransomnotes": [
- "Recovers files yako.html",
+ "ransomnotes-filenames": [
+ "Recovers files yako.html"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
 ],
 "refs": [
@@ -1518,11 +1586,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
- "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
+ "ransomnotes-filenames": [
 "_HELP_Recover_Files_.html"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
+ "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
 "https://decrypter.emsisoft.com/marlboro",
@@ -1539,10 +1609,12 @@
 "encryption": "AES+RSA",
 "payment-method": "Bitcoin",
 "price": "79$",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png",
+ "ransomnotes-filenames": [
 "[Infection-ID].HTML"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html",
 "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware",
@@ -1577,7 +1649,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.35",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -1597,7 +1669,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "500$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg",
 "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg"
 ],
@@ -1618,7 +1690,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.33",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg"
 ],
 "refs": [
@@ -1640,7 +1712,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -1662,7 +1734,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "50$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -1706,10 +1778,12 @@
 "encryption": "ROT-23",
 "payment-method": "Bitcoin",
 "price": "0.085",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg",
+ "ransomnotes-filenames": [
 "README.HTML"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
@@ -1727,7 +1801,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.085",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -1748,7 +1822,7 @@
 ".cancer"
 ],
 "payment-method": "no ransom",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -1768,7 +1842,7 @@
 ".locked"
 ],
 "payment-method": "Email - Bitcoin",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -1789,7 +1863,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "10",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg"
 ],
 "refs": [
@@ -1809,9 +1883,11 @@
 ".evillock"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "HOW_TO_DECRYPT_YOUR_FILES.TXT",
- "HOW_TO_DECRYPT_YOUR_FILES.HTML",
+ "HOW_TO_DECRYPT_YOUR_FILES.HTML"
+ ],
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png",
 "https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png"
 ],
@@ -1835,7 +1911,7 @@
 "date": "January 2017",
 "payment-method": "Bitcoin",
 "price": "0.03",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg",
 "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg"
 ],
@@ -1857,8 +1933,10 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "1000 CZK",
- "ransomnotes": [
- "INFOK1.txt",
+ "ransomnotes-filenames": [
+ "INFOK1.txt"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png",
 "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg"
 ],
@@ -1883,10 +1961,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "155$",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "READ_ME.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/",
@@ -1920,8 +2000,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "3",
- "ransomnotes": [
- "How To Recover Encrypted Files.hta",
+ "ransomnotes-filenames": [
+ "How To Recover Encrypted Files.hta"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png",
 "https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png"
 ],
@@ -1958,7 +2040,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "500$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg"
 ],
 "refs": [
@@ -1981,9 +2063,11 @@
 ".BTC"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "BTC_DECRYPT_FILES.txt",
- "BTC_DECRYPT_FILES.html",
+ "BTC_DECRYPT_FILES.html"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2005,7 +2089,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "700$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png"
 ],
 "refs": [
@@ -2024,8 +2108,10 @@
 ".LOCKED"
 ],
 "payment-method": "Bitcoin - WebSite (onion)",
- "ransomnotes": [
- "DecryptFile.txt",
+ "ransomnotes-filenames": [
+ "DecryptFile.txt"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png",
 "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png"
 ],
@@ -2047,7 +2133,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg"
 ],
 "refs": [
@@ -2067,8 +2153,10 @@
 ".locked"
 ],
 "payment-method": "Website",
- "ransomnotes": [
- "MESSAGE.txt",
+ "ransomnotes-filenames": [
+ "MESSAGE.txt"
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg"
 ],
 "refs": [
@@ -2098,7 +2186,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg"
 ],
 "refs": [
@@ -2114,10 +2202,12 @@
 "date": "January 2017",
 "encryption": "Twofish",
 "payment-method": "Email",
- "ransomnotes": [
- "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "Xhelp.jpg"
 ],
+ "ransomnotes-refs": [
+ "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
 "https://twitter.com/JakubKroustek/status/825790584971472902"
@@ -2135,7 +2225,7 @@
 ".7zipper"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2157,7 +2247,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "170€/$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png"
 ],
 "refs": [
@@ -2177,7 +2267,7 @@
 "encryption": "AES-256 (fake)",
 "payment-method": "Bitcoin",
 "price": "50£",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif"
 ],
 "refs": [
@@ -2198,7 +2288,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.18 (100$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg",
 "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad"
 ],
@@ -2227,9 +2317,11 @@
 ".MERRY"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "YOUR_FILES_ARE_DEAD.HTA",
- "MERRY_I_LOVE_YOU_BRUCE.HTA",
+ "MERRY_I_LOVE_YOU_BRUCE.HTA"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png",
 "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png"
 ],
@@ -2272,7 +2364,7 @@
 "encryption": "AES-256+RSA",
 "payment-method": "Bitcoin",
 "price": "222 (200 000$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png"
 ],
 "refs": [
@@ -2298,10 +2390,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "20 - 30$",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
+ "ransomnotes-filenames": [
 "unlock-everybody.txt"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
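Review bot: The second entry of the renamed array in the `-2198` hunk, `https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad`, has no `/s1600/<file>` tail like the other blogspot references on this page and looks truncated. The rename carries it into `ransomnotes-refs` unchanged, where it will probably not resolve to the ransom-note image an analyst expects to find. I would restore the full link from the write-up listed under `refs`, or drop the entry if it cannot be recovered.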
@@ -2319,10 +2413,12 @@
 ".bript"
 ],
 "payment-method": "Email - Bitcoin",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png",
+ "ransomnotes-filenames": [
 "More.html"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html",
 "https://twitter.com/demonslay335/status/813064189719805952"
@@ -2340,7 +2436,7 @@
 ".adam"
 ],
 "payment-method": "Website",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg"
 ],
 "refs": [
@@ -2360,7 +2456,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -2390,7 +2486,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg"
 ],
 "refs": [
@@ -2414,8 +2510,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
- "YOU_HAVE_BEEN_HACKED.txt",
+ "ransomnotes-filenames": [
+ "YOU_HAVE_BEEN_HACKED.txt"
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2432,7 +2530,7 @@
 "encryption": "AES-256+RSA",
 "payment-method": "Bitcoin",
 "price": "0.6 - 1.6",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2455,7 +2553,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.4",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg"
 ],
 "refs": [
@@ -2475,7 +2573,7 @@
 ".madebyadam"
 ],
 "payment-method": "Website (gift card)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -2504,7 +2602,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif"
 ],
 "refs": [
@@ -2527,7 +2625,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -2547,7 +2645,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.2 (160$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg"
 ],
 "refs": [
@@ -2569,7 +2667,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif"
 ],
 "refs": [
@@ -2604,7 +2702,7 @@
 ".braincrypt"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png",
 "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg"
 ],
@@ -2622,10 +2720,12 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.2",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png",
+ "ransomnotes-filenames": [
 "RESTORE_YOUR_FILES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html",
 "https://twitter.com/struppigel/status/810766686005719040"
@@ -2641,7 +2741,7 @@
 "encryption": "RSA-2048",
 "payment-method": "Bitcoin",
 "price": "0.3",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg"
 ],
 "refs": [
@@ -2661,8 +2761,10 @@
 ".aes256"
 ],
 "payment-method": "Email",
- "ransomnotes": [
- "!!! READ THIS -IMPORTANT !!!.txt",
+ "ransomnotes-filenames": [
+ "!!! READ THIS -IMPORTANT !!!.txt"
+ ],
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2681,7 +2783,7 @@
 ".encrypted"
 ],
 "payment-method": "Game",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png"
 ],
 "refs": [
@@ -2703,10 +2805,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "HOW_OPEN_FILES.hta"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
@@ -2742,7 +2846,7 @@
 ".v8"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -2761,7 +2865,7 @@
 ".ENC"
 ],
 "payment-method": "Website",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg"
 ],
 "refs": [
@@ -2780,7 +2884,7 @@
 ".antihacker2017"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -2796,7 +2900,7 @@
 "date": "December 2016",
 "payment-method": "Dollars",
 "price": "100 - 250 - 500",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png"
 ],
 "refs": [
@@ -2814,7 +2918,7 @@
 "meta": {
 "date": "December 2016",
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png"
 ],
 "refs": [
@@ -2835,11 +2939,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
- "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
+ "ransomnotes-filenames": [
 "_HELP_YOUR_FILES.html"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
+ "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
 ]
@@ -2854,7 +2960,7 @@
 "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "0.25",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg"
 ],
 "refs": [
@@ -2874,10 +2980,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "950 bresilian real ($)",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
+ "ransomnotes-filenames": [
 "!!!!!ATENÇÃO!!!!!.html"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
 "https://twitter.com/BleepinComputer/status/808316635094380544"
@@ -2910,7 +3018,9 @@ "payment-method": "Bitcoin", "price": "0.3", "ransomnotes": [ - "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", + "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. 
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins" + ], + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg" ], "refs": [ @@ -2946,7 +3056,7 @@ ], "payment-method": "Bitcoin", "price": "1000 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png" ], "refs": [ @@ -2966,7 +3076,7 @@ ".pre_alpha" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png" ], "refs": [ @@ -2988,7 +3098,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg", "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif" ], @@ -3008,7 +3118,7 @@ "_morf56@meta.ua_" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png" ], "refs": [ 
@@ -3029,12 +3139,14 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png",
- "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg",
+ "ransomnotes-filenames": [
 "restore_your_files.html",
 "restore_your_files.txt"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png",
+ "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/"
@@ -3053,7 +3165,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.33 - 0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg"
 ],
 "refs": [
@@ -3073,7 +3185,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1.33 - 1.34",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg",
 "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg"
 ],
@@ -3096,7 +3208,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.74 (545 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png"
 ],
 "refs": [
@@ -3118,7 +3230,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "4(1040 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png"
 ],
 "refs": [
@@ -3149,24 +3261,28 @@ ], "payment-method": "Email", "ransomnotes": [ - "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", + "WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. 
Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", + "HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. 
If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!" + ], + "ransomnotes-filenames": [ "[5 numbers]-MATRIX-README.RTF", "!ReadMe_To_Decrypt_Files!.rtf", "#Decrypt_Files_ReadMe#.rtf", + "#KOK8_README#.rtf", + "#FOX_README#.rtf", + "!README_GMAN!.rtf", + "#README_EMAN50#.rtf", + "#NOBAD_README#.rtf", + "!ITLOCK_README!.rtf" + ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/ransom-note.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/background.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg", - "WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе 
dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. 
Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", "https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg", "https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg", - "#KOK8_README#.rtf", - "#FOX_README#.rtf", - "HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! 
You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!", - "!README_GMAN!.rtf", - "#README_EMAN50#.rtf", - "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg", - "#NOBAD_README#.rtf", - "!ITLOCK_README!.rtf" + "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", @@ -3199,7 +3315,7 @@ ".locked" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png" ], "refs": [ 
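Review bot: The two note bodies kept under `ransomnotes` in the @@ -3149 hunk handle the per-victim ID differently: the first still carries one sample's value (`4292D68970C047D9`), while the second already uses the placeholder `[id]`. If these strings are used to match recovered notes, the literal ID ties the first one to a single victim, so I would put `[id]` there as well; the @@ -3560 hunk has the same issue with `ACBFF130` and `BCBEF350`. The first body also spells many English words with Cyrillic look-alike letters (for example `mеаns thаt yоu`), so it only matches when compared byte-for-byte or after confusable folding, never as plain ASCII. The entry these arrays belong to starts and ends outside the hunk.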
@@ -3219,10 +3335,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "Important!.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
 "https://twitter.com/BleepinComputer/status/804810315456200704"
@@ -3240,10 +3358,12 @@
 ".novalid"
 ],
 "payment-method": "Bitcoin - Link WebSite",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
+ "ransomnotes-filenames": [
 "RESTORE_CORUPTED_FILES.HTML"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
@@ -3275,7 +3395,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg"
 ],
 "refs": [
@@ -3291,7 +3411,7 @@
 "date": "November 2016",
 "encryption": "AES",
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png"
 ],
 "refs": [
@@ -3313,7 +3433,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif"
 ],
 "refs": [
@@ -3334,7 +3454,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.68096697 (500$)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png"
 ],
 "refs": [
@@ -3356,10 +3476,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "HOW TO DECRYPT YOU FILES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html",
 "https://decrypter.emsisoft.com/ozozalocker",
@@ -3378,7 +3500,7 @@
 ".mo0n"
 ],
 "payment-method": "WebSite link",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg"
 ],
 "refs": [
@@ -3402,7 +3524,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0,5 - 1,5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG",
 "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
 ],
@@ -3427,7 +3549,7 @@
 ],
 "payment-method": "Call Number",
 "price": "349.99$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png"
 ],
 "refs": [
@@ -3450,7 +3572,7 @@
 ".ENCRYPTED"
 ],
 "payment-method": "no ransom",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg",
 "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
 ],
@@ -3468,7 +3590,7 @@
 "date": "November 2016",
 "encryption": "RSA",
 "payment-method": "CreditCard",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg"
 ],
 "refs": [
@@ -3493,7 +3615,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100$",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg"
 ],
 "refs": [
@@ -3514,10 +3636,12 @@
 ".DALE"
 ],
 "payment-method": "Tor WebSite",
- "ransomnotes": [
- "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG",
+ "ransomnotes-filenames": [
 "CHIP_FILES.txt"
 ],
+ "ransomnotes-refs": [
+ "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html",
 "http://malware-traffic-analysis.net/2016/11/17/index.html",
@@ -3560,16 +3684,20 @@ ], "payment-method": "Bitcoin - Email", "ransomnotes": [ + "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc", + "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", + "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. 
After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam." + ], + "ransomnotes-filenames": [ "README.txt", "README.jpg", "Info.hta", "FILES ENCRYPTED.txt", "INFO.hta", + "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg", - "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc", - "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. 
The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", - "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com", - "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
\nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", "https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg", "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg", "https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg", @@ -3606,7 +3734,7 @@ ], "payment-method": "Bitcoin", "price": "1200€", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" ], "refs": [ @@ -3628,10 +3756,12 @@ "payment-method": "Bitcoin", "price": "0.7 - 2.1", "ransomnotes": [ - "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", - "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", + "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", 
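Review bot: In the @@ -3560 hunk the last item added to `ransomnotes-filenames` is note text, not a file name: `"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"`. The same hunk moves its twin with the paymentbtc@firemail.cc address into `ransomnotes`, so this one looks missed and should go there too. The @@ -3628 hunk on this line has the reverse case: `"%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt."` is a file path but stays in `ransomnotes`, where `ransomnotes-filenames` would fit. Anything that builds file-name detections from `ransomnotes-filenames` would otherwise take a three-line message as a name and miss the real one. Both entries start and end outside their hunks.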
@@ -3665,7 +3795,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.2 - 2",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png"
 ],
 "refs": [
@@ -3692,11 +3822,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png",
+ "ransomnotes-filenames": [
 "# DECRYPT MY FILES #.html",
 "# DECRYPT MY FILES #.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/",
@@ -3716,7 +3848,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png"
 ],
 "refs": [
@@ -3736,7 +3868,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.55 - 0.65",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "Your files are locked !.txt",
 "Your files are locked !!.txt",
 "Your files are locked !!!.txt",
@@ -3767,7 +3899,7 @@
 ".kolobocheg@aol.com_"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.ransomware.wiki/tag/kolobo/"
 ],
 "refs": [
@@ -3792,7 +3924,7 @@
 ],
 "payment-method": "PaySafeCard",
 "price": "100€",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png"
 ],
 "refs": [
@@ -3816,7 +3948,7 @@
 ],
 "payment-method": "Qhvi-wallet / Yandex-wallet",
 "price": "5000 rubles",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif"
 ],
 "refs": [
@@ -3840,7 +3972,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.4",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png"
 ],
 "refs": [
@@ -3879,7 +4011,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.33",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
 ],
@@ -3923,7 +4055,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.03",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg"
 ],
 "refs": [
@@ -3944,7 +4076,7 @@
 ".hollycrypt"
 ],
 "payment-method": "Bitcoin Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG"
 ],
 "refs": [
@@ -3963,7 +4095,7 @@
 ".BTC"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG"
 ],
 "refs": [
@@ -3986,10 +4118,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes": [
- "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
+ "ransomnotes-filenames": [
 "filename.Instructions_Data_Recovery.txt"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/"
@@ -4007,7 +4141,7 @@
 ".dCrypt"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png"
 ],
 "refs": [
@@ -4049,7 +4183,7 @@
 ".ace"
 ],
 "payment-method": "Website (onion)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png"
 ],
 "refs": [
@@ -4089,7 +4223,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "10 (7300 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG"
 ],
 "refs": [
@@ -4115,9 +4249,11 @@
 "price": "7 (2000 - 5000 $)",
 "ransomnotes": [
 "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!",
- "INFO.txt",
 "Для связи с нами используйте почту\ninkognitoman@tutamail.com\ninkognitoman@firemail.cc"
 ],
+ "ransomnotes-filenames": [
+ "INFO.txt"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
@@ -4162,10 +4298,14 @@
 "payment-method": "rupies",
 "price": "3500 - 5000 - 10 000",
 "ransomnotes": [
- "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
- "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
+ "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020"
+ ],
+ "ransomnotes-filenames": [
 "CreatesReadThisFileImportant.txt"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
 "https://twitter.com/struppigel/status/791943837874651136"
@@ -4183,7 +4323,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "3",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -4208,7 +4348,9 @@
 "payment-method": "Bitcoin",
 "price": "100 $",
 "ransomnotes": [
- "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.",
+ "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files."
+ ],
+ "ransomnotes-refs": [
 "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg"
 ],
 "refs": [
@@ -4230,7 +4372,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "1000 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG"
 ],
 "refs": [
@@ -4251,11 +4393,13 @@
 ".Alcatraz"
 ],
 "payment-method": "Email",
- "ransomnotes": [
- "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
- "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
+ "ransomnotes-filenames": [
 "ransomed.hTmL"
 ],
+ "ransomnotes-refs": [
+ "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
+ "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
@@ -4275,7 +4419,9 @@
 ],
 "payment-method": "Email",
 "ransomnotes": [
- "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.",
+ "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email."
+ ],
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png"
 ],
 "refs": [
@@ -4296,7 +4442,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.053773",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg"
 ],
 "refs": [
@@ -4315,7 +4461,7 @@
 ".encrypted"
 ],
 "payment-method": "Game",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png"
 ],
 "refs": [
@@ -4336,7 +4482,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.29499335",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg",
 "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
 ],
@@ -4360,11 +4506,15 @@
 ],
 "payment-method": "Email",
 "ransomnotes": [
- "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
- "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!",
+ "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!"
+ ],
+ "ransomnotes-filenames": [
 "_Adatok_visszaallitasahoz_utasitasok.txt",
 "_locky_recover_instructions.txt"
 ],
+ "ransomnotes-refs": [
+ "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
 "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
@@ -4388,7 +4538,9 @@ "payment-method": "Bitcoin", "price": "2 - 4", "ransomnotes": [ - "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team", + "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. 
You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team" + ], + "ransomnotes-filenames": [ "YOUR FILES ARE ENCRYPTED!.txt" ], "refs": [ 
@@ -4410,9 +4562,11 @@ "payment-method": "Bitcoin", "price": "10 (7300 $)", "ransomnotes": [ - "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg", "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!" ], + "ransomnotes-refs": [ + "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html", "https://twitter.com/demonslay335/status/790334746488365057" @@ -4431,7 +4585,7 @@ ], "payment-method": "Email", "price": "1000 rubles", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg", "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg" ], @@ -4450,10 +4604,12 @@ "encryption": "AES-512", "payment-method": "Bitcoin", "price": "0.25 - 0.5", - "ransomnotes": [ - "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG", + "ransomnotes-filenames": [ "!!!!!readme!!!!!.htm" ], + "ransomnotes-refs": [ + "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html", "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/" @@ -4492,7 +4648,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" ], "refs": [ 
@@ -4511,7 +4667,7 @@ "#LOCK#" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg" ], "refs": [ @@ -4539,10 +4695,12 @@ ], "payment-method": "Bitcoin", "price": "1 - 2.5 - 3", - "ransomnotes": [ - "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg", + "ransomnotes-filenames": [ "Decryption Instructions.txt" ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html", "http://nyxbone.com/malware/Anubis.html" @@ -4558,7 +4716,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "2", - "ransomnotes": [ + "ransomnotes-filenames": [ "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com" ], "refs": [ 
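Review bot: The renamed key in the `@@ -4558,7 +4716,7 @@` hunk puts the entry in the wrong bucket: the single value under `"ransomnotes-filenames"` is the full note body ("Attention! ! ! All of your copies of your system have been permanently deleted…"), not a file name. A consumer that compares this array with names of files found on disk can never match it, and the note text, with the contact address and wallet that serve as indicators, is no longer available to consumers reading `"ransomnotes"`. This entry should keep the old key, `"ransomnotes": [`. The enclosing `meta` object starts and ends outside the hunk.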
@@ -4579,7 +4737,7 @@ ], "payment-method": "Bitcoin", "price": "50 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg", "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg", "https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg" @@ -4604,7 +4762,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg" ], "refs": [ @@ -4624,7 +4782,7 @@ ], "payment-method": "Bitcoin", "price": "0.0523", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png" ], "refs": [ @@ -4659,7 +4817,7 @@ ], "payment-method": "Bitcoin", "price": "0.2", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg" ], "refs": [ @@ -4678,7 +4836,7 @@ ".venis" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg" ], "refs": [ @@ -4717,7 +4875,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg" ], "refs": [ 
@@ -4741,7 +4899,7 @@ ], "payment-method": "Bitcoin", "price": "~2", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg", "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG", "https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg" @@ -4775,7 +4933,7 @@ ], "payment-method": "Bitcoin", "price": "0.8 - 1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg" ], "refs": [ @@ -4808,7 +4966,7 @@ ], "payment-method": "PaySafe", "price": "300 CZK - 2000 CZK after 12 hours", - "ransomnotes": [ + "ransomnotes-refs": [ "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg", "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg" ], @@ -4830,7 +4988,7 @@ ], "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png" ], "refs": [ @@ -4849,7 +5007,7 @@ ".ecrypt" ], "payment-method": "Tor WebSite", - "ransomnotes": [ + "ransomnotes-refs": [ "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png" ], "refs": [ @@ -4896,7 +5054,7 @@ ".enc" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_LOCKED.txt" ], "refs": [ @@ -4917,7 +5075,7 @@ ], "payment-method": "Bitcoin", "price": "0.1 (37$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "read_this_file.txt" ], "refs": [ 
@@ -4939,7 +5097,7 @@ ], "payment-method": "Bitcoin", "price": "13 (4980$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "FILES_BACK.txt" ], "refs": [ @@ -4970,7 +5128,7 @@ "extensions": [ ".8lock8" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -4987,7 +5145,7 @@ "._AiraCropEncrypted" ], "payment-method": "WebSite (onion) - Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt your files.txt" ], "refs": [ @@ -5005,7 +5163,7 @@ ".disappeared" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "Read_Me.Txt" ], "refs": [ @@ -5023,7 +5181,7 @@ ], "payment-method": "Bitcoin", "price": "1 (650$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "README HOW TO DECRYPT YOUR FILES.HTML" ], "refs": [ @@ -5044,7 +5202,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Unlock_files_randomx5.html" ], "refs": [ @@ -5065,7 +5223,7 @@ ], "payment-method": "Itunes Gift Cards", "price": "400$", - "ransomnotes": [ + "ransomnotes-filenames": [ "Read Me (How Decrypt) !!!!.txt" ], "refs": [ @@ -5097,7 +5255,7 @@ ], "payment-method": "Bitcoin", "price": "Depending on the victim’s situation", - "ransomnotes": [ + "ransomnotes-filenames": [ "ПРОЧТИ_МЕНЯ.txt", "READ_ME.txt" ], @@ -5117,7 +5275,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME.txt" ], "refs": [ @@ -5155,7 +5313,7 @@ "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" ], "payment-method": "Email - WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "*.How_To_Decrypt.txt", "*.Contact_Here_To_Recover_Your_Files.txt", "*.Where_my_files.txt", @@ -5197,7 +5355,7 @@ ".locked" ], "payment-method": "Email - WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "*.How_To_Get_Back.txt" ], "refs": [ 
@@ -5215,7 +5373,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1", - "ransomnotes": [ + "ransomnotes-filenames": [ "info.txt", "info.html" ], @@ -5244,7 +5402,7 @@ "meta": { "payment-method": "Bitcoin", "price": "2 (888,4$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "Help Decrypt.html" ], "refs": [ @@ -5279,7 +5437,7 @@ ".id-[ID]_[EMAIL_ADDRESS]" ], "payment-method": "Email - Telegram", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECRYPT.txt" ], "refs": [ @@ -5312,7 +5470,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "recover.txt", "recover.bmp" ], @@ -5379,7 +5537,7 @@ ], "payment-method": "Bitcoin", "price": "0.07 (30$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "Hacked_Read_me_to_decrypt_files.html", "YourID.txt" ], @@ -5443,7 +5601,7 @@ ], "payment-method": "Reais", "price": "2000 (543$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "MENSAGEM.txt" ], "refs": [ @@ -5462,7 +5620,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_OPEN_FILES.html" ], "refs": [ @@ -5498,7 +5656,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "#_HOW_TO_FIX_!.hta" ], "refs": [ @@ -5528,7 +5686,7 @@ "extensions": [ "(.*).encoded.([A-Z0-9]{9})" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "BUYUNLOCKCODE.txt" ], "refs": [ @@ -5546,7 +5704,7 @@ ], "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], @@ -5585,7 +5743,7 @@ ], "payment-method": "Bitcoin", "price": "1.24 / 2.48 after 7 days", - "ransomnotes": [ + "ransomnotes-filenames": [ "# DECRYPT MY FILES #.html", "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.vbs", 
@@ -5629,7 +5787,7 @@ ], "payment-method": "Bitcoin", "price": "0.939", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT", ".gif" @@ -5662,7 +5820,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "wallpaper.jpg" ], "refs": [ @@ -5684,7 +5842,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!!-WARNING-!!!.html", "!!!-WARNING-!!!.txt" ], @@ -5732,7 +5890,7 @@ ], "payment-method": "Email", "price": "100$", - "ransomnotes": [ + "ransomnotes-refs": [ "http://virusinfo.info/showthread.php?t=185396" ], "refs": [ @@ -5752,7 +5910,7 @@ ], "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], @@ -5791,7 +5949,7 @@ "encryption": "AES-256", "payment-method": "Bitcoin", "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.TXT", "README.HTML", "README.BMP" @@ -5812,7 +5970,7 @@ ], "payment-method": "Bitcoin", "price": "0.1 (45$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_THIS_TO_DECRYPT.html" ], "refs": [ @@ -5894,7 +6052,7 @@ "encryption": "AES + RSA", "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "OKSOWATHAPPENDTOYOURFILES.TXT" ], "refs": [ @@ -5920,7 +6078,7 @@ "meta": { "payment-method": "Bitcoin", "price": "0.9 (500$) - 1.9 (1000$) after 4 days", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL" @@ -5968,7 +6126,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ IF YOU WANT YOUR FILES BACK.html" ], "refs": [ @@ -6007,7 +6165,7 @@ "extensions": [ ".clf" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "wallpaper.jpg" ] }, 
@@ -6051,7 +6209,7 @@ ], "payment-method": "Bitcoin", "price": "100€", - "ransomnotes": [ + "ransomnotes-filenames": [ "README!!!.txt", "GetYouFiles.txt", "crjoker.html" @@ -6150,10 +6308,6 @@ "ransomnotes": [ "HELP_YOUR_FILES.html (CryptXXX)", "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", - "INSTRUCTION RESTORE FILE.TXT", - "# HELP_DECRYPT_YOUR_FILES #.TXT", - "_HELP_INSTRUCTION.TXT", - "C:\\ProgramData\\[random].exe", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number", 
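Review bot: Two values that are plainly note file names stay under `"ransomnotes"` as context lines in the `@@ -6150,10 +6308,6 @@` hunk: `"HELP_YOUR_FILES.html (CryptXXX)"` and `"HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)"`. The split is incomplete in the same way further down: `"DesktopOSIRIS.(bmp|htm)"` and `"lukitus.bmp."` (`@@ -8140` / `@@ -8147`), `"YOUR_FILES_ARE_ENCRYPTED.TXT "` (`@@ -8379`) and `"IMPORTANT.README"` (`@@ -8435`) remain note text while their siblings moved to `"ransomnotes-filenames"`. These should move as well, without the parenthesised family tag, the trailing space and what looks like a stray trailing dot, so that the values can be compared with on-disk names, e.g. `"HELP_YOUR_FILES.html",`.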
@@ -6162,9 +6316,17 @@ "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number", "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number", - "https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nleab@tuta.io\n\nitprocessor@protonmail.com\n\npcambulance1@protonmail.com\n\nleablossom@yandex.com\n\nblossomlea@yandex.com\n\nleablossom@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! 
IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[redacted lowercase GUID] number" ], + "ransomnotes-filenames": [ + "INSTRUCTION RESTORE FILE.TXT", + "# HELP_DECRYPT_YOUR_FILES #.TXT", + "_HELP_INSTRUCTION.TXT", + "C:\\ProgramData\\[random].exe" + ], + "ransomnotes-refs": [ + "https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg" + ], "refs": [ "http://www.nyxbone.com/malware/CryptoMix.html", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", @@ -6227,7 +6389,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 (360$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "!Where_are_my_files!.html" ], "refs": [ @@ -6244,7 +6406,7 @@ "extensions": [ ".doomed" ], - "ransomnotes": [ + "ransomnotes-filenames": [ "LEER_INMEDIATAMENTE.txt" ], "refs": [ @@ -6263,7 +6425,7 @@ ], "payment-method": "Bitcoin", "price": "200$", - "ransomnotes": [ + "ransomnotes-filenames": [ "ATTENTION.url" ], "refs": [ @@ -6282,7 +6444,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 (100$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECRYPT FILES.txt", "%Temp%\\.bmp" ], @@ -6310,7 +6472,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_INSTRUCTION.HTM", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.URL", @@ -6325,7 +6487,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", @@ -6340,7 +6502,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", @@ -6362,7 +6524,7 @@ ], "payment-method": "Bitcoin", "price": "1.09 (500$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG" ] 
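Review bot: `"C:\\ProgramData\\[random].exe"` is added to `"ransomnotes-filenames"` in the `@@ -6162,9 +6316,17 @@` hunk, but it is an executable path, not the name of a ransom note. Keeping it in this array mixes a payload location into data that consumers presumably use to recognise note files, so it is a poor note match and easy to miss as a host indicator. I would drop it from this list and record it wherever the cluster format keeps other host artefacts, if it has such a field. The enclosing `meta` object is only partly visible in the hunk.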
@@ -6378,7 +6540,7 @@ ], "payment-method": "Bitcoin", "price": "1.2 (500$) - 2.4", - "ransomnotes": [ + "ransomnotes-filenames": [ "de_crypt_readme.bmp, .txt, .html" ], "refs": [ @@ -6410,7 +6572,7 @@ ], "payment-method": "Bitcoin", "price": "1.2 (500$) - 2.4", - "ransomnotes": [ + "ransomnotes-filenames": [ ".txt, .html, .bmp" ], "refs": [ @@ -6486,7 +6648,7 @@ ".cry" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_FOR_DECRYPT.txt" ], "refs": [ @@ -6507,7 +6669,7 @@ ], "payment-method": "Bitcoin", "price": "0.08686 (50$)", - "ransomnotes": [ + "ransomnotes-filenames": [ "AllFilesAreLocked .bmp", "DecryptAllFiles .txt", ".html" @@ -6547,9 +6709,11 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "你的檔案被我們加密啦!!!.txt", "Your files encrypted by our friends !!! txt" ], + "ransomnotes-filenames": [ + "你的檔案被我們加密啦!!!.txt" + ], "refs": [ "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool", "https://github.com/aaaddress1/my-Little-Ransomware" @@ -6595,7 +6759,7 @@ ], "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -6644,7 +6808,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_YOUR_FILES.txt" ], "refs": [ @@ -6702,7 +6866,7 @@ "encryption": "AES-256 in ECB mode, Version 2-4 also RSA", "payment-method": "Bitcoin", "price": "1 - 2 - 4", - "ransomnotes": [ + "ransomnotes-filenames": [ "cryptinfo.txt", "decrypting.txt", "start.txt" @@ -6755,7 +6919,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_TO_RECURE_YOUR_FILES.txt" ], "refs": [ @@ -6777,7 +6941,7 @@ ], "payment-method": "Email", "price": "250$", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW TO DECODE FILES!!!.txt", "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt" ], 
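Review bot: `"de_crypt_readme.bmp, .txt, .html"` (`@@ -6378`) and `".txt, .html, .bmp"` (`@@ -6410`) are each a single string standing for several files, so under `"ransomnotes-filenames"` they can never equal a real file name. `"UNLOCK_FILES_INSTRUCTIONS.html and .txt"` in `@@ -7303` has the same shape. They should be expanded to one array element per file, e.g. `"de_crypt_readme.bmp",` `"de_crypt_readme.txt",` `"de_crypt_readme.html"`. The base name for the `@@ -6410` entry is not on the page, so it has to be taken from the referenced report before that entry can be expanded.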
@@ -6809,7 +6973,7 @@ ".dxxd" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.TxT" ], "refs": [ @@ -6866,7 +7030,7 @@ ".locked" ], "payment-method": "Download Decryter", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.txt" ], "refs": [ @@ -6905,7 +7069,7 @@ ], "payment-method": "Email", "price": "450$ - 1000$", - "ransomnotes": [ + "ransomnotes-filenames": [ "qwer.html", "qwer2.html", "locked.bmp" @@ -6923,7 +7087,7 @@ { "description": "Ransomware Coded in GO", "meta": { - "ransomnotes": [ + "ransomnotes-filenames": [ "Instructions.html" ], "refs": [ @@ -6954,7 +7118,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to recover.enc" ], "refs": [ @@ -6973,7 +7137,7 @@ ".1txt" ], "payment-method": "WebSite (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "enigma.hta", "enigma_encr.txt", "enigma_info.txt" @@ -7017,7 +7181,7 @@ ], "payment-method": "Bitcoin", "price": "1.50520802", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ ME FOR DECRYPT.txt" ], "refs": [ @@ -7053,9 +7217,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "DECRYPT_YOUR_FILES.HTML", "RESTORE-FILES![id]" ], + "ransomnotes-filenames": [ + "DECRYPT_YOUR_FILES.HTML" + ], "refs": [ "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/" ], @@ -7073,7 +7239,7 @@ ".FenixIloveyou!!" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "Help to decrypt.txt" ], "refs": [ @@ -7122,7 +7288,7 @@ ], "payment-method": "Bitcoin", "price": "500$", - "ransomnotes": [ + "ransomnotes-filenames": [ "[random_chars]-READ_ME.html" ], "refs": [ @@ -7162,7 +7328,7 @@ "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents", "meta": { "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "help-file-decrypt.enc", "/pronk.txt" ] 
@@ -7216,7 +7382,7 @@ ".dll" ], "payment-method": "No Ransom - No Descrypter", - "ransomnotes": [ + "ransomnotes-filenames": [ "fs0ciety.html", "DECRYPT_YOUR_FILES.HTML" ], @@ -7278,7 +7444,7 @@ ], "payment-method": "Bitcoin", "price": "250$", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to restore files.hta" ], "refs": [ @@ -7303,7 +7469,7 @@ ], "payment-method": "Bitcoin", "price": "0.5(190 - 250 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "UNLOCK_FILES_INSTRUCTIONS.html and .txt" ], "refs": [ @@ -7351,7 +7517,7 @@ "meta": { "payment-method": "Bitcoin", "price": "500 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Your files have been crypted.html" ], "refs": [ @@ -7462,7 +7628,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "help_dcfile.txt" ], "refs": [ @@ -7577,7 +7743,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_DECRYPT_HYRDA_ID_[ID number].txt" ], "refs": [ @@ -7623,7 +7789,7 @@ ], "payment-method": "Bitcoin", "price": "100 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "%Temp%\\.bmp" ], "refs": [ @@ -7657,7 +7823,7 @@ ], "payment-method": "Bitcoin", "price": "50 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Important_Read_Me.html" ], "refs": [ @@ -7673,7 +7839,7 @@ "encryption": "RC6 (files), RSA 2048 (RC6 key)", "payment-method": "Bitcoin", "price": "0.046627", - "ransomnotes": [ + "ransomnotes-filenames": [ "readme_liesmich_encryptor_raas.txt" ], "refs": [ @@ -7763,7 +7929,7 @@ ], "payment-method": "PaySafeCard", "price": "300 €", - "ransomnotes": [ + "ransomnotes-filenames": [ "Comment débloquer mes fichiers.txt", "Readme.txt" ], @@ -7793,7 +7959,7 @@ "meta": { "payment-method": "rubles", "price": "6 000", - "ransomnotes": [ + "ransomnotes-filenames": [ "How Decrypt Files.txt" ], "refs": [ 
@@ -7838,7 +8004,7 @@ "keybtc@inbox_com" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_YOUR_FILES.txt", "READ.txt", "readme.txt" @@ -7855,7 +8021,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.5 (500 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "how_decrypt.gif", "how_decrypt.html" ], @@ -7910,7 +8076,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.txt" ], "refs": [ @@ -7930,7 +8096,7 @@ ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "w.jpg" ], "refs": [ @@ -7953,7 +8119,7 @@ ], "payment-method": "Bitcoin", "price": "0.03", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_ALL.html" ], "refs": [ @@ -7969,7 +8135,7 @@ "meta": { "encryption": "AES-256", "payment-method": "ransom", - "ransomnotes": [ + "ransomnotes-filenames": [ "KryptoLocker_README.txt" ], "refs": [ @@ -8002,7 +8168,7 @@ ".LeChiffre" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt LeChiffre files.html" ], "refs": [ @@ -8022,7 +8188,7 @@ ], "payment-method": "Monero", "price": "50 - 500", - "ransomnotes": [ + "ransomnotes-filenames": [ "RANSOM_NOTE.txt" ], "refs": [ @@ -8071,7 +8237,7 @@ ], "payment-method": "Bitcoin", "price": "0.2 (200 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "LEAME.txt" ], "refs": [ @@ -8103,7 +8269,7 @@ ".locklock" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME.TXT" ], "refs": [ @@ -8140,6 +8306,10 @@ "payment-method": "Bitcoin", "price": "3 - 5 - 7", "ransomnotes": [ + "DesktopOSIRIS.(bmp|htm)", + "lukitus.bmp." + ], + "ransomnotes-filenames": [ "_Locky_recover_instructions.txt", "_Locky_recover_instructions.bmp", "_HELP_instructions.txt", 
@@ -8147,10 +8317,8 @@ "_HOWDO_text.html", "_WHAT_is.html", "_INSTRUCTION.html", - "DesktopOSIRIS.(bmp|htm)", "OSIRIS-[0-9]{4}.htm", - "lukitus.htm", - "lukitus.bmp." + "lukitus.htm" ], "refs": [ "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/", @@ -8247,7 +8415,7 @@ ], "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_ReadMe1.TXT", "DECRYPT_ReadMe.TXT" ], @@ -8267,7 +8435,7 @@ ], "payment-method": "Bitcoin", "price": "1.4 - 3.9", - "ransomnotes": [ + "ransomnotes-filenames": [ "_DECRYPT_INFO_[extension pattern].html" ], "refs": [ @@ -8287,7 +8455,7 @@ ], "payment-method": "Bitcoin", "price": "0.7 - 1.1", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!! Readme For Decrypt !!!.txt", "ReadMeFilesDecrypt!!!.txt" ], @@ -8316,7 +8484,7 @@ "description": "Ransomware", "meta": { "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "where_are_your_files.txt", "readme_your_files_have_been_encrypted.txt" ], @@ -8360,7 +8528,7 @@ ".fuck" ], "payment-method": "Bitcoin - Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ @@ -8379,9 +8547,11 @@ "payment-method": "Bitcoin", "price": "1.9338", "ransomnotes": [ - "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT " ], + "ransomnotes-filenames": [ + "YOUR_FILES_ARE_ENCRYPTED.HTML" + ], "refs": [ "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/", "https://id-ransomware.blogspot.com/2016/05/petya-mischa-ransomware.html" @@ -8402,7 +8572,7 @@ ], "payment-method": "Bitcoin", "price": "1.011 (400 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ 
@@ -8435,9 +8605,11 @@ "payment-method": "Bitcoin", "price": "4", "ransomnotes": [ - "4-14-2016-INFECTION.TXT", "IMPORTANT.README" ], + "ransomnotes-filenames": [ + "4-14-2016-INFECTION.TXT" + ], "refs": [ "http://nyxbone.com/malware/Mobef.html", "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/", @@ -8494,7 +8666,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "decrypt explanations.html" ], "refs": [ @@ -8512,7 +8684,7 @@ "encryption": "AES-256 + RSA", "payment-method": "Bitcoin", "price": "0.1 (43 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "ATTENTION.RTF" ], "refs": [ @@ -8541,7 +8713,7 @@ ], "payment-method": "Bitcoin", "price": "0.39983 - 4", - "ransomnotes": [ + "ransomnotes-filenames": [ "Decrypted.txt" ], "refs": [ @@ -8579,7 +8751,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "!_RECOVERY_HELP_!.txt", "HELP_ME_PLEASE.txt" ], @@ -8601,7 +8773,7 @@ ], "payment-method": "Bitcoin", "price": "0.5 - 1.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "Recupere seus arquivos. Leia-me!.txt" ], "refs": [ @@ -8639,7 +8811,7 @@ ".nuclear55" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!_RECOVERY_instructions_!!.html", "!!_RECOVERY_instructions_!!.txt" ], @@ -8677,7 +8849,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_RESTORE_FILES.txt" ], "refs": [ @@ -8699,7 +8871,7 @@ "email-[params].cbf" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "desk.bmp", "desk.jpg" ], @@ -8740,7 +8912,7 @@ ], "payment-method": "Bitcoin", "price": "100 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "how to get data.txt" ], "synonyms": [ 
@@ -8783,7 +8955,7 @@ ], "payment-method": "Bitcoin", "price": "0.29499335", - "ransomnotes": [ + "ransomnotes-filenames": [ "log.txt" ], "refs": [ @@ -8814,7 +8986,7 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ + "ransomnotes-filenames": [ "IMPORTANT READ ME.txt", "File Decrypt Help.html" ], @@ -8855,7 +9027,7 @@ ], "payment-method": "Bitcoin", "price": "0.25", - "ransomnotes": [ + "ransomnotes-filenames": [ "README!.txt" ], "refs": [ @@ -8887,7 +9059,7 @@ "meta": { "encryption": "Modified Salsa20", "payment-method": "Bitcoin - Website (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES_ARE_ENCRYPTED.TXT" ], "refs": [ @@ -9022,7 +9194,7 @@ "meta": { "encryption": "AES", "payment-method": "Website (onion)", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_INSTRUCTION.html" ] }, @@ -9038,10 +9210,12 @@ "payment-method": "Bitcoin", "price": "3 (1 800 $)", "ransomnotes": [ + ".*id*" + ], + "ransomnotes-filenames": [ "!_HOW_TO_RESTORE_[extension].TXT", "!_HOW_TO_RESTORE_[extension].html", "!_HOW_TO_RESTORE_*id*.txt", - ".*id*", "@_USE_TO_FIX_JJnY.txt" ], "refs": [ @@ -9082,7 +9256,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1 - 2", - "ransomnotes": [ + "ransomnotes-filenames": [ "Ransomware.txt" ], "refs": [ @@ -9101,7 +9275,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPTION INSTRUCTIONS.txt", "rtext.txt" ], @@ -9121,7 +9295,7 @@ ], "payment-method": "Bitcoin", "price": "0.39 (215 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!!README!!![id].rtf" ], "refs": [ @@ -9160,7 +9334,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "YOUR_FILES.url" ], "refs": [ @@ -9212,7 +9386,7 @@ "!@#$%___________%$#@.mail" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "\\fud.bmp", "\\paycrypt.bmp", "\\strongcrypt.bmp", 
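Review bot: The `ransomnotes-filenames` list in the -9038 hunk mixes notations, and nothing tells a consumer which one applies. `!_HOW_TO_RESTORE_[extension].TXT` uses a bracket placeholder and `!_HOW_TO_RESTORE_*id*.txt` a glob-like wildcard, while `.*id*` stays in `ransomnotes` although it also reads as a name pattern. Other hunks of this patch put regexes (`OSIRIS-[0-9]{4}.htm`) and angle-bracket templates (`RECOVER<5_chars>.html`) under the same key. A matcher cannot tell literal from glob from regex, and `[id]` in `!!!README!!![id].rtf` read as a regex is a character class, not a placeholder. I would document the notation for this key in the galaxy description and keep literal names and patterns distinguishable, so detections built from the list neither over-match nor silently miss.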
@@ -9286,7 +9460,9 @@ "VictemKey_300_700", "VictemKey_700_2000", "VictemKey_2000_3000", - "VictemKey_3000", + "VictemKey_3000" + ], + "ransomnotes-filenames": [ "zXz.html" ], "refs": [ @@ -9350,7 +9526,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1 - 50", - "ransomnotes": [ + "ransomnotes-filenames": [ "RarVault.htm" ], "refs": [ @@ -9404,7 +9580,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Readme.txt" ], "refs": [ @@ -9445,7 +9621,7 @@ ], "payment-method": "Bitcoin", "price": "0.2403 (100.29 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_HOW_TO_UNLOCK.TXT", "README_HOW_TO_UNLOCK.HTML" ], @@ -9563,7 +9739,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT_YOUR_FILES.html", "###-READ-FOR-HELLPP.html", "000-PLEASE-READ-WE-HELP.html", @@ -9627,7 +9803,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECRYPT_YOUR_FILES.HTML" ], "refs": [ @@ -9646,7 +9822,7 @@ ], "payment-method": "Bitcoin", "price": "6", - "ransomnotes": [ + "ransomnotes-filenames": [ "RESTORE_ALL_DATA.html" ], "refs": [ @@ -9680,7 +9856,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "!satana!.txt" ], "refs": [ @@ -9743,7 +9919,7 @@ ], "payment-method": "Bitcoin", "price": "50 - 100 - 200 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Readme.txt" ], "refs": [ @@ -9787,7 +9963,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "文件解密帮助.txt" ], "refs": [ @@ -9820,7 +9996,7 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ + "ransomnotes-filenames": [ "_RECOVER_INSTRUCTIONS.ini" ], "refs": [ @@ -9840,7 +10016,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_IT.txt" ], "refs": [ 
@@ -9874,7 +10050,7 @@ ], "payment-method": "Bitcoin", "price": "0.66 (300 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "_HOW_TO_Decrypt.bmp" ], "refs": [ @@ -9894,7 +10070,7 @@ ], "payment-method": "Bitcoin", "price": "0.66 (300 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_Me.txt" ], "refs": [ @@ -9981,7 +10157,7 @@ "description": "Ransomware Still in development, shows FileIce survey", "meta": { "payment-method": "no ransom", - "ransomnotes": [ + "ransomnotes-filenames": [ "ThxForYurTyme.txt" ], "refs": [ @@ -10023,7 +10199,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Como descriptografar os seus arquivos.txt" ], "refs": [ @@ -10047,7 +10223,7 @@ ".xyz" ], "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_TO_SAVE_FILES.txt", "Howto_RESTORE_FILES.html" ], @@ -10087,7 +10263,7 @@ "meta": { "encryption": "AES-256 + ECHD + SHA1", "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", @@ -10120,7 +10296,7 @@ "description": "Ransomware", "meta": { "payment-method": "Bitcoin", - "ransomnotes": [ + "ransomnotes-filenames": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", @@ -10154,7 +10330,7 @@ "meta": { "payment-method": "Bitcoin", "price": "1.25", - "ransomnotes": [ + "ransomnotes-filenames": [ "HELP_DECRYPT.HTML" ] }, @@ -10171,7 +10347,7 @@ ], "payment-method": "Bitcoin", "price": "4.081", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_RESTORE_FILES.html", "DECRYPT_INSTRUCTIONS.html", "DESIFROVANI_POKYNY.html", @@ -10226,7 +10402,7 @@ "meta": { "payment-method": "Bitcoin", "price": "100 - 150 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "Payment_Instructions.jpg" ], "refs": [ @@ -10245,7 +10421,7 @@ ], "payment-method": "Bitcoin", "price": "0.23", - "ransomnotes": [ + "ransomnotes-filenames": [ "tox.html" ], "refs": [ 
@@ -10262,7 +10438,7 @@ ".braincrypt" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "!!! HOW TO DECRYPT FILES !!!.txt" ], "refs": [ @@ -10290,7 +10466,7 @@ ".no_more_ransom" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README.txt", "nomoreransom_note_original.txt" ], @@ -10345,7 +10521,7 @@ ], "payment-method": "Bitcoin", "price": "2", - "ransomnotes": [ + "ransomnotes-filenames": [ "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html" ], "refs": [ @@ -10363,7 +10539,7 @@ "umbrecrypt_ID_[VICTIMID]" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "README_DECRYPT_UMBRE_ID_[victim_id].jpg", "README_DECRYPT_UMBRE_ID_[victim_id].txt", "default32643264.bmp", @@ -10382,7 +10558,7 @@ "meta": { "payment-method": "Website", "price": "0.18", - "ransomnotes": [ + "ransomnotes-filenames": [ "Files encrypted.txt" ], "refs": [ @@ -10404,7 +10580,7 @@ ], "payment-method": "Website", "price": "2.5", - "ransomnotes": [ + "ransomnotes-filenames": [ "READTHISNOW!!!.txt", "Hellothere.txt", "YOUGOTHACKED.TXT" @@ -10424,7 +10600,7 @@ ".CCCRRRPPP" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-filenames": [ "READ_ME_!.txt" ], "refs": [ @@ -10458,7 +10634,7 @@ ], "payment-method": "Bitcoin", "price": "0.438", - "ransomnotes": [ + "ransomnotes-filenames": [ "VAULT.txt", "xort.txt", "trun.txt", @@ -10508,7 +10684,7 @@ ], "payment-method": "Bitcoin", "price": "0.15 (100 $)", - "ransomnotes": [ + "ransomnotes-filenames": [ "ReadMe.txt" ], "refs": [ @@ -10550,7 +10726,7 @@ ], "payment-method": "Bitcoin", "price": "2.5 - 3", - "ransomnotes": [ + "ransomnotes-filenames": [ "How to decrypt your data.txt" ], "refs": [ @@ -10574,7 +10750,7 @@ ], "payment-method": "Bitcoin", "price": "299 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "HOW_TO_UNLOCK_FILES_README_().txt" ], "refs": [ 
@@ -10605,8 +10781,10 @@ ], "payment-method": "Bitcoin", "price": "0.8", - "ransomnotes": [ - "HOW TO DECRYPT FILES.TXT", + "ransomnotes-filenames": [ + "HOW TO DECRYPT FILES.TXT" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dfj9G_2XkAE0ZS2.jpg", "https://pbs.twimg.com/media/Dfj9H66WkAEHazN.jpg" ], @@ -10672,7 +10850,7 @@ ], "payment-method": "Bitcoin", "price": "3", - "ransomnotes": [ + "ransomnotes-filenames": [ "how.txt" ], "refs": [ @@ -10721,7 +10899,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-filenames": [ "Take_Seriously (Your saving grace).txt" ], "refs": [ @@ -10790,7 +10968,7 @@ ], "payment-method": "Bitcoin", "price": "1.82 - 2.036", - "ransomnotes": [ + "ransomnotes-filenames": [ "WallpapeR.bmp", "ReadMe.bmp", "ReadMe.html", @@ -10823,7 +11001,7 @@ ], "payment-method": "Bitcoin", "price": "0.122", - "ransomnotes": [ + "ransomnotes-filenames": [ "DECODE_FILES.txt" ], "refs": [ @@ -10841,7 +11019,7 @@ ".pr0tect" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg" ], "refs": [ @@ -10859,7 +11037,7 @@ ], "payment-method": "PaySafeCard", "price": "50 €", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg" ], "refs": [ @@ -10877,7 +11055,7 @@ ".OXR" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg" ], "refs": [ @@ -10895,7 +11073,7 @@ ], "payment-method": "Bitcoin", "price": "0.5", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg" ], "refs": [ 
@@ -10928,7 +11106,7 @@ ], "payment-method": "Bitcoin", "price": "250 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg" ], "refs": [ @@ -10944,7 +11122,7 @@ "meta": { "payment-method": "Bitcoin", "price": "2 100 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "RESTORE_INFO-[id].txt" ], "refs": [ @@ -10976,7 +11154,7 @@ ], "payment-method": "Bitcoin", "price": "0.1", - "ransomnotes": [ + "ransomnotes-filenames": [ "readme.html", "readme.png" ], 
@@ -11055,9 +11233,11 @@ "payment-method": "Bitcoin", "price": "0.2 - 0.4 - 2", "ransomnotes": [ - "_READ_ME_FOR_DECRYPT.txt", "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:" ], + "ransomnotes-filenames": [ + "_READ_ME_FOR_DECRYPT.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/", "https://id-ransomware.blogspot.com/2017/11/storagecrypter.html" 
@@ -11075,9 +11255,11 @@ "payment-method": "Bitcoin", "price": "500 - 700 $", "ransomnotes": [ - "RECOVERY.txt", "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK" ], + "ransomnotes-filenames": [ + "RECOVERY.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/", "https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html" 
@@ -11139,21 +11321,25 @@ ], "payment-method": "Bitcoin Email", "ransomnotes": [ + "Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!", + "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. 
You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", + "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future." 
+ ], + "ransomnotes-filenames": [ "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT", "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT", "HOW TO RECOVER ENCRYPTED FILES.TXT", - "Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!", "INSTRUCTIONS FOR RESTORING FILES.TXT", - "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. 
The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", "!!!ReadMeToDecrypt.txt", - "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.", + "_How to restore files.TXT", + "How to restore encrypted files.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg", - "_How to restore files.TXT", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg", - "https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg", - "How to restore encrypted files.txt" + "https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", 
@@ -11183,9 +11369,11 @@ "payment-method": "Bitcoin", "price": "0.00725", "ransomnotes": [ - "HOW TO DECRYPT FILES.url", "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section." ], + "ransomnotes-filenames": [ + "HOW TO DECRYPT FILES.url" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/", "http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html" 
@@ -11260,13 +11448,17 @@ "payment-method": "Dash", "price": "1 - 3", "ransomnotes": [ - "GDCB-DECRYPT.txt", - "CRAB-Decrypt.txt", - "https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg", "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. 
Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can't download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. Download and install qTOX on your PC.\n3. Open it, click \"New Profile\" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "ENCRYPTED BY GANDCRAB 3\n\nDEAR [user_name],\n\nYOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR\n\nFor further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.", - " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. 
Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! ", + " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. 
This will result in the loss of your data forever! " + ], + "ransomnotes-filenames": [ + "GDCB-DECRYPT.txt", + "CRAB-Decrypt.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg", "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/gandcrab-fallout.jpg" ], "refs": [ 
@@ -11369,17 +11561,21 @@ "payment-method": "Bitcoin", "price": "750 $", "ransomnotes": [ - "How_return_files.txt", - "Image.jpg", "Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.", "WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.", - "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com", - "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com", "ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! 
Не пытайтесь удалить программу или запустить антивирусные программы.", - "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg", - "https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg", "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again." ], + "ransomnotes-filenames": [ + "How_return_files.txt", + "Image.jpg", + "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com", + "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com" + ], + "ransomnotes-refs": [ + "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg", + "https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg" + ], "refs": [ "https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks", "https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/", @@ -11399,7 +11595,9 @@ "meta": { "payment-method": "Bitcoin", "ransomnotes": [ - "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!", + "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!" + ], + "ransomnotes-filenames": [ "README_DECRYPT.txt" ], "refs": [ 
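Review bot: In the `@@ -11369,17 +11561,21 @@` hunk, the two short messages `"Привет мой друг!\n…"` and `"Hello my friend!\nAll files on your PC encryphted!…"` are moved into `"ransomnotes-filenames"`, but they are note text containing e-mail addresses, not file names. They should stay in `"ransomnotes"`, leaving only `"How_return_files.txt"` and `"Image.jpg"` in the filenames list. The reverse problem appears in `@@ -11549,9 +11757,11 @@`, where `"UNCRYPT.README"` remains in `"ransomnotes"`, and in `@@ -11922,15 +12146,19 @@`, where `"%UserProfile%wall.i"` remains there, although both look like file names or paths. Anything that uses `ransomnotes-filenames` as a file-name indicator list for detection or triage will miss those two names and will carry two multi-line strings that can never match a file on disk.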
@@ -11414,9 +11612,11 @@
 "meta": {
 "payment-method": "Bitcoin Email (Tor)",
 "ransomnotes": [
- "Zenis-Instructions.html",
 "*** All your files has been encrypted ***\n\nI am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.\n\nIf you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.\n\nMy instructions are simple and clear. Then follow these steps:\n\n1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.\n\n2. I decrypt your file for free and send for you.\n\n3. If you confirm the correctness of the files, verify that the files are correct via email\n\n4. Then receive the price of decrypting files\n\n5. After you have deposited, please send me the payment details\n\n6. After i confirm deposit, i send you the \"Zenis Decryptor\" along with \"Private Key\" to recovery all your files.\n\nNow you can finish the game. You won the game. congratulations.\n\n\nPlease submit your request to both emails:\n\nTheZenis@Tutanota.com\n\nTheZenis@MailFence.com\n\nIf you did not receive an email after six hours, submit your request to the following emails:\n\nTheZenis@Protonmail.com\n\nTheZenis@Mail2Tor.com (On the TOR network)\n\n\nWarning: 3rd party and public programs, It may cause irreversible damage to your files. And your files will be lost forever."
 ],
+ "ransomnotes-filenames": [
+ "Zenis-Instructions.html"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/",
 "https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html"
@@ -11445,9 +11645,11 @@ ], "payment-method": "Monero miner on the computer", "ransomnotes": [ - "HOW-TO-DECRYPT-FILES.txt", " ____ __ __ ____ __\n / __ ) / /____ _ _____ / /__ / __ \\ __ __ / /_ __ __\n / __ |/ // __ `// ___// //_/ / /_/ // / / // __ \\ / / / /\n / /_/ // // /_/ // /__ / ,< / _, _// /_/ // /_/ // /_/ /\n /_____//_/ \\__,_/ \\___//_/|_| /_/ |_| \\__,_//_.___/ \\__, /\n /____/\n\n===================== Identification Key =====================\n\n[id]\n\n===================== Identification Key =====================\n\n[Can not access your files?]\n\nCongratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.\nOur hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.\n\nThis time, we are guest with a new souvenir called \"Black Ruby\". A ruby ​​in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.\n\nSo let's talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.\nIt does not matter if you're a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it's important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.\n\nThe breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.\nWe are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone. 
We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility. you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.\n\nDo not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.\n\n ========================================================================================================================\n\n [HOW TO DECRYPT FILES]\n\n 1. Copy \"Identification Key\".\n 2. Send this key with two encrypted files (less than 5 MB) for trust us to email address \"TheBlackRuby@Protonmail.com\".\n 3. We decrypt your two files and send them to your email.\n 4. After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is \"19S7k3zHphKiYr85T25FnqdxizHcgmjoj1\".\n 5. You get \"Black Ruby Decryptor\" Along with the private key of your system.\n 6. Everything returns to the normal and your files will bereleased.\n\n========================================================================================================================\n\n[What is encryption?]\n\nEncryption is a reversible modification of information for security reasons but providing full access to it for authorised users.\n To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an \"Personal Identification Key\". But not only it. 
It is required also to have the special decryption software\n(in your case “Black Ruby Decryptor” software) for safe and complete decryption of all your files and data.\n\n[Everything is clear for me but what should I do?]\n\n The first step is reading these instructions to the end. Your files have been encrypted with the “Black Ruby Ransomware” software; the instructions (“HOW-TO-DECRYPT-FILES.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Black Ruby Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.\n\n[Have you got advice?]\n\n[*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***]\nThe most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. \nFinally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Black Ruby Ransomware” software may be fatal for your files.\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." 
], + "ransomnotes-filenames": [ + "HOW-TO-DECRYPT-FILES.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/", "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf" 
@@ -11465,9 +11667,11 @@ ], "payment-method": "Website Tor", "ransomnotes": [ - "HOW-TO-RECOVERY-FILES.TXT", "[Rose ASCII art]\n\n[WhiteRose written in ASCII art]\n\nThe singing of the sparrows, the breezes of the northern mountains and smell of the earth that was raining in the morning filled the entire garden space. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day.\n\nBehind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish and my right, trees full of spring white blooms.\n\n I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend.\n\nI have neither a pet, nor a friend or an enemy; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices in this big garden are an old laptop for do projects and an iPhone for check out the news feeds for malware analytics on Twitter without likes posts.\n\nBelieve me, my only assets are the white roses of this garden. I think of days and write at night: the story, poem, code, exploit or the accumulation of the number of white roses sold and I say to myself that the wealth is having different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses.\n\nToday, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the worth of unity, intimacy, joy and love and is the decision to release white roses and to give gifts to all peoples of the world.\n\nI do not think about selling white roses again. 
This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.\n\nI hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.\n\nThank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\n[Recovery Instructions]\n\n I. Download qTox on your computer from [https://tox.chat/download.html]\nII. Create new profile then enter our ID in search contacts\n Our Tox ID: \"6F548F217897AA4140FB4C514C8187F2FFDBA3CAFC83795DEE2FBCA369E689006B7CED4A18E9\". III. Wait for us to accept your request.\nIV. Copy '[PersonalKey]' in \"HOW-TO-RECOVERY-FILES.TXT\" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat.\n IV.I. Only if you did not receive a reply after 24 hours from us, send your message to our secure tor email address \"TheWhiteRose@Torbox3uiot6wchz.onion\".\n IV.II. For perform \"Step IV.I\" and enter the TOR network, you must download tor and register in \"http://torbox3uiot6wchz.onion\" Mail Service)\nV. We decrypt your two files and we will send you.\nVI. After ensuring the integrity of the files, We will send you payment info.\nVII. 
Now after payment, you get \"WhiteRose Decryptor\" Along with the private key of your system.\nVIII.Everything returns to the normal and your files will be released.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\nWhat is encryption?\n\n In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. in your case “WhiteRose Decryptor” software for safe and complete decryption of all your files and data.\n\nAny other way?\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." ], + "ransomnotes-filenames": [ + "HOW-TO-RECOVERY-FILES.TXT" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/", "http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html" 
@@ -11484,7 +11688,7 @@
 ],
 "payment-method": "Game",
 "price": "Play to decrypt",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/p/pubg-ransomware/pubg-ransomware.jpg"
 ],
 "refs": [
@@ -11503,8 +11707,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.5 - 1",
- "ransomnotes": [
- "How To Decode Files.hta",
+ "ransomnotes-filenames": [
+ "How To Decode Files.hta"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
 ],
 "refs": [
@@ -11528,9 +11734,11 @@ "payment-method": "Bitcoin", "price": "0.2", "ransomnotes": [ - "READ_ME_FOR_DECRYPT_[id].txt", " ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n\n 2. In the \"Tor Browser\" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via \"Tor Browser\" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using \"Tor Browser\":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!" ], + "ransomnotes-filenames": [ + "READ_ME_FOR_DECRYPT_[id].txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/", "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/", 
@@ -11549,9 +11757,11 @@
 "payment-method": "Bitcoin",
 "price": "10 000 $",
 "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg",
 "UNCRYPT.README"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg"
+ ],
 "refs": [
 "https://twitter.com/siri_urz/status/981191281195044867",
 "http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html"
@@ -11592,9 +11802,11 @@ ".FUCK" ], "ransomnotes": [ - "https://pastebin.com/xkRaRytW", "What Happened to My Computer?\nYour important files are encrypted.\nMany of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.\n\nCan I Recover My Files?\nSure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.\nBut if you want to decrypt all your files, you need to pay.\n\nHow Do I Pay?\nPayment is accepted in Bitcoin only.\nPlease check the current price of Bitcoin and buy some bitcoins.\nAnd send the correct amount to the address specified in this window.\n\nWe strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!\nOnce the payment is sent, send us an e-mail to the specified address specifying your \"Client ID\", you will be sent your decryption key in return.\nHow to buy Bitcoins?\n\nStep 1 : Create a portfolio on the Blockchain website at the address : https://blockchain.info/fr/wallet/#/signup\nStep 2 : Sign in to your account you just created and purchase the amount shown : https://blockchain.info/wallet/#/buy-sell\n Step 3 : Send the amount to the indicated Bitcoin address, once this is done send us an email with your \"Client ID\" you can retreive this in the file \"instruction.txt\" or \"Whats Appens With My File.s.txt\" in order to ask us the key of decryption of your data.\n\nContact us at : spaghetih@protonmail.com\nSend 20$ to Bitcoin at 1MFA4PEuDoe2UCKgabrwm8P4KztASKtiuv if you want decrypt your files !\nYour Client ID is : [id]" ], + "ransomnotes-refs": [ + 
"https://pastebin.com/xkRaRytW" + ], "refs": [ "https://twitter.com/demonslay335/status/981270787905720320" ] @@ -11693,16 +11905,18 @@ ], "payment-method": "Bitcoin", "price": "1 200 yuan (180,81 $)", - "ransomnotes": [ - "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", - "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg", + "ransomnotes-filenames": [ "_@XiaoBa@_.bmp", "_@Explanation@_.hta", "_XiaoBa_Info_.hta", "_XiaoBa_Info_.bmp", - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg", "# # DECRYPT MY FILE # #.bmp" ], + "ransomnotes-refs": [ + "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", + "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg", + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/", "https://twitter.com/malwrhunterteam/status/923847744137154560", 
@@ -11727,7 +11941,9 @@ "payment-method": "Bitcoin", "price": "7000 $", "ransomnotes": [ - "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser...", + "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser..." + ], + "ransomnotes-refs": [ "https://sensorstechforum.com/wp-content/uploads/2018/04/stf-NMCRYPT-ransomware-virus-ransom-note-tor-onion-network-page-768x827.png" ], "refs": [ 
@@ -11744,9 +11960,11 @@
 "payment-method": "Bitcoin",
 "price": "0.2",
 "ransomnotes": [
- "!HELP_YOUR_FILES.HTML",
 "We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…"
 ],
+ "ransomnotes-filenames": [
+ "!HELP_YOUR_FILES.HTML"
+ ],
 "refs": [
 "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html",
 "http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html"
@@ -11762,7 +11980,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.007305 - 0.05",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg"
 ],
 "refs": [
@@ -11781,8 +11999,10 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.14",
- "ransomnotes": [
- "HOW DECRIPT FILES.hta",
+ "ransomnotes-filenames": [
+ "HOW DECRIPT FILES.hta"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/c/compiled-ransomware/ransom-note.jpg"
 ],
 "refs": [
@@ -11819,7 +12039,9 @@ "price": "2500 $", "ransomnotes": [ "SIGRUN 1.0 RANSOMWARE\n\nAll your important files are encrypted\n\nYour files has been encrypted by sigrun ransomware with unique decryption key.\n\nThere is only one way to get your files back: contact with us, pay, and get decryptor software. \n\nWe accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.\n\nYou have unique idkey (in a yellow frame), write it in letter when contact with us.\n\nAlso you can decrypt 3 files for test, its guarantee what we can decrypt your files.\n\nIDKEY:\n>>> [id_key] <<<\nContact information:\n\nemail: sigrun_decryptor@protonmail.ch", - "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]", + "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! 
You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]" + ], + "ransomnotes-filenames": [ "RESTORE-SIGRUN.html", "RESTORE-SIGRUN.txt" ], @@ -11838,7 +12060,7 @@ ".crybrazil" ], "payment-method": "Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg" ], "refs": [ @@ -11855,7 +12077,7 @@ "meta": { "payment-method": "Bitcoin", "price": "0.0065 (50 $)", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg" ], "refs": [ @@ -11873,8 +12095,10 @@ ".DiskDoctor" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ - "HOW TO RECOVER ENCRYPTED FILES.TXT", + "ransomnotes-filenames": [ + "HOW TO RECOVER ENCRYPTED FILES.TXT" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg" ], "refs": [ @@ -11896,7 +12120,7 @@ ], "payment-method": "Bitcoin", "price": "0.1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg" ], "refs": [ 
@@ -11922,15 +12146,19 @@ "payment-method": "Bitcoin", "price": "100 - 500", "ransomnotes": [ - "#RECOVERY-PC#.txt", "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================", - "!-GET_MY_FILES-!.txt", - "@_RESTORE-FILES_@.txt", "%UserProfile%wall.i", - "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg", - "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg", "==========================# zorro ransomware #==========================\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nRandom key is encrypted with RSA public key (2048 bit)\n.We STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you need to get the RSA-key from us.\n--\nTo obtain an RSA-key, follow these steps in order:\n1. pay this sum 500$ to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac\n2. 
write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.\nIn the reply letter you will receive an RSA-key and instructions on what to do next.\nWe guarantee you the recovery of files, if you do it right.\n==========================# zorro ransomware #==========================" ], + "ransomnotes-filenames": [ + "#RECOVERY-PC#.txt", + "!-GET_MY_FILES-!.txt", + "@_RESTORE-FILES_@.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg", + "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg" + ], "refs": [ "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/", @@ -11952,7 +12180,7 @@ ], "payment-method": "Bitcoin", "price": "500 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg", "http://id-ransomware.blogspot.com/2018/05/pgpsnippet-ransomware.html" ], @@ -11985,7 +12213,7 @@ ], "payment-method": "Bitcoin", "price": "100 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/15/DfQI_lnXUAAukGK[1].jpg" ], "refs": [ @@ -12018,7 +12246,7 @@ "_V.0.0.0.1{paradise@all-ransomware.info}.prt" ], "payment-method": "Bitcoin Email", - "ransomnotes": [ + "ransomnotes-filenames": [ "PARADISE_README_paradise@all-ransomware.info.txt" ], "refs": [ 
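Review bot: In the `@@ -11952,7 +12180,7 @@` hunk, renaming the whole `"ransomnotes"` array to `"ransomnotes-refs"` carries `"http://id-ransomware.blogspot.com/2018/05/pgpsnippet-ransomware.html"` along with the screenshot URL. That entry looks like a write-up page rather than an image of the note, so it would fit better in the `"refs"` array of the same entry, which opens right after the renamed list. The rest of `"refs"` lies outside the hunk, so check the URL is not already listed there before moving it.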
@@ -12041,10 +12269,12 @@ "price": "0.1 - 0.3", "ransomnotes": [ "Your files were encrypted with AES-256.\n\nAsk how to restore your files by email reycarnasi1983@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: reycarnasi1983@torbox3uiot6wchz.onion\nATTENTION: e-mail (reycarnasi1983@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]-----END KEY-----", - "ScrewYou.txt", - "Readme.txt", "Your files were encrypted with AES-256.\n\nAsk how to restore your files by email ssananunak1987@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. 
If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: ssananunak1987@torbox3uiot6wchz.onion\nATTENTION: e-mail (ssananunak1987@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]" ], + "ransomnotes-filenames": [ + "ScrewYou.txt", + "Readme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1006220895302705154", "https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html" 
@@ -12061,9 +12291,11 @@ ], "payment-method": "Email Tor", "ransomnotes": [ - "Readme.txt", "Hello. Your files have been encrypted.\n\nFor help, write to this e-mail: codyprince92@mail.com\nAttach to the letter 1-2 files (no more than 3 MB) and your personal key.\n\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: codyprince@torbox3uiot6wchz.onion\n\n\nATTENTION: e-mail (codyprince@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n\n\nYour personal key:\n\n[redacted hex]" ], + "ransomnotes-filenames": [ + "Readme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1006237353474756610", "http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html" @@ -12079,9 +12311,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "Notice.txt", "Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail.com to get your decryption key.\nYour USERKEY: [redacted 1024 bytes in base64]" ], + "ransomnotes-filenames": [ + "Notice.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1007334654918250496" ] @@ -12099,7 +12333,7 @@ ], "payment-method": "Bitcoin", "price": "3003 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg" ], "refs": [ 
@@ -12140,8 +12374,12 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "_How_to_decrypt_files.txt", - "Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:", + "Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:" + ], + "ransomnotes-filenames": [ + "_How_to_decrypt_files.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/DBGer/DBGer-ransom-note.png" ], "refs": [ 
@@ -12214,9 +12452,11 @@ "payment-method": "Bitcoin", "price": "300 $", "ransomnotes": [ - "!!!KEYPASS_DECRYPTION_INFO!!!.txt", "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]" ], + "ransomnotes-filenames": [ + "!!!KEYPASS_DECRYPTION_INFO!!!.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/", "https://www.kaspersky.com/blog/keypass-ransomware/23447/" @@ -12238,9 +12478,11 @@ ], "payment-method": "Bitcoin", "price": "200 - 600 $", - "ransomnotes": [ + "ransomnotes-filenames": [ + "!readme.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg", - "!readme.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsobVENXcAAR3GC[1].jpg" ], "refs": [ 
@@ -12258,9 +12500,11 @@ "meta": { "payment-method": "Bitcoin", "ransomnotes": [ - "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg", "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information." ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg" + ], "refs": [ "https://twitter.com/malwrhunterteam/status/1032242391665790981", "https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/", @@ -12282,8 +12526,10 @@ ], "payment-method": "Bitcoin", "price": "200 $", - "ransomnotes": [ - "CRYPTONAR RECOVERY INFORMATION.txt", + "ransomnotes-filenames": [ + "CRYPTONAR RECOVERY INFORMATION.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg" ], "refs": [ 
@@ -12340,8 +12586,12 @@ "payment-method": "Bitcoin", "price": "0.5", "ransomnotes": [ - "IMPORTANT ABOUT DECRYPT.txt", - "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.", + "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system." + ], + "ransomnotes-filenames": [ + "IMPORTANT ABOUT DECRYPT.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg" ], "refs": [ 
@@ -12358,7 +12608,7 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "80 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
 ],
 "refs": [
@@ -12380,7 +12630,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100 - 500 $",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg"
 ],
 "refs": [
@@ -12399,10 +12649,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "100 $",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg",
+ "ransomnotes-filenames": [
 "README.txt"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
 "https://twitter.com/siri_urz/status/1035138577934557184"
@@ -12419,11 +12671,13 @@
 "meta": {
 "payment-method": "Bitcoin",
 "price": "400 $",
- "ransomnotes": [
+ "ransomnotes-filenames": [
+ "ReadMe.txt"
+ ],
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg",
 "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg",
- "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg",
- "ReadMe.txt"
+ "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/"
@@ -12456,7 +12710,7 @@ "meta": { "payment-method": "Dollars", "price": "80", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], "refs": [ @@ -12475,8 +12729,10 @@ ".SAVEfiles." ], "payment-method": "Email", - "ransomnotes": [ - "!!!SAVE__FILES__INFO!!!.txt", + "ransomnotes-filenames": [ + "!!!SAVE__FILES__INFO!!!.txt" + ], + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], "refs": [ @@ -12495,10 +12751,14 @@ "payment-method": "Won", "price": "50 000 (50 $)", "ransomnotes": [ - "Warning!!!!!!.txt", - "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg", "한국어: 경고!!! 모든 문서, 사진, 데이테베이스 및 기타 중요한 파일이 암호화되었습니다!!\n당신은 돈을 지불해야 합니다\n비트코인 5만원을 fasfry2323@naver.com로 보내십시오 비트코인 지불코드: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX 결제 사이트 http://www.localbitcoins.com/ \nEnglish: Warning!!! All your documents, photos, databases and other important personal files were encrypted!!\nYou have to pay for it.\nSend fifty thousand won to fasfry2323@naver.com Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/" ], + "ransomnotes-filenames": [ + "Warning!!!!!!.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/" ] 
@@ -12515,10 +12775,14 @@ "payment-method": "Bitcoin", "price": "0.1", "ransomnotes": [ - "DECRYPTING.txt", - "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg", "+-----------------------+\n¦----+CommonRansom+-----¦\n+-----------------------+\nHello dear friend,\nYour files were encrypted!\nYou have only 12 hours to decrypt it\nIn case of no answer our team will delete your decryption password\nWrite back to our e-mail: old@nuke.africa\n\n\nIn your message you have to write:\n1. This ID-[VICTIM_ID]\n2. [IP_ADDRESS]:PORT(rdp) of infected machine\n3. Username:Password with admin rights\n4. Time when you have paid 0.1 btc to this bitcoin wallet:\n35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF\n\n\nAfter payment our team will decrypt your files immediatly\n\n\nFree decryption as guarantee:\n1. File must be less than 10MB\n2. Only .txt or .lnk files, no databases\n3. Only 5 files\n\n\nHow to obtain bitcoin:\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/" ], + "ransomnotes-filenames": [ + "DECRYPTING.txt" + ], + "ransomnotes-refs": [ + "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/" ] 
@@ -12550,9 +12814,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "readmy.txt", "Attention! All your files are encrypted!\nTo recover your files and access them,\nsend a message with your id to email DecryptFox@protonmail.com\n \nPlease note when installing or running antivirus will be deleted\n important file to decrypt your files and data will be lost forever!!!!\n \nYou have 5 attempts to enter the code. If you exceed this\nthe number, all the data, will be irreversibly corrupted. Be\ncareful when entering the code!\n \nyour id [redacted 32 lowercase hex]" ], + "ransomnotes-filenames": [ + "readmy.txt" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", "https://twitter.com/demonslay335/status/1049325784979132417" @@ -12569,7 +12835,7 @@ ], "payment-method": "Bitcoin", "price": "780 $", - "ransomnotes": [ + "ransomnotes-filenames": [ "#RECOVERY_FILES#.txt" ], "refs": [ @@ -12588,7 +12854,7 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/mvp.jpg" ], "refs": [ 
@@ -12605,9 +12871,11 @@
 "payment-method": "Bitcoin",
 "price": "0.8",
 "ransomnotes": [
- "read_me_for_recover_your_files.txt",
 "All your important files on this device have been encrypted.\n\nNo one can decrypt your files except us.\n\nIf you want to recover all your files. contact us via E-mail.\nDON'T forget to send us your ID!!!\n\nTo recover your files,You have to pay 0.8 bitcoin.\n\n\n\n\nContact Email : Leviathan13@protonmail.com\n\nYour ID :\n\n[redacted 0x200 bytes in base64 form]\n\n\nFree decryption as guarantee\n\nIf you can afford the specified amount of bitcoin,\nyou can send to us up to 2 files for demonstration.\n\nPlease note that files must NOT contain valuable information\nand their total size must be less than 2Mb."
 ],
+ "ransomnotes-filenames": [
+ "read_me_for_recover_your_files.txt"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
 ""
@@ -12638,7 +12906,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.002 (50 $)",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg"
 ],
 "refs": [
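Review bot: The `refs` list at the end of the hunk at -12605 closes with an empty string, `""`, which this change carries over untouched. An empty entry is not a reference, and a consumer that turns `refs` values into links or attributes will emit a blank one. Drop it so the list reads `"refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/" ]`. The closing bracket of the list lies outside the hunk.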
@@ -12661,9 +12929,11 @@ "payment-method": "Bitcoin", "price": "25 000 sek (sweden)", "ransomnotes": [ - "aboutYourFiles.txt", "Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n* the bitcoin address you sent from (important, write it down when you do the transaction)\n* the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress: \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT: \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me. \n\n\n\nID: [redacted 13 numbers]" ], + "ransomnotes-filenames": [ + "aboutYourFiles.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1059470985055875074", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/" 
@@ -12679,9 +12949,11 @@
 ],
 "payment-method": "Bitcoin",
 "price": "300 $",
- "ransomnotes": [
+ "ransomnotes-filenames": [
 "how to get back you files.txt",
- "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com",
+ "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com"
+ ],
+ "ransomnotes-refs": [
 "https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
 ],
 "refs": [
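Review bot: The new `ransomnotes-filenames` list in this hunk still holds the full note text (the string beginning `Attention`) next to `how to get back you files.txt`; only the image URL was split off into `ransomnotes-refs`. Note text belongs under `ransomnotes`, as the other hunks of this patch do it: `"ransomnotes": [ "<note text>" ], "ransomnotes-filenames": [ "how to get back you files.txt" ]`. As written, tooling that matches `ransomnotes-filenames` against file names on disk receives a multi-line string, and the entry has no `ransomnotes` text at all. Patch 3/3 moves note text out of `ransomnotes-filenames` for other entries, but whether it covers this one is not visible in this part of the series.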
@@ -12698,7 +12970,7 @@
 ".Vapor"
 ],
 "payment-method": "Email",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg"
 ],
 "refs": [
@@ -12717,7 +12989,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.00000001",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg"
 ],
 "refs": [
@@ -12736,11 +13008,13 @@
 ],
 "payment-method": "Bitcoin",
 "price": "999999.5",
- "ransomnotes": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg",
+ "ransomnotes-filenames": [
 "!=How_recovery_files=!.html"
 ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg"
+ ],
 "refs": [
 "https://twitter.com/petrovic082/status/1065223932637315074",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
@@ -12761,7 +13035,7 @@
 ],
 "payment-method": "Bitcoin",
 "price": "0.00000001",
- "ransomnotes": [
+ "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg",
 "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg",
 "https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg"
@@ -12784,9 +13058,11 @@ "payment-method": "Bitcoin", "price": "1", "ransomnotes": [ - "_How_To_Decrypt_My_File_.txt", "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]" ], + "ransomnotes-filenames": [ + "_How_To_Decrypt_My_File_.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1067109661076262913", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/" @@ -12817,7 +13093,7 @@ ".israbye" ], "payment-method": "Politic", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg", "https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg" ], @@ -12836,7 +13112,7 @@ "prepend (encrypted)" ], "payment-method": "Bitcoin Website", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg" ], "refs": [ @@ -12864,9 +13140,11 @@ ".FJ7QvaR9VUmi" ], "payment-method": "Email", - "ransomnotes": [ + "ransomnotes-filenames": [ + "DECRYPT.txt" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg", - "DECRYPT.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/14/Dt-APfCW0AADWV8[1].jpg" ], "refs": [ @@ -12889,7 +13167,7 @@ ], "payment-method": "Bitcoin", "price": "900 $", - "ransomnotes": [ + "ransomnotes-refs": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg" ], "refs": [ @@ -12922,8 +13200,10 @@ ], "payment-method": "Bitcoin", "price": "1", - "ransomnotes": [ - "README_BACK_FILES.htm", + "ransomnotes-filenames": [ + "README_BACK_FILES.htm" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg" ], "refs": [ 
@@ -12943,9 +13223,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "!!!READ_IT!!!.txt", "!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]" ], + "ransomnotes-filenames": [ + "!!!READ_IT!!!.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1072164314608480257" ] @@ -12959,8 +13241,10 @@ ".locked" ], "payment-method": "Email", - "ransomnotes": [ - "ODSZYFRFUJ_PLIKI_TERAZ.txt", + "ransomnotes-filenames": [ + "ODSZYFRFUJ_PLIKI_TERAZ.txt" + ], + "ransomnotes-refs": [ "https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg" ], "refs": [ 
@@ -12977,9 +13261,11 @@ ], "payment-method": "Email", "ransomnotes": [ - "_openme.txt", "---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]" ], + "ransomnotes-filenames": [ + "_openme.txt" + ], "refs": [ "https://twitter.com/demonslay335/status/1072907748155842565" ] @@ -13152,4 +13438,4 @@ } ], "version": 62 -} +} \ No newline at end of file From f5a7efaadc81b2cdb1e9b3589ef5c4a4d365cbca Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 23 May 2019 12:39:53 +0200 Subject: [PATCH 2/3] jq --- clusters/ransomware.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 7ea0968..3a97015 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13438,4 +13438,4 @@ } ], "version": 62 -} \ No newline at end of file +} From 9d8d5ce1c845a2ee7679b46f930a3b88300b4142 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Thu, 23 May 2019 16:23:09 +0200 Subject: [PATCH 3/3] fix ransomware ransomnotes --- clusters/ransomware.json | 48 ++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 3a97015..1eae530 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -94,7 +94,7 @@ "meta": { "date": "March 2017", "encryption": "AES-128", - "ransomnotes-filenames": [ + "ransomnotes": [ "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com" ], "refs": [ @@ -695,7 +695,7 @@ "extensions": [ ".damage" ], - "ransomnotes-filenames": [ + "ransomnotes": [ "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" ], "refs": [ 
@@ -1302,10 +1302,12 @@ ".<7_random_letters>" ], "payment-method": "Email", + "ransomnotes": [ + "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + ], "ransomnotes-filenames": [ "encrypted_readme.txt", - "__encrypted_readme.txt", - "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. 
Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + "__encrypted_readme.txt" ], "ransomnotes-refs": [ "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png" 
@@ -3686,15 +3688,15 @@
 "ransomnotes": [
 "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
 "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
- "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
+ "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
+ "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
 ],
 "ransomnotes-filenames": [
 "README.txt",
 "README.jpg",
 "Info.hta",
 "FILES ENCRYPTED.txt",
- "INFO.hta",
- "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com"
+ "INFO.hta"
 ],
 "ransomnotes-refs": [
 "https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
@@ -4716,7 +4718,7 @@
 "encryption": "AES-256",
 "payment-method": "Bitcoin",
 "price": "2",
- "ransomnotes-filenames": [
+ "ransomnotes": [
 "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
 ],
 "refs": [
@@ -6541,7 +6543,14 @@
 "payment-method": "Bitcoin",
 "price": "1.2 (500$) - 2.4",
 "ransomnotes-filenames": [
- "de_crypt_readme.bmp, .txt, .html"
+ "de_crypt_readme.bmp",
+ "de_crypt_readme.txt",
+ "de_crypt_readme.html",
+ "[victim_id].html",
+ "[victim_id].bmp",
+ "!Recovery_[victim_id].bmp",
+ "!Recovery_[victim_id].html",
+ "!Recovery_[victim_id].txt"
 ],
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
@@ -6573,7 +6582,9 @@
 "payment-method": "Bitcoin",
 "price": "1.2 (500$) - 2.4",
 "ransomnotes-filenames": [
- ".txt, .html, .bmp"
+ ".txt",
+ ".html",
+ ".bmp"
 ],
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
@@ -7470,7 +7481,8 @@
 "payment-method": "Bitcoin",
 "price": "0.5(190 - 250 $)",
 "ransomnotes-filenames": [
- "UNLOCK_FILES_INSTRUCTIONS.html and .txt"
+ "UNLOCK_FILES_INSTRUCTIONS.html",
+ "UNLOCK_FILES_INSTRUCTIONS.txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/",
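Review bot: The five `[victim_id]` names added in the @@ -6541 hunk are templates rather than literal filenames, and they use square brackets where an earlier list in this file (context of the @@ -1302 hunk) writes a placeholder as `<7_random_letters>`. A consumer that compares `ransomnotes-filenames` values literally will never match them, and one that treats the values as patterns would read `[victim_id]` as a character class. Using one placeholder convention across the file, for example `"<victim_id>.html"` and `"!Recovery_<victim_id>.txt"`, would let tooling recognise templated entries uniformly. These names also go beyond splitting the removed `"de_crypt_readme.bmp, .txt, .html"` string, so it is worth confirming that one of the entry's `refs` documents them.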
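Review bot: `".txt"`, `".html"` and `".bmp"` in the @@ -6573 hunk are bare extensions, not ransom-note filenames, so splitting the old `".txt, .html, .bmp"` string makes the list well-formed without making it usable. If detection content is generated from `ransomnotes-filenames`, suffix matching on these values would hit every text, HTML and bitmap file on a host, while exact matching would hit nothing. Where the base name is unknown for this variant I would leave the list empty until a sample or reference supplies it. The sibling entry in the @@ -6541 hunk shows what complete names look like.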
@@ -11564,13 +11576,13 @@
 "Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
 "WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.",
 "ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.",
- "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again."
+ "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.",
+ "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
+ "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
 ],
 "ransomnotes-filenames": [
 "How_return_files.txt",
- "Image.jpg",
- "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com",
- "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com"
+ "Image.jpg"
 ],
 "ransomnotes-refs": [
 "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg",
@@ -12949,10 +12961,12 @@
 ],
 "payment-method": "Bitcoin",
 "price": "300 $",
- "ransomnotes-filenames": [
- "how to get back you files.txt",
+ "ransomnotes": [
 "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com"
 ],
+ "ransomnotes-filenames": [
+ "how to get back you files.txt"
+ ],
 "ransomnotes-refs": [
 "https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg"
 ],