diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 750cb65..6bf9bb9 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -18,14 +18,14 @@
 "extensions": [
 "RANDOM 3 LETTERS ARE ADDED"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1(300$)",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1(300$)"
+ ]
 },
 "uuid": "81b4e3ac-aa83-4616-9899-8e19ee3bb78b",
 "value": "Nhtnwcuf Ransomware (Fake)"
@@ -38,15 +38,15 @@
 "extensions": [
 "RANDOM 3 LETTERS ARE ADDED"
 ],
+ "payment-method": "Bitcoin",
+ "price": "250 €",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html",
 "https://twitter.com/jiriatvirlab/status/838779371750031360"
- ],
- "payment-method": "Bitcoin",
- "price": "250 €"
+ ]
 },
 "uuid": "a8187609-329a-4de0-bda7-7823314e7db9",
 "value": "CryptoJacky Ransomware"
@@ -56,14 +56,14 @@
 "meta": {
 "date": "March 2017",
 "encryption": "AES-128",
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "b97f07c4-136a-488a-9fa0-35ab45fbfe36",
 "value": "Kaenlupuf Ransomware"
@@ -76,6 +76,7 @@
 "extensions": [
 "example:.encrypted.contact_here_me@india.com.enjey"
 ],
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png"
 ],
@@ -83,8 +84,7 @@
 "https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/",
 "https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "e98e6b50-00fd-484e-a5c1-4b2363579447",
 "value": "EnjeyCrypter Ransomware"
@@ -111,6 +111,8 @@
 "extensions": [
 ".aes"
 ],
+ "payment-method": "Dollars",
+ "price": "199",
 "ransomnotes": [
 "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID ="
 ],
@@ -120,9 +122,7 @@
 ],
 "synonyms": [
 "Ŧl๏tєгค гคภร๏๓ฬคгє"
- ],
- "payment-method": "Dollars",
- "price": "199"
+ ]
 },
 "uuid": "04a5889d-b97d-4653-8a0f-d2df85f93430",
 "value": "Vortex Ransomware"
@@ -135,14 +135,14 @@
 "extensions": [
 ".fuck_you"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0,0361312 (50$)",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0,0361312 (50$)"
+ ]
 },
 "uuid": "2069c483-4701-4a3b-bd51-3850c7aa59d2",
 "value": "GC47 Ransomware"
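Review bot: The `price` values carried along by this reorder do not share one number format: the GC47 entry here has `"price": "0,0361312 (50$)"` with a decimal comma, as do `"0,3169"` (DUMB) and `"0,2"` (X-Files) in later hunks, while most other entries use a point (`"0.1"`, `"1.2683"`). Tooling that extracts these fields from the cluster for triage or reporting would presumably misread or reject the comma forms. Since the lines are being touched anyway, writing them as `"0.0361312 (50$)"`, `"0.3169"` and `"0.2"` would make the field consistent. The currency of a bare amount is still only implied by `payment-method`, which also holds values that are not payment methods, such as `"Email"` and `"no ransom"`.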
@@ -156,15 +156,15 @@
 ".enc",
 ".ENC"
 ],
+ "payment-method": "Bitcoin",
+ "price": "10000 Rubles (135€)",
 "ransomnotes": [
 "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html",
 "https://twitter.com/jiriatvirlab/status/840863070733885440"
- ],
- "payment-method": "Bitcoin",
- "price": "10000 Rubles (135€)"
+ ]
 },
 "uuid": "f158ea74-c8ba-4e5a-b07f-52bd8fe30888",
 "value": "RozaLocker Ransomware"
@@ -177,14 +177,14 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
 "value": "CryptoMeister Ransomware"
@@ -212,15 +212,15 @@
 "extensions": [
 ".Project34"
 ],
+ "payment-method": "MoneyPak",
+ "price": "300$",
 "ransomnotes": [
 "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU",
 "ПАРОЛЬ.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html"
- ],
- "payment-method": "MoneyPak",
- "price": "300$"
+ ]
 },
 "uuid": "4af0d2bd-46da-44da-b17e-987f86957c1d",
 "value": "Project34 Ransomware"
@@ -230,6 +230,8 @@
 "meta": {
 "date": "March 2017",
 "encryption": "AES-128",
+ "payment-method": "Bitcoin",
+ "price": "300$",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png"
 ],
@@ -238,9 +240,7 @@
 "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
 "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/"
- ],
- "payment-method": "Bitcoin",
- "price": "300$"
+ ]
 },
 "uuid": "e11da570-e38d-4290-8a2c-8a31ae832ffb",
 "value": "PetrWrap Ransomware"
@@ -253,6 +253,8 @@
 "extensions": [
 ".grt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2683",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg"
 ],
@@ -260,9 +262,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
 "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/841747002438361089"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2683"
+ ]
 },
 "uuid": "da7de60e-0725-498d-9a35-303ddb5bf60a",
 "value": "Karmen Ransomware"
@@ -296,6 +296,8 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "150$",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
 "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.",
@@ -307,9 +309,7 @@
 ],
 "synonyms": [
 "Fake CTB-Locker"
- ],
- "payment-method": "Bitcoin",
- "price": "150$"
+ ]
 },
 "uuid": "a291ac4c-7851-480f-b317-e977a616ac9d",
 "value": "Turkish FileEncryptor Ransomware"
@@ -323,6 +323,8 @@
 ".kirked",
 ".Kirked"
 ],
+ "payment-method": "Monero",
+ "price": "1100 roupies (14€)",
 "ransomnotes": [
 "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option.
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER"
 ],
@@ -340,9 +342,7 @@
 "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges",
 "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/",
 "https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/"
- ],
- "payment-method": "Monero",
- "price": "1100 roupies (14€)"
+ ]
 },
 "uuid": "6e442a2e-97db-4a7b-b4a1-9abb4a7472d8",
 "value": "Kirk Ransomware & Spock Decryptor"
@@ -355,6 +355,7 @@
 "extensions": [
 ".ZINO"
 ],
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg",
 "ZINO_NOTE.TXT"
@@ -363,8 +364,7 @@
 "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html",
 "https://twitter.com/demonslay335?lang=en",
 "https://twitter.com/malwrhunterteam/status/842781575410597894"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "719c8ba7-598e-4511-a851-34e651e301fa",
 "value": "ZinoCrypt Ransomware"
@@ -398,6 +398,8 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
 "motd.txt"
@@ -406,9 +408,7 @@
 "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/",
 "https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "5d1a3631-165c-4091-ba55-ac8da62efadf",
 "value": "MOTD Ransomware"
@@ -421,6 +421,8 @@
 "extensions": [
 ".devil"
 ],
+ "payment-method": "Dollars",
+ "price": "20 - 100",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg",
 "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg"
@@ -428,9 +430,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html",
 "https://twitter.com/PolarToffee/status/843527738774507522"
- ],
- "payment-method": "Dollars",
- "price": "20 - 100"
+ ]
 },
 "uuid": "f3ead274-6c98-4532-b922-03d5ce4e7cfc",
 "value": "CryptoDevil Ransomware"
@@ -443,15 +443,15 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html",
 "https://twitter.com/struppigel/status/837565766073475072"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "e4d36930-2e00-4583-b5f5-d8f83736d3ce",
 "value": "FabSysCrypto Ransomware"
@@ -482,11 +482,11 @@
 "extensions": [
 ".Horas-Bah"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "dd3601f1-df0a-4e67-8a20-82e7ba0ed13c",
 "value": "RedAnts Ransomware"
@@ -499,11 +499,11 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "4c3788d6-30a9-4cad-af33-81f9ce3a0d4f",
 "value": "ConsoleApplication1 Ransomware"
@@ -516,11 +516,11 @@
 "extensions": [
 ".kr3"
 ],
+ "payment-method": "no ransom",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/836995570384453632"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7",
 "value": "KRider Ransomware"
@@ -529,11 +529,11 @@
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg",
 "meta": {
 "date": "February 2017",
+ "payment-method": "Bitcoin",
+ "price": "0.5 (300$)",
 "refs": [
 "https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 (300$)"
+ ]
 },
 "uuid": "44f6d489-f376-4416-9ba4-e153472f75fc",
 "value": "CYR-Locker Ransomware (FAKE)"
@@ -546,15 +546,15 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***",
 "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "0570e09d-10b9-448c-87fd-c1c4063e6592",
 "value": "DotRansomware"
@@ -567,6 +567,8 @@
 "extensions": [
 ".locked-[3_random_chars]"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.01 - 0.06",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
 "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png",
@@ -575,9 +577,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.01 - 0.06"
+ ]
 },
 "uuid": "37b9a28d-8554-4233-b130-efad4be97bc0",
 "value": "Unlock26 Ransomware"
@@ -590,15 +590,15 @@
 "extensions": [
 ".EnCrYpTeD"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "READ_ME_TO_DECRYPT.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html",
 "https://twitter.com/JakubKroustek/status/834821166116327425"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "87171865-9fc9-42a9-9bd4-a453f556f20c",
 "value": "PicklesRansomware"
@@ -608,15 +608,15 @@
 "meta": {
 "date": "February 2017",
 "encryption": "ChaCha20 and Poly1305",
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety."
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html",
 "https://twitter.com/JAMESWT_MHT/status/834783231476166657"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "6a6eed70-3f90-420b-9e4a-5cce9428dc06",
 "value": "Vanguard Ransomware"
@@ -650,6 +650,8 @@
 ".TheTrumpLockerf",
 ".TheTrumpLockerfp"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1(50 - 165$)",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg",
 "What happen to my files.txt"
@@ -658,9 +660,7 @@
 "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/",
 "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/"
- ],
- "payment-method": "Bitcoin",
- "price": "1(50 - 165$)"
+ ]
 },
 "uuid": "63bd845c-94f6-49dc-8f0c-22e6f67820f7",
 "value": "TrumpLocker Ransomware"
@@ -693,15 +693,15 @@
 "extensions": [
 "your files get marked with: “youarefucked”"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1 - 0.2",
 "ransomnotes": [
 "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/833636006721122304"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 - 0.2"
+ ]
 },
 "uuid": "f0652feb-a104-44e8-91c7-b0435253352b",
 "value": "XYZWare Ransomware"
@@ -714,14 +714,14 @@
 "extensions": [
 "your files get marked with: “youarefucked”"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1 (250$)",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png"
 ],
 "refs": [
 "https://www.enigmasoftware.com/youarefuckedransomware-removal/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 (250$)"
+ ]
 },
 "uuid": "912af0ef-2d78-4a90-a884-41f3c37c723b",
 "value": "YouAreFucked Ransomware"
@@ -731,6 +731,8 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 0.7",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
 "How decrypt files.hta"
@@ -738,9 +740,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 0.7"
+ ]
 },
 "uuid": "7343da8f-fe18-46c9-8cda-5b04fb48e97d",
 "value": "CryptConsole 2.0 Ransomware"
@@ -754,15 +754,15 @@
 ".barRex",
 ".BarRax"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html",
 "https://twitter.com/demonslay335/status/835668540367777792"
 ],
 "synonyms": [
 "BarRaxCrypt Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "c0ee166e-273f-4940-859c-ba6f8666247c",
 "value": "BarRax Ransomware"
@@ -790,6 +790,8 @@
 "extensions": [
 ".ENCR"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.8 - 2",
 "ransomnotes": [
 "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)",
 "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg"
@@ -799,9 +801,7 @@
 ],
 "synonyms": [
 "CzechoSlovak Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.8 - 2"
+ ]
 },
 "uuid": "c9e29151-7eda-4192-9c34-f9a81b2ef743",
 "value": "UserFilesLocker Ransomware"
@@ -814,12 +814,12 @@
 "extensions": [
 ".A9v9Ahu4-000"
 ],
+ "payment-method": "Bitcoin",
+ "price": "6",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017_03_01_archive.html",
 "https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "6"
+ ]
 },
 "uuid": "78649172-cf5b-4e8a-950b-a967ff700acf",
 "value": "AvastVirusinfo Ransomware"
@@ -844,6 +844,8 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
 ],
@@ -852,9 +854,7 @@
 ],
 "synonyms": [
 "VHDLocker Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "9de7a1f2-cc21-40cf-b44e-c67f0262fbce",
 "value": "PleaseRead Ransomware"
@@ -866,6 +866,8 @@
 "extensions": [
 "[KASISKI]"
 ],
+ "payment-method": "Dollars",
+ "price": "500",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg",
 "INSTRUCCIONES.txt"
@@ -874,9 +876,7 @@
 "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
 "https://twitter.com/MarceloRivero/status/832302976744173570",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/"
- ],
- "payment-method": "Dollars",
- "price": "500"
+ ]
 },
 "uuid": "59b537dc-3764-42fc-a416-92d2950aaff1",
 "value": "Kasiski Ransomware"
@@ -889,6 +889,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys"
 ],
@@ -899,9 +901,7 @@
 ],
 "synonyms": [
 "Locky Impersonator Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "26a34763-a70c-4877-b99f-ae39decd2107",
 "value": "Fake Locky Ransomware"
@@ -914,6 +914,7 @@
 "extensions": [
 ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "# RESTORING FILES #.txt",
 "# RESTORING FILES #.html",
@@ -922,8 +923,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "1f915f16-2e2f-4681-a1e8-e146a0a4fcdf",
 "value": "CryptoShield 1.0 Ransomware"
@@ -936,6 +936,7 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Email - Bitcoin",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
 "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png",
@@ -947,8 +948,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/",
 "https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/",
 "https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/"
- ],
- "payment-method": "Email - Bitcoin"
+ ]
 },
 "related": [
 {
@@ -988,14 +988,14 @@
 "extensions": [
 ".wcry"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "0983bdda-c637-4ad9-a56f-615b2b052740",
 "value": "Wcry Ransomware"
@@ -1005,6 +1005,8 @@
 "meta": {
 "date": "February 2017",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0,3169",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
 "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
@@ -1012,9 +1014,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html",
 "https://twitter.com/bleepincomputer/status/816053140147597312?lang=en"
- ],
- "payment-method": "Bitcoin",
- "price": "0,3169"
+ ]
 },
 "uuid": "27feba66-e9c7-4414-a560-1e5b7da74d08",
 "value": "DUMB Ransomware"
@@ -1028,12 +1028,12 @@
 ".b0C",
 ".b0C.x"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0,2",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017_02_01_archive.html",
 "https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0,2"
+ ]
 },
 "uuid": "c24f48ca-060b-4164-aafe-df7b3f43f40e",
 "value": "X-Files"
@@ -1046,14 +1046,14 @@
 "extensions": [
 ".aes"
 ],
+ "payment-method": "Dollars",
+ "price": "249",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html"
- ],
- "payment-method": "Dollars",
- "price": "249"
+ ]
 },
 "uuid": "b50265ac-ee45-4f5a-aca1-fabe3157fc14",
 "value": "Polski Ransomware"
@@ -1066,6 +1066,7 @@
 "extensions": [
 ".yourransom"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png",
 "README.txt"
@@ -1074,8 +1075,7 @@
 "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/",
 "https://twitter.com/_ddoxer/status/827555507741274113"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "908b914b-6744-4e16-b014-121cf2106b5f",
 "value": "YourRansom Ransomware"
@@ -1085,15 +1085,15 @@
 "meta": {
 "date": "February 2016",
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "0.6 - 0.95",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html",
 "https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.6 - 0.95"
+ ]
 },
 "uuid": "b4de724f-add4-4095-aa5a-e4d039322b59",
 "value": "Ranion RaasRansomware"
@@ -1106,6 +1106,7 @@
 "extensions": [
 ".potato"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "How to recover my files.txt",
 "README.png",
@@ -1114,8 +1115,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "378cb77c-bb89-4d32-bef9-1b132343f3fe",
 "value": "Potato Ransomware"
@@ -1128,6 +1128,7 @@
 "extensions": [
 ".-opentoyou@india.com"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "!!!.txt",
 "1.bmp",
@@ -1137,8 +1138,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "e290fa29-6fc1-4fb5-ac98-44350e508bc1",
 "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)"
@@ -1151,6 +1151,8 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.25",
 "ransomnotes": [
 "YOUR FILES ARE ENCRYPTED!!!.txt",
 "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
@@ -1160,9 +1162,7 @@
 "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
 "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
 "https://twitter.com/jiriatvirlab/status/825411602535088129"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25"
+ ]
 },
 "uuid": "c039a50b-f5f9-4ad0-8b66-e1d8cc86717b",
 "value": "RansomPlus"
@@ -1176,6 +1176,8 @@
 ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ",
 ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "How decrypt files.hta",
 "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
@@ -1186,9 +1188,7 @@
 "https://twitter.com/PolarToffee/status/824705553201057794",
 "https://twitter.com/demonslay335/status/1004351990493741057",
 "https://twitter.com/demonslay335/status/1004803373747572736"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "42508fd8-3c2d-44b2-9b74-33c5d82b297d",
 "value": "CryptConsole"
@@ -1200,11 +1200,11 @@
 "extensions": [
 ".zxz"
 ],
+ "payment-method": "Email",
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310",
 "https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "e4932d1c-2f97-474d-957e-c7df87f9591e",
 "value": "ZXZ Ramsomware"
@@ -1229,6 +1229,8 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES+RSA",
+ "payment-method": "Bitcoin",
+ "price": "0,65806",
 "ransomnotes": [
 "note.iti",
 "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
@@ -1236,9 +1238,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
 "http://www.enigmasoftware.com/funfactransomware-removal/"
- ],
- "payment-method": "Bitcoin",
- "price": "0,65806"
+ ]
 },
 "uuid": "2bfac605-a2c5-4742-92a2-279a08a4c575",
 "value": "FunFact Ransomware"
@@ -1251,6 +1251,7 @@
 "extensions": [
 ".<7_random_letters>"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "encrypted_readme.txt",
 "__encrypted_readme.txt",
@@ -1260,8 +1261,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
 "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "89d5a541-ef9a-4b18-ac04-2e1384031a2d",
 "value": "ZekwaCrypt Ransomware"
@@ -1274,6 +1274,8 @@
 "extensions": [
 ".sage"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2,15555 (2000$)",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
 "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png",
@@ -1285,9 +1287,7 @@
 "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom",
 "https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/",
 "https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga"
- ],
- "payment-method": "Bitcoin",
- "price": "2,15555 (2000$)"
+ ]
 },
 "uuid": "9174eef3-65f7-4ab5-9b55-b323b36fb962",
 "value": "Sage 2.0 Ransomware"
@@ -1297,6 +1297,7 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "Warning警告.html",
 "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg"
@@ -1305,8 +1306,7 @@
 "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html",
 "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/",
 "https://twitter.com/BleepinComputer/status/822653335681593345"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4",
 "value": "CloudSword Ransomware"
@@ -1319,6 +1319,8 @@
 "extensions": [
 ".killedXXX"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg",
 "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg"
@@ -1328,9 +1330,7 @@
 ],
 "synonyms": [
 "Fake"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "327eb8b4-5793-42f0-96c0-7f651a0debdc",
 "value": "DN"
@@ -1343,15 +1343,15 @@
 "extensions": [
 ".id-_garryweber@protonmail.ch"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "HOW_OPEN_FILES.html",
 "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/garryweber.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "b6e6da33-bf23-4586-81cf-dcfe10e13a81",
 "value": "GarryWeber Ransomware"
@@ -1364,6 +1364,8 @@
 "extensions": [
 ".stn"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1 - your choice",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png",
 "HELP_DECRYPT_FILES.html"
@@ -1374,9 +1376,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/",
 "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
 "https://twitter.com/Xylit0l/status/821757718885236740"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 - your choice"
+ ]
 },
 "related": [
 {
@@ -1398,6 +1398,8 @@
 "extensions": [
 ".HavocCrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "150 $",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg"
 ],
@@ -1406,9 +1408,7 @@
 ],
 "synonyms": [
 "HavocCrypt Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "150 $"
+ ]
 },
 "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
 "value": "Havoc"
@@ -1421,6 +1421,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "IMPORTANTE_LEER.html",
 "RECUPERAR_ARCHIVOS.html",
@@ -1429,9 +1431,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html",
 "http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "ca831782-fcbf-4984-b04e-d79b14e48a71",
 "value": "CryptoSweetTooth Ransomware"
@@ -1444,6 +1444,8 @@
 "extensions": [
 ".kencf"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png",
 "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"
@@ -1455,9 +1457,7 @@
 "synonyms": [
 "RansomTroll Ransomware",
 "Käändsõna Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "aed61a0a-dc48-43ac-9c33-27e5a286899e",
 "value": "Kaandsona Ransomware"
@@ -1470,6 +1470,8 @@
 "extensions": [
 ".lambda_l0cked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "READ_IT.hTmL",
 "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif"
@@ -1477,9 +1479,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html",
 "http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "0d1b35e9-c87a-4972-8c27-a11c13e351d7",
 "value": "LambdaLocker Ransomware"
@@ -1492,6 +1492,7 @@
 "extensions": [
 ".HakunaMatata"
 ],
+ "payment-method": "Website (onion)",
 "ransomnotes": [
 "Recovers files yako.html",
 "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
@@ -1502,8 +1503,7 @@
 ],
 "synonyms": [
 "HakunaMatataRansomware"
- ],
- "payment-method": "Website (onion)"
+ ]
 },
 "uuid": "0645cae2-bda9-4d68-8bc3-c3c1eb9d1801",
 "value": "NMoreia 2.0 Ransomware"
@@ -1516,6 +1516,8 @@
 "extensions": [
 ".oops"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
 "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
@@ -1525,9 +1527,7 @@
 "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
 "https://decrypter.emsisoft.com/marlboro",
 "https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "4ae98da3-c667-4c6e-b0fb-5b52c667637c",
 "value": "Marlboro Ransomware"
@@ -1537,6 +1537,8 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES+RSA",
+ "payment-method": "Bitcoin",
+ "price": "79$",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png",
 "[Infection-ID].HTML"
@@ -1545,9 +1547,7 @@
 "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html",
 "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware",
 "http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "79$"
+ ]
 },
 "uuid": "46601172-d938-47af-8cf5-c5a796ab68ab",
 "value": "Spora Ransomware"
@@ -1560,10 +1560,10 @@
 "extensions": [
 ".crypto"
 ],
+ "payment-method": "Bitcoin",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "7ae2f594-8a72-4ba8-a37a-32457d1d3fe8",
 "value": "CryptoKill Ransomware"
@@ -1575,14 +1575,14 @@
 "extensions": [
 "AES+RSA"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.35",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.35"
+ ]
 },
 "uuid": "62120e20-21f6-474b-9dc1-fc871d25c798",
 "value": "All_Your_Documents Ransomware"
@@ -1595,6 +1595,8 @@
 "extensions": [
 ".velikasrbija"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500$",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg",
 "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg"
@@ -1604,9 +1606,7 @@
 "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/",
 "https://twitter.com/malwrhunterteam/status/830116190873849856"
- ],
- "payment-method": "Bitcoin",
- "price": "500$"
+ ]
 },
 "uuid": "fb1e99cb-73fa-4961-a052-c90b3f383542",
 "value": "SerbRansom 2017 Ransomware"
@@ -1616,6 +1616,8 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0.33",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg"
 ],
@@ -1623,9 +1625,7 @@
 "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/829768819031805953",
 "https://twitter.com/malwrhunterteam/status/838700700586684416"
- ],
- "payment-method": "Bitcoin",
- "price": "0.33"
+ ]
 },
 "uuid": "ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37",
 "value": "Fadesoft Ransomware"
@@ -1638,6 +1638,8 @@
 "extensions": [
 ".encypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png"
 ],
@@ -1645,9 +1647,7 @@
 "https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html",
 "https://www.ozbargain.com.au/node/228888?page=3",
 "https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "681ad7cc-fda0-40dc-83b3-91fdfdec81e1",
 "value": "HugeMe Ransomware"
@@ -1660,6 +1660,8 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "50$",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg"
 ],
@@ -1669,9 +1671,7 @@
 ],
 "synonyms": [
 "DynA CryptoLocker Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "50$"
+ ]
 },
 "uuid": "9979ae53-98f7-49a2-aa1e-276973c2b44f",
 "value": "DynA-Crypt Ransomware"
@@ -1684,6 +1684,8 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.75 (787.09$) - 2.25 (2366.55$ after 7 days)",
 "ransomnotes": [
 "==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"
 ],
@@ -1692,9 +1694,7 @@
 ],
 "synonyms": [
 "Serpent Danish Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.75 (787.09$) - 2.25 (2366.55$ after 7 days)"
+ ]
 },
 "uuid": "3b472aac-085b-409e-89f1-e8c766f7c401",
 "value": "Serpent 2017 Ransomware"
@@ -1704,6 +1704,8 @@
 "meta": {
 "date": "January 2017",
 "encryption": "ROT-23",
+ "payment-method": "Bitcoin",
+ "price": "0.085",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg",
 "README.HTML"
@@ -1711,9 +1713,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.085"
+ ]
 },
 "uuid": "c21e637c-6611-47e1-a191-571409b6669a",
 "value": "Erebus 2017 Ransomware"
@@ -1725,6 +1725,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.085",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png"
 ],
@@ -1733,9 +1735,7 @@
 ],
 "synonyms": [
 "Ransomuhahawhere"
- ],
- "payment-method": "Bitcoin",
- "price": "0.085"
+ ]
 },
 "uuid": "dcb183d1-11b5-464c-893a-21e132cb7b51",
 "value": "Cyber Drill Exercise "
@@ -1747,14 +1747,14 @@
 "extensions": [
 ".cancer"
 ],
+ "payment-method": "no ransom",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f",
 "value": "Cancer Ransomware FAKE"
@@ -1767,14 +1767,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Email - Bitcoin",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html",
 "https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html"
- ],
- "payment-method": "Email - Bitcoin"
+ ]
 },
 "uuid": "ed5b30b0-2949-410a-bc4c-3d90de93d033",
 "value": "UpdateHost Ransomware"
@@ -1787,14 +1787,14 @@
 "extensions": [
 ".v8dp"
 ],
+ "payment-method": "Bitcoin",
+ "price": "10",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "10"
+ ]
 },
 "uuid": "b5942085-c9f2-4d1a-aadf-1061ad38fb1d",
 "value": "Nemesis Ransomware"
@@ -1808,6 +1808,7 @@
 ".file0locked",
 ".evillock"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "HOW_TO_DECRYPT_YOUR_FILES.TXT",
 "HOW_TO_DECRYPT_YOUR_FILES.HTML",
@@ -1823,8 +1824,7 @@
 ],
 "synonyms": [
 "File0Locked KZ Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "57933295-4a0e-4f6a-b06b-36807ff150cd",
 "value": "Evil Ransomware"
@@ -1833,6 +1833,8 @@
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.",
 "meta": {
 "date": "January 2017",
+ "payment-method": "Bitcoin",
+ "price": "0.03",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg",
 "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg"
@@ -1843,9 +1845,7 @@
 ],
 "synonyms": [
 "Ocelot Locker Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.03"
+ ]
 },
 "uuid": "054b9fbd-72fa-464f-a683-a69ab3936d69",
 "value": "Ocelot Ransomware (FAKE RANSOMWARE)"
@@ -1855,6 +1855,8 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "1000 CZK",
 "ransomnotes": [
 "INFOK1.txt",
 "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png",
@@ -1866,9 +1868,7 @@
 ],
 "synonyms": [
 "Blablabla Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "1000 CZK"
+ ]
 },
 "uuid": "00b8ff33-1504-49a4-a025-b761738eed68",
 "value": "SkyName Ransomware"
@@ -1881,6 +1881,8 @@
 "extensions": [
 ".locked-by-mafia"
 ],
+ "payment-method": "Bitcoin",
+ "price": "155$",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png",
 "READ_ME.txt"
@@ -1892,9 +1894,7 @@
 ],
 "synonyms": [
 "Depsex Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "155$"
+ ]
 },
 "uuid": "e5a60429-ae5d-46f4-a731-da9e2fcf8b92",
 "value": "MafiaWare Ransomware"
@@ -1918,6 +1918,8 @@
 ".decrypt2017",
 ".hnumkhotep"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "How To Recover Encrypted Files.hta",
 "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png",
@@ -1932,9 +1934,7 @@
 ],
 "synonyms": [
 "Purge Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "related": [
 {
@@ -1956,6 +1956,8 @@
 "extensions": [
 ".firecrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500$",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg"
 ],
@@ -1965,9 +1967,7 @@
 ],
 "synonyms": [
 "FireCrypt Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "500$"
+ ]
 },
 "uuid": "fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08",
 "value": "BleedGreen Ransomware"
@@ -1980,6 +1980,7 @@
 "extensions": [
 ".BTC"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "BTC_DECRYPT_FILES.txt",
 "BTC_DECRYPT_FILES.html",
@@ -1987,8 +1988,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/btcamant.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "a5826bd3-b457-4aa9-a2e7-f0044ad9992f",
 "value": "BTCamant Ransomware"
@@ -2003,14 +2003,14 @@
 "_r9oj",
 "_locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "700$",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "700$"
+ ]
 },
 "uuid": "192bc3e8-ace8-4229-aa88-37034a11ef5b",
 "value": "X3M Ransomware"
@@ -2023,6 +2023,7 @@
 "extensions": [
 ".LOCKED"
 ],
+ "payment-method": "Bitcoin - WebSite (onion)",
 "ransomnotes": [
 "DecryptFile.txt",
 "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png",
@@ -2031,8 +2032,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html",
 "https://twitter.com/BleepinComputer/status/816112218815266816"
- ],
- "payment-method": "Bitcoin - WebSite (onion)"
+ ]
 },
 "uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96",
 "value": "GOG Ransomware"
@@ -2045,15 +2045,15 @@
 "extensions": [
 ".edgel"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html",
 "https://twitter.com/BleepinComputer/status/815392891338194945"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "ecfa106d-0aff-4f7e-a259-f00eb14fc245",
 "value": "EdgeLocker"
@@ -2066,6 +2066,7 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Website",
 "ransomnotes": [
 "MESSAGE.txt",
 "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg"
@@ -2073,8 +2074,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html",
 "https://twitter.com/JaromirHorejsi/status/815557601312329728"
- ],
- "payment-method": "Website"
+ ]
 },
 "related": [
 {
@@ -2096,14 +2096,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.5"
+ ]
 },
 "uuid": "ed26fcf3-47fb-45cc-b5f9-de18f6491934",
 "value": "First"
@@ -2113,6 +2113,7 @@
 "meta": {
 "date": "January 2017",
 "encryption": "Twofish",
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg",
 "Xhelp.jpg"
@@ -2120,8 +2121,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
 "https://twitter.com/JakubKroustek/status/825790584971472902"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "fd5bb71f-80dc-4a6d-ba8e-ed74999700d3",
 "value": "XCrypt Ransomware"
@@ -2134,14 +2134,14 @@
 "extensions": [
 ".7zipper"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html",
 "https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "d8ec9e54-a4a4-451e-9f29-e7503174c16e",
 "value": "7Zipper Ransomware"
@@ -2155,6 +2155,8 @@
 ".lock",
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "170€/$",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png"
 ],
@@ -2163,9 +2165,7 @@
 "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware",
 "https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip",
 "https://twitter.com/GrujaRS/status/826153382557712385"
- ],
- "payment-method": "Bitcoin",
- "price": "170€/$"
+ ]
 },
 "uuid": "7b7c8124-c679-4201-b5a5-5e66e6d52b70",
 "value": "Zyka Ransomware"
@@ -2175,15 +2175,15 @@
 "meta": {
 "date": "January 2017",
 "encryption": "AES-256 (fake)",
+ "payment-method": "Bitcoin",
+ "price": "50£",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html",
 "http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c"
- ],
- "payment-method": "Bitcoin",
- "price": "50£"
+ ]
 },
 "uuid": "a9365b55-acd8-4b70-adac-c86d121b80b3",
 "value": "SureRansom Ransomeware (Fake)"
@@ -2196,6 +2196,8 @@
 "extensions": [
 ".se"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.18 (100$)",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg",
 "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad"
@@ -2207,9 +2209,7 @@
 "http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012",
 "https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg",
 "https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png"
- ],
- "payment-method": "Bitcoin",
- "price": "0.18 (100$)"
+ ]
 },
 "uuid": "1317351f-ec8f-4c76-afab-334e1384d3d3",
 "value": "Netflix Ransomware"
@@ -2226,6 +2226,7 @@
 ".RMCM1",
 ".MERRY"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "YOUR_FILES_ARE_DEAD.HTA",
 "MERRY_I_LOVE_YOU_BRUCE.HTA",
@@ -2242,8 +2243,7 @@
 "synonyms": [
 "Merry X-Mas",
 "MRCR"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "72cbed4e-b26a-46a1-82be-3d0154fdd2e5",
 "value": "Merry Christmas"
@@ -2256,11 +2256,11 @@
 "extensions": [
 ".seoire"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "bdf807c2-74ec-4802-9907-a89b1d910296",
 "value": "Seoirse Ransomware"
@@ -2270,6 +2270,8 @@
 "meta": {
 "date": "November/December 2016",
 "encryption": "AES-256+RSA",
+ "payment-method": "Bitcoin",
+ "price": "222 (200 000$)",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png"
 ],
@@ -2281,9 +2283,7 @@
 "http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware",
 "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
 "https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/"
- ],
- "payment-method": "Bitcoin",
- "price": "222 (200 000$)"
+ ]
 },
 "uuid": "8e067af6-d1f7-478a-8a8e-5154d2685bd1",
 "value": "KillDisk Ransomware"
@@ -2296,6 +2296,8 @@
 "extensions": [
 ".deria"
 ],
+ "payment-method": "Bitcoin",
+ "price": "20 - 30$",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
 "unlock-everybody.txt"
@@ -2303,9 +2305,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
- ],
- "payment-method": "Bitcoin",
- "price": "20 - 30$"
+ ]
 },
 "uuid": "c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3",
 "value": "DeriaLock Ransomware"
@@ -2318,6 +2318,7 @@
 "extensions": [
 ".bript"
 ],
+ "payment-method": "Email - Bitcoin",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png",
 "More.html"
@@ -2325,8 +2326,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html",
 "https://twitter.com/demonslay335/status/813064189719805952"
- ],
- "payment-method": "Email - Bitcoin"
+ ]
 },
 "uuid": "43bfbb2a-9416-44da-81ef-03d6d3a3923f",
 "value": "BadEncript Ransomware"
@@ -2339,13 +2339,13 @@
 "extensions": [
 ".adam"
 ],
+ "payment-method": "Website",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html"
- ],
- "payment-method": "Website"
+ ]
 },
 "uuid": "5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc",
 "value": "AdamLocker Ransomware"
@@ -2358,15 +2358,15 @@
 "extensions": [
 ".alphabet"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html",
 "https://twitter.com/PolarToffee/status/812331918633172992"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -2388,6 +2388,8 @@
 "extensions": [
 ".kokolocker"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg"
 ],
@@ -2397,9 +2399,7 @@
 ],
 "synonyms": [
 "KokoLocker Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "d672fe4f-4561-488e-bca6-20385b53d77f",
 "value": "KoKoKrypt Ransomware"
@@ -2412,15 +2412,15 @@
 "extensions": [
 ".l33tAF"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "YOU_HAVE_BEEN_HACKED.txt",
 "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "791a6720-d589-4cf7-b164-08b35b453ac7",
 "value": "L33TAF Locker Ransomware"
@@ -2430,6 +2430,8 @@
 "meta": {
 "date": "December 2016",
 "encryption": "AES-256+RSA",
+ "payment-method": "Bitcoin",
+ "price": "0.6 - 1.6",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png"
 ],
@@ -2438,9 +2440,7 @@
 ],
 "synonyms": [
 "PClock SysGop Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.6 - 1.6"
+ ]
 },
 "uuid": "b78be3f4-e39b-41cc-adc0-5824f246959b",
 "value": "PClock4 Ransomware"
@@ -2453,15 +2453,15 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.4",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html",
 "https://twitter.com/BleepinComputer/status/812131324979007492"
- ],
- "payment-method": "Bitcoin",
- "price": "0.4"
+ ]
 },
 "uuid": "ffa7ac2f-b216-4fac-80be-e859a0e0251f",
 "value": "Guster Ransomware"
@@ -2474,13 +2474,13 @@
 "extensions": [
 ".madebyadam"
 ],
+ "payment-method": "Website (gift card)",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html"
- ],
- "payment-method": "Website (gift card)"
+ ]
 },
 "related": [
 {
@@ -2502,6 +2502,8 @@
 "extensions": [
 ".cryptolocker"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif"
 ],
@@ -2510,9 +2512,7 @@
 ],
 "synonyms": [
 "Fake CryptoLocker"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "4094b021-6654-49d5-9b80-a3666a1c1e44",
 "value": "CryptoLocker3 Ransomware"
@@ -2525,6 +2525,8 @@
 "extensions": [
 ".crypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg"
 ],
@@ -2533,9 +2535,7 @@
 "http://www.archersecuritygroup.com/what-is-ransomware/",
 "https://twitter.com/demonslay335/status/812002960083394560",
 "https://twitter.com/malwrhunterteam/status/811613888705859586"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "4cf270e7-e4df-49d5-979b-c13d8ce117cc",
 "value": "ProposalCrypt Ransomware"
@@ -2545,6 +2545,8 @@
 "meta": {
 "date": "December 2016",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0.2 (160$)",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg"
 ],
@@ -2552,9 +2554,7 @@
 "https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/",
 "https://twitter.com/struppigel/status/811587154983981056"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2 (160$)"
+ ]
 },
 "uuid": "e62ba8f5-e7ce-44ab-ac33-713ace192de3",
 "value": "Manifestus Ransomware "
@@ -2567,6 +2567,8 @@
 "extensions": [
 ".fucked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif"
 ],
@@ -2579,9 +2581,7 @@
 "synonyms": [
 "IDRANSOMv3",
 "Manifestus"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "related": [
 {
@@ -2603,14 +2603,14 @@
 "extensions": [
 ".braincrypt"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png",
 "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "ade6ec5e-e082-43cb-9b82-ff8c0f4d7e56",
 "value": "BrainCrypt Ransomware"
@@ -2620,6 +2620,8 @@
 "meta": {
 "date": "December 2016",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png",
 "RESTORE_YOUR_FILES.txt"
@@ -2627,9 +2629,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html",
 "https://twitter.com/struppigel/status/810766686005719040"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "7de27419-9874-4c3f-b75f-429a507ed7c5",
 "value": "MSN CryptoLocker Ransomware"
@@ -2639,15 +2639,15 @@
 "meta": {
 "date": "December 2016",
 "encryption": "RSA-2048",
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html",
 "https://twitter.com/drProct0r/status/810500976415281154"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "7b0df78e-8f00-468f-a6ef-3e1bda2a344c",
 "value": "CryptoBlock Ransomware "
@@ -2660,14 +2660,14 @@
 "extensions": [
 ".aes256"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "!!! READ THIS -IMPORTANT !!!.txt",
 "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "69c9b45f-f226-485f-9033-fcb796c315cf",
 "value": "AES-NI Ransomware "
@@ -2680,14 +2680,14 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Game",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/"
- ],
- "payment-method": "Game"
+ ]
 },
 "uuid": "ff6b8fc4-cfe0-45c1-9814-3261e39b4c9a",
 "value": "Koolova Ransomware"
@@ -2701,6 +2701,8 @@
 ".crypt",
 ".emilysupp"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
 "HOW_OPEN_FILES.hta"
@@ -2717,9 +2719,7 @@
 "synonyms": [
 "Globe Imposter",
 "GlobeImposter"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -2741,13 +2741,13 @@
 "extensions": [
 ".v8"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "45862a62-4cb3-4101-84db-8e338d17e283",
 "value": "V8Locker Ransomware"
@@ -2760,13 +2760,13 @@
 "extensions": [
 ".ENC"
 ],
+ "payment-method": "Website",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html"
- ],
- "payment-method": "Website"
+ ]
 },
 "uuid": "96bd63e5-99bd-490c-a23a-e0092337f6e6",
 "value": "Cryptorium (Fake Ransomware)"
@@ -2779,13 +2779,13 @@
 "extensions": [
 ".antihacker2017"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "efd64e86-611a-4e10-91c7-e741cf0c58d9",
 "value": "Antihacker2017 Ransomware"
@@ -2794,6 +2794,8 @@
 "description": "It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg",
 "meta": {
 "date": "December 2016",
+ "payment-method": "Dollars",
+ "price": "100 - 250 - 500",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png"
 ],
@@ -2802,9 +2804,7 @@
 "https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/",
 "https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/"
- ],
- "payment-method": "Dollars",
- "price": "100 - 250 - 500"
+ ]
 },
 "uuid": "e479e32e-c884-4ea0-97d3-3c3356135719",
 "value": "CIA Special Agent 767 Ransomware (FAKE!!!)"
@@ -2813,13 +2813,13 @@
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.",
 "meta": {
 "date": "December 2016",
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "d1698a73-8be8-4c10-8114-8cfa1c399eb1",
 "value": "LoveServer Ransomware "
@@ -2833,6 +2833,8 @@
 ".kraken",
 "[base64].kraken"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
 "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
@@ -2840,9 +2842,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "51737c36-11a0-4c25-bd87-a990bd479aaf",
 "value": "Kraken Ransomware"
@@ -2852,14 +2852,14 @@
 "meta": {
 "date": "December 2016",
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "0.25",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25"
+ ]
 },
 "uuid": "8a7e0615-b9bd-41ab-89f1-62d041350e99",
 "value": "Antix Ransomware"
@@ -2872,6 +2872,8 @@
 "extensions": [
 ".sexy"
 ],
+ "payment-method": "Bitcoin",
+ "price": "950 bresilian real ($)",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
 "!!!!!ATENÇÃO!!!!!.html"
@@ -2879,9 +2881,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
 "https://twitter.com/BleepinComputer/status/808316635094380544"
- ],
- "payment-method": "Bitcoin",
- "price": "950 bresilian real ($)"
+ ]
 },
 "uuid": "70324b69-6076-4d00-884e-7f9d5537a65a",
 "value": "PayDay Ransomware "
@@ -2894,10 +2894,10 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "no ransom",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "76b14980-e53c-4209-925e-3ab024210734",
 "value": "Slimhem Ransomware"
@@ -2907,15 +2907,15 @@
 "meta": {
 "date": "December 2016",
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "ransomnotes": [
 "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins",
 "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "94a3be6b-3a83-40fb-85b2-555239260235",
 "value": "M4N1F3STO Ransomware (FAKE!!!!!)"
@@ -2928,10 +2928,10 @@
 "extensions": [
 ".DALE"
 ],
+ "payment-method": "Email",
 "synonyms": [
 "DaleLocker Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "abe6cbe4-9031-46da-9e1c-89d9babe6449",
 "value": "Dale Ransomware"
@@ -2944,15 +2944,15 @@
 "extensions": [
 ".locked (added before the ending, not to the ending, for example: file.locked.doc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1000 $",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html",
 "https://twitter.com/struppigel/status/807161652663742465"
- ],
- "payment-method": "Bitcoin",
- "price": "1000 $"
+ ]
 },
 "uuid": "3a66610b-5197-4af9-b662-d873afc81b2e",
 "value": "UltraLocker Ransomware"
@@ -2965,6 +2965,7 @@
 "extensions": [
 ".pre_alpha"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png"
 ],
@@ -2972,8 +2973,7 @@
 "https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html",
 "https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "d755510f-d775-420c-83a0-b0fe9e483256",
 "value": "AES_KEY_GEN_ASSIST Ransomware"
@@ -2986,15 +2986,15 @@
 "extensions": [
 ".locky"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg",
 "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "a23d7c45-7200-4074-9acf-8789600fa145",
 "value": "Code Virus Ransomware "
@@ -3007,13 +3007,13 @@
 "extensions": [
 "_morf56@meta.ua_"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "1cdc34ce-43b7-4df1-ae8f-ae0acbe5e4ad",
 "value": "FLKR Ransomware"
@@ -3027,6 +3027,8 @@
 ".kok",
 ".filock"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png",
 "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg",
@@ -3036,9 +3038,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "c1b3477b-cd7f-4726-8744-a2c44275dffd",
 "value": "PopCorn Time Ransomware"
@@ -3051,14 +3051,14 @@
 "extensions": [
 ".hacked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.33 - 0.5",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.33 - 0.5"
+ ]
 },
 "uuid": "c2624d8e-da7b-4d94-b06f-363131ddb6ac",
 "value": "HackedLocker Ransomware"
@@ -3071,6 +3071,8 @@
 "extensions": [
 "."
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.33 - 1.34",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg",
 "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg"
@@ -3079,9 +3081,7 @@
 "https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/",
 "https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/"
- ],
- "payment-method": "Bitcoin",
- "price": "1.33 - 1.34"
+ ]
 },
 "uuid": "ac7affb8-971d-4c05-84f0-172b61d007d7",
 "value": "GoldenEye Ransomware"
@@ -3094,6 +3094,8 @@
 "extensions": [
 ".sage"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.74 (545 $)",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png"
 ],
@@ -3101,9 +3103,7 @@
 "https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/",
 "https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.74 (545 $)"
+ ]
 },
 "uuid": "3e5a475f-7467-49ab-917a-4d1f590ad9b4",
 "value": "Sage Ransomware"
@@ -3116,6 +3116,8 @@
 "extensions": [
 ".VO_"
 ],
+ "payment-method": "Bitcoin",
+ "price": "4(1040 $)",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png"
 ],
@@ -3124,9 +3126,7 @@
 ],
 "synonyms": [
 "VO_ Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "4(1040 $)"
+ ]
 },
 "uuid": "5024f328-2595-4dbd-9007-218147e55d5f",
 "value": "SQ_ Ransomware"
@@ -3147,6 +3147,7 @@
 ".NOBAD",
 ".ITLOCK"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
 "[5 numbers]-MATRIX-README.RTF",
@@ -3184,8 +3185,7 @@
 "synonyms": [
 "Malta Ransomware",
 "Matrix Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544",
 "value": "Matrix"
@@ -3198,13 +3198,13 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "03d92e7b-95ae-4c5b-8b58-daa2fd98f7a1",
 "value": "Satan666 Ransomware"
@@ -3217,6 +3217,8 @@
 "extensions": [
 ".R.i.P"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
 "Important!.txt"
@@ -3224,9 +3226,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
 "https://twitter.com/BleepinComputer/status/804810315456200704"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "5705df4a-42b0-4579-ad9f-8bfa42bae471",
 "value": "RIP (Phoenix) Ransomware"
@@ -3239,6 +3239,7 @@
 "extensions": [
 ".novalid"
 ],
+ "payment-method": "Bitcoin - Link WebSite",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
 "RESTORE_CORUPTED_FILES.HTML"
@@ -3247,8 +3248,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
 "https://twitter.com/struppigel/status/807169774098796544"
- ],
- "payment-method": "Bitcoin - Link WebSite"
+ ]
 },
 "uuid": "777f0b78-e778-435f-b4d5-e40f0b7f54c3",
 "value": "Locked-In Ransomware or NoValid Ransomware"
@@ -3273,14 +3273,14 @@
 "extensions": [
 ".crypter"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "957850f7-081a-4191-9e5e-cf9ff27584ac",
 "value": "RenLocker Ransomware (FAKE)"
@@ -3290,6 +3290,7 @@
 "meta": {
 "date": "November 2016",
 "encryption": "AES",
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png"
 ],
@@ -3297,8 +3298,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html",
 "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html",
 "https://twitter.com/BleepinComputer/status/801486420368093184"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "459ea908-e39e-4274-8866-362281e24911",
 "value": "Thanksgiving Ransomware"
@@ -3311,15 +3311,15 @@
 "extensions": [
 ".hannah"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html",
 "https://twitter.com/jiriatvirlab/status/801910919739674624"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "3a40c5ae-b117-45cd-b674-a7750e3f3082",
 "value": "CockBlocker Ransomware"
@@ -3332,15 +3332,15 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.68096697 (500$)",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html",
 "https://twitter.com/siri_urz/status/801815087082274816"
- ],
- "payment-method": "Bitcoin",
- "price": "0.68096697 (500$)"
+ ]
 },
 "uuid": "e721b7c5-df07-4e26-b375-fc09a4911451",
 "value": "Lomix Ransomware"
@@ -3354,6 +3354,8 @@
 ".locked",
 ".Locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG",
 "HOW TO DECRYPT YOU FILES.txt"
@@ -3362,9 +3364,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html",
 "https://decrypter.emsisoft.com/ozozalocker",
 "https://twitter.com/malwrhunterteam/status/801503401867673603"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "d20b0d12-1a56-4339-b02b-eb3803dc3e6e",
 "value": "OzozaLocker Ransomware"
@@ -3377,6 +3377,7 @@
 "extensions": [
 ".mo0n"
 ],
+ "payment-method": "WebSite link",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg"
 ],
@@ -3386,8 +3387,7 @@
 ],
 "synonyms": [
 "m0on Ransomware"
- ],
- "payment-method": "WebSite link"
+ ]
 },
 "uuid": "5539c8e7-2058-4757-b9e3-71ff7d41db31",
 "value": "Crypute Ransomware"
@@ -3400,6 +3400,8 @@
 "extensions": [
 ".maktub"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0,5 - 1,5",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG",
 "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
@@ -3410,9 +3412,7 @@
 ],
 "synonyms": [
 "Fake Maktub Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0,5 - 1,5"
+ ]
 },
 "uuid": "9490641f-6a51-419c-b3dc-c6fa2bab4ab3",
 "value": "NMoreira Ransomware"
@@ -3425,6 +3425,8 @@
 "extensions": [
 ".vindows"
 ],
+ "payment-method": "Call Number",
+ "price": "349.99$",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png"
 ],
@@ -3434,9 +3436,7 @@
 "https://rol.im/VindowsUnlocker.zip",
 "https://twitter.com/JakubKroustek/status/800729944112427008",
 "https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/"
- ],
- "payment-method": "Call Number",
- "price": "349.99$"
+ ]
 },
 "uuid": "b58e1265-2855-4c8a-ac34-bb1504086084",
 "value": "VindowsLocker Ransomware"
@@ -3449,6 +3449,7 @@
 "extensions": [
 ".ENCRYPTED"
 ],
+ "payment-method": "no ransom",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg",
 "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
@@ -3456,8 +3457,7 @@
 "refs": [
 "http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "96c10791-258f-4b2b-a2cc-b5abddbdb285",
 "value": "Donald Trump 2 Ransomware"
@@ -3467,6 +3467,7 @@
 "meta": {
 "date": "November 2016",
 "encryption": "RSA",
+ "payment-method": "CreditCard",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg"
 ],
@@ -3476,8 +3477,7 @@
 ],
 "synonyms": [
 "Voldemort Ransomware"
- ],
- "payment-method": "CreditCard"
+ ]
 },
 "uuid": "46a35af7-9d05-4de4-a955-41ccf3d3b83b",
 "value": "Nagini Ransomware"
@@ -3491,15 +3491,15 @@
 ".l0cked",
 ".L0cker"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100$",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html",
 "https://twitter.com/JakubKroustek/status/799388289337671680"
- ],
- "payment-method": "Bitcoin",
- "price": "100$"
+ ]
 },
 "uuid": "a8ea7a67-c019-4c6c-8061-8614c47f153e",
 "value": "ShellLocker Ransomware"
@@ -3513,6 +3513,7 @@
 ".CHIP",
 ".DALE"
 ],
+ "payment-method": "Tor WebSite",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG",
 "CHIP_FILES.txt"
@@ -3524,8 +3525,7 @@
 ],
 "synonyms": [
 "ChipLocker Ransomware"
- ],
- "payment-method": "Tor WebSite"
+ ]
 },
 "uuid": "7487fd37-d4ba-4c85-b6f8-8d4d7d5b74d7",
 "value": "Chip Ransomware"
@@ -3558,6 +3558,7 @@
 ".bkpx",
 ".[newsantaclaus@aol.com].santa"
 ],
+ "payment-method": "Bitcoin - Email",
 "ransomnotes": [
 "README.txt",
 "README.jpg",
@@ -3590,8 +3591,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
 "https://www.youtube.com/watch?v=qjoYtwLx2TI",
 "https://twitter.com/GrujaRS/status/1072139616910757888"
- ],
- "payment-method": "Bitcoin - Email"
+ ]
 },
 "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
 "value": "Dharma Ransomware"
@@ -3604,15 +3604,15 @@
 "extensions": [
 ".angelamerkel"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1200€",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/798268218364358656"
- ],
- "payment-method": "Bitcoin",
- "price": "1200€"
+ ]
 },
 "uuid": "a9bb4ae1-b4da-49bb-aeeb-3596cb883860",
 "value": "Angela Merkel Ransomware"
@@ -3625,6 +3625,8 @@
 "extensions": [
 "._luck"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.7 - 2.1",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG",
 "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG",
@@ -3637,9 +3639,7 @@
 ],
 "synonyms": [
 "YafunnLocker"
- ],
- "payment-method": "Bitcoin",
- "price": "0.7 - 2.1"
+ ]
 },
 "uuid": "615b682d-4746-464d-8091-8869d0e6ea2c",
 "value": "CryptoLuck Ransomware"
@@ -3663,6 +3663,8 @@
 ".id-_CarlosBoltehero@india.com_",
 ".id-_maria.lopez1@india.com_"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2 - 2",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png"
 ],
@@ -3675,9 +3677,7 @@
 "synonyms": [
 "Nemesis",
 "X3M"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2 - 2"
+ ]
 },
 "uuid": "117693d2-1551-486e-93e5-981945eecabd",
 "value": "Crypton Ransomware"
@@ -3690,6 +3690,8 @@
 "extensions": [
 ".karma"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png",
 "# DECRYPT MY FILES #.html",
@@ -3699,9 +3701,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "51596eaa-6df7-4aa3-8df4-cec3aeffb1b5",
 "value": "Karma Ransomware"
@@ -3714,14 +3714,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "878c06be-95d7-4a0d-9dba-178ffc1d3e5e",
 "value": "WickedLocker HT Ransomware"
@@ -3734,6 +3734,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.55 - 0.65",
 "ransomnotes": [
 "Your files are locked !.txt",
 "Your files are locked !!.txt",
@@ -3751,9 +3753,7 @@
 "PClock SuppTeam Ransomware",
 "WinPlock",
 "CryptoLocker clone"
- ],
- "payment-method": "Bitcoin",
- "price": "0.55 - 0.65"
+ ]
 },
 "uuid": "6c38f175-b32a-40ef-8cad-33c2c8840d51",
 "value": "PClock3 Ransomware"
@@ -3766,6 +3766,7 @@
 "extensions": [
 ".kolobocheg@aol.com_"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://www.ransomware.wiki/tag/kolobo/"
 ],
@@ -3776,8 +3777,7 @@
 ],
 "synonyms": [
 "Kolobocheg Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "f32f0bec-961b-4c01-9cc1-9cf409efd598",
 "value": "Kolobo Ransomware"
@@ -3790,6 +3790,8 @@
 "extensions": [
 ".cry_"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "100€",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png"
 ],
@@ -3799,9 +3801,7 @@
 ],
 "synonyms": [
 "Paysafecard Generator 2016"
- ],
- "payment-method": "PaySafeCard",
- "price": "100€"
+ ]
 },
 "uuid": "379d5258-6f11-4c41-a685-c2ff555c0cb9",
 "value": "PaySafeGen (German) Ransomware"
@@ -3814,6 +3814,8 @@
 "extensions": [
 ".Xcri"
 ],
+ "payment-method": "Qhvi-wallet / Yandex-wallet",
+ "price": "5000 rubles",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif"
 ],
@@ -3823,9 +3825,7 @@
 "https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
 "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/"
- ],
- "payment-method": "Qhvi-wallet / Yandex-wallet",
- "price": "5000 rubles"
+ ]
 },
 "uuid": "2f362760-925b-4948-aae5-dd0d2fc21002",
 "value": "Telecrypt Ransomware"
@@ -3838,6 +3838,8 @@
 "extensions": [
 ".cerber"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.4",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png"
 ],
@@ -3845,9 +3847,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html",
 "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/",
 "https://twitter.com/struppigel/status/795630452128227333"
- ],
- "payment-method": "Bitcoin",
- "price": "0.4"
+ ]
 },
 "uuid": "28808e63-e71f-4aaa-b203-9310745f87b6",
 "value": "CerberTear Ransomware"
@@ -3860,10 +3860,10 @@
 "extensions": [
 ".dll"
 ],
+ "payment-method": "Bitcoin",
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "81c476c3-3190-440d-be4a-ea875e9415aa",
 "value": "FuckSociety Ransomware"
@@ -3877,6 +3877,8 @@
 ".dng",
 ".serpent"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.33",
 "ransomnotes": [
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
 "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
@@ -3889,9 +3891,7 @@
 ],
 "synonyms": [
 "Serpent Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.33"
+ ]
 },
 "uuid": "4818a48a-dfc2-4f35-a76d-e4fb462d6c94",
 "value": "PayDOS Ransomware"
@@ -3921,6 +3921,8 @@
 "extensions": [
 ".rnsmwr"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.03",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg"
 ],
@@ -3928,9 +3930,7 @@
 "https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html",
 "https://twitter.com/struppigel/status/794444032286060544",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.03"
+ ]
 },
 "uuid": "47512afc-ecf2-4766-8487-8f3bc8dddbf3",
 "value": "Gremit Ransomware"
@@ -3943,13 +3943,13 @@
 "extensions": [
 ".hollycrypt"
 ],
+ "payment-method": "Bitcoin Email",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "b77298c1-3f84-4ffb-a81b-36eab5c10881",
 "value": "Hollycrypt Ransomware"
@@ -3962,6 +3962,7 @@
 "extensions": [
 ".BTC"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG"
 ],
@@ -3970,8 +3971,7 @@
 ],
 "synonyms": [
 "BTC Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "3f461284-85a1-441c-b07d-8b547be43ca2",
 "value": "BTCLocker Ransomware"
@@ -3984,6 +3984,8 @@
 "extensions": [
 ".crypted_file"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
 "filename.Instructions_Data_Recovery.txt"
@@ -3991,9 +3993,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "5ab1449f-7e7d-47e7-924a-8662bc2df805",
 "value": "Kangaroo Ransomware"
@@ -4006,13 +4006,13 @@
 "extensions": [
 ".dCrypt"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "6bf055c6-acb2-4459-92b0-70d61616ab62",
 "value": "DummyEncrypter Ransomware"
@@ -4025,6 +4025,7 @@
 "extensions": [
 ".dCrypt"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS"
 ],
@@ -4034,8 +4035,7 @@
 ],
 "synonyms": [
 "SFX Monster Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "317cab8a-31a1-4a82-876a-94edc7afffba",
 "value": "Encryptss77 Ransomware"
@@ -4048,13 +4048,13 @@
 "extensions": [
 ".ace"
 ],
+ "payment-method": "Website (onion)",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html"
- ],
- "payment-method": "Website (onion)"
+ ]
 },
 "uuid": "7ee22340-ed89-4e22-b085-257bde4c0fc5",
 "value": "WinRarer Ransomware"
@@ -4067,14 +4067,14 @@
 "extensions": [
 ".blackblock"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID ***** Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily."
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "30771cde-2543-4c13-b722-ff940f235b0f",
 "value": "Russian Globe Ransomware"
@@ -4087,14 +4087,14 @@
 "extensions": [
 ".zn2016"
 ],
+ "payment-method": "Bitcoin",
+ "price": "10 (7300 $)",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "10 (7300 $)"
+ ]
 },
 "uuid": "e999ca18-61cb-4419-a2fa-ab8af6ebe8dc",
 "value": "ZeroCrypt Ransomware"
@@ -4111,6 +4111,8 @@
 "!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR",
 "!@#$%^&-()_+.1C"
 ],
+ "payment-method": "Bitcoin",
+ "price": "7 (2000 - 5000 $)",
 "ransomnotes": [
 "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!",
 "INFO.txt",
@@ -4125,9 +4127,7 @@
 "RotorCrypt",
 "RotoCrypt",
 "Tar Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "7 (2000 - 5000 $)"
+ ]
 },
 "uuid": "63991ed9-98dc-4f24-a0a6-ff58e489c263",
 "value": "RotorCrypt(RotoCrypt, Tar) Ransomware"
@@ -4140,14 +4140,14 @@
 "extensions": [
 "ISHTAR-. (prefix)"
 ],
+ "payment-method": "Email - rubles",
+ "price": "15 000",
 "ransomnotes": [
 "FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path)."
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html"
- ],
- "payment-method": "Email - rubles",
- "price": "15 000"
+ ]
 },
 "uuid": "30cad868-b2f1-4551-8f76-d17695c67d52",
 "value": "Ishtar Ransomware"
@@ -4159,6 +4159,8 @@
 "extensions": [
 ".hcked"
 ],
+ "payment-method": "rupies",
+ "price": "3500 - 5000 - 10 000",
 "ransomnotes": [
 "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
 "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
@@ -4167,9 +4169,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
 "https://twitter.com/struppigel/status/791943837874651136"
- ],
- "payment-method": "rupies",
- "price": "3500 - 5000 - 10 000"
+ ]
 },
 "uuid": "07f859cd-9c36-4dae-a6fc-fa4e4aa36176",
 "value": "MasterBuster Ransomware"
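Review bot: The added `"payment-method": "rupies"` in the `@@ -4159,6 +4159,8 @@` hunk (MasterBuster) puts a misspelled currency name in a field that other entries use for the payment channel, and the paired `"price": "3500 - 5000 - 10 000"` carries no unit, so anyone filtering or correlating this cluster by payment method or ransom amount cannot use the entry as written. The Ishtar entry in the `@@ -4140,14 +4140,14 @@` hunk has the same mix (`"Email - rubles"` with `"price": "15 000"`). Since these lines are being moved anyway, a follow-up could put the currency in the price, e.g. `"price": "3500 - 5000 - 10 000 rupees"`, and set `payment-method` to whatever channel the referenced write-up documents. Both `meta` objects start outside their hunks, so other fields may already carry part of this information.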
@@ -4181,6 +4181,8 @@
 "extensions": [
 ".coin"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg"
 ],
@@ -4191,9 +4193,7 @@
 ],
 "synonyms": [
 "Jack.Pot Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "uuid": "04f1772a-053e-4f6e-a9af-3f83ab312633",
 "value": "JackPot Ransomware"
@@ -4205,6 +4205,8 @@
 "extensions": [
 ".Encryption:"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "ransomnotes": [
 "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.",
 "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg"
@@ -4213,9 +4215,7 @@
 "https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html",
 "https://twitter.com/struppigel/status/791557636164558848",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "uuid": "927a4150-9380-4310-9f68-cb06d8debcf2",
 "value": "ONYX Ransomeware"
@@ -4228,6 +4228,8 @@
 "extensions": [
 ".inf643"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1000 $",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG"
 ],
@@ -4235,9 +4237,7 @@
 "https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html",
 "https://twitter.com/struppigel/status/791576159960072192",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "1000 $"
+ ]
 },
 "uuid": "ddeab8b3-5df2-414e-9c6b-06b309e1fcf4",
 "value": "IFN643 Ransomware"
@@ -4250,6 +4250,7 @@
 "extensions": [
 ".Alcatraz"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
 "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
@@ -4259,8 +4260,7 @@
 "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
 "https://twitter.com/PolarToffee/status/792796055020642304"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "2ad63264-8f52-4ab4-ad26-ca8c3bcc066e",
 "value": "Alcatraz Locker Ransomware"
@@ -4273,6 +4273,7 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.",
 "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png"
@@ -4280,8 +4281,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html",
 "https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "ff5a04bb-d412-4cb3-9780-8d3488b7c268",
 "value": "Esmeralda Ransomware"
@@ -4294,14 +4294,14 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.053773",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.053773"
+ ]
 },
 "uuid": "56e49b84-a250-4aaf-9f65-412616709652",
 "value": "EncrypTile Ransomware"
@@ -4314,14 +4314,14 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Game",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html",
 "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
- ],
- "payment-method": "Game"
+ ]
 },
 "uuid": "ca5d0e52-d0e4-4aa9-872a-0669433c0dcc",
 "value": "Fileice Ransomware Survey Ransomware"
@@ -4334,6 +4334,8 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.29499335",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg",
 "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
@@ -4342,9 +4344,7 @@
 "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html",
 "https://twitter.com/struppigel/status/791554654664552448",
 "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.29499335"
+ ]
 },
 "uuid": "4e6e45c2-8e13-49ad-8b27-e5aeb767294a",
 "value": "CryptoWire Ransomeware"
@@ -4358,6 +4358,7 @@
 ".locky",
 "[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
 "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!",
@@ -4371,8 +4372,7 @@
 ],
 "synonyms": [
 "Hungarian Locky Ransomware"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "74f91a93-4f1e-4603-a6f5-aaa40d2dd311",
 "value": "Hucky Ransomware"
@@ -4385,6 +4385,8 @@
 "extensions": [
 ".wnx"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2 - 4",
 "ransomnotes": [
 "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team",
 "YOUR FILES ARE ENCRYPTED!.txt"
@@ -4392,9 +4394,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html",
 "https://twitter.com/PolarToffee/status/811940037638111232"
- ],
- "payment-method": "Bitcoin",
- "price": "2 - 4"
+ ]
 },
 "uuid": "e30e663d-d8c8-44f2-8da7-03b1a9c52376",
 "value": "Winnix Cryptor Ransomware"
@@ -4407,6 +4407,8 @@
 "extensions": [
 ".adk"
 ],
+ "payment-method": "Bitcoin",
+ "price": "10 (7300 $)",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg",
 "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!"
@@ -4414,9 +4416,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html",
 "https://twitter.com/demonslay335/status/790334746488365057"
- ],
- "payment-method": "Bitcoin",
- "price": "10 (7300 $)"
+ ]
 },
 "uuid": "2813a5c7-530b-492f-8d77-fe7b1ed96a65",
 "value": "AngryDuck Ransomware"
@@ -4429,6 +4429,8 @@
 "extensions": [
 ".lock93"
 ],
+ "payment-method": "Email",
+ "price": "1000 rubles",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg",
 "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg"
@@ -4436,9 +4438,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/789882488365678592"
- ],
- "payment-method": "Email",
- "price": "1000 rubles"
+ ]
 },
 "uuid": "2912426d-2a26-4091-a87f-032a6d3d28c1",
 "value": "Lock93 Ransomware"
@@ -4448,6 +4448,8 @@
 "meta": {
 "date": "October 2016",
 "encryption": "AES-512",
+ "payment-method": "Bitcoin",
+ "price": "0.25 - 0.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG",
 "!!!!!readme!!!!!.htm"
@@ -4455,9 +4457,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html",
 "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25 - 0.5"
+ ]
 },
 "uuid": "dd99cc50-91f7-4375-906a-7d09c76ee9f7",
 "value": "ASN1 Encoder Ransomware"
@@ -4470,14 +4470,14 @@
 "extensions": [
 ".hacked"
 ],
+ "payment-method": "Email Bitcoin",
 "ransomnotes": [
 "All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price."
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html",
 "https://www.youtube.com/watch?v=Xe30kV4ip8w"
- ],
- "payment-method": "Email Bitcoin"
+ ]
 },
 "uuid": "97bdadda-e874-46e6-8672-11dbfe3958c4",
 "value": "Click Me Ransomware"
@@ -4490,14 +4490,14 @@
 "extensions": [
 ".hacked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "e7a5c384-a93c-4ed4-8411-ca1e52396256",
 "value": "AiraCrop Ransomware"
@@ -4510,6 +4510,7 @@
 "extensions": [
 "#LOCK#"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg"
 ],
@@ -4523,8 +4524,7 @@
 "SHC Ransomware",
 "SHCLocker",
 "SyNcryption"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "d579e5b6-c6fd-43d9-9213-7591cd324f94",
 "value": "JapanLocker Ransomware"
@@ -4537,6 +4537,8 @@
 "extensions": [
 ".coded"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1 - 2.5 - 3",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg",
 "Decryption Instructions.txt"
@@ -4544,9 +4546,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html",
 "http://nyxbone.com/malware/Anubis.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2.5 - 3"
+ ]
 },
 "uuid": "a6215279-37d8-47f7-9b1b-efae4178c738",
 "value": "Anubis Ransomware"
@@ -4556,14 +4556,14 @@
 "meta": {
 "date": "October 2016",
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "eef4bf49-5b1d-463a-aef9-538c5dc2f71f",
 "value": "XTPLocker 5.0 Ransomware"
@@ -4577,6 +4577,8 @@
 ".exotic",
 "random.exotic"
 ],
+ "payment-method": "Bitcoin",
+ "price": "50 $",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg",
 "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg",
@@ -4587,9 +4589,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
 "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware",
 "https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "50 $"
+ ]
 },
 "uuid": "eb22cb8d-763d-4cac-af35-46dc4f85317b",
 "value": "Exotic Ransomware"
@@ -4602,14 +4602,14 @@
 "extensions": [
 ".dll"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "6ec0f43c-6b73-4f5e-bee7-a231572eb994",
 "value": "APT Ransomware v.2"
@@ -4622,6 +4622,8 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.0523",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png"
 ],
@@ -4632,9 +4634,7 @@
 "synonyms": [
 "WS Go Ransonware",
 "Trojan.Encoder.6491"
- ],
- "payment-method": "Bitcoin",
- "price": "0.0523"
+ ]
 },
 "related": [
 {
@@ -4657,14 +4657,14 @@
 ".NCRYPT",
 ".ncrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "d590865e-f3ae-4381-9d82-3f540f9818cb",
 "value": "NCrypt Ransomware"
@@ -4677,6 +4677,7 @@
 "extensions": [
 ".venis"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg"
 ],
@@ -4684,8 +4685,7 @@
 "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html",
 "https://twitter.com/Antelox/status/785849412635521024",
 "http://pastebin.com/HuK99Xmj"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "b9cfe6f3-5970-4283-baf4-252e0491b91c",
 "value": "Venis Ransomware"
@@ -4698,14 +4698,14 @@
 "extensions": [
 ".1txt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "200 $",
 "ransomnotes": [
 "We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\\Documents and Settings\\Администратор\\Рабочийстол\\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\\DOCUME~1\\9335~1\\LOCALS~1\\Temp\\E_N_I_G_M_A.RSA - The path to the key file in TMP directory"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "200 $"
+ ]
 },
 "uuid": "507506a3-3745-47fd-8d31-ef122317c0c2",
 "value": "Enigma 2 Ransomware"
@@ -4715,6 +4715,8 @@
 "meta": {
 "date": "October 2016",
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "500$",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg"
 ],
@@ -4724,9 +4726,7 @@
 ],
 "synonyms": [
 "Deadly for a Good Purpose Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "500$"
+ ]
 },
 "uuid": "a25e39b0-b601-403c-bba8-2f595e221269",
 "value": "Deadly Ransomware"
@@ -4739,6 +4739,8 @@
 "extensions": [
 ".comrade"
 ],
+ "payment-method": "Bitcoin",
+ "price": "~2",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg",
 "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG",
@@ -4746,9 +4748,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "~2"
+ ]
 },
 "uuid": "db23145a-e15b-4cf7-9d2c-ffa9928750d5",
 "value": "Comrade Circle Ransomware"
@@ -4773,6 +4773,8 @@
 ".openforyou@india.com",
 ".."
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.8 - 1",
 "ransomnotes": [
 "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg"
 ],
@@ -4782,9 +4784,7 @@
 ],
 "synonyms": [
 "Purge Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "0.8 - 1"
+ ]
 },
 "related": [
 {
@@ -4806,6 +4806,8 @@
 "extensions": [
 ".k0stya"
 ],
+ "payment-method": "PaySafe",
+ "price": "300 CZK - 2000 CZK after 12 hours",
 "ransomnotes": [
 "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg",
 "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg"
@@ -4813,9 +4815,7 @@
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html",
 "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/"
- ],
- "payment-method": "PaySafe",
- "price": "300 CZK - 2000 CZK after 12 hours"
+ ]
 },
 "uuid": "7d6f02d2-a626-40f6-81c3-14e3a9a2aea5",
 "value": "Kostya Ransomware"
@@ -4828,14 +4828,14 @@
 "extensions": [
 ".comrade"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.5",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.5"
+ ]
 },
 "uuid": "ed3a4f8a-49de-40c3-9acb-da1b78f89c4f",
 "value": "Fs0ciety Locker Ransomware"
@@ -4848,13 +4848,13 @@
 "extensions": [
 ".ecrypt"
 ],
+ "payment-method": "Tor WebSite",
 "ransomnotes": [
 "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png"
 ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html"
- ],
- "payment-method": "Tor WebSite"
+ ]
 },
 "uuid": "6a77c96b-1814-427f-83ca-fe7e0e40b1c0",
 "value": "Erebus Ransomware"
@@ -4863,6 +4863,8 @@
 "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.",
 "meta": {
 "date": "May 2017",
+ "payment-method": "Bitcoin",
+ "price": "0.1781 (300$ - $600)",
 "refs": [
 "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
 ],
@@ -4872,9 +4874,7 @@
 "WanaCrypt0r",
 "WCrypt",
 "WCRY"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1781 (300$ - $600)"
+ ]
 },
 "related": [
 {
@@ -4895,13 +4895,13 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "YOUR_FILES_ARE_LOCKED.txt"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/CryptoHasYou.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "a0ce5d94-a22a-40db-a09f-a796d0bb4006",
 "value": ".CryptoHasYou."
@@ -4915,6 +4915,8 @@
 "._[timestamp]_$[email]$.777",
 "e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1 (37$)",
 "ransomnotes": [
 "read_this_file.txt"
 ],
@@ -4923,9 +4925,7 @@
 ],
 "synonyms": [
 "Sevleg"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 (37$)"
+ ]
 },
 "uuid": "cd9e9eaa-0895-4d55-964a-b53eacdfd36a",
 "value": "777"
@@ -4937,6 +4937,8 @@
 ".R4A",
 ".R5A"
 ],
+ "payment-method": "Bitcoin",
+ "price": "13 (4980$)",
 "ransomnotes": [
 "FILES_BACK.txt"
 ],
@@ -4947,9 +4949,7 @@
 ],
 "synonyms": [
 "7ev3n-HONE$T"
- ],
- "payment-method": "Bitcoin",
- "price": "13 (4980$)"
+ ]
 },
 "related": [
 {
@@ -4986,13 +4986,13 @@
 "extensions": [
 "._AiraCropEncrypted"
 ],
+ "payment-method": "WebSite (onion) - Email",
 "ransomnotes": [
 "How to decrypt your files.txt"
 ],
 "refs": [
 "https://twitter.com/PolarToffee/status/796079699478900736"
- ],
- "payment-method": "WebSite (onion) - Email"
+ ]
 },
 "uuid": "77919c1f-4ef8-41cd-a635-2d3118ade1f3",
 "value": "AiraCrop"
@@ -5004,13 +5004,13 @@
 ".unavailable",
 ".disappeared"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "Read_Me.Txt"
 ],
 "refs": [
 "https://decrypter.emsisoft.com/al-namrood"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "0040dca4-bf2e-43cb-89ae-ab1b50f1183d",
 "value": "Al-Namrood"
@@ -5021,15 +5021,15 @@
 "extensions": [
 ".bin"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1 (650$)",
 "ransomnotes": [
 "README HOW TO DECRYPT YOUR FILES.HTML"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/",
 "https://news.softpedia.com/news/cerber-devs-create-new-ransomware-called-alfa-506165.shtml"
- ],
- "payment-method": "Bitcoin",
- "price": "1 (650$)"
+ ]
 },
 "uuid": "888abc95-9e01-4cbc-a6e5-058eb9314f51",
 "value": "ALFA Ransomware"
@@ -5042,6 +5042,8 @@
 "random",
 "random(x5)"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Unlock_files_randomx5.html"
 ],
@@ -5049,9 +5051,7 @@
 "https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283",
 "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter",
 "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "76a08868-345f-4566-a403-5f5e575dfee5",
 "value": "Alma Ransomware"
@@ -5063,6 +5063,8 @@
 "extensions": [
 ".encrypt"
 ],
+ "payment-method": "Itunes Gift Cards",
+ "price": "400$",
 "ransomnotes": [
 "Read Me (How Decrypt) !!!!.txt"
 ],
@@ -5073,9 +5075,7 @@
 ],
 "synonyms": [
 "AlphaLocker"
- ],
- "payment-method": "Itunes Gift Cards",
- "price": "400$"
+ ]
 },
 "related": [
 {
@@ -5095,6 +5095,8 @@
 "extensions": [
 ".amba"
 ],
+ "payment-method": "Bitcoin",
+ "price": "Depending on the victim’s situation",
 "ransomnotes": [
 "ПРОЧТИ_МЕНЯ.txt",
 "READ_ME.txt"
@@ -5102,9 +5104,7 @@
 "refs": [
 "https://twitter.com/benkow_/status/747813034006020096",
 "https://www.enigmasoftware.com/ambaransomware-removal/"
- ],
- "payment-method": "Bitcoin",
- "price": "Depending on the victim’s situation"
+ ]
 },
 "uuid": "8dd289d8-71bc-42b0-aafd-540dafa93343",
 "value": "AMBA"
@@ -5115,14 +5115,14 @@
 "extensions": [
 ".AngleWare"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "READ_ME.txt"
 ],
 "refs": [
 "https://twitter.com/BleepinComputer/status/844531418474708993"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "uuid": "e06526ac-0083-44ab-8787-dd7278746bb6",
 "value": "AngleWare"
@@ -5130,13 +5130,13 @@
 {
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "payment-method": "Write a FaceBook message",
 "refs": [
 "https://twitter.com/struppigel/status/842047409446387714"
 ],
 "synonyms": [
 "ngocanh"
- ],
- "payment-method": "Write a FaceBook message"
+ ]
 },
 "uuid": "5b94100d-83bb-4e30-be7a-6015c00356e0",
 "value": "Anony"
@@ -5154,6 +5154,7 @@
 "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
 "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
 ],
+ "payment-method": "Email - WebSite (onion)",
 "ransomnotes": [
 "*.How_To_Decrypt.txt",
 "*.Contact_Here_To_Recover_Your_Files.txt",
@@ -5167,8 +5168,7 @@
 ],
 "synonyms": [
 "Fabiansomeware"
- ],
- "payment-method": "Email - WebSite (onion)"
+ ]
 },
 "related": [
 {
@@ -5196,13 +5196,13 @@
 ".encrypted",
 ".locked"
 ],
+ "payment-method": "Email - WebSite (onion)",
 "ransomnotes": [
 "*.How_To_Get_Back.txt"
 ],
 "refs": [
 "http://decrypter.emsisoft.com/download/apocalypsevm"
- ],
- "payment-method": "Email - WebSite (onion)"
+ ]
 },
 "uuid": "5bc9c3a5-a35f-43aa-a999-fc7cd0685994",
 "value": "ApocalypseVM"
@@ -5213,15 +5213,15 @@
 "extensions": [
 ".locky"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "info.txt",
 "info.html"
 ],
 "refs": [
 "https://decrypter.emsisoft.com/autolocky"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "803fa9e2-8803-409a-b455-3a886c23fae4",
 "value": "AutoLocky"
@@ -5242,6 +5242,8 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "2 (888,4$)",
 "ransomnotes": [
 "Help Decrypt.html"
 ],
@@ -5249,9 +5251,7 @@
 "https://decrypter.emsisoft.com/badblock",
 "http://www.nyxbone.com/malware/BadBlock.html",
 "http://www.nyxbone.com/images/articulos/malware/badblock/5.png"
- ],
- "payment-method": "Bitcoin",
- "price": "2 (888,4$)"
+ ]
 },
 "uuid": "f1a30552-21c1-46be-8b5f-64bd62b03d35",
 "value": "BadBlock"
@@ -5278,6 +5278,7 @@
 ".id-1235240425_help@decryptservice.info",
 ".id-[ID]_[EMAIL_ADDRESS]"
 ],
+ "payment-method": "Email - Telegram",
 "ransomnotes": [
 "HOW TO DECRYPT.txt"
 ],
@@ -5287,8 +5288,7 @@
 ],
 "synonyms": [
 "Rakhni"
- ],
- "payment-method": "Email - Telegram"
+ ]
 },
 "related": [
 {
@@ -5310,6 +5310,8 @@
 ".bart",
 ".perl"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "recover.txt",
 "recover.bmp"
@@ -5321,9 +5323,7 @@
 ],
 "synonyms": [
 "BaCrypt"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "related": [
 {
@@ -5343,12 +5343,12 @@
 "extensions": [
 ".clf"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "https://noransom.kaspersky.com/",
 "https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "b5e9a802-cd17-4cd6-b83d-f36cce009808",
 "value": "BitCryptor"
@@ -5360,12 +5360,12 @@
 "extensions": [
 ".bitstak"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.07867 (40€)",
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip",
 "https://id-ransomware.blogspot.com/2016/07/ransomware-007867.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.07867 (40€)"
+ ]
 },
 "uuid": "33e398fa-2586-415e-9b18-6ea2ea36ff74",
 "value": "BitStak"
@@ -5377,6 +5377,8 @@
 "extensions": [
 ".Silent"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.07 (30$)",
 "ransomnotes": [
 "Hacked_Read_me_to_decrypt_files.html",
 "YourID.txt"
@@ -5387,9 +5389,7 @@
 ],
 "synonyms": [
 "SilentShade"
- ],
- "payment-method": "Bitcoin",
- "price": "0.07 (30$)"
+ ]
 },
 "uuid": "bf065217-e13a-4f6d-a5b2-ba0750b5c312",
 "value": "BlackShades Crypter"
@@ -5401,11 +5401,11 @@
 "extensions": [
 ".blocatto"
 ],
+ "payment-method": "Bitcoin",
+ "price": "5 - 10",
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/"
- ],
- "payment-method": "Bitcoin",
- "price": "5 - 10"
+ ]
 },
 "uuid": "a3e1cfec-aacd-4d84-aa7d-99ed6c17f26d",
 "value": "Blocatto"
@@ -5420,15 +5420,15 @@
 "related": [
 {
 "dest-uuid": "b95aa3fb-9f32-450e-8058-67d94f196913",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar",
+ "payment-method": "Bitcoin",
+ "price": "1-2 / 7 after 1 week",
 "refs": [
 "https://id-ransomware.blogspot.com/2016/05/booyah-ransomware-1-2-btc.html"
 ],
- "payment-method": "Bitcoin",
- "price": "1-2 / 7 after 1 week"
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3",
@@ -5441,15 +5441,15 @@
 "extensions": [
 ".lock"
 ],
+ "payment-method": "Reais",
+ "price": "2000 (543$)",
 "ransomnotes": [
 "MENSAGEM.txt"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/brazilianRansom.html",
 "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png"
- ],
- "payment-method": "Reais",
- "price": "2000 (543$)"
+ ]
 },
 "uuid": "f9cf4f0d-3efc-4d6d-baf2-7dcb96db1279",
 "value": "Brazilian"
@@ -5460,14 +5460,14 @@
 "extensions": [
 ".id-%ID%_garryweber@protonmail.ch"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "HOW_OPEN_FILES.html"
 ],
 "refs": [
 "https://twitter.com/JakubKroustek/status/821831437884211201"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "d2bc5ec4-1dd1-408a-a6f6-621986657dff",
 "value": "Brazilian Globe"
@@ -5476,11 +5476,11 @@
 "description": "Ransomware",
 "meta": {
 "encryption": "AES",
+ "payment-method": "Phone Number",
+ "price": "1000 Rubles (15$)",
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
- ],
- "payment-method": "Phone Number",
- "price": "1000 Rubles (15$)"
+ ]
 },
 "uuid": "889d2296-40d2-49f6-be49-cbdfbcde2246",
 "value": "BrLock"
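Review bot: In the first hunk on this line (old line 5420) the keys `payment-method`, `price` and `refs` sit inside the `related[]` element, next to `dest-uuid`, `tags` and `type`, instead of inside a `meta` object as in every other entry this diff touches; the sort only reshuffles them in place. A consumer that reads `meta.refs` or `meta["payment-method"]` will presumably find nothing for the cluster with uuid `eee75995-321f-477f-8b57-eee4eedf4ba3`, and anything that validates relationship objects gets three unexpected keys. The three keys should move to that cluster's `meta`, leaving the relation with `"dest-uuid"`, `"tags"` and `"type"` only. The hunk starts inside `related`, so whether the entry already has a `meta` block is not visible here.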
@@ -5496,14 +5496,14 @@
 "extensions": [
 ".btcware"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "#_HOW_TO_FIX_!.hta"
 ],
 "refs": [
 "https://twitter.com/malwrhunterteam/status/845199679340011520"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "8d60dec9-d43f-4d52-904f-40fb67e57ef7",
 "value": "BTCWare Related to / new version of CryptXXX"
@@ -5512,12 +5512,12 @@
 "description": "Ransomware no file name change, no extension",
 "meta": {
 "encryption": "GOST",
+ "payment-method": "Bitcoin",
+ "price": "5",
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/",
 "https://id-ransomware.blogspot.com/2016/05/bucbi-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "5"
+ ]
 },
 "uuid": "3510ce65-80e6-4f80-8cde-bb5ad8a271c6",
 "value": "Bucbi"
@@ -5544,6 +5544,8 @@
 "extensions": [
 ".cry"
 ],
+ "payment-method": "Bitcoin",
+ "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours",
 "ransomnotes": [
 "!Recovery_[random_chars].html",
 "!Recovery_[random_chars].txt"
@@ -5551,9 +5553,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/",
 "https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours"
+ ]
 },
 "related": [
 {
@@ -5583,6 +5583,8 @@
 ".cerber2",
 ".cerber3"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.24 / 2.48 after 7 days",
 "ransomnotes": [
 "# DECRYPT MY FILES #.html",
 "# DECRYPT MY FILES #.txt",
@@ -5604,9 +5606,7 @@
 ],
 "synonyms": [
 "CRBR ENCRYPTOR"
- ],
- "payment-method": "Bitcoin",
- "price": "1.24 / 2.48 after 7 days"
+ ]
 },
 "related": [
 {
@@ -5627,6 +5627,8 @@
 ".crypt",
 "4 random characters, e.g., .PzZs, .MKJL"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.939",
 "ransomnotes": [
 "YOUR_FILES_ARE_ENCRYPTED.HTML",
 "YOUR_FILES_ARE_ENCRYPTED.TXT",
@@ -5635,9 +5637,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/",
 "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.939"
+ ]
 },
 "uuid": "27b036f0-afa3-4984-95b3-47fa344b1aa7",
 "value": "Chimera"
@@ -5645,11 +5645,11 @@
 {
 "description": "Ransomware Does not encrypt anything",
 "meta": {
+ "payment-method": "Paypal",
+ "price": "20$",
 "refs": [
 "https://twitter.com/JakubKroustek/status/794956809866018816"
- ],
- "payment-method": "Paypal",
- "price": "20$"
+ ]
 },
 "uuid": "af3b3bbb-b54d-49d0-8e58-e9c56762a96b",
 "value": "Clock"
@@ -5660,15 +5660,15 @@
 "extensions": [
 ".clf"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "wallpaper.jpg"
 ],
 "refs": [
 "https://noransom.kaspersky.com/",
 "https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "15941fb1-08f0-4276-a61f-e2a306d6c6b5",
 "value": "CoinVault"
@@ -5682,6 +5682,8 @@
 ".enigma",
 ".czvxce"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "!!!-WARNING-!!!.html",
 "!!!-WARNING-!!!.txt"
@@ -5689,9 +5691,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/",
 "https://id-ransomware.blogspot.com/2016/04/coverton-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "36450e8c-ff66-4ecf-9c0f-fbfb27a72d63",
 "value": "Coverton"
@@ -5730,6 +5730,8 @@
 ".cripttt",
 ".aga"
 ],
+ "payment-method": "Email",
+ "price": "100$",
 "ransomnotes": [
 "http://virusinfo.info/showthread.php?t=185396"
 ],
@@ -5737,9 +5739,7 @@
 "SHTODELATVAM.txt",
 "Instructionaga.txt",
 "https://id-ransomware.blogspot.com/2016/06/cryfile-ransomware-100.html"
- ],
- "payment-method": "Email",
- "price": "100$"
+ ]
 },
 "uuid": "0d46e21d-8f1c-4355-8205-185fb7e041a7",
 "value": "CryFile"
@@ -5750,6 +5750,8 @@
 "extensions": [
 ".cry"
 ],
+ "payment-method": "Bitcoin",
+ "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours",
 "ransomnotes": [
 "!Recovery_[random_chars].html",
 "!Recovery_[random_chars].txt"
@@ -5762,9 +5764,7 @@
 "Cry",
 "CSTO",
 "Central Security Treatment Organization"
- ],
- "payment-method": "Bitcoin",
- "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours"
+ ]
 },
 "related": [
 {
@@ -5789,6 +5789,8 @@
 "description": "Ransomware CryptXXX clone/spinoff",
 "meta": {
 "encryption": "AES-256",
+ "payment-method": "Bitcoin",
+ "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours",
 "ransomnotes": [
 "README.TXT",
 "README.HTML",
@@ -5797,9 +5799,7 @@
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/",
 "https://id-ransomware.blogspot.com/2016/07/crypmic-ransomware-aes-256.html"
- ],
- "payment-method": "Bitcoin",
- "price": "Variable / 0.3 - 1.2 / Double after 4 days and 4 hours"
+ ]
 },
 "uuid": "82cb7a40-0a78-4414-9afd-028d6b3082ea",
 "value": "CrypMIC"
@@ -5810,6 +5810,8 @@
 "extensions": [
 ".ENCRYPTED"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1 (45$)",
 "ransomnotes": [
 "READ_THIS_TO_DECRYPT.html"
 ],
@@ -5817,9 +5819,7 @@
 "https://github.com/pekeinfo/DecryptCrypren",
 "http://www.nyxbone.com/malware/Crypren.html",
 "http://www.nyxbone.com/images/articulos/malware/crypren/0.png"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 (45$)"
+ ]
 },
 "uuid": "a9f05b4e-6b03-4211-a2bd-6b4432eb3388",
 "value": "Crypren"
@@ -5831,13 +5831,13 @@
 "extensions": [
 ".crypt38"
 ],
+ "payment-method": "Rubles",
+ "price": "1000 (15$)",
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip",
 "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption",
 "https://id-ransomware.blogspot.com/2016/06/regist-crypt38-ransomware-aes-1000-15.html"
- ],
- "payment-method": "Rubles",
- "price": "1000 (15$)"
+ ]
 },
 "uuid": "12a96f43-8a8c-410e-aaa3-ba6735276555",
 "value": "Crypt38"
@@ -5845,11 +5845,11 @@
 {
 "description": "Ransomware Does not actually encrypt the files, but simply renames them",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "https://twitter.com/jiriatvirlab/status/802554159564062722"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "37edc8d7-c939-4a33-9ed5-dafbbc1e5b1e",
 "value": "Crypter"
@@ -5862,12 +5862,12 @@
 ".scl",
 "id[_ID]email_xerx@usa.com.scl"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1.5",
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered",
 "https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1.5"
+ ]
 },
 "uuid": "5b0dd136-6428-48c8-b2a6-8e926a82dfac",
 "value": "CryptFIle2"
@@ -5878,12 +5878,12 @@
 "extensions": [
 ".crinf"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1.5",
 "refs": [
 "https://decrypter.emsisoft.com/",
 "https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1.5"
+ ]
 },
 "uuid": "2b0d60c3-6560-49ac-baf0-5f642e8a77de",
 "value": "CryptInfinite"
@@ -5892,6 +5892,8 @@
 "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.",
 "meta": {
 "encryption": "AES + RSA",
+ "payment-method": "Bitcoin",
+ "price": "1 - 2",
 "ransomnotes": [
 "OKSOWATHAPPENDTOYOURFILES.TXT"
 ],
@@ -5899,9 +5901,7 @@
 "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/",
 "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml",
 "https://id-ransomware.blogspot.com/2016/04/cryptobit-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2"
+ ]
 },
 "related": [
 {
@@ -5918,6 +5918,8 @@
 {
 "description": "Ransomware no extension change",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.9 (500$) - 1.9 (1000$) after 4 days",
 "ransomnotes": [
 "HOW_DECRYPT.TXT",
 "HOW_DECRYPT.HTML",
@@ -5926,9 +5928,7 @@
 "refs": [
 "https://decrypter.emsisoft.com/",
 "https://id-ransomware.blogspot.com/2016/04/cryptodefense-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.9 (500$) - 1.9 (1000$) after 4 days"
+ ]
 },
 "uuid": "ad9eeff2-91b4-440a-ae74-ab84d3e2075e",
 "value": "CryptoDefense"
@@ -5936,6 +5936,8 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "refs": [
 "http://blog.talosintel.com/2016/07/ranscam.html",
 "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/",
@@ -5943,9 +5945,7 @@
 ],
 "synonyms": [
 "Ranscam"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "related": [
 {
@@ -5966,14 +5966,14 @@
 "extensions": [
 ".frtrss"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "READ IF YOU WANT YOUR FILES BACK.html"
 ],
 "refs": [
 "https://id-ransomware.blogspot.com/2016/05/cryptofortress-ransomware-aes-256-1.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -6018,6 +6018,8 @@
 "description": "Ransomware RAR's victim's files has a GUI",
 "meta": {
 "encryption": "AES-256 (RAR implementation)",
+ "payment-method": "Bitcoin",
+ "price": "0.33",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/",
 "https://id-ransomware.blogspot.com/2016/04/cryptohost-ransomware.html"
@@ -6026,9 +6028,7 @@
 "Manamecrypt",
 "Telograph",
 "ROI Locker"
- ],
- "payment-method": "Bitcoin",
- "price": "0.33"
+ ]
 },
 "related": [
 {
@@ -6049,6 +6049,8 @@
 "extensions": [
 ".crjoker"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100€",
 "ransomnotes": [
 "README!!!.txt",
 "GetYouFiles.txt",
@@ -6056,9 +6058,7 @@
 ],
 "refs": [
 "https://id-ransomware.blogspot.com/2017/07/cryptojoker-2017-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "100€"
+ ]
 },
 "related": [
 {
@@ -6099,10 +6099,10 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Email",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/839747940122001408"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "8d5e3b1f-e333-4eed-8dec-d74f19d6bcbb",
 "value": "CryptoLocker 1.0.0"
@@ -6110,11 +6110,11 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "250€",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/782890104947867649"
- ],
- "payment-method": "Bitcoin",
- "price": "250€"
+ ]
 },
 "uuid": "e1412d2a-2a94-4c83-aed0-9e09523514a4",
 "value": "CryptoLocker 5.1"
@@ -6145,6 +6145,8 @@
 ".BACKUP",
 "[16 uppercase hex].SYS"
 ],
+ "payment-method": "Bitcoin",
+ "price": "5",
 "ransomnotes": [
 "HELP_YOUR_FILES.html (CryptXXX)",
 "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
@@ -6181,9 +6183,7 @@
 ],
 "synonyms": [
 "Zeta"
- ],
- "payment-method": "Bitcoin",
- "price": "5"
+ ]
 },
 "related": [
 {
@@ -6200,11 +6200,11 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "Some Bitcoins",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/817672617658347521"
- ],
- "payment-method": "Bitcoin",
- "price": "Some Bitcoins"
+ ]
 },
 "related": [
 {
@@ -6225,15 +6225,15 @@
 "extensions": [
 ".crptrgr"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 (360$)",
 "ransomnotes": [
 "!Where_are_my_files!.html"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/",
 "https://id-ransomware.blogspot.com/2016/06/cryptoroger-aes-256-0.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 (360$)"
+ ]
 },
 "uuid": "b6fe71ba-b0f4-4cc4-b84c-d3d80a37eada",
 "value": "CryptoRoger"
@@ -6261,15 +6261,15 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "200$",
 "ransomnotes": [
 "ATTENTION.url"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/",
 "https://id-ransomware.blogspot.com/2016/06/cryptoshocker-ransomware-aes-200.html"
- ],
- "payment-method": "Bitcoin",
- "price": "200$"
+ ]
 },
 "uuid": "545b4b25-763a-4a5c-8dda-12142c00422c",
 "value": "CryptoShocker"
@@ -6280,6 +6280,8 @@
 "extensions": [
 ".CryptoTorLocker2015!"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 (100$)",
 "ransomnotes": [
 "HOW TO DECRYPT FILES.txt",
 "%Temp%\\.bmp"
@@ -6287,9 +6289,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/",
 "https://id-ransomware.blogspot.com/2016/04/cryptotorlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 (100$)"
+ ]
 },
 "uuid": "06ec3640-4b93-4e79-a8ec-e24b3d349dd5",
 "value": "CryptoTorLocker2015"
@@ -6308,14 +6308,14 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.09 (500$)",
 "ransomnotes": [
 "DECRYPT_INSTRUCTION.HTM",
 "DECRYPT_INSTRUCTION.TXT",
 "DECRYPT_INSTRUCTION.URL",
 "INSTALL_TOR.URL"
- ],
- "payment-method": "Bitcoin",
- "price": "1.09 (500$)"
+ ]
 },
 "uuid": "5559fbc1-52c6-469c-be97-8f8344765577",
 "value": "CryptoWall 1"
@@ -6323,14 +6323,14 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.09 (500$)",
 "ransomnotes": [
 "HELP_DECRYPT.TXT",
 "HELP_DECRYPT.PNG",
 "HELP_DECRYPT.URL",
 "HELP_DECRYPT.HTML"
- ],
- "payment-method": "Bitcoin",
- "price": "1.09 (500$)"
+ ]
 },
 "uuid": "f2780d22-4410-4a2f-a1c3-f43807ed1f19",
 "value": "CryptoWall 2"
@@ -6338,6 +6338,8 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.09 (500$)",
 "ransomnotes": [
 "HELP_DECRYPT.TXT",
 "HELP_DECRYPT.PNG",
@@ -6347,9 +6349,7 @@
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/",
 "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/"
- ],
- "payment-method": "Bitcoin",
- "price": "1.09 (500$)"
+ ]
 },
 "uuid": "9d35fe47-5f8c-494c-a74f-23a7ac7f44be",
 "value": "CryptoWall 3"
@@ -6360,12 +6360,12 @@
 "extensions": [
 "., e.g. ,27p9k967z.x1nep"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.09 (500$)",
 "ransomnotes": [
 "HELP_YOUR_FILES.HTML",
 "HELP_YOUR_FILES.PNG"
- ],
- "payment-method": "Bitcoin",
- "price": "1.09 (500$)"
+ ]
 },
 "uuid": "f7c04ce6-dd30-4a94-acd4-9a3125bcb12e",
 "value": "CryptoWall 4"
@@ -6376,6 +6376,8 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2 (500$) - 2.4",
 "ransomnotes": [
 "de_crypt_readme.bmp, .txt, .html"
 ],
@@ -6386,9 +6388,7 @@
 ],
 "synonyms": [
 "CryptProjectXXX"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2 (500$) - 2.4"
+ ]
 },
 "related": [
 {
@@ -6408,6 +6408,8 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2 (500$) - 2.4",
 "ransomnotes": [
 ".txt, .html, .bmp"
 ],
@@ -6419,9 +6421,7 @@
 ],
 "synonyms": [
 "CryptProjectXXX"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2 (500$) - 2.4"
+ ]
 },
 "related": [
 {
@@ -6445,6 +6445,8 @@
 ".cryptz",
 "random"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2 (500$) - 2.4",
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
 "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/",
@@ -6454,9 +6456,7 @@
 "synonyms": [
 "UltraDeCrypter",
 "UltraCrypter"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2 (500$) - 2.4"
+ ]
 },
 "uuid": "60a50fe5-53ea-43f0-8a17-e7134f5fc371",
 "value": "CryptXXX 3.0"
@@ -6467,13 +6467,13 @@
 "extensions": [
 ".cryp1"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2 (500$) - 2.4",
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547",
 "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100",
 "https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2 (500$) - 2.4"
+ ]
 },
 "uuid": "3f5a76ea-6b83-443e-b26f-b2b2d02d90e0",
 "value": "CryptXXX 3.1"
@@ -6485,14 +6485,14 @@
 "extensions": [
 ".cry"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "README_FOR_DECRYPT.txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/",
 "https://id-ransomware.blogspot.com/2016/09/crypy-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "0b0f5f33-1871-461d-8e7e-b5e0ebc82311",
 "value": "CryPy"
@@ -6505,6 +6505,8 @@
 ".ctbl",
 ".([a-z]{6,7})"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.08686 (50$)",
 "ransomnotes": [
 "AllFilesAreLocked .bmp",
 "DecryptAllFiles .txt",
@@ -6515,9 +6517,7 @@
 ],
 "synonyms": [
 "Citroni"
- ],
- "payment-method": "Bitcoin",
- "price": "0.08686 (50$)"
+ ]
 },
 "uuid": "6212bf8f-07db-490a-8cef-ac42042076c1",
 "value": "CTB-Faker"
@@ -6525,13 +6525,13 @@
 {
 "description": "Ransomware websites only",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.4 - 0.8",
 "refs": [
 "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/",
 "https://github.com/eyecatchup/Critroni-php",
 "https://id-ransomware.blogspot.com/2016/06/ctb-locker-for-websites-04.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.4 - 0.8"
+ ]
 },
 "uuid": "555b2c6f-0848-4ac1-9443-e4c20814459a",
 "value": "CTB-Locker WEB"
@@ -6544,6 +6544,8 @@
 ".已加密",
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "你的檔案被我們加密啦!!!.txt",
 "Your files encrypted by our friends !!! txt"
@@ -6554,9 +6556,7 @@
 ],
 "synonyms": [
 "my-Little-Ransomware"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "1a369bbf-6f03-454c-b507-15abe2a8bbb4",
 "value": "CuteRansomware"
@@ -6564,6 +6564,8 @@
 {
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "https://twitter.com/struppigel/status/778871886616862720",
 "https://twitter.com/struppigel/status/806758133720698881",
@@ -6571,9 +6573,7 @@
 ],
 "synonyms": [
 "CyberSplitter"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -6593,14 +6593,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.5",
 "ransomnotes": [
 "READ_IT.txt"
 ],
 "refs": [
 "https://twitter.com/JaromirHorejsi/status/815555258478981121"
- ],
- "payment-method": "Bitcoin",
- "price": "1.5"
+ ]
 },
 "uuid": "0f074c07-613d-43cb-bd5f-37c747d39fe2",
 "value": "Death Bitches"
@@ -6625,13 +6625,13 @@
 "extensions": [
 ".ded"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/",
 "http://www.nyxbone.com/malware/DEDCryptor.html",
 "https://id-ransomware.blogspot.com/2016/06/dedcryptor-ransomware-aes-256rsa-2.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "496b6c3c-771a-46cd-8e41-ce7c4168ae20",
 "value": "DEDCryptor"
@@ -6642,15 +6642,15 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "HELP_YOUR_FILES.txt"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/798573300779745281",
 "https://id-ransomware.blogspot.com/2017/10/cryptodemo-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "b314d86f-92bb-4be3-b32a-19d6f8eb55d4",
 "value": "Demo"
@@ -6659,12 +6659,12 @@
 "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte",
 "meta": {
 "encryption": "AES",
+ "payment-method": "Bitcoin",
+ "price": "2 - 3",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/",
 "https://id-ransomware.blogspot.com/2016/08/detoxcrypto-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2 - 3"
+ ]
 },
 "uuid": "be094d75-eba8-4ff3-91f1-f8cde687e5ed",
 "value": "DetoxCrypto"
@@ -6672,14 +6672,14 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.05",
 "ransomnotes": [
 "Digisom Readme0.txt (0 to 9)"
 ],
 "refs": [
 "https://twitter.com/PolarToffee/status/829727052316160000"
- ],
- "payment-method": "Bitcoin",
- "price": "0.05"
+ ]
 },
 "uuid": "c5b2a0bc-352f-481f-8c35-d378754793c0",
 "value": "Digisom"
@@ -6687,11 +6687,11 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "No ransom",
 "refs": [
 "https://twitter.com/demonslay335/status/752586334527709184",
 "https://id-ransomware.blogspot.com/2016/07/revoyem-dirtydecrypt-ransomware-doc.html"
- ],
- "payment-method": "No ransom"
+ ]
 },
 "uuid": "5ad8a530-3ab9-48b1-9a75-e1e97b3f77ec",
 "value": "DirtyDecrypt"
@@ -6700,6 +6700,8 @@
 "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0",
 "meta": {
 "encryption": "AES-256 in ECB mode, Version 2-4 also RSA",
+ "payment-method": "Bitcoin",
+ "price": "1 - 2 - 4",
 "ransomnotes": [
 "cryptinfo.txt",
 "decrypting.txt",
@@ -6711,9 +6713,7 @@
 "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
 "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
 "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2 - 4"
+ ]
 },
 "uuid": "407ebc7c-5b05-488f-862f-b2bf6c562372",
 "value": "DMALocker"
@@ -6722,12 +6722,12 @@
 "description": "Ransomware",
 "meta": {
 "encryption": "AES-256 + XPTLOCK5.0",
+ "payment-method": "Bitcoin",
+ "price": "1 - 2 (440$)",
 "refs": [
 "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
 "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2 (440$)"
+ ]
 },
 "uuid": "ba39be57-c138-48d5-b46b-d996ff899ffa",
 "value": "DMALocker 3.0"
@@ -6738,11 +6738,11 @@
 "extensions": [
 ".fucked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 (864$)",
 "refs": [
 "https://twitter.com/BleepinComputer/status/822500056511213568"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 (864$)"
+ ]
 },
 "uuid": "45cae006-5d14-4c95-bb5b-dcf5555d7c78",
 "value": "DNRansomware"
@@ -6754,6 +6754,8 @@
 "extensions": [
 ".domino"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "README_TO_RECURE_YOUR_FILES.txt"
 ],
@@ -6761,9 +6763,7 @@
 "http://www.nyxbone.com/malware/Domino.html",
 "http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/",
 "https://id-ransomware.blogspot.com/2016/08/domino-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "7cb20800-2033-49a4-bdf8-a7da5a24f7f1",
 "value": "Domino"
@@ -6776,6 +6776,8 @@
 ".id-7ES642406.cry",
 ".Do_not_change_the_filename"
 ],
+ "payment-method": "Email",
+ "price": "250$",
 "ransomnotes": [
 "HOW TO DECODE FILES!!!.txt",
 "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt"
@@ -6783,9 +6785,7 @@
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/",
 "https://id-ransomware.blogspot.com/2017/03/donotchange-ransomware.html"
- ],
- "payment-method": "Email",
- "price": "250$"
+ ]
 },
 "uuid": "2e6f4fa6-5fdf-4d69-b764-063d88ba1dd0",
 "value": "DoNotChange"
@@ -6809,6 +6809,7 @@
 "extensions": [
 ".dxxd"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "ReadMe.TxT"
 ],
@@ -6816,8 +6817,7 @@
 "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/",
 "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/",
 "https://id-ransomware.blogspot.com/2016/09/dxxd-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "57108b9e-5af8-4797-9924-e424cb5e9903",
 "value": "DXXD"
@@ -6829,6 +6829,7 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Download Decrypter",
 "refs": [
 "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html",
 "https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html"
@@ -6837,8 +6838,7 @@
 "Cryptear",
 "EDA2",
 "Hidden Tear"
- ],
- "payment-method": "Download Decrypter"
+ ]
 },
 "related": [
 {
@@ -6866,6 +6866,7 @@
 ".isis",
 ".locked"
 ],
+ "payment-method": "Download Decryter",
 "ransomnotes": [
 "README.txt"
 ],
@@ -6876,8 +6877,7 @@
 ],
 "synonyms": [
 "EduCrypter"
- ],
- "payment-method": "Download Decryter"
+ ]
 },
 "uuid": "826a341a-c329-4e1e-bc9f-5d44c8317557",
 "value": "EduCrypt"
@@ -6888,12 +6888,12 @@
 "extensions": [
 ".crypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.25 (320$)",
 "refs": [
 "https://twitter.com/BroadAnalysis/status/845688819533930497",
 "https://twitter.com/malwrhunterteam/status/845652520202616832"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25 (320$)"
+ ]
 },
 "uuid": "0a24ea0d-3f8a-428a-8b77-ef5281c1ee05",
 "value": "EiTest"
@@ -6904,6 +6904,8 @@
 "extensions": [
 ".ha3"
 ],
+ "payment-method": "Email",
+ "price": "450$ - 1000$",
 "ransomnotes": [
 "qwer.html",
 "qwer2.html",
@@ -6914,9 +6916,7 @@
 ],
 "synonyms": [
 "Los Pollos Hermanos"
- ],
- "payment-method": "Email",
- "price": "450$ - 1000$"
+ ]
 },
 "uuid": "63d9cb32-a1b9-46c3-818a-df16d8b9e46a",
 "value": "El-Polocker"
@@ -6953,14 +6953,14 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "How to recover.enc"
 ],
 "refs": [
 "https://id-ransomware.blogspot.com/2016/11/encryptojjs-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "3e5deef2-bace-40bc-beb1-5d9009233667",
 "value": "encryptoJJS"
@@ -6973,6 +6973,7 @@
 ".enigma",
 ".1txt"
 ],
+ "payment-method": "WebSite (onion)",
 "ransomnotes": [
 "enigma.hta",
 "enigma_encr.txt",
@@ -6981,8 +6982,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/",
 "https://id-ransomware.blogspot.com/2016/05/enigma-ransomware-aes-128-0.html"
- ],
- "payment-method": "WebSite (onion)"
+ ]
 },
 "uuid": "1b24d240-df72-4388-946b-efa07a9447bb",
 "value": "Enigma"
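Review bot: The `payment-method` line added in the EduCrypt hunk (`@@ -6866,6 +6866,7 @@`) still carries the misspelled value `"Download Decryter"`, while the hunk at `@@ -6829,6 +6829,7 @@` uses `"Download Decrypter"` for the same thing; since the line is being rewritten anyway, it could read `"payment-method": "Download Decrypter",`. The same drift shows in `"No Ransom - No Descrypter"` (`@@ -7216,6 +7216,7 @@`) against `"No ransom"` (`@@ -6687,11 +6687,11 @@`), and in the three spellings `"WebSite (onion)"`, `"Link (onion)"` and `"Website onion"`. Anything that filters or correlates clusters on this field presumably compares exact strings, so each variant ends up as its own category; normalising the values would be a follow-up separate from this key reordering.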
@@ -6990,10 +6990,10 @@
 {
 "description": "Ransomware Based on RemindMe",
 "meta": {
+ "payment-method": "Bitcoin - Email",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/839022018230112256"
- ],
- "payment-method": "Bitcoin - Email"
+ ]
 },
 "uuid": "198891fb-26a4-455a-9719-4130bedba103",
 "value": "Enjey"
@@ -7001,11 +7001,11 @@
 {
 "description": "Ransomware Target Linux O.S.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "2",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "6771b42f-1d95-4b2e-bbb5-9ab703bbaa9d",
 "value": "Fairware"
@@ -7016,15 +7016,15 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.50520802",
 "ransomnotes": [
 "READ ME FOR DECRYPT.txt"
 ],
 "refs": [
 "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code",
 "https://id-ransomware.blogspot.com/2016/07/fakben-team-ransomware-aes-256-1505.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.50520802"
+ ]
 },
 "uuid": "c308346a-2746-4900-8149-464a09086b55",
 "value": "Fakben"
@@ -7035,11 +7035,11 @@
 "extensions": [
 ".cryptolocker"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://twitter.com/PolarToffee/status/812312402779836416"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "abddc01f-7d76-47d4-985d-ea6d16acccb1",
 "value": "FakeCryptoLocker"
@@ -7052,6 +7052,7 @@
 ".fantom",
 ".comrade"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "DECRYPT_YOUR_FILES.HTML",
 "RESTORE-FILES![id]"
@@ -7061,8 +7062,7 @@
 ],
 "synonyms": [
 "Comrad Circle"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "35be87a5-b498-4693-8b8d-8b17864ac088",
 "value": "Fantom"
@@ -7073,6 +7073,7 @@
 "extensions": [
 ".FenixIloveyou!!"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "Help to decrypt.txt"
 ],
@@ -7080,8 +7081,7 @@
 "https://decrypter.emsisoft.com/fenixlocker",
 "https://twitter.com/fwosar/status/777197255057084416",
 "https://id-ransomware.blogspot.com/2016/09/fenixlocker-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "f9f54046-ed5d-4353-8b81-d92b51f596b4",
 "value": "FenixLocker"
@@ -7089,12 +7089,12 @@
 {
 "description": "Ransomware RaaS",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "https://twitter.com/rommeljoven17/status/846973265650335744",
 "https://id-ransomware.blogspot.com/2017/03/filefrozr-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "2a50f476-7355-4d58-b0ce-4235b2546c90",
 "value": "FILE FROZR"
@@ -7105,11 +7105,11 @@
 "extensions": [
 ".ENCR"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.09 (100$ with discount price) - 150$",
 "refs": [
 "https://twitter.com/jiriatvirlab/status/836616468775251968"
- ],
- "payment-method": "Bitcoin",
- "price": "0.09 (100$ with discount price) - 150$"
+ ]
 },
 "uuid": "b92bc550-7edb-4f8f-96fc-cf47d437df32",
 "value": "FileLocker"
@@ -7121,15 +7121,15 @@
 "extensions": [
 ".firecrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500$",
 "ransomnotes": [
 "[random_chars]-READ_ME.html"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/",
 "https://id-ransomware.blogspot.com/2017/01/bleedgreen-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "500$"
+ ]
 },
 "related": [
 {
@@ -7149,12 +7149,12 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/773771485643149312",
 "https://id-ransomware.blogspot.com/2016/09/flyper-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "1a110f7e-8820-4a9a-86c0-db4056f0b911",
 "value": "Flyper"
@@ -7162,11 +7162,11 @@
 {
 "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents",
 "meta": {
+ "payment-method": "Email",
 "ransomnotes": [
 "help-file-decrypt.enc",
 "/pronk.txt"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "3d75cb84-2f14-408d-95bd-f1316bf854e6",
 "value": "Fonco"
@@ -7187,15 +7187,15 @@
 "extensions": [
 ".madebyadam"
 ],
+ "payment-method": "Playstore Card (Gift)",
+ "price": "25£ or 30$",
 "refs": [
 "https://twitter.com/BleepinComputer/status/812135608374226944",
 "https://id-ransomware.blogspot.com/2016/12/roga-ransomware.html"
 ],
 "synonyms": [
 "Roga"
- ],
- "payment-method": "Playstore Card (Gift)",
- "price": "25£ or 30$"
+ ]
 },
 "related": [
 {
@@ -7216,6 +7216,7 @@
 ".fs0ciety",
 ".dll"
 ],
+ "payment-method": "No Ransom - No Descrypter",
 "ransomnotes": [
 "fs0ciety.html",
 "DECRYPT_YOUR_FILES.HTML"
@@ -7225,8 +7226,7 @@
 "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
 "https://twitter.com/siri_urz/status/795969998707720193",
 "https://id-ransomware.blogspot.com/2016/08/fsociety-ransomware.html"
- ],
- "payment-method": "No Ransom - No Descrypter"
+ ]
 },
 "uuid": "d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f",
 "value": "FSociety"
@@ -7248,13 +7248,13 @@
 "extensions": [
 ".Z81928819"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip",
 "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/",
 "https://id-ransomware.blogspot.com/2016/05/ghostcrypt-ransomware-aes-256-2-bitcoins.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "3b681f76-b0e4-4ba7-a113-5dd87d6ee53b",
 "value": "GhostCrypt"
@@ -7262,10 +7262,10 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Email",
 "refs": [
 "https://twitter.com/ni_fi_70/status/796353782699425792"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "c6419971-47f8-4c80-a685-77292ff30fa7",
 "value": "Gingerbread"
@@ -7277,6 +7277,8 @@
 "extensions": [
 ".purge"
 ],
+ "payment-method": "Bitcoin",
+ "price": "250$",
 "ransomnotes": [
 "How to restore files.hta"
 ],
@@ -7287,9 +7289,7 @@
 ],
 "synonyms": [
 "Purge"
- ],
- "payment-method": "Bitcoin",
- "price": "250$"
+ ]
 },
 "uuid": "b247b6e5-f51b-4bb5-8f5a-1628843abe99",
 "value": "Globe v1"
@@ -7302,15 +7302,15 @@
 ".locked",
 ".locked, e.g., bill.!ID!8MMnF!ID!.locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5(190 - 250 $)",
 "ransomnotes": [
 "UNLOCK_FILES_INSTRUCTIONS.html and .txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/",
 "http://id-ransomware.blogspot.ru/2016/05/gnl-locker-ransomware-gnl-locker-ip.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5(190 - 250 $)"
+ ]
 },
 "related": [
 {
@@ -7338,11 +7338,11 @@
 ".crypt",
 "!___[EMAILADDRESS]_.crypt"
 ],
+ "payment-method": "Email",
 "refs": [
 "https://decrypter.emsisoft.com/",
 "http://id-ransomware.blogspot.com/2016/05/gomasom-ransonware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "70b85861-f419-4ad5-9aa6-254db292e043",
 "value": "Gomasom"
@@ -7350,14 +7350,14 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "500 $",
 "ransomnotes": [
 "Your files have been crypted.html"
 ],
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
- ],
- "payment-method": "Bitcoin",
- "price": "500 $"
+ ]
 },
 "uuid": "3229a370-7a09-4b93-ad89-9555a847b1dd",
 "value": "Goopic"
@@ -7377,12 +7377,12 @@
 ".locked",
 ".Locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.33 - 0.5",
 "refs": [
 "https://twitter.com/demonslay335/status/806878803507101696",
 "http://id-ransomware.blogspot.com/2016/12/hackedlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.33 - 0.5"
+ ]
 },
 "uuid": "7f2df0cd-5962-4687-90a2-a49eab2b12bc",
 "value": "Hacked"
@@ -7391,12 +7391,12 @@
 "description": "Ransomware",
 "meta": {
 "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4",
+ "payment-method": "MoneyPak",
+ "price": "0.5",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/847114064224497666",
 "http://id-ransomware.blogspot.com/2017/03/happydayzz-blackjocker-ransomware.html"
- ],
- "payment-method": "MoneyPak",
- "price": "0.5"
+ ]
 },
 "uuid": "e71c76f3-8274-4ec5-ac11-ac8b8286d069",
 "value": "HappyDayzz"
@@ -7407,11 +7407,11 @@
 "extensions": [
 ".html"
 ],
+ "payment-method": "MoneyPak",
+ "price": "100 $",
 "refs": [
 "https://decrypter.emsisoft.com/"
- ],
- "payment-method": "MoneyPak",
- "price": "100 $"
+ ]
 },
 "uuid": "5cadd11c-002a-4062-bafd-aadb7d740f59",
 "value": "Harasom"
@@ -7420,6 +7420,7 @@
 "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
 "meta": {
 "encryption": "Custom (net shares), XTS-AES (disk)",
+ "payment-method": "Email",
 "refs": [
 "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
 "blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/",
@@ -7427,8 +7428,7 @@
 ],
 "synonyms": [
 "Mamba"
- ],
- "payment-method": "Email"
+ ]
 },
 "related": [
 {
@@ -7446,11 +7446,11 @@
 "description": "Ransomware File marker: \"Heimdall---\"",
 "meta": {
 "encryption": "AES-128-CBC",
+ "payment-method": "Bitcoin",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/",
 "https://id-ransomware.blogspot.com/2016/11/heimdall-ransomware.html"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "c6d6ddf0-2afa-4cca-8982-ba2a7c0441ae",
 "value": "Heimdall"
@@ -7461,14 +7461,14 @@
 "extensions": [
 ".XXX"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "help_dcfile.txt"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/09/helpdcfile-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "2fdc6daa-6b6b-41b9-9a25-1030101478c3",
 "value": "Help_dcfile"
@@ -7480,12 +7480,12 @@
 "extensions": [
 ".herbst"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "refs": [
 "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware",
 "https://id-ransomware.blogspot.com/2016/06/herbst-autumn-ransomware-aes-256-01.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "related": [
 {
@@ -7506,12 +7506,12 @@
 "extensions": [
 ".cry"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.77756467",
 "refs": [
 "http://www.nyxbone.com/malware/hibuddy.html",
 "http://id-ransomware.blogspot.ru/2016/05/hi-buddy-ransomware-aes-256-0.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.77756467"
+ ]
 },
 "uuid": "a0d6563d-1e98-4e49-9151-39fbeb09ef76",
 "value": "Hi Buddy!"
@@ -7522,13 +7522,13 @@
 "extensions": [
 "removes extensions"
 ],
+ "payment-method": "Vodafone card",
+ "price": "25 €",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/",
 "https://twitter.com/jiriatvirlab/status/825310545800740864",
 "http://id-ransomware.blogspot.com/2016/08/hitler-ransomware.html"
- ],
- "payment-method": "Vodafone card",
- "price": "25 €"
+ ]
 },
 "uuid": "8807752b-bd26-45a7-ba34-c8ddd8e5781d",
 "value": "Hitler"
@@ -7540,11 +7540,11 @@
 "extensions": [
 "(encrypted)"
 ],
+ "payment-method": "Link (onion)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/",
 "https://id-ransomware.blogspot.com/2016/07/holycrypt-ransomware.html"
- ],
- "payment-method": "Link (onion)"
+ ]
 },
 "related": [
 {
@@ -7561,11 +7561,11 @@
 {
 "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "vary",
 "refs": [
 "https://twitter.com/BleepinComputer/status/803288396814839808"
- ],
- "payment-method": "Bitcoin",
- "price": "vary"
+ ]
 },
 "uuid": "728aecfc-9b99-478f-a0a3-8c0fb6896353",
 "value": "HTCryptor"
@@ -7576,6 +7576,8 @@
 "extensions": [
 "hydracrypt_ID_[\\w]{8}"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "README_DECRYPT_HYRDA_ID_[ID number].txt"
 ],
@@ -7583,9 +7585,7 @@
 "https://decrypter.emsisoft.com/",
 "http://www.malware-traffic-analysis.net/2016/02/03/index2.html",
 "https://id-ransomware.blogspot.com/2016/06/hydracrypt-ransomware-aes-256-cbc-rsa.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "335c3ab6-8f2c-458c-92a3-2f3a09a6064c",
 "value": "HydraCrypt"
@@ -7596,10 +7596,10 @@
 "extensions": [
 ".crime"
 ],
+ "payment-method": "Website onion",
 "refs": [
 "https://twitter.com/BleepinComputer/status/817085367144873985"
- ],
- "payment-method": "Website onion"
+ ]
 },
 "uuid": "68e90fa4-ea66-4159-b454-5f48fdae3d89",
 "value": "iLock"
@@ -7622,14 +7622,14 @@
 "extensions": [
 "<6 random characters>"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "ransomnotes": [
 "%Temp%\\.bmp"
 ],
 "refs": [
 "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "uuid": "a66fbb1e-ba59-48c1-aac8-8678b4a98dc1",
 "value": "International Police Association"
@@ -7640,12 +7640,12 @@
 "extensions": [
 ".Locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.15",
 "refs": [
 "https://twitter.com/demonslay335/status/796134264744083460",
 "http://id-ransomware.blogspot.com/2016/11/iransom-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.15"
+ ]
 },
 "uuid": "4514ecd4-850d-446f-82cb-0668d2c94ffa",
 "value": "iRansom"
@@ -7656,14 +7656,14 @@
 "extensions": [
 "!ENC"
 ],
+ "payment-method": "Bitcoin",
+ "price": "50 $",
 "ransomnotes": [
 "Important_Read_Me.html"
 ],
 "refs": [
 "https://twitter.com/JakubKroustek/status/757873976047697920"
- ],
- "payment-method": "Bitcoin",
- "price": "50 $"
+ ]
 },
 "uuid": "25a086aa-e25c-4190-a848-69d9f46fd8ab",
 "value": "JagerDecryptor"
@@ -7672,6 +7672,8 @@
 "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
 "meta": {
 "encryption": "RC6 (files), RSA 2048 (RC6 key)",
+ "payment-method": "Bitcoin",
+ "price": "0.046627",
 "ransomnotes": [
 "readme_liesmich_encryptor_raas.txt"
 ],
@@ -7682,9 +7684,7 @@
 "synonyms": [
 "Encryptor RaaS",
 "Sarento"
- ],
- "payment-method": "Bitcoin",
- "price": "0.046627"
+ ]
 },
 "uuid": "50014fe7-5efd-4639-82ef-30d36f4d2918",
 "value": "Jeiphoos"
@@ -7695,12 +7695,12 @@
 "extensions": [
 ".killedXXX"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "0.1",
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip",
 "https://twitter.com/BleepinComputer/status/822509105487245317"
- ],
- "payment-method": "PaySafeCard",
- "price": "0.1"
+ ]
 },
 "uuid": "fedd7285-d4bd-4411-985e-087954cee96d",
 "value": "Jhon Woddy"
@@ -7730,6 +7730,8 @@
 ".nemo-hacks.at.sigaint.org",
 ".LolSec"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "0.4 (150 $)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/",
 "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/",
@@ -7738,9 +7740,7 @@
 ],
 "synonyms": [
 "CryptoHitMan"
- ],
- "payment-method": "PaySafeCard",
- "price": "0.4 (150 $)"
+ ]
 },
 "related": [
 {
@@ -7762,6 +7762,8 @@
 ".locked",
 ".css"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "300 €",
 "ransomnotes": [
 "Comment débloquer mes fichiers.txt",
 "Readme.txt"
@@ -7771,9 +7773,7 @@
 "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
 "https://twitter.com/malwrhunterteam/status/828914052973858816",
 "http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html"
- ],
- "payment-method": "PaySafeCard",
- "price": "300 €"
+ ]
 },
 "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a",
 "value": "Job Crypter"
@@ -7781,10 +7781,10 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Email",
 "refs": [
 "http://id-ransomware.blogspot.com/2016/04/johnycryptor-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "5af5be3e-549f-4485-8c2e-1459d4e5c7d7",
 "value": "JohnyCryptor"
@@ -7792,15 +7792,15 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "rubles",
+ "price": "6 000",
 "ransomnotes": [
 "How Decrypt Files.txt"
 ],
 "refs": [
 "https://safezone.cc/resources/kawaii-decryptor.195/",
 "http://id-ransomware.blogspot.com/2016/09/kawaiilocker-ransomware.html"
- ],
- "payment-method": "rubles",
- "price": "6 000"
+ ]
 },
 "uuid": "b6d0ea4d-4e55-4b42-9d60-485d605d6c49",
 "value": "KawaiiLocker"
@@ -7812,13 +7812,13 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "http://news.drweb.com/show/?i=9877&lng=en&c=5",
 "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/",
 "https://id-ransomware.blogspot.com/2016/03/keranger-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -7838,6 +7838,7 @@
 "extensions": [
 "keybtc@inbox_com"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "DECRYPT_YOUR_FILES.txt",
 "READ.txt",
@@ -7845,8 +7846,7 @@
 ],
 "refs": [
 "https://decrypter.emsisoft.com/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "3964e617-dde5-4c95-b4a0-e7c19c6e7d7f",
 "value": "KeyBTC"
@@ -7854,6 +7854,8 @@
 {
 "description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.5 (500 $)",
 "ransomnotes": [
 "how_decrypt.gif",
 "how_decrypt.html"
@@ -7861,9 +7863,7 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml",
 "https://id-ransomware.blogspot.com/2016/06/keyholder-ransomware-xor-cfb-cipher.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.5 (500 $)"
+ ]
 },
 "uuid": "66eda328-9408-4e98-ad27-572fd6b2acd8",
 "value": "KEYHolder"
@@ -7874,11 +7874,11 @@
 "extensions": [
 ".rip"
 ],
+ "payment-method": "Bitcoin",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/782232299840634881",
 "http://id-ransomware.blogspot.com/2016/10/killerlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "ea8e7350-f243-4ef7-bc31-4648df8a4d96",
 "value": "KillerLocker"
@@ -7891,13 +7891,13 @@
 ".kimcilware",
 ".locked"
 ],
+ "payment-method": "Dollars",
+ "price": "140 - 415",
 "refs": [
 "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it",
 "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/",
 "http://id-ransomware.blogspot.com/2016/04/kimcilware-ransomware.html"
- ],
- "payment-method": "Dollars",
- "price": "140 - 415"
+ ]
 },
 "uuid": "950e2514-8a7e-4fdb-a3ad-5679f6342e5d",
 "value": "KimcilWare"
@@ -7909,15 +7909,15 @@
 "extensions": [
 ".암호화됨"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "ReadMe.txt"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/koreanRansom.html",
 "http://id-ransomware.blogspot.com/2016/08/korean-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "4febffe0-3837-41d7-b95f-e26d126275e4",
 "value": "Korean"
@@ -7930,6 +7930,7 @@
 ".31392E30362E32303136_[ID-KEY]_LSBJ1",
 ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "w.jpg"
 ],
@@ -7940,8 +7941,7 @@
 ],
 "synonyms": [
 "QC"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "47b5d261-11bd-4c7b-91f9-e5651578026a",
 "value": "Kozy.Jozy"
@@ -7952,15 +7952,15 @@
 "extensions": [
 ".kratos"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.03",
 "ransomnotes": [
 "README_ALL.html"
 ],
 "refs": [
 "https://twitter.com/demonslay335/status/746090483722686465",
 "https://id-ransomware.blogspot.com/2016/06/kratoscrypt-ransomware-aes-256-0.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.03"
+ ]
 },
 "uuid": "cc819741-830b-4859-bb7c-ccedf3356acd",
 "value": "KratosCrypt"
@@ -7969,13 +7969,13 @@
 "description": "Ransomware Based on HiddenTear",
 "meta": {
 "encryption": "AES-256",
+ "payment-method": "ransom",
 "ransomnotes": [
 "KryptoLocker_README.txt"
 ],
 "refs": [
 "https://id-ransomware.blogspot.com/2016/07/kryptolocker-ransomware-aes-256.html"
- ],
- "payment-method": "ransom"
+ ]
 },
 "uuid": "e68d4f37-704a-4f8e-9718-b12039fbe424",
 "value": "KryptoLocker"
@@ -7983,15 +7983,15 @@
 {
 "description": "Ransomware Variant of open-source MyLittleRansomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "@__help__@"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/847689644854595584",
 "http://id-ransomware.blogspot.com/2017/03/lanran-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "9e152871-fb16-475d-bf3b-f3b870d0237a",
 "value": "LanRan"
@@ -8002,6 +8002,7 @@
 "extensions": [
 ".LeChiffre"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "How to decrypt LeChiffre files.html"
 ],
@@ -8009,8 +8010,7 @@
 "https://decrypter.emsisoft.com/lechiffre",
 "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/",
 "http://id-ransomware.blogspot.com/2016/05/lechiffre-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "ea1ba874-07e6-4a6d-82f0-e4ce4210e34e",
 "value": "LeChiffre"
@@ -8021,15 +8021,15 @@
 "extensions": [
 ".Licked"
 ],
+ "payment-method": "Monero",
+ "price": "50 - 500",
 "ransomnotes": [
 "RANSOM_NOTE.txt"
 ],
 "refs": [
 "https://twitter.com/JakubKroustek/status/842404866614038529",
 "https://www.2-spyware.com/remove-lick-ransomware-virus.html"
- ],
- "payment-method": "Monero",
- "price": "50 - 500"
+ ]
 },
 "uuid": "f2e76070-0cea-4c9c-8d6b-1d847e777575",
 "value": "Lick"
@@ -8037,14 +8037,14 @@
 {
 "description": "Ransomware Linux Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1 (450 $)",
 "refs": [
 "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
 ],
 "synonyms": [
 "Linux.Encoder.{0,3}"
- ],
- "payment-method": "Bitcoin",
- "price": "1 (450 $)"
+ ]
 },
 "uuid": "b4992483-a693-4e73-b39e-0f45c9f645b5",
 "value": "Linux.Encoder"
@@ -8052,12 +8052,12 @@
 {
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/845183290873044994",
 "http://id-ransomware.blogspot.com/2017/03/lk-encryption-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "af52badb-3211-42b0-a1ac-e4d35d5829d7",
 "value": "LK Encryption"
@@ -8070,15 +8070,15 @@
 ".ENCRYPTED_BY_LLTP",
 ".ENCRYPTED_BY_LLTPp"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2 (200 $)",
 "ransomnotes": [
 "LEAME.txt"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/",
 "http://id-ransomware.blogspot.com/2017/03/lltp-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2 (200 $)"
+ ]
 },
 "uuid": "0cec6928-80c7-4085-ba47-cdc52177dfd3",
 "value": "LLTP Locker"
@@ -8086,12 +8086,12 @@
 {
 "description": "Ransomware has GUI",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545",
 "https://id-ransomware.blogspot.com/2016/04/locker-ransomware-2015.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "abc7883c-244a-44ac-9c86-559dafa4eb63",
 "value": "Locker"
@@ -8103,14 +8103,14 @@
 "extensions": [
 ".locklock"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "READ_ME.TXT"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/",
 "https://id-ransomware.blogspot.com/2016/09/locklock-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "7850bf92-394b-443b-8830-12f9ddbb50dc",
 "value": "LockLock"
@@ -8138,6 +8138,8 @@
 "([A-F0-9]{32}).osiris",
 ".lukitus"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3 - 5 - 7",
 "ransomnotes": [
 "_Locky_recover_instructions.txt",
 "_Locky_recover_instructions.bmp",
@@ -8157,9 +8159,7 @@
 "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/",
 "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/",
 "https://id-ransomware.blogspot.com/2016/02/locky.html"
- ],
- "payment-method": "Bitcoin",
- "price": "3 - 5 - 7"
+ ]
 },
 "related": [
 {
@@ -8179,11 +8179,11 @@
 "extensions": [
 ".crime"
 ],
+ "payment-method": "Dollars",
+ "price": "5",
 "refs": [
 "https://id-ransomware.blogspot.com/2016/06/lortok-ransomware-aes-256-5.html"
- ],
- "payment-method": "Dollars",
- "price": "5"
+ ]
 },
 "uuid": "bc23872a-7cd3-4a66-9d25-6b4e6f90cc4e",
 "value": "Lortok"
@@ -8194,11 +8194,11 @@
 "extensions": [
 "oor."
 ],
+ "payment-method": "Bitcoin",
+ "price": "4",
 "refs": [
 "http://id-ransomware.blogspot.com/2016/04/lowlevel04-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "4"
+ ]
 },
 "uuid": "d4fb0463-6cd1-45ac-a7d2-6eea8be39590",
 "value": "LowLevel04"
@@ -8206,12 +8206,12 @@
 {
 "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "refs": [
 "https://twitter.com/jiriatvirlab/status/808015275367002113",
 "http://id-ransomware.blogspot.com/2016/12/m4n1f3sto-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "f5d19af8-1c85-408b-818e-db50208d62b1",
 "value": "M4N1F3STO"
@@ -8219,10 +8219,10 @@
 {
 "description": "Ransomware OS X ransomware (PoC)",
 "meta": {
+ "payment-method": "Bitcoin",
 "refs": [
 "https://www.youtube.com/watch?v=9nJv_PN2m1Y"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "f9214319-6ad4-4c4e-bc6d-fb710f61da48",
 "value": "Mabouia"
@@ -8230,11 +8230,11 @@
 {
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "http://id-ransomware.blogspot.com/2017/03/macandchess-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "fae8bf6e-47d1-4449-a1c6-761a4970fc38",
 "value": "MacAndChess"
@@ -8246,15 +8246,15 @@
 "extensions": [
 ".magic"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1 - 2",
 "ransomnotes": [
 "DECRYPT_ReadMe1.TXT",
 "DECRYPT_ReadMe.TXT"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/04/magic-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2"
+ ]
 },
 "uuid": "31fa83fc-8247-4347-940a-e463acd66bac",
 "value": "Magic"
@@ -8266,15 +8266,15 @@
 "extensions": [
 "[a-z]{4,6}"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.4 - 3.9",
 "ransomnotes": [
 "_DECRYPT_INFO_[extension pattern].html"
 ],
 "refs": [
 "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/",
 "http://id-ransomware.blogspot.com/2016/04/maktub-locker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.4 - 3.9"
+ ]
 },
 "uuid": "ef6ceb04-243e-4783-b476-8e8e9f06e8a7",
 "value": "MaktubLocker"
@@ -8286,6 +8286,8 @@
 ".a19",
 ".ap19"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.7 - 1.1",
 "ransomnotes": [
 "!!! Readme For Decrypt !!!.txt",
 "ReadMeFilesDecrypt!!!.txt"
@@ -8294,9 +8296,7 @@
 "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/",
 "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker",
 "http://id-ransomware.blogspot.com/2016/09/jokefrommars-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.7 - 1.1"
+ ]
 },
 "uuid": "933bd53f-5ccf-4262-a70c-c01a6f05af3e",
 "value": "MarsJoke"
@@ -8304,11 +8304,11 @@
 {
 "description": "Ransomware Targeting French victims",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "refs": [
 "https://twitter.com/siri_urz/status/840913419024945152"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "ce5a82ef-d2a3-405c-ac08-3dca71057eb5",
 "value": "Meister"
@@ -8316,6 +8316,7 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Email",
 "ransomnotes": [
 "where_are_your_files.txt",
 "readme_your_files_have_been_encrypted.txt"
@@ -8323,8 +8324,7 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/844614889620561924",
 "http://id-ransomware.blogspot.com/2017/03/meteoritan-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "34f292d9-cb68-4bcf-a3db-a717362aca77",
 "value": "Meteoritan"
@@ -8336,6 +8336,8 @@
 "extensions": [
 "Lock."
 ],
+ "payment-method": "Bitcoin",
+ "price": "48.48",
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/",
 "https://www.avast.com/ransomware-decryption-tools#!",
@@ -8345,9 +8347,7 @@
 ],
 "synonyms": [
 "Crypt888"
- ],
- "payment-method": "Bitcoin",
- "price": "48.48"
+ ]
 },
 "uuid": "7dd326a5-1168-4309-98b1-f2146d9cf8c7",
 "value": "MIRCOP"
@@ -8360,13 +8360,13 @@
 ".fucked",
 ".fuck"
 ],
+ "payment-method": "Bitcoin - Email",
 "ransomnotes": [
 "READ_IT.txt"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/05/mireware-ransomware.html"
- ],
- "payment-method": "Bitcoin - Email"
+ ]
 },
 "uuid": "9f01ded7-99f6-4863-b3a3-9d32aabf96c3",
 "value": "MireWare"
@@ -8377,6 +8377,8 @@
 "extensions": [
 ".([a-zA-Z0-9]{4})"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.9338",
 "ransomnotes": [
 "YOUR_FILES_ARE_ENCRYPTED.HTML",
 "YOUR_FILES_ARE_ENCRYPTED.TXT "
@@ -8387,9 +8389,7 @@
 ],
 "synonyms": [
 "\"Petya's little brother\""
- ],
- "payment-method": "Bitcoin",
- "price": "1.9338"
+ ]
 },
 "uuid": "a029df89-2bb1-409d-878b-a67572217a65",
 "value": "Mischa"
@@ -8401,6 +8401,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.011 (400 $)",
 "ransomnotes": [
 "READ_IT.txt"
 ],
@@ -8410,9 +8412,7 @@
 ],
 "synonyms": [
 "Booyah"
- ],
- "payment-method": "Bitcoin",
- "price": "1.011 (400 $)"
+ ]
 },
 "related": [
 {
@@ -8433,6 +8433,8 @@
 ".KEYZ",
 ".KEYH0LES"
 ],
+ "payment-method": "Bitcoin",
+ "price": "4",
 "ransomnotes": [
 "4-14-2016-INFECTION.TXT",
 "IMPORTANT.README"
@@ -8446,9 +8448,7 @@
 "synonyms": [
 "Yakes",
 "CryptoBit"
- ],
- "payment-method": "Bitcoin",
- "price": "4"
+ ]
 },
 "related": [
 {
@@ -8465,11 +8465,11 @@
 {
 "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.15 - 0.2",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/844826339186135040"
- ],
- "payment-method": "Bitcoin",
- "price": "0.15 - 0.2"
+ ]
 },
 "uuid": "2702fb96-8118-4519-bd75-23eed40f25e9",
 "value": "Monument"
@@ -8480,12 +8480,12 @@
 "extensions": [
 ".кибер разветвитель"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "refs": [
 "https://twitter.com/JakubKroustek/status/815961663644008448",
 "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "8ec55495-fb31-49c7-a720-40250b5e085f",
 "value": "N-Splitter"
@@ -8493,6 +8493,8 @@
 {
 "description": "Ransomware Filemaker: \"333333333333\"",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.5",
 "ransomnotes": [
 "decrypt explanations.html"
 ],
@@ -8500,9 +8502,7 @@
 "https://twitter.com/demonslay335/status/790608484303712256",
 "https://twitter.com/demonslay335/status/831891344897482754",
 "http://id-ransomware.blogspot.com/2016/09/n1n1n1-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.5"
+ ]
 },
 "uuid": "a439b37b-e123-4b1d-9400-94aca70b223a",
 "value": "n1n1n1"
@@ -8511,15 +8511,15 @@
 "description": "Ransomware no extension change, has a GUI",
 "meta": {
 "encryption": "AES-256 + RSA",
+ "payment-method": "Bitcoin",
+ "price": "0.1 (43 $)",
 "ransomnotes": [
 "ATTENTION.RTF"
 ],
 "refs": [
 "http://github.com/Cyberclues/nanolocker-decryptor",
 "https://id-ransomware.blogspot.com/2016/06/nanolocker-ransomware-aes-256-rsa-01.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1 (43 $)"
+ ]
 },
 "related": [
 {
@@ -8540,6 +8540,8 @@
 "extensions": [
 ".crypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.39983 - 4",
 "ransomnotes": [
 "Decrypted.txt"
 ],
@@ -8549,9 +8551,7 @@
 "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/",
 "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/",
 "http://id-ransomware.blogspot.com/2016/04/nemucod-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.39983 - 4"
+ ]
 },
 "uuid": "f1ee9ae8-b798-4e6f-8f98-874395d0fa18",
 "value": "Nemucod"
@@ -8562,15 +8562,15 @@
 "extensions": [
 "AES-256"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.18 (100 $)",
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/",
 "https://id-ransomware.blogspot.com/2017/01/netflix-ransomware.html"
 ],
 "synonyms": [
 "RANSOM_NETIX.A"
- ],
- "payment-method": "Bitcoin",
- "price": "0.18 (100 $)"
+ ]
 },
 "uuid": "5d3ec71e-9e0f-498a-aa33-0433799e80b4",
 "value": "Netix"
@@ -8578,6 +8578,8 @@
 {
 "description": "Ransomware Does not encrypt the files / Files are destroyed",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "!_RECOVERY_HELP_!.txt",
 "HELP_ME_PLEASE.txt"
@@ -8585,9 +8587,7 @@
 "refs": [
 "https://twitter.com/demonslay335/status/839221457360195589",
 "http://id-ransomware.blogspot.com/2017/03/nhtnwcuf-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "1d8e8ca3-da2a-494c-9db3-5b1b6277c363",
 "value": "Nhtnwcuf"
@@ -8600,6 +8600,8 @@
 ".maktub",
 ".__AiraCropEncrypted!"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1.5",
 "ransomnotes": [
 "Recupere seus arquivos. Leia-me!.txt"
 ],
@@ -8611,9 +8613,7 @@
 "synonyms": [
 "XRatTeam",
 "XPan"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1.5"
+ ]
 },
 "uuid": "51f00a39-f4b9-4ed2-ba0d-258c6bf3f71a",
 "value": "NMoreira"
@@ -8621,13 +8621,13 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "250 NZD (299 $)",
 "refs": [
 "https://twitter.com/JakubKroustek/status/757267550346641408",
 "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/",
 "https://id-ransomware.blogspot.com/2016/07/noobcrypt-ransomare-250-nzd.html"
- ],
- "payment-method": "Bitcoin",
- "price": "250 NZD (299 $)"
+ ]
 },
 "uuid": "aeb76911-ed45-4bf2-9a60-e023386e02a4",
 "value": "NoobCrypt"
@@ -8639,14 +8639,14 @@
 "extensions": [
 ".nuclear55"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "!!_RECOVERY_instructions_!!.html",
 "!!_RECOVERY_instructions_!!.txt"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/10/nuke-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "e0bcb7d2-6032-43a0-b490-c07430d8a598",
 "value": "Nuke"
@@ -8657,13 +8657,13 @@
 "extensions": [
 "_nullbyte"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "refs": [
 "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip",
 "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/",
 "http://id-ransomware.blogspot.com/2016/08/nullbyte-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "uuid": "460b700b-5d03-43f9-99e7-916ff180a036",
 "value": "Nullbyte"
@@ -8676,6 +8676,8 @@
 ".odcodc",
 "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "HOW_TO_RESTORE_FILES.txt"
 ],
@@ -8685,9 +8687,7 @@
 "https://twitter.com/PolarToffee/status/813762510302183424",
 "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png",
 "http://id-ransomware.blogspot.com/2016/05/odcodc-ransomware-rsa-2048.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "f90724e4-c148-4479-ae1a-109498b4688f",
 "value": "ODCODC"
@@ -8699,6 +8699,7 @@
 ".cbf",
 "email-[params].cbf"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "desk.bmp",
 "desk.jpg"
@@ -8710,8 +8711,7 @@
 "synonyms": [
 "Vipasana",
 "Cryakl"
- ],
- "payment-method": "Email"
+ ]
 },
 "related": [
 {
@@ -8739,14 +8739,14 @@
 ".LOL!",
 ".OMG!"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "ransomnotes": [
 "how to get data.txt"
 ],
 "synonyms": [
 "GPCode"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "related": [
 {
@@ -8766,11 +8766,11 @@
 "extensions": [
 ".EXE"
 ],
+ "payment-method": "Bitcoin",
+ "price": "250 $",
 "refs": [
 "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/"
- ],
- "payment-method": "Bitcoin",
- "price": "250 $"
+ ]
 },
 "uuid": "e5800883-c663-4eb0-b05e-6034df5bc6e0",
 "value": "Operation Global III"
@@ -8782,6 +8782,8 @@
 "dummy_file.encrypted",
 "dummy_file.encrypted.[extension]"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.29499335",
 "ransomnotes": [
 "log.txt"
 ],
@@ -8791,9 +8793,7 @@
 ],
 "synonyms": [
 "CryptoWire"
- ],
- "payment-method": "Bitcoin",
- "price": "0.29499335"
+ ]
 },
 "related": [
 {
@@ -8813,6 +8813,8 @@
 "extensions": [
 ".padcrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.8",
 "ransomnotes": [
 "IMPORTANT READ ME.txt",
 "File Decrypt Help.html"
@@ -8821,9 +8823,7 @@
 "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
 "https://twitter.com/malwrhunterteam/status/798141978810732544",
 "http://id-ransomware.blogspot.com/2016/04/padcrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.8"
+ ]
 },
 "related": [
 {
@@ -8840,10 +8840,10 @@
 {
 "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R",
 "meta": {
+ "payment-method": "no ransom",
 "refs": [
 "https://twitter.com/BleepinComputer/status/811635075158839296"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "8f41c9ce-9bd4-4bbd-96d7-c965d1621be7",
 "value": "Padlock Screenlocker"
@@ -8854,15 +8854,15 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.25",
 "ransomnotes": [
 "README!.txt"
 ],
 "refs": [
 "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/",
 "https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25"
+ ]
 },
 "related": [
 {
@@ -8887,6 +8887,7 @@
 "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
 "meta": {
 "encryption": "Modified Salsa20",
+ "payment-method": "Bitcoin - Website (onion)",
 "ransomnotes": [
 "YOUR_FILES_ARE_ENCRYPTED.TXT"
 ],
@@ -8898,8 +8899,7 @@
 ],
 "synonyms": [
 "Goldeneye"
- ],
- "payment-method": "Bitcoin - Website (onion)"
+ ]
 },
 "related": [
 {
@@ -8921,13 +8921,13 @@
 ".locked",
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "refs": [
 "https://decrypter.emsisoft.com/philadelphia",
 "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
 "http://id-ransomware.blogspot.ru/2016/09/philadelphia-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "6fd25982-9cf8-4379-a126-433c91aaadf2",
 "value": "Philadelphia"
@@ -8938,11 +8938,11 @@
 "extensions": [
 ".id-[victim_id]-maestro@pizzacrypts.info"
 ],
+ "payment-method": "Email",
 "refs": [
 "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip",
 "https://id-ransomware.blogspot.com/2016/07/pizzacrypts-ransomware-1.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "2482122b-1df6-488e-8867-215b165a4f66",
 "value": "PizzaCrypts"
@@ -8954,12 +8954,12 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin - Email",
 "refs": [
 "http://www.nyxbone.com/malware/pokemonGO.html",
 "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/",
 "https://id-ransomware.blogspot.com/2016/08/pokemongo-ransomware-aes-256.html"
- ],
- "payment-method": "Bitcoin - Email"
+ ]
 },
 "uuid": "8b151275-d4c4-438a-9d06-92da2835586d",
 "value": "PokemonGO"
@@ -8968,11 +8968,11 @@
 "description": "Ransomware Immitates CTB-Locker",
 "meta": {
 "encryption": "AES-256",
+ "payment-method": "Website (onion)",
 "refs": [
 "https://support.kaspersky.com/8547",
 "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
- ],
- "payment-method": "Website (onion)"
+ ]
 },
 "related": [
 {
@@ -8993,6 +8993,8 @@
 "extensions": [
 ".locky"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500 $",
 "refs": [
 "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py",
 "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip",
@@ -9002,9 +9004,7 @@
 ],
 "synonyms": [
 "PoshCoder"
- ],
- "payment-method": "Bitcoin",
- "price": "500 $"
+ ]
 },
 "related": [
 {
@@ -9022,10 +9022,10 @@
 "description": "Ransomware no decryption possible, throws key away, destroys the files",
 "meta": {
 "encryption": "AES",
+ "payment-method": "Website (onion)",
 "ransomnotes": [
 "DECRYPT_INSTRUCTION.html"
- ],
- "payment-method": "Website (onion)"
+ ]
 },
 "uuid": "b54d59d7-b604-4b01-8002-5a2930732ca6",
 "value": "PowerWorm"
@@ -9036,6 +9036,8 @@
 "extensions": [
 "[a-z]{4,6},[0-9]"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3 (1 800 $)",
 "ransomnotes": [
 "!_HOW_TO_RESTORE_[extension].TXT",
 "!_HOW_TO_RESTORE_[extension].html",
@@ -9048,9 +9050,7 @@
 "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
 "http://id-ransomware.blogspot.com/2016/09/princess-locker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "3 (1 800 $)"
+ ]
 },
 "uuid": "7c8ff7e5-2cad-48e8-92e8-4c8226933cbc",
 "value": "Princess Locker"
@@ -9058,11 +9058,11 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "MoneyPak",
+ "price": "300 $",
 "refs": [
 "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/"
- ],
- "payment-method": "MoneyPak",
- "price": "300 $"
+ ]
 },
 "uuid": "c0ebfb75-254d-4d85-9d02-a7af8e655068",
 "value": "PRISM"
@@ -9070,10 +9070,10 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
 "refs": [
 "https://twitter.com/jiriatvirlab/status/803297700175286273"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "1da6653c-8657-4cdc-9eaf-0df9d2ebbf10",
 "value": "Ps2exe"
@@ -9081,15 +9081,15 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1 - 2",
 "ransomnotes": [
 "Ransomware.txt"
 ],
 "refs": [
 "https://twitter.com/malwrhunterteam/status/846705481741733892",
 "http://id-ransomware.blogspot.com/2017/03/r-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 2"
+ ]
 },
 "uuid": "f7cd8956-2825-4104-94b1-e9589ab1089a",
 "value": "R"
@@ -9100,6 +9100,8 @@
 "extensions": [
 ".crypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "DECRYPTION INSTRUCTIONS.txt",
 "rtext.txt"
@@ -9107,9 +9109,7 @@
 "refs": [
 "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/",
 "http://id-ransomware.blogspot.com/2016/07/r980-ransomware-aes-256-rsa4096-05.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "6a7ebb0a-78bc-4fdc-92ae-1b02976b5499",
 "value": "R980"
@@ -9120,6 +9120,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.39 (215 $)",
 "ransomnotes": [
 "!!!README!!![id].rtf"
 ],
@@ -9130,9 +9132,7 @@
 ],
 "synonyms": [
 "RAA"
- ],
- "payment-method": "Bitcoin",
- "price": "0.39 (215 $)"
+ ]
 },
 "uuid": "b6d4faa1-6d76-42ff-8a18-238eb70cff06",
 "value": "RAA encryptor"
@@ -9140,11 +9140,11 @@
 {
 "description": "Ransomware RaaS Copy of Ranion RaaS",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.05",
 "refs": [
 "https://twitter.com/CryptoInsane/status/846181140025282561"
- ],
- "payment-method": "Bitcoin",
- "price": "0.05"
+ ]
 },
 "uuid": "4a95257a-6646-492f-93eb-d15dff7ce1eb",
 "value": "Rabion"
@@ -9159,6 +9159,8 @@
 ".RAD",
 ".RADAMANT"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "YOUR_FILES.url"
 ],
@@ -9167,9 +9169,7 @@
 "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/",
 "http://www.nyxbone.com/malware/radamant.html",
 "https://id-ransomware.blogspot.com/2016/04/radamant-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "related": [
 {
@@ -9212,6 +9212,7 @@
 ".crypt@india.com.[\\w]{4,12}",
 "!@#$%___________%$#@.mail"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "\\fud.bmp",
 "\\paycrypt.bmp",
@@ -9233,8 +9234,7 @@
 "Isda",
 "Cryptokluchen",
 "Bandarchor"
- ],
- "payment-method": "Email"
+ ]
 },
 "related": [
 {
@@ -9261,11 +9261,11 @@
 "extensions": [
 "locked-.[a-zA-Z]{4}"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "1000 $",
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547"
- ],
- "payment-method": "PaySafeCard",
- "price": "1000 $"
+ ]
 },
 "uuid": "d45f089b-efc7-45f8-a681-845374349d83",
 "value": "Rannoh"
@@ -9276,6 +9276,7 @@
 "extensions": [
 ".zXz"
 ],
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "VictemKey_0_5",
 "VictemKey_5_30",
@@ -9291,8 +9292,7 @@
 "https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption",
 "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/",
 "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "e01a0cfa-2c8c-4e08-963a-4fa1e8cc6a34",
 "value": "RanRan"
@@ -9300,12 +9300,12 @@
 {
 "description": "Ransomware Doesn't encrypt user files",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
 "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "related": [
 {
@@ -9322,11 +9322,11 @@
 {
 "description": "Ransomware no extension change, Javascript Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "refs": [
 "http://id-ransomware.blogspot.com/2016/04/ransom32.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "d74e2fa6-6b8d-49ed-80f9-07b274eecef8",
 "value": "Ransom32"
@@ -9335,11 +9335,11 @@
 "description": "Ransomware Locks the desktop",
 "meta": {
 "encryption": "Asymmetric 1024 ",
+ "payment-method": "Bitcoin",
+ "price": "500 $",
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2"
- ],
- "payment-method": "Bitcoin",
- "price": "500 $"
+ ]
 },
 "uuid": "24f98123-192c-4e31-b2ee-4c77afbdc3be",
 "value": "RansomLock"
@@ -9347,14 +9347,14 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1 - 50",
 "ransomnotes": [
 "RarVault.htm"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/09/rarvault-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 - 50"
+ ]
 },
 "uuid": "c8ee96a3-ac22-40c7-8ed2-df67aeaca08d",
 "value": "RarVault"
@@ -9367,12 +9367,12 @@
 ".razy",
 ".fear"
 ],
+ "payment-method": "Link",
 "refs": [
 "http://www.nyxbone.com/malware/Razy(German).html",
 "http://nyxbone.com/malware/Razy.html",
 "http://id-ransomware.blogspot.com/2016/08/razy-ransomware-aes.html"
- ],
- "payment-method": "Link"
+ ]
 },
 "uuid": "f2a38c7b-054e-49ab-aa0e-67a7aac71837",
 "value": "Razy"
@@ -9386,10 +9386,10 @@
 ".bloc",
 ".korrektor"
 ],
+ "payment-method": "Bitcoin Email",
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/4264"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "08f519f4-df8f-4baf-b7ac-c7a0c66f7e74",
 "value": "Rector"
@@ -9401,15 +9401,15 @@
 "extensions": [
 ".rekt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Readme.txt"
 ],
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/4264",
 "http://id-ransomware.blogspot.com/2016/08/rektlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "5448f038-0558-45c7-bda7-76950f82846a",
 "value": "RektLocker"
@@ -9421,6 +9421,8 @@
 ".remind",
 ".crashed"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "decypt_your_files.html "
 ],
@@ -9428,9 +9430,7 @@
 "http://www.nyxbone.com/malware/RemindMe.html",
 "http://i.imgur.com/gV6i5SN.jpg",
 "http://id-ransomware.blogspot.com/2016/05/remindme-ransomware-2.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "0120015c-7d37-469c-a966-7a0d42166e67",
 "value": "RemindMe"
@@ -9442,6 +9442,8 @@
 "extensions": [
 ".rokku"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2403 (100.29 $)",
 "ransomnotes": [
 "README_HOW_TO_UNLOCK.TXT",
 "README_HOW_TO_UNLOCK.HTML"
@@ -9449,9 +9451,7 @@
 "refs": [
 "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/",
 "https://id-ransomware.blogspot.com/2016/04/rokku-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2403 (100.29 $)"
+ ]
 },
 "related": [
 {
@@ -9468,12 +9468,12 @@
 {
 "description": "Ransomware Stores your files in a password protected RAR file",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.35",
 "refs": [
 "https://twitter.com/siri_urz/status/842452104279134209",
 "https://id-ransomware.blogspot.com/2017/02/allyourdocuments-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.35"
+ ]
 },
 "uuid": "e88a7509-9c79-42c1-8b0c-5e63af8e25b5",
 "value": "RoshaLock"
@@ -9481,10 +9481,10 @@
 {
 "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background",
 "meta": {
+ "payment-method": "Bitcoin",
 "refs": [
 "https://twitter.com/struppigel/status/801812325657440256"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "266b366b-2b4f-41af-a30f-eab1c63c9976",
 "value": "Runsomewere"
@@ -9492,11 +9492,11 @@
 {
 "description": "Ransomware Variant of the Philadelphia ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "refs": [
 "https://twitter.com/struppigel/status/823925410392080385"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "1149197c-89e7-4a8f-98aa-40ac0a9c0914",
 "value": "RussianRoulette"
@@ -9504,11 +9504,11 @@
 {
 "description": "Ransomware Variant of CryPy",
 "meta": {
+ "payment-method": "Email",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/845356853039190016",
 "http://id-ransomware.blogspot.com/2017/03/sadstory-ransomware.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "6d81cee2-6c99-41fb-8b54-6581422d85dc",
 "value": "SADStory"
@@ -9519,12 +9519,12 @@
 "extensions": [
 ".sage"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.52803 (625 $)",
 "refs": [
 "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate",
 "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.52803 (625 $)"
+ ]
 },
 "uuid": "eacf3aee-ffb1-425a-862f-874e444a218d",
 "value": "Sage 2.2"
@@ -9560,6 +9560,8 @@
 ".iloveworld",
 ".weapologize"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "HELP_DECRYPT_YOUR_FILES.html",
 "###-READ-FOR-HELLPP.html",
@@ -9601,9 +9603,7 @@
 "SamSam Ransomware",
 "SamSam",
 "Samsam"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -9624,14 +9624,14 @@
 "extensions": [
 ".sanction"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "DECRYPT_YOUR_FILES.HTML"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/05/sanction-ransomware-3.html"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "uuid": "e7b69fbe-26ba-49df-aa62-a64525f89343",
 "value": "Sanction"
@@ -9643,15 +9643,15 @@
 "extensions": [
 ".wallet"
 ],
+ "payment-method": "Bitcoin",
+ "price": "6",
 "ransomnotes": [
 "RESTORE_ALL_DATA.html"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/",
 "http://id-ransomware.blogspot.com/2017/03/sanctions-2017-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "6"
+ ]
 },
 "uuid": "7b517c02-9f93-44c7-b957-10346803c43c",
 "value": "Sanctions"
@@ -9662,11 +9662,11 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "refs": [
 "https://twitter.com/BleepinComputer/status/835955409953357825"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "uuid": "6e49ecfa-1c25-4841-ae60-3b1c3c9c7710",
 "value": "Sardoninir"
@@ -9677,6 +9677,8 @@
 "extensions": [
 "Sarah_G@ausi.com___"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "!satana!.txt"
 ],
@@ -9684,9 +9686,7 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/",
 "https://blog.kaspersky.com/satana-ransomware/12558/",
 "https://id-ransomware.blogspot.com/2016/06/satana-ransomware-0.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "related": [
 {
@@ -9714,12 +9714,12 @@
 "description": "Ransomware DetoxCrypto Variant",
 "meta": {
 "encryption": "AES",
+ "payment-method": "Euros",
+ "price": "50",
 "refs": [
 "http://www.nyxbone.com/malware/Serpico.html",
 "http://id-ransomware.blogspot.com/2016/08/serpico-ransomware.html"
- ],
- "payment-method": "Euros",
- "price": "50"
+ ]
 },
 "related": [
 {
@@ -9740,6 +9740,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "50 - 100 - 200 $",
 "ransomnotes": [
 "Readme.txt"
 ],
@@ -9749,9 +9751,7 @@
 ],
 "synonyms": [
 "Atom"
- ],
- "payment-method": "Bitcoin",
- "price": "50 - 100 - 200 $"
+ ]
 },
 "related": [
 {
@@ -9771,12 +9771,12 @@
 "extensions": [
 ".shino"
 ],
+ "payment-method": "no ransom",
 "refs": [
 "https://twitter.com/JakubKroustek/status/760560147131408384",
 "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/",
 "https://id-ransomware.blogspot.com/2016/08/shinolocker-ransomware.html"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "bc029327-ee34-4eba-8933-bd85f2a1e9d1",
 "value": "ShinoLocker"
@@ -9784,6 +9784,8 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "文件解密帮助.txt"
 ],
@@ -9794,9 +9796,7 @@
 ],
 "synonyms": [
 "KinCrypt"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "related": [
 {
@@ -9817,15 +9817,15 @@
 "extensions": [
 ".~"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.8",
 "ransomnotes": [
 "_RECOVER_INSTRUCTIONS.ini"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/",
 "https://id-ransomware.blogspot.com/2016/07/tilde-ransomware-aes-08.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.8"
+ ]
 },
 "uuid": "2709b2ff-a2be-49a9-b268-2576170a5dff",
 "value": "Simple_Encoder"
@@ -9837,6 +9837,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "READ_IT.txt"
 ],
@@ -9847,9 +9849,7 @@
 ],
 "synonyms": [
 "Pompous"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "44b6b99e-b1d9-4605-95c2-55c14c7c25be",
 "value": "SkidLocker"
@@ -9857,10 +9857,10 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "no ransom",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "27283e74-abc6-4d8a-bcb6-a60804b8e264",
 "value": "Smash!"
@@ -9871,14 +9871,14 @@
 "extensions": [
 ".encrypted"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.66 (300 $)",
 "ransomnotes": [
 "_HOW_TO_Decrypt.bmp"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/08/smrss32-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.66 (300 $)"
+ ]
 },
 "uuid": "cd21bb2a-0c6a-463b-8c0e-16da251f69ae",
 "value": "Smrss32"
@@ -9891,6 +9891,8 @@
 ".RSNSlocked",
 ".RSplited"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.66 (300 $)",
 "ransomnotes": [
 "READ_Me.txt"
 ],
@@ -9898,9 +9900,7 @@
 "http://nyxbone.com/malware/SNSLocker.html",
 "http://nyxbone.com/images/articulos/malware/snslocker/16.png",
 "http://id-ransomware.blogspot.com/2016/05/sns-locker-ransomware-aes-256-066.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.66 (300 $)"
+ ]
 },
 "uuid": "82658f48-6a62-4dee-bd87-382e76b84c3d",
 "value": "SNSLocker"
@@ -9923,6 +9923,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Random message includes bitcoin wallet address with instructions"
 ],
@@ -9933,9 +9935,7 @@
 "https://cdn.streamable.com/video/mp4/kfh3.mp4",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/",
 "https://id-ransomware.blogspot.com/2016/07/stampado-ransomware-1.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "6b8729b0-7ffc-4d07-98de-e5210928b274",
 "value": "Stampado"
@@ -9947,11 +9947,11 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500 - 1000 $",
 "refs": [
 "http://www.nyxbone.com/malware/Strictor.html"
- ],
- "payment-method": "Bitcoin",
- "price": "500 - 1000 $"
+ ]
 },
 "uuid": "d75bdd85-032a-46b7-a339-257fd5656c11",
 "value": "Strictor"
@@ -9964,14 +9964,14 @@
 ".surprise",
 ".tzu"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 25",
 "ransomnotes": [
 "DECRYPTION_HOWTO.Notepad"
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/05/surprise-ransomware-aes-256.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 25"
+ ]
 },
 "uuid": "6848b77c-92c8-40ec-90ac-9c14b9f17272",
 "value": "Surprise"
@@ -9979,13 +9979,13 @@
 {
 "description": "Ransomware Still in development, shows FileIce survey",
 "meta": {
+ "payment-method": "no ransom",
 "ransomnotes": [
 "ThxForYurTyme.txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "11725992-3634-4715-ae17-b6f5ed13b877",
 "value": "Survey"
@@ -10002,11 +10002,11 @@
 "extensions": [
 ".szf"
 ],
+ "payment-method": "Email",
 "refs": [
 "http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/",
 "https://id-ransomware.blogspot.com/2016/06/szflocker-polish-ransomware-email.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "a7845bbe-d7e6-4c7b-a9b8-dccbd93bc4b2",
 "value": "SZFLocker"
@@ -10018,14 +10018,14 @@
 "extensions": [
 ".___xratteamLucked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Como descriptografar os seus arquivos.txt"
 ],
 "refs": [
 "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "65a31863-4f59-4c66-bc2d-31e8fb68bbe8",
 "value": "TeamXrat"
@@ -10043,6 +10043,7 @@
 ".zzz",
 ".xyz"
 ],
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "HELP_TO_SAVE_FILES.txt",
 "Howto_RESTORE_FILES.html"
@@ -10053,8 +10054,7 @@
 ],
 "synonyms": [
 "AlphaCrypt"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "af92c71e-935e-4486-b4e7-319bf16d622e",
 "value": "TeslaCrypt 0.x - 2.2.0"
@@ -10069,12 +10069,12 @@
 ".ttt",
 ".mp3"
 ],
+ "payment-method": "Bitcoin",
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
 "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "bd19dfff-7c8d-4c94-967e-f8ffc19e7dd9",
 "value": "TeslaCrypt 3.0+"
@@ -10083,6 +10083,7 @@
 "description": "Ransomware",
 "meta": {
 "encryption": "AES-256 + ECHD + SHA1",
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
@@ -10107,8 +10108,7 @@
 "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
 "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "ab6b8f56-cf2d-4733-8f9c-df3d52c05e66",
 "value": "TeslaCrypt 4.1A"
@@ -10116,6 +10116,7 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
@@ -10140,8 +10141,7 @@
 "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
 "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "eed65c12-b179-4002-a11b-7a2e2df5f0c8",
 "value": "TeslaCrypt 4.2"
@@ -10149,11 +10149,11 @@
 {
 "description": "Ransomware Files cannot be decrypted Has a GUI",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "1.25",
 "ransomnotes": [
 "HELP_DECRYPT.HTML"
- ],
- "payment-method": "Bitcoin",
- "price": "1.25"
+ ]
 },
 "uuid": "c0bce92a-63b8-4538-93dc-0911ae46596d",
 "value": "Threat Finder"
@@ -10166,6 +10166,8 @@
 ".Encrypted",
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "4.081",
 "ransomnotes": [
 "HOW_TO_RESTORE_FILES.html",
 "DECRYPT_INSTRUCTIONS.html",
@@ -10188,9 +10190,7 @@
 "Crypt0L0cker",
 "CryptoFortress",
 "Teerac"
- ],
- "payment-method": "Bitcoin",
- "price": "4.081"
+ ]
 },
 "related": [
 {
@@ -10221,15 +10221,15 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "100 - 150 $",
 "ransomnotes": [
 "Payment_Instructions.jpg"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/",
 "https://id-ransomware.blogspot.com/2016/06/towerweb-ransonware-100.html"
- ],
- "payment-method": "Bitcoin",
- "price": "100 - 150 $"
+ ]
 },
 "uuid": "4d470cf8-09b6-4d0e-8e5a-2f618e48c560",
 "value": "TowerWeb"
@@ -10240,14 +10240,14 @@
 "extensions": [
 ".toxcrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.23",
 "ransomnotes": [
 "tox.html"
 ],
 "refs": [
 "https://id-ransomware.blogspot.com/2016/06/toxcrypt-ransomware-aes-crypto-0.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.23"
+ ]
 },
 "uuid": "08fc7534-fe85-488b-92b0-630c0d91ecbe",
 "value": "Toxcrypt"
@@ -10258,6 +10258,7 @@
 "extensions": [
 ".braincrypt"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "!!! HOW TO DECRYPT FILES !!!.txt"
 ],
@@ -10268,8 +10269,7 @@
 ],
 "synonyms": [
 "BrainCrypt"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "97673387-75ae-4da4-9a5f-38773f2492e7",
 "value": "Trojan"
@@ -10286,6 +10286,7 @@
 ".windows10",
 ".no_more_ransom"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "README.txt",
 "nomoreransom_note_original.txt"
@@ -10295,8 +10296,7 @@
 "http://www.nyxbone.com/malware/Troldesh.html",
 "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/",
 "https://id-ransomware.blogspot.com/2016/06/troldesh-ransomware-email.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "6c3dd006-3501-4ebc-ab86-b06e4d555194",
 "value": "Troldesh orShade, XTBL"
@@ -10308,12 +10308,12 @@
 "extensions": [
 ".enc"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2 (115 $)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/",
 "http://id-ransomware.blogspot.com/2016/04/truecrypter-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2 (115 $)"
+ ]
 },
 "uuid": "c46bfed8-7010-432a-8108-138f6d067000",
 "value": "TrueCrypter"
@@ -10324,11 +10324,11 @@
 "extensions": [
 ".sifreli"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "refs": [
 "https://twitter.com/struppigel/status/821991600637313024"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "uuid": "132c39fc-1364-4210-aef9-48f73afc1108",
 "value": "Turkish"
@@ -10340,14 +10340,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2",
 "ransomnotes": [
 "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html"
 ],
 "refs": [
 "http://www.nyxbone.com/malware/turkishRansom.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2"
+ ]
 },
 "uuid": "174dd201-0b0b-4a76-95c7-71f8141684d0",
 "value": "Turkish Ransom"
@@ -10359,6 +10359,7 @@
 "extensions": [
 "umbrecrypt_ID_[VICTIMID]"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "README_DECRYPT_UMBRE_ID_[victim_id].jpg",
 "README_DECRYPT_UMBRE_ID_[victim_id].txt",
@@ -10368,8 +10369,7 @@
 "refs": [
 "http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware",
 "https://id-ransomware.blogspot.com/2016/06/umbrecrypt-ransomware-aes.html"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "028b3489-51da-45d7-8bd0-62044e9ea49f",
 "value": "UmbreCrypt"
@@ -10377,15 +10377,15 @@
 {
 "description": "Ransomware",
 "meta": {
+ "payment-method": "Website",
+ "price": "0.18",
 "ransomnotes": [
 "Files encrypted.txt"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/",
 "http://id-ransomware.blogspot.com/2016/09/unblockupc-ransomware.html"
- ],
- "payment-method": "Website",
- "price": "0.18"
+ ]
 },
 "uuid": "5a9f9ebe-f4c8-4985-8890-743f59d658fd",
 "value": "UnblockUPC"
@@ -10399,6 +10399,8 @@
 ".0x0",
 ".1999"
 ],
+ "payment-method": "Website",
+ "price": "2.5",
 "ransomnotes": [
 "READTHISNOW!!!.txt",
 "Hellothere.txt",
@@ -10406,9 +10408,7 @@
 ],
 "refs": [
 "http://id-ransomware.blogspot.com/2016/05/bitmessage-ransomware-aes-256-25-btc.html"
- ],
- "payment-method": "Website",
- "price": "2.5"
+ ]
 },
 "uuid": "bb8c6b80-91cb-4c01-b001-7b9e73228420",
 "value": "Ungluk"
@@ -10420,14 +10420,14 @@
 ".CRRRT",
 ".CCCRRRPPP"
 ],
+ "payment-method": "Website",
 "ransomnotes": [
 "READ_ME_!.txt"
 ],
 "refs": [
 "https://twitter.com/malwrhunterteam/status/839038399944224768",
 "http://id-ransomware.blogspot.com/2017/02/unlock26-ransomware.html"
- ],
- "payment-method": "Website"
+ ]
 },
 "uuid": "dfe760e5-f878-492d-91d0-05fa45a2849d",
 "value": "Unlock92 "
@@ -10435,11 +10435,11 @@
 {
 "description": "Ransomware CryptoWire variant",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "200 $",
 "refs": [
 "https://twitter.com/struppigel/status/839771195830648833"
- ],
- "payment-method": "Bitcoin",
- "price": "200 $"
+ ]
 },
 "uuid": "7799247c-4e6a-4c20-b0b3-d8e6a8ab6783",
 "value": "VapeLauncher"
@@ -10453,6 +10453,8 @@
 ".xort",
 ".trun"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.438",
 "ransomnotes": [
 "VAULT.txt",
 "xort.txt",
@@ -10465,9 +10467,7 @@
 "synonyms": [
 "CrypVault",
 "Zlader"
- ],
- "payment-method": "Bitcoin",
- "price": "0.438"
+ ]
 },
 "related": [
 {
@@ -10487,10 +10487,10 @@
 "extensions": [
 ".VBRANSOM"
 ],
+ "payment-method": "Website (onion)",
 "refs": [
 "https://twitter.com/BleepinComputer/status/817851339078336513"
- ],
- "payment-method": "Website (onion)"
+ ]
 },
 "uuid": "44a56cd0-8cd8-486f-972d-4b1b416e9077",
 "value": "VBRANSOM 7"
@@ -10503,6 +10503,8 @@
 ".Venusf",
 ".Venusp"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.15 (100 $)",
 "ransomnotes": [
 "ReadMe.txt"
 ],
@@ -10510,9 +10512,7 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social",
 "http://www.nyxbone.com/malware/venusLocker.html",
 "https://id-ransomware.blogspot.com/2016/08/venuslocker-ransomware-aes-256.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.15 (100 $)"
+ ]
 },
 "uuid": "7340c6d6-a16e-4a01-8bb4-8ad3edc64d28",
 "value": "VenusLocker"
@@ -10523,12 +10523,12 @@
 "extensions": [
 ".exe"
 ],
+ "payment-method": "Bitcoin",
+ "price": "250 $",
 "refs": [
 "http://www.nyxbone.com/malware/Virlock.html",
 "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
- ],
- "payment-method": "Bitcoin",
- "price": "250 $"
+ ]
 },
 "uuid": "5c736959-6c58-4bf2-b084-7197b42e500a",
 "value": "Virlock"
@@ -10545,6 +10545,8 @@
 ".id-########.decryptformoney@india.com.xtbl",
 ".[email_address].DHARMA"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2.5 - 3",
 "ransomnotes": [
 "How to decrypt your data.txt"
 ],
@@ -10556,9 +10558,7 @@
 ],
 "synonyms": [
 "CrySiS"
- ],
- "payment-method": "Bitcoin",
- "price": "2.5 - 3"
+ ]
 },
 "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
 "value": "Virus-Encoder"
@@ -10569,6 +10569,8 @@
 "extensions": [
 ".wflx"
 ],
+ "payment-method": "Bitcoin",
+ "price": "299 $",
 "ransomnotes": [
 "HOW_TO_UNLOCK_FILES_README_().txt"
 ],
@@ -10578,9 +10580,7 @@
 ],
 "synonyms": [
 "Hades Locker"
- ],
- "payment-method": "Bitcoin",
- "price": "299 $"
+ ]
 },
 "uuid": "31945e7b-a734-4333-9ea2-e52051ca015a",
 "value": "WildFire Locker"
@@ -10600,6 +10600,8 @@
 ".antihacker2017",
 "....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.8",
 "ransomnotes": [
 "HOW TO DECRYPT FILES.TXT",
 "https://pbs.twimg.com/media/Dfj9G_2XkAE0ZS2.jpg",
@@ -10610,9 +10612,7 @@
 "https://decrypter.emsisoft.com/xorist",
 "https://twitter.com/siri_urz/status/1006833669447839745",
 "https://id-ransomware.blogspot.com/2016/06/xrtn-ransomware-rsa-1024-gnu-privacy.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.8"
+ ]
 },
 "uuid": "0a15a920-9876-4985-9d3d-bb0794722258",
 "value": "Xorist"
@@ -10633,11 +10633,11 @@
 "extensions": [
 ".Locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.25",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/808280549802418181"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25"
+ ]
 },
 "uuid": "0810ea3e-1cd6-4ea3-a416-5895fb685c5b",
 "value": "You Have Been Hacked!!!"
@@ -10648,15 +10648,15 @@
 "extensions": [
 ".zcrypt"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.2 - 5",
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/",
 "http://id-ransomware.blogspot.com/2016/05/zcrypt-ransomware-rsa-2048-email.html"
 ],
 "synonyms": [
 "Zcryptor"
- ],
- "payment-method": "Bitcoin",
- "price": "1.2 - 5"
+ ]
 },
 "uuid": "7eed5e96-0219-4355-9a9c-44643272894c",
 "value": "Zcrypt"
@@ -10667,15 +10667,15 @@
 "extensions": [
 ".crypto"
 ],
+ "payment-method": "Bitcoin",
+ "price": "3",
 "ransomnotes": [
 "how.txt"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/",
 "https://id-ransomware.blogspot.com/2016/06/zimbra-ransomware-aes-optzimbrastore.html"
- ],
- "payment-method": "Bitcoin",
- "price": "3"
+ ]
 },
 "uuid": "07346620-a0b4-48d5-9158-5048741f5078",
 "value": "Zimbra"
@@ -10687,6 +10687,8 @@
 "extensions": [
 ".vault"
 ],
+ "payment-method": "Bitcoin",
+ "price": "100 - 900 $",
 "refs": [
 "http://www.nyxbone.com/malware/russianRansom.html"
 ],
@@ -10694,9 +10696,7 @@
 "Russian",
 "VaultCrypt",
 "CrypVault"
- ],
- "payment-method": "Bitcoin",
- "price": "100 - 900 $"
+ ]
 },
 "related": [
 {
@@ -10716,15 +10716,15 @@
 "extensions": [
 ".zorro"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "Take_Seriously (Your saving grace).txt"
 ],
 "refs": [
 "https://twitter.com/BleepinComputer/status/844538370323812353",
 "http://id-ransomware.blogspot.com/2017/03/zorro-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "b2bd25e1-d41c-42f2-8971-ecceceb6ba08",
 "value": "Zorro"
@@ -10735,14 +10735,14 @@
 "extensions": [
 ".zyklon"
 ],
- "synonyms": [
- "GNL Locker"
- ],
+ "payment-method": "Euro",
+ "price": "250",
 "refs": [
 "http://id-ransomware.blogspot.com/2016/05/zyklon-locker-ransomware-windows-250.html"
 ],
- "payment-method": "Euro",
- "price": "250"
+ "synonyms": [
+ "GNL Locker"
+ ]
 },
 "related": [
 {
@@ -10769,11 +10769,11 @@
 "extensions": [
 ".vxLock"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "refs": [
 "https://id-ransomware.blogspot.com/2017/01/vxlock-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "37950a1c-0035-49e0-9278-e878df0a10f3",
 "value": "vxLock"
@@ -10785,6 +10785,8 @@
 "extensions": [
 ".jaff"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1.82 - 2.036",
 "ransomnotes": [
 "WallpapeR.bmp",
 "ReadMe.bmp",
@@ -10795,9 +10797,7 @@
 "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/",
 "http://id-ransomware.blogspot.com/2017/05/jaff-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1.82 - 2.036"
+ ]
 },
 "related": [
 {
@@ -10818,15 +10818,15 @@
 "extensions": [
 "._[10_digit_victim_id].UIWIX"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.122",
 "ransomnotes": [
 "DECODE_FILES.txt"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/",
 "http://id-ransomware.blogspot.com/2017/05/uiwix-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.122"
+ ]
 },
 "uuid": "369d6fda-0284-44aa-9e74-f6651416fec4",
 "value": "Uiwix Ransomware"
@@ -10837,13 +10837,13 @@
 "extensions": [
 ".pr0tect"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg"
 ],
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "34cedaf0-b1f0-4b5d-b7bd-2eadfc630ea7",
 "value": "SOREBRECT"
@@ -10854,15 +10854,15 @@
 "extensions": [
 ".CYRON"
 ],
+ "payment-method": "PaySafeCard",
+ "price": "50 €",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/899524853426008064",
 "https://id-ransomware.blogspot.com/2017/08/cyron-ransomware.html"
- ],
- "payment-method": "PaySafeCard",
- "price": "50 €"
+ ]
 },
 "uuid": "f597d388-886e-46d6-a5cc-26deeb4674f2",
 "value": "Cyron"
@@ -10873,13 +10873,13 @@
 "extensions": [
 ".OXR"
 ],
+ "payment-method": "Bitcoin Email",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/899528477824700416"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "3330e226-b71a-4ee4-8612-2b06b58368fc",
 "value": "Kappa"
@@ -10890,14 +10890,14 @@
 "extensions": [
 ".Isis"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/899537940539478016"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5"
+ ]
 },
 "uuid": "1fe6c23b-863e-49e4-9439-aa9e999aa2e1",
 "value": "Trojan Dz"
@@ -10908,11 +10908,11 @@
 "extensions": [
 ".xolzsec"
 ],
+ "payment-method": "no ransom",
 "refs": [
 "https://twitter.com/struppigel/status/899916577252028416",
 "http://id-ransomware.blogspot.com/2017/08/xolzsec-ransomware.html"
- ],
- "payment-method": "no ransom"
+ ]
 },
 "uuid": "f2930308-2e4d-4af5-b119-746be0fe7f2c",
 "value": "Xolzsec"
@@ -10923,15 +10923,15 @@
 "extensions": [
 ".flat"
 ],
+ "payment-method": "Bitcoin",
+ "price": "250 $",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/900238572409823232",
 "https://id-ransomware.blogspot.com/2017/08/flatchestware-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "250 $"
+ ]
 },
 "uuid": "d29341fd-f48e-4caa-8a28-b17853b779d1",
 "value": "FlatChestWare"
@@ -10939,6 +10939,8 @@
 {
 "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "2 100 $",
 "ransomnotes": [
 "RESTORE_INFO-[id].txt"
 ],
@@ -10949,9 +10951,7 @@
 ],
 "synonyms": [
 "Syn Ack"
- ],
- "payment-method": "Bitcoin",
- "price": "2 100 $"
+ ]
 },
 "related": [
 {
@@ -10971,6 +10971,8 @@
 "extensions": [
 ".kk"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "ransomnotes": [
 "readme.html",
 "readme.png"
@@ -10978,9 +10980,7 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/",
 "http://id-ransomware.blogspot.com/2017/08/synccrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "related": [
 {
@@ -10997,6 +10997,8 @@
 {
 "description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.05 (300 $)",
 "refs": [
 "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
 "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html"
@@ -11004,9 +11006,7 @@
 "synonyms": [
 "BadRabbit",
 "Bad-Rabbit"
- ],
- "payment-method": "Bitcoin",
- "price": "0.05 (300 $)"
+ ]
 },
 "related": [
 {
@@ -11033,12 +11033,12 @@
 "extensions": [
 "(Lucifer) [prepend]"
 ],
+ "payment-method": "Bitcoin",
+ "price": "150 $",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/",
 "http://id-ransomware.blogspot.com/2017/11/halloware-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "150 $"
+ ]
 },
 "uuid": "b366627d-dbc0-45ba-90bc-5f5694f45e35",
 "value": "Halloware"
@@ -11049,6 +11049,8 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.2 - 0.4 - 2",
 "ransomnotes": [
 "_READ_ME_FOR_DECRYPT.txt",
 "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:"
@@ -11056,9 +11058,7 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/",
 "https://id-ransomware.blogspot.com/2017/11/storagecrypter.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2 - 0.4 - 2"
+ ]
 },
 "uuid": "0b920d03-971f-413c-8057-60d187192140",
 "value": "StorageCrypt"
@@ -11069,6 +11069,8 @@
 "extensions": [
 ".GOTYA"
 ],
+ "payment-method": "Bitcoin",
+ "price": "500 - 700 $",
 "ransomnotes": [
 "RECOVERY.txt",
 "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK"
@@ -11076,9 +11078,7 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/",
 "https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "500 - 700 $"
+ ]
 },
 "uuid": "9325e097-9fea-490c-9b89-c2d40c166101",
 "value": "HC7"
@@ -11089,13 +11089,13 @@
 "extensions": [
 ".fucku"
 ],
+ "payment-method": "Bitcoin",
+ "price": "2 500 $",
 "refs": [
 "https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw",
 "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/",
 "http://id-ransomware.blogspot.com/2017/11/hc6-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "2 500 $"
+ ]
 },
 "uuid": "909fde65-e015-40a9-9012-8d3ef62bba53",
 "value": "HC6"
@@ -11103,12 +11103,12 @@
 {
 "description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "300 $",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/",
 "http://id-ransomware.blogspot.com/2017/11/qkg-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "300 $"
+ ]
 },
 "uuid": "1f3eab7f-da0a-4e0b-8a9f-cda2f146c819",
 "value": "qkG"
@@ -11134,6 +11134,7 @@
 ".crypted034",
 ".ironhead"
 ],
+ "payment-method": "Bitcoin Email",
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
 "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT",
@@ -11165,8 +11166,7 @@
 "https://twitter.com/Amigo_A_/status/1039105453735784448",
 "https://twitter.com/GrujaRS/status/1072057088019496960",
 "http://id-ransomware.blogspot.com/2017/06/scarab-ransomware.html"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4",
 "value": "Scarab"
@@ -11177,6 +11177,8 @@
 "extensions": [
 ".spider"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.00725",
 "ransomnotes": [
 "HOW TO DECRYPT FILES.url",
 "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section."
@@ -11184,9 +11186,7 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/",
 "http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.00725"
+ ]
 },
 "uuid": "3e75ce6b-b6de-4e5a-9501-8f9f847c819c",
 "value": "File Spider"
@@ -11195,15 +11195,15 @@
 "description": "A barely functional piece of macOS ransomware, written in Swift.",
 "meta": {
 "date": "Febuary 2017",
+ "payment-method": "Bitcoin",
+ "price": "0.25",
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#FileCoder"
 ],
 "synonyms": [
 "FindZip",
 "Patcher"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25"
+ ]
 },
 "related": [
 {
@@ -11228,11 +11228,11 @@
 "description": "A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.",
 "meta": {
 "date": "June 2017",
+ "payment-method": "Bitcoin",
+ "price": "0.25 (700 $)",
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.25 (700 $)"
+ ]
 },
 "related": [
 {
@@ -11254,6 +11254,8 @@
 ".Crab",
 ".CRAB"
 ],
+ "payment-method": "Dash",
+ "price": "1 - 3",
 "ransomnotes": [
 "GDCB-DECRYPT.txt",
 "CRAB-Decrypt.txt",
@@ -11272,9 +11274,7 @@
 "https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/",
 "https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html"
- ],
- "payment-method": "Dash",
- "price": "1 - 3"
+ ]
 },
 "related": [
 {
@@ -11292,11 +11292,11 @@
 "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.",
 "meta": {
 "date": "Febuary 2018",
+ "payment-method": "Bitcoin",
+ "price": "0.01 - 0.1",
 "refs": [
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
- ],
- "payment-method": "Bitcoin",
- "price": "0.01 - 0.1"
+ ]
 },
 "uuid": "cc7f6da3-fafd-444f-b7e9-f0e650fb4d4f",
 "value": "ShurL0ckr"
@@ -11308,12 +11308,12 @@
 "extensions": [
 ".fairytail"
 ],
+ "payment-method": "Bitcoin",
 "refs": [
 "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/",
 "https://www.technologynews.tech/cryakl-ransomware-virus",
 "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "related": [
 {
@@ -11340,13 +11340,13 @@
 "extensions": [
 ".THANATOS"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.1",
 "refs": [
 "https://mobile.twitter.com/EclecticIQ/status/968478323889332226",
 "https://www.eclecticiq.com/resources/thanatos--ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report",
 "http://id-ransomware.blogspot.com/2018/02/thanatos-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.1"
+ ]
 },
 "related": [
 {
@@ -11363,6 +11363,8 @@
 {
 "description": "RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "750 $",
 "ransomnotes": [
 "How_return_files.txt",
 "Image.jpg",
@@ -11384,9 +11386,7 @@
 "synonyms": [
 "Vagger",
 "DONTSLIP"
- ],
- "payment-method": "Bitcoin",
- "price": "750 $"
+ ]
 },
 "uuid": "f80b0a42-21ef-11e8-8ac7-0317408794e2",
 "value": "RSAUtil"
@@ -11394,14 +11394,14 @@
 {
 "description": "A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.",
 "meta": {
+ "payment-method": "Bitcoin",
 "ransomnotes": [
 "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!",
 "README_DECRYPT.txt"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/qwerty-ransomware-utilizes-gnupg-to-encrypt-a-victims-files/"
- ],
- "payment-method": "Bitcoin"
+ ]
 },
 "uuid": "15c370c0-2799-11e8-a959-57cdcd57e3bf",
 "value": "Qwerty Ransomware"
@@ -11409,6 +11409,7 @@ { "description": "A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not encrypts your files, but also purposely deletes your backups.", "meta": { + "payment-method": "Bitcoin Email (Tor)", "ransomnotes": [ "Zenis-Instructions.html", "*** All your files has been encrypted ***\n\nI am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.\n\nIf you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.\n\nMy instructions are simple and clear. Then follow these steps:\n\n1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.\n\n2. I decrypt your file for free and send for you.\n\n3. If you confirm the correctness of the files, verify that the files are correct via email\n\n4. Then receive the price of decrypting files\n\n5. After you have deposited, please send me the payment details\n\n6. After i confirm deposit, i send you the \"Zenis Decryptor\" along with \"Private Key\" to recovery all your files.\n\nNow you can finish the game. You won the game. congratulations.\n\n\nPlease submit your request to both emails:\n\nTheZenis@Tutanota.com\n\nTheZenis@MailFence.com\n\nIf you did not receive an email after six hours, submit your request to the following emails:\n\nTheZenis@Protonmail.com\n\nTheZenis@Mail2Tor.com (On the TOR network)\n\n\nWarning: 3rd party and public programs, It may cause irreversible damage to your files. 
And your files will be lost forever."
@@ -11416,20 +11417,19 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/",
 "https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html"
- ],
- "payment-method": "Bitcoin Email (Tor)"
+ ]
 },
 "uuid": "cbe3ee70-2d11-11e8-84bb-9b3c525a48d9",
 "value": "Zenis Ransomware"
 },
 {
 "meta": {
+ "payment-method": "Dollars",
+ "price": "199",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/",
 "http://id-ransomware.blogspot.com/2017/03/flotera-ransomware.html"
- ],
- "payment-method": "Dollars",
- "price": "199"
+ ]
 },
 "uuid": "aab356ac-396c-11e8-90c8-631229f19d7a",
 "value": "Flotera Ransomware"
@@ -11440,6 +11440,7 @@ "extensions": [ ".BlackRuby" ], + "payment-method": "Monero miner on the computer", "ransomnotes": [ "HOW-TO-DECRYPT-FILES.txt", " ____ __ __ ____ __\n / __ ) / /____ _ _____ / /__ / __ \\ __ __ / /_ __ __\n / __ |/ // __ `// ___// //_/ / /_/ // / / // __ \\ / / / /\n / /_/ // // /_/ // /__ / ,< / _, _// /_/ // /_/ // /_/ /\n /_____//_/ \\__,_/ \\___//_/|_| /_/ |_| \\__,_//_.___/ \\__, /\n /____/\n\n===================== Identification Key =====================\n\n[id]\n\n===================== Identification Key =====================\n\n[Can not access your files?]\n\nCongratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.\nOur hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.\n\nThis time, we are guest with a new souvenir called \"Black Ruby\". A ruby ​​in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. 
If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.\n\nSo let's talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.\nIt does not matter if you're a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it's important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.\n\nThe breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.\nWe are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone. We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility. you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.\n\nDo not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.\n\n ========================================================================================================================\n\n [HOW TO DECRYPT FILES]\n\n 1. Copy \"Identification Key\".\n 2. Send this key with two encrypted files (less than 5 MB) for trust us to email address \"TheBlackRuby@Protonmail.com\".\n 3. We decrypt your two files and send them to your email.\n 4. 
After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is \"19S7k3zHphKiYr85T25FnqdxizHcgmjoj1\".\n 5. You get \"Black Ruby Decryptor\" Along with the private key of your system.\n 6. Everything returns to the normal and your files will bereleased.\n\n========================================================================================================================\n\n[What is encryption?]\n\nEncryption is a reversible modification of information for security reasons but providing full access to it for authorised users.\n To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an \"Personal Identification Key\". But not only it. It is required also to have the special decryption software\n(in your case “Black Ruby Decryptor” software) for safe and complete decryption of all your files and data.\n\n[Everything is clear for me but what should I do?]\n\n The first step is reading these instructions to the end. Your files have been encrypted with the “Black Ruby Ransomware” software; the instructions (“HOW-TO-DECRYPT-FILES.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Black Ruby Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.\n\n[Have you got advice?]\n\n[*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***]\nThe most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. \nFinally it will be impossible to decrypt your files. 
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Black Ruby Ransomware” software may be fatal for your files.\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." @@ -11447,8 +11448,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/", "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf" - ], - "payment-method": "Monero miner on the computer" + ] }, "uuid": "abf3001c-396c-11e8-8da6-ef501eef12e1", "value": "Black Ruby" 
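Review bot: The moved `"payment-method": "Monero miner on the computer"` in the Black Ruby hunk (`@@ -11440,6 +11440,7 @@`) names a secondary payload, not the channel the victim pays through. It also disagrees with the ransom note quoted in the same entry, which demands $650 (USD) in Bitcoin. Anyone filtering the galaxy by payment channel will misclassify this family. Suggest `"payment-method": "Bitcoin",` and `"price": "650 $",`, with the miner behaviour kept in the description. The entry's `description` lies outside the hunk, so confirm it already mentions the miner.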
@@ -11460,6 +11460,7 @@ ".WHITEROSE", "_ENCRYPTED_BY.WHITEROSE" ], + "payment-method": "Website Tor", "ransomnotes": [ "HOW-TO-RECOVERY-FILES.TXT", "[Rose ASCII art]\n\n[WhiteRose written in ASCII art]\n\nThe singing of the sparrows, the breezes of the northern mountains and smell of the earth that was raining in the morning filled the entire garden space. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day.\n\nBehind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish and my right, trees full of spring white blooms.\n\n I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend.\n\nI have neither a pet, nor a friend or an enemy; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices in this big garden are an old laptop for do projects and an iPhone for check out the news feeds for malware analytics on Twitter without likes posts.\n\nBelieve me, my only assets are the white roses of this garden. I think of days and write at night: the story, poem, code, exploit or the accumulation of the number of white roses sold and I say to myself that the wealth is having different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses.\n\nToday, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the worth of unity, intimacy, joy and love and is the decision to release white roses and to give gifts to all peoples of the world.\n\nI do not think about selling white roses again. 
This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.\n\nI hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.\n\nThank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\n[Recovery Instructions]\n\n I. Download qTox on your computer from [https://tox.chat/download.html]\nII. Create new profile then enter our ID in search contacts\n Our Tox ID: \"6F548F217897AA4140FB4C514C8187F2FFDBA3CAFC83795DEE2FBCA369E689006B7CED4A18E9\". III. Wait for us to accept your request.\nIV. Copy '[PersonalKey]' in \"HOW-TO-RECOVERY-FILES.TXT\" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat.\n IV.I. Only if you did not receive a reply after 24 hours from us, send your message to our secure tor email address \"TheWhiteRose@Torbox3uiot6wchz.onion\".\n IV.II. For perform \"Step IV.I\" and enter the TOR network, you must download tor and register in \"http://torbox3uiot6wchz.onion\" Mail Service)\nV. We decrypt your two files and we will send you.\nVI. After ensuring the integrity of the files, We will send you payment info.\nVII. 
Now after payment, you get \"WhiteRose Decryptor\" Along with the private key of your system.\nVIII.Everything returns to the normal and your files will be released.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\nWhat is encryption?\n\n In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. in your case “WhiteRose Decryptor” software for safe and complete decryption of all your files and data.\n\nAny other way?\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." @@ -11467,8 +11468,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/", "http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html" - ], - "payment-method": "Website Tor" + ] }, "uuid": "abc80362-396c-11e8-bc5c-8bca89c0f797", "value": "WhiteRose" 
@@ -11479,15 +11479,15 @@
 "extensions": [
 ".PUBG"
 ],
+ "payment-method": "Game",
+ "price": "Play to decrypt",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/ransomware/p/pubg-ransomware/pubg-ransomware.jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/",
 "https://id-ransomware.blogspot.com/2018/04/pubg-ransomware.html"
- ],
- "payment-method": "Game",
- "price": "Play to decrypt"
+ ]
 },
 "uuid": "2239b3ca-3c9b-11e8-873e-53608d51ee71",
 "value": "PUBG Ransomware"
@@ -11498,6 +11498,8 @@
 "extensions": [
 ".BadNews"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.5 - 1",
 "ransomnotes": [
 "How To Decode Files.hta",
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
@@ -11507,9 +11509,7 @@
 "https://twitter.com/malwrhunterteam/status/1034436350748053504",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
 "http://id-ransomware.blogspot.com/2017/06/lockcrypt-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.5 - 1"
+ ]
 },
 "uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340",
 "value": "LockCrypt"
@@ -11522,6 +11522,8 @@ ".kgpvwnr", ".ndpyhss" ], + "payment-method": "Bitcoin", + "price": "0.2", "ransomnotes": [ "READ_ME_FOR_DECRYPT_[id].txt", " ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n\n 2. In the \"Tor Browser\" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via \"Tor Browser\" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using \"Tor Browser\":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!" @@ -11531,9 +11533,7 @@ "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/", "https://twitter.com/demonslay335/status/1005133410501787648", "http://id-ransomware.blogspot.com/2017/10/my-decryptor-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "0.2" + ] }, "uuid": "a0c1790a-3ee7-11e8-9774-93351d675a9e", "value": "Magniber Ransomware" 
@@ -11543,6 +11543,8 @@
 "extensions": [
 ".improved"
 ],
+ "payment-method": "Bitcoin",
+ "price": "10 000 $",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg",
 "UNCRYPT.README"
@@ -11550,9 +11552,7 @@
 "refs": [
 "https://twitter.com/siri_urz/status/981191281195044867",
 "http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "10 000 $"
+ ]
 },
 "uuid": "7666e948-3f09-11e8-b0b2-af79c067d856",
 "value": "Vurten"
@@ -11560,13 +11560,13 @@
 {
 "description": "A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "200 $",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/",
 "https://en.wikipedia.org/wiki/Ransomware#Reveton",
 "https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/"
- ],
- "payment-method": "Bitcoin",
- "price": "200 $"
+ ]
 },
 "uuid": "1912ec68-4145-11e8-ac06-9b6643035a71",
 "value": "Reveton ransomware"
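Review bot: The re-sorted `"payment-method": "Bitcoin"` in the Reveton hunk (`@@ -11560,13 +11560,13 @@`) contradicts the entry's own description, which says the operators asked for GreenDot MoneyPak vouchers rather than Bitcoin. The Fusob hunk (`@@ -11574,11 +11574,11 @@`) has the same mismatch: its description names iTunes gift cards. Analysts who filter or correlate clusters on this field would get wrong results for both families. Consider `"payment-method": "MoneyPak voucher",` for Reveton and `"payment-method": "iTunes gift card",` for Fusob, or drop the field until it is sourced from the listed refs.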
@@ -11574,11 +11574,11 @@
 {
 "description": "Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob.\nLike a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well.\nIn order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.\nWhen Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively.\nFusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "100 - 200 $",
 "refs": [
 "https://en.wikipedia.org/wiki/Ransomware#Fusob"
- ],
- "payment-method": "Bitcoin",
- "price": "100 - 200 $"
+ ]
 },
 "uuid": "c921d9ac-4145-11e8-965b-df5002d4cad8",
 "value": "Fusob"
@@ -11601,11 +11601,11 @@
 },
 {
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "100 $",
 "refs": [
 "http://id-ransomware.blogspot.com/2018/03/bansomqarewanna-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "100 $"
+ ]
 },
 "uuid": "b95a76d8-4171-11e8-b9b3-1bf62ec3265e",
 "value": "BansomQare Manna Ransomware"
@@ -11616,11 +11616,11 @@
 },
 {
 "meta": {
+ "payment-method": "Bitcoin Email",
 "refs": [
 "https://twitter.com/malwrhunterteam/status/982229994364547073",
 "http://id-ransomware.blogspot.com/2018/04/skyfile-ransomware.html"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "b4654c94-417a-11e8-8c2c-5b5748496f92",
 "value": "SkyFile"
@@ -11628,10 +11628,10 @@
 {
 "description": "Supposed joke ransomware, decrypt when running an exectable with the string \"Minecraft\"",
 "meta": {
+ "payment-method": "Game",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/"
- ],
- "payment-method": "Game"
+ ]
 },
 "uuid": "443c55c6-43d1-11e8-9072-6fdcf89aa4e6",
 "value": "MC Ransomware"
@@ -11639,11 +11639,11 @@
 {
 "description": "Supposed joke ransomware, decrypt when running an exectable with the string \"csgo\"",
 "meta": {
+ "payment-method": "Game",
+ "price": "Play during 5 hours",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/"
- ],
- "payment-method": "Game",
- "price": "Play during 5 hours"
+ ]
 },
 "uuid": "449e18b0-43d1-11e8-847e-0fed641732a1",
 "value": "CSGO Ransomware"
@@ -11688,6 +11688,8 @@
 ".XiaoBa34",
 ".AdolfHitler"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1 200 yuan (180,81 $)",
 "ransomnotes": [
 "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg",
 "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg",
@@ -11706,9 +11708,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
 "https://twitter.com/malwrhunterteam/status/1004048636530094081",
 "https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "1 200 yuan (180,81 $)"
+ ]
 },
 "uuid": "ef094aa6-4465-11e8-81ce-739cce28650b",
 "value": "XiaoBa ransomware"
@@ -11721,6 +11721,8 @@
 "extensions": [
 ".NMCRYPT"
 ],
+ "payment-method": "Bitcoin",
+ "price": "7000 $",
 "ransomnotes": [
 "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser...",
 "https://sensorstechforum.com/wp-content/uploads/2018/04/stf-NMCRYPT-ransomware-virus-ransom-note-tor-onion-network-page-768x827.png"
@@ -11728,9 +11730,7 @@
 "refs": [
 "https://sensorstechforum.com/nmcrypt-files-ransomware-virus-remove-restore-data/",
 "https://www.enigmasoftware.com/nmcryptansomware-removal/"
- ],
- "payment-method": "Bitcoin",
- "price": "7000 $"
+ ]
 },
 "uuid": "bd71be69-fb8c-4b1f-9d96-993ab23d5f2b",
 "value": "NMCRYPT Ransomware"
@@ -11738,6 +11738,8 @@
 {
 "description": "It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.\nWe know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design)\nDMA Locker (Iron Unlocker, decryption tool)\nSatan (exclusion list)",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.2",
 "ransomnotes": [
 "!HELP_YOUR_FILES.HTML",
 "We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…"
@@ -11745,9 +11747,7 @@
 "refs": [
 "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html",
 "http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.2"
+ ]
 },
 "uuid": "ba64d47c-46cd-11e8-87df-ff6252b4ea76",
 "value": "Iron"
@@ -11757,15 +11757,15 @@
 "extensions": [
 ".tron"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.007305 - 0.05",
 "ransomnotes": [
 "https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg"
 ],
 "refs": [
 "https://twitter.com/malwrhunterteam/status/985152346773696512",
 "http://id-ransomware.blogspot.com/2018/04/tron-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.007305 - 0.05"
+ ]
 },
 "uuid": "94290f1c-46ff-11e8-b9c6-ef8852c58952",
 "value": "Tron ransomware"
@@ -11776,15 +11776,15 @@
 "extensions": [
 "sequre@tuta.io_[hex]"
 ],
+ "payment-method": "Bitcoin",
+ "price": "0.14",
 "ransomnotes": [
 "HOW DECRIPT FILES.hta",
 "https://www.bleepstatic.com/images/news/ransomware/c/compiled-ransomware/ransom-note.jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.14"
+ ]
 },
 "uuid": "c1788ac0-4fa0-11e8-b0fd-63f5a2914926",
 "value": "Unnamed ramsomware 1"
@@ -11792,6 +11792,8 @@ { "description": "Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again.\nAccording to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim's was different from other reported ones.\nAn interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victim's are from Russia. This is common for Russian based attackers, who in many cases tries to avoid infecting Russian victims.\nFinally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from \"stealing\" another victim's payment and using it to unlock their computer.\nIn a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.", "meta": { + "payment-method": "Bitcoin", + "price": "2", "ransomnotes": [ "Security Notice\n\nHey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain the private key.\nIt means We are the only ones in the world to recover files back to you. Not even god can help you. Its all math and cryptography .\nIf you want your files back, Please send an email to 15fd9ngtetwjtdc@yopmail.com.\nWe don't know who are you, All what we need is some money and we are doing it for good cause.\nDon't panic if we don't answer you during 24 hours. 
It means that we didn't received your letter and write us again.\nYou can use of that bitcoin exchangers for transfering bitcoin.\nhttps://localbitcoins.com\nhttps://www.kraken.com\nPlease use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.\n\nProcess:\n1) Pay some BTC to our wallet address.(negotations almost impossible unless you are a russian citizen)\n2) We will send you private key and instructions to decrypt your hard drive\n3) Boom! You got your files back." ], @@ -11799,9 +11801,7 @@ "https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/", "https://twitter.com/M_Shahpasandi/status/989157283799162880", "https://id-ransomware.blogspot.com/2018/04/hpe-ilo-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "2" + ] }, "uuid": "39cb0268-528b-11e8-ac30-0fa44afdc8de", "value": "HPE iLO 4 Ransomware" 
@@ -11812,6 +11812,8 @@ "extensions": [ ".sigrun" ], + "payment-method": "Bitcoin Email", + "price": "2500 $", "ransomnotes": [ "SIGRUN 1.0 RANSOMWARE\n\nAll your important files are encrypted\n\nYour files has been encrypted by sigrun ransomware with unique decryption key.\n\nThere is only one way to get your files back: contact with us, pay, and get decryptor software. \n\nWe accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.\n\nYou have unique idkey (in a yellow frame), write it in letter when contact with us.\n\nAlso you can decrypt 3 files for test, its guarantee what we can decrypt your files.\n\nIDKEY:\n>>> [id_key] <<<\nContact information:\n\nemail: sigrun_decryptor@protonmail.ch", "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n|Our e-mail is: sigrun_decryptor@protonmail.ch|\n-----------------------------------------------\n\nAs a proof we will decrypt 3 files for free!\n\nPlease, attach this to your message:\n[id_key]", @@ -11821,9 +11823,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/", "http://id-ransomware.blogspot.com/2018/05/sigrun-ransomware.html" - ], - "payment-method": "Bitcoin Email", - "price": "2500 $" + ] }, "uuid": "5a53eec2-6993-11e8-a4d5-67480005dcbd", "value": "Sigrun Ransomware" 
@@ -11834,6 +11834,7 @@
 "extensions": [
 ".crybrazil"
 ],
+ "payment-method": "Website",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg"
 ],
@@ -11841,8 +11842,7 @@
 "https://twitter.com/malwrhunterteam/status/1002953824590614528",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
 "https://id-ransomware.blogspot.com/2018/06/crybrazil-ransomware.html"
- ],
- "payment-method": "Website"
+ ]
 },
 "uuid": "30625df6-6e3e-11e8-b0cf-a7103cb03e05",
 "value": "CryBrazil"
@@ -11850,15 +11850,15 @@
 {
 "description": "new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.0065 (50 $)",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ ",
 "http://id-ransomware.blogspot.com/2018/06/pedcont-ransomware.html"
- ],
- "payment-method": "Bitcoin",
- "price": "0.0065 (50 $)"
+ ]
 },
 "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 ",
 "value": "Pedcont"
@@ -11869,6 +11869,7 @@
 "extensions": [
 ".DiskDoctor"
 ],
+ "payment-method": "Bitcoin Email",
 "ransomnotes": [
 "HOW TO RECOVER ENCRYPTED FILES.TXT",
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg"
@@ -11879,8 +11880,7 @@
 ],
 "synonyms": [
 "Scarab-DiskDoctor"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "aa66e0c2-6fb5-11e8-851d-4722b7b3e9b9",
 "value": "DiskDoctor"
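Review bot: In the Pedcont hunk (`@@ -11850,15 +11850,15 @@`) the context line `"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "` has a trailing space inside the string, and the first `refs` URL ends in `/ "` with the same stray space. A consumer that matches clusters by exact UUID or validates the UUID format would probably fail to resolve or reject this entry, so relationships and tags pointing at Pedcont may silently break. Since this commit already normalises the file, trim both values here: `"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23",` and the URL with no space before its closing quote. A schema check that enforces a UUID pattern on `uuid` would catch this class of error in CI.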
@@ -11891,6 +11891,8 @@ "extensions": [ ".RedEye" ], + "payment-method": "Bitcoin", + "price": "0.1", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg" ], @@ -11899,9 +11901,7 @@ "https://twitter.com/JakubKroustek/status/1004463935905509376", "https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html", "https://id-ransomware.blogspot.com/2018/06/redeye-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "0.1" + ] }, "uuid": "e675e8fa-7065-11e8-95e0-cfdc107099d8", "value": "RedEye" @@ -11916,6 +11916,8 @@ ".desu", ".ONI" ], + "payment-method": "Bitcoin", + "price": "100 - 500", "ransomnotes": [ "#RECOVERY-PC#.txt", "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================", @@ -11935,9 +11937,7 @@ ], "synonyms": [ "Zorro Ransomware" - ], - "payment-method": "Bitcoin", - "price": "100 - 500" + ] }, "uuid": "3ee0664e-706d-11e8-800d-9f690298b437", "value": "Aurora Ransomware" 
@@ -11947,15 +11947,15 @@ "extensions": [ ".digiworldhack@tutanota.com" ], + "payment-method": "Bitcoin", + "price": "500 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg", "http://id-ransomware.blogspot.com/2018/05/pgpsnippet-ransomware.html" ], "refs": [ "https://twitter.com/demonslay335/status/1005138187621191681" - ], - "payment-method": "Bitcoin", - "price": "500 $" + ] }, "uuid": "682ff7ac-7073-11e8-8c8b-bf1271b8800b", "value": "PGPSnippet Ransomware" @@ -11965,11 +11965,11 @@ "extensions": [ ".SF" ], + "payment-method": "Bitcoin Email", "refs": [ "https://twitter.com/demonslay335/status/1005136022282428419", "https://id-ransomware.blogspot.com/2018/04/spartacus-ransomware.html" - ], - "payment-method": "Bitcoin Email" + ] }, "uuid": "fe42c270-7077-11e8-af82-d7bf7e6ab8a9", "value": "Spartacus Ransomware" @@ -11980,6 +11980,8 @@ "extensions": [ ".donut" ], + "payment-method": "Bitcoin", + "price": "100 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/15/DfQI_lnXUAAukGK[1].jpg" ], @@ -11987,9 +11989,7 @@ "https://twitter.com/siri_urz/status/1005438610806583296", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/", "http://id-ransomware.blogspot.com/2018/06/donut-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "100 $" + ] }, "uuid": "e57e1f4a-72da-11e8-8c0d-af46e8f393d2", "value": "Donut" 
@@ -11997,13 +11997,13 @@ { "description": "Ransomware as a Service", "meta": { + "payment-method": "Bitcoin", + "price": "10", "refs": [ "https://twitter.com/Damian1338B/status/1005411102660923392", "https://www.bleepingcomputer.com/news/security/nemes1s-raas-is-padcrypt-ransomwares-affiliate-system/", "https://id-ransomware.blogspot.com/2017/01/nemesis-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "10" + ] }, "uuid": "3ac0f41e-72e0-11e8-85a8-f7ae254ab629", "value": "NemeS1S Ransomware" @@ -12014,6 +12014,7 @@ "extensions": [ "_V.0.0.0.1{paradise@all-ransomware.info}.prt" ], + "payment-method": "Bitcoin Email", "ransomnotes": [ "PARADISE_README_paradise@all-ransomware.info.txt" ], @@ -12021,8 +12022,7 @@ "https://twitter.com/malwrhunterteam/status/1005420103415017472", "https://twitter.com/malwrhunterteam/status/993499349199056897", "http://id-ransomware.blogspot.com/2017/09/paradise-ransomware.html" - ], - "payment-method": "Bitcoin Email" + ] }, "uuid": "db06d2e0-72f9-11e8-9413-73999e1a9373", "value": "Paradise Ransomware" 
@@ -12034,6 +12034,8 @@ ".reycarnasi1983@protonmail.com.gw3w", ".ssananunak1987@protonmail.com.b2fr" ], + "payment-method": "Bitcoin", + "price": "0.1 - 0.3", "ransomnotes": [ "Your files were encrypted with AES-256.\n\nAsk how to restore your files by email reycarnasi1983@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: reycarnasi1983@torbox3uiot6wchz.onion\nATTENTION: e-mail (reycarnasi1983@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]-----END KEY-----", "ScrewYou.txt", @@ -12043,9 +12045,7 @@ "refs": [ "https://twitter.com/demonslay335/status/1006220895302705154", "https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "0.1 - 0.3" + ] }, "uuid": "4a341cf4-72ff-11e8-8371-b74902a1dff3", "value": "B2DR Ransomware" 
@@ -12056,6 +12056,7 @@ "extensions": [ ".codyprince92@mail.com.ovgm" ], + "payment-method": "Email Tor", "ransomnotes": [ "Readme.txt", "Hello. Your files have been encrypted.\n\nFor help, write to this e-mail: codyprince92@mail.com\nAttach to the letter 1-2 files (no more than 3 MB) and your personal key.\n\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: codyprince@torbox3uiot6wchz.onion\n\n\nATTENTION: e-mail (codyprince@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n\n\nYour personal key:\n\n[redacted hex]" @@ -12063,8 +12064,7 @@ "refs": [ "https://twitter.com/demonslay335/status/1006237353474756610", "http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html" - ], - "payment-method": "Email Tor" + ] }, "uuid": "ef38d8b4-7392-11e8-ba1e-cfb37f0b9c73", "value": "YYTO Ransomware" @@ -12074,14 +12074,14 @@ "extensions": [ ".qnbqw" ], + "payment-method": "Email", "ransomnotes": [ "Notice.txt", "Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail.com to get your decryption key.\nYour USERKEY: [redacted 1024 bytes in base64]" ], "refs": [ "https://twitter.com/demonslay335/status/1007334654918250496" - ], - "payment-method": "Email" + ] }, "uuid": "53e6e068-739c-11e8-aae4-df58f7f27ee5", "value": "Unnamed ramsomware 2" @@ -12094,6 +12094,8 @@ "pain", ".[yoursalvations@protonmail.ch].neverdies@tutanota.com" ], + "payment-method": "Bitcoin", + "price": "3003 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg" ], 
@@ -12102,19 +12104,17 @@ "https://twitter.com/malwrhunterteam/status/1065675918000234497", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/", "http://id-ransomware.blogspot.com/2018/03/everbe-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "3003 $" + ] }, "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2", "value": "Everbe Ransomware" }, { "meta": { + "payment-method": "Bitcoin", "refs": [ "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/" - ], - "payment-method": "Bitcoin" + ] }, "related": [ { @@ -12134,6 +12134,8 @@ "extensions": [ "image.png -- > [dbger@protonmail.com]image.png.dbger" ], + "payment-method": "Bitcoin", + "price": "1", "ransomnotes": [ "_How_to_decrypt_files.txt", "Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:", @@ -12142,9 +12144,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/", "http://id-ransomware.blogspot.com/2018/06/dbger-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "1" + ] }, "uuid": "541a479c-73a5-11e8-9d70-47736508231f", "value": "DBGer Ransomware" 
@@ -12152,12 +12152,12 @@ { "description": "Hidden Tear variant discovered in October 2016. After activation, provides victims with an unlimited amount of time to gather the requested ransom money and pay it. Related unlock keys and the response sent to and from a Gmail addres", "meta": { + "payment-method": "Bitcoin", + "price": "250 $", "refs": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "https://id-ransomware.blogspot.com/2017/11/rastakhiz-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "250 $" + ] }, "uuid": "884eaa14-9ba8-11e8-a6ec-7f903f720e60", "value": "RASTAKHIZ" @@ -12165,15 +12165,15 @@ { "description": "DUMB variant discovered on November 16, 2017. Disguised itself as a popular virtual private network (VPN) in Iran known as Psiphon and infected Iranian users. Included Farsi-language ransom note, decryptable in the same way as previous DUMB-based variants. Message requested only US$15 for unlock key. Advertised two local and Iran-based payment processors: exchange.ir and webmoney.ir.Shared unique and specialized indicators with RASTAKHIZ; iDefense threat intelligence analysts believe this similarity confirms that the same actor was behind the repurposing of both types of ransomware.", "meta": { + "payment-method": "Bitcoin", + "price": "15 $", "refs": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "http://id-ransomware.blogspot.com/2017/10/tyrant-ransomware.html" ], "synonyms": [ "Crypto Tyrant" - ], - "payment-method": "Bitcoin", - "price": "15 $" + ] }, "uuid": "701f2a3e-9baa-11e8-a044-4b8bc49ea971", "value": "TYRANT" 
@@ -12181,12 +12181,12 @@ { "description": "zCrypt variant discovered on November 17, 2017, one day after the discovery of TYRANT. Used Farsi-language ransom note asking for a staggering 20 Bitcoin ransom payment. Also advertised local Iran-based payment processors and exchanges—www.exchangeing[.]ir, www.payment24[.]ir, www.farhadexchange.net, and www.digiarz.com)—through which Bitcoins could be acquired.", "meta": { + "payment-method": "Bitcoin", + "price": "20", "refs": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf", "https://id-ransomware.blogspot.com/2017/11/wannasmile-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "20" + ] }, "uuid": "b3f04486-9bc4-11e8-bbfe-cf096483b45e", "value": "WannaSmile" @@ -12194,10 +12194,10 @@ { "description": "Uses APK Editor Pro. Picks and activates DEX>Smali from APK Editor. Utilizes LockService application and edits the “const-string v4, value” to a desired unlock key. Changes contact information within the ransom note. Once the victim has downloaded the malicious app, the only way to recover its content is to pay the ransom and receive the unlock key. ", "meta": { + "payment-method": "Email", "refs": [ "https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf" - ], - "payment-method": "Email" + ] }, "uuid": "b48a7d62-9bc4-11e8-a7c5-47d13fad265f", "value": "Unnamed Android Ransomware" 
@@ -12208,6 +12208,8 @@ "extensions": [ ".KEYPASS" ], + "payment-method": "Bitcoin", + "price": "300 $", "ransomnotes": [ "!!!KEYPASS_DECRYPTION_INFO!!!.txt", "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]" @@ -12218,9 +12220,7 @@ ], "synonyms": [ "KeyPass" - ], - "payment-method": "Bitcoin", - "price": "300 $" + ] }, "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c", "value": "KEYPASS" @@ -12233,6 +12233,8 @@ "-DATASTOP", ".PUMA" ], + "payment-method": "Bitcoin", + "price": "200 - 600 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg", "!readme.txt", @@ -12243,9 +12245,7 @@ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/", "https://twitter.com/MarceloRivero/status/1065694365056679936", "http://id-ransomware.blogspot.com/2017/12/stop-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "200 - 600 $" + ] }, "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5", "value": "STOP Ransomware" 
@@ -12253,6 +12253,7 @@ { "description": "A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a \"tip\" to decrypt the files.", "meta": { + "payment-method": "Bitcoin", "ransomnotes": [ "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg", "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information." @@ -12264,8 +12265,7 @@ ], "synonyms": [ "Barack Obama's Blackmail Virus Ransomware" - ], - "payment-method": "Bitcoin" + ] }, "uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e", "value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware" @@ -12277,6 +12277,8 @@ ".fully.cryptoNar", ".partially.cryptoNar" ], + "payment-method": "Bitcoin", + "price": "200 $", "ransomnotes": [ "CRYPTONAR RECOVERY INFORMATION.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg" @@ -12285,9 +12287,7 @@ "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/", "https://twitter.com/malwrhunterteam/status/1034492151541977088", "https://id-ransomware.blogspot.com/2018/08/cryptonar-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "200 $" + ] }, "related": [ { @@ -12307,12 +12307,12 @@ "extensions": [ ".[backdata@cock.li].CreamPie" ], + "payment-method": "Bitcoin", "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/", "https://twitter.com/JakubKroustek/status/1033656080839139333", "https://id-ransomware.blogspot.com/2018/08/creampie-ransomware.html" - ], - "payment-method": "Bitcoin" + ] }, "uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab", "value": "CreamPie Ransomware" 
@@ -12334,6 +12334,8 @@ "extensions": [ ".cassetto" ], + "payment-method": "Bitcoin", + "price": "0.5", "ransomnotes": [ "IMPORTANT ABOUT DECRYPT.txt", "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.", @@ -12343,9 +12345,7 @@ "https://twitter.com/demonslay335/status/1034213399922524160", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/", "https://id-ransomware.blogspot.com/2018/08/cassetto-ransomware.html" - ], - "payment-method": "Bitcoin", - "price": "0.5" + ] }, "uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9", "value": "Cassetto Ransomware" @@ -12353,6 +12353,8 @@ { "description": "Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.", "meta": { + "payment-method": "Bitcoin", + "price": "80 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg" ], @@ -12362,9 +12364,7 @@ ], "synonyms": [ "Acroware Screenlocker" - ], - "payment-method": "Bitcoin", - "price": "80 $" + ] }, "uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584", "value": "Acroware Cryptolocker Ransomware" 
@@ -12375,15 +12375,15 @@ "extensions": [ ".aaaaaa" ], + "payment-method": "Bitcoin", + "price": "100 - 500 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg" ], "refs": [ "https://twitter.com/B_H101/status/1034379267956715520", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" - ], - "payment-method": "Bitcoin", - "price": "100 - 500 $" + ] }, "uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412", "value": "Termite Ransomware" @@ -12394,6 +12394,8 @@ "extensions": [ ".PICO" ], + "payment-method": "Bitcoin", + "price": "100 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg", "README.txt" @@ -12404,9 +12406,7 @@ ], "synonyms": [ "Pico Ransomware" - ], - "payment-method": "Bitcoin", - "price": "100 $" + ] }, "uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2", "value": "PICO Ransomware" @@ -12414,6 +12414,8 @@ { "description": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.", "meta": { + "payment-method": "Bitcoin", + "price": "400 $", "ransomnotes": [ "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg", "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg", @@ -12422,9 +12424,7 @@ ], "refs": [ "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" - ], - "payment-method": "Bitcoin", - "price": "400 $" + ] }, "uuid": "df025902-b29e-11e8-a2ab-739167419c52", "value": "Sigma Ransomware" 
@@ -12436,14 +12436,14 @@ { "description": "An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.", "meta": { + "payment-method": "Bitcoin", + "price": "0.1", "ransomnotes": [ "Your database was encrypted by 'Mongo Lock'. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: mongodb@8chan.co for decryption service." ], "refs": [ "https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/" - ], - "payment-method": "Bitcoin", - "price": "0.1" + ] }, "uuid": "2aa481fe-c254-11e8-ad1c-efee78419960", "value": "Mongo Lock" @@ -12451,6 +12451,8 @@ { "description": "The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. ", "meta": { + "payment-method": "Dollars", + "price": "80", "ransomnotes": [ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], 
@@ -12459,9 +12461,7 @@ "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/", "https://twitter.com/MarceloRivero/status/1059575186117328898", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/" - ], - "payment-method": "Dollars", - "price": "80" + ] }, "uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5", "value": "Kraken Cryptor Ransomware" @@ -12471,14 +12471,14 @@ "extensions": [ ".SAVEfiles." ], + "payment-method": "Email", "ransomnotes": [ "!!!SAVE__FILES__INFO!!!.txt", "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/" - ], - "payment-method": "Email" + ] }, "uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9", "value": "SAVEfiles" @@ -12489,6 +12489,8 @@ "extensions": [ ".locked" ], + "payment-method": "Won", + "price": "50 000 (50 $)", "ransomnotes": [ "Warning!!!!!!.txt", "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg", @@ -12496,9 +12498,7 @@ ], "refs": [ "https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/" - ], - "payment-method": "Won", - "price": "50 000 (50 $)" + ] }, "uuid": "c06a1938-dcee-11e8-bc74-474b0080f0e5", "value": "File-Locker" @@ -12509,6 +12509,8 @@ "extensions": [ ".[old@nuke.africa].CommonRansom" ], + "payment-method": "Bitcoin", + "price": "0.1", "ransomnotes": [ "DECRYPTING.txt", "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg", @@ -12516,9 +12518,7 @@ ], "refs": [ "https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/" - ], - "payment-method": "Bitcoin", - "price": "0.1" + ] }, "uuid": "c0dffb94-dcee-11e8-81b9-3791d1c6638f", "value": "CommonRansom" 
@@ -12526,6 +12526,7 @@ { "description": "MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. Has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.", "meta": { + "payment-method": "Bitcoin Website", "refs": [ "https://twitter.com/malwrhunterteam/status/1048616343975682048", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/" @@ -12533,8 +12534,7 @@ "synonyms": [ "Godsomware v1.0", "Ransomware God Crypt" - ], - "payment-method": "Bitcoin Website" + ] }, "uuid": "7074f228-e0ee-11e8-9c49-7fc798e92ddbx§", "value": "God Crypt Joke Ransomware" @@ -12545,6 +12545,7 @@ "extensions": [ ".encr" ], + "payment-method": "Email", "ransomnotes": [ "readmy.txt", "Attention! All your files are encrypted!\nTo recover your files and access them,\nsend a message with your id to email DecryptFox@protonmail.com\n \nPlease note when installing or running antivirus will be deleted\n important file to decrypt your files and data will be lost forever!!!!\n \nYou have 5 attempts to enter the code. If you exceed this\nthe number, all the data, will be irreversibly corrupted. Be\ncareful when entering the code!\n \nyour id [redacted 32 lowercase hex]" @@ -12552,8 +12553,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", "https://twitter.com/demonslay335/status/1049325784979132417" - ], - "payment-method": "Email" + ] }, "uuid": "a920dea5-9f30-4fa2-9665-63f306874381", "value": "DecryptFox Ransomware" 
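Review bot: The God Crypt entry (`@@ -12533,8 +12534,7 @@`) has `"uuid": "7074f228-e0ee-11e8-9c49-7fc798e92ddbx§"`, which is not a valid UUID because the last group is followed by the stray characters `x§`. Tools that parse or index clusters by UUID may reject or mis-key this entry. The same `x§` sequence appears inside the Cassetto ransom note text in the `@@ -12334,6 +12334,8 @@` hunk (`x§If your files is important`), which suggests an editing artifact rather than real data. Assuming the 36 characters before the artifact are the intended identifier, the line should read `"uuid": "7074f228-e0ee-11e8-9c49-7fc798e92ddb",`. The Cassetto note text should be checked against its source before the two characters are removed there.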
@@ -12564,15 +12564,15 @@ "extensions": [ ".garrantydecrypt" ], + "payment-method": "Bitcoin", + "price": "780 $", "ransomnotes": [ "#RECOVERY_FILES#.txt" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", "https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/" - ], - "payment-method": "Bitcoin", - "price": "780 $" + ] }, "uuid": "f251740b-1594-460a-a378-371f3a2ae92c", "value": "garrantydecrypt" @@ -12583,15 +12583,15 @@ "extensions": [ ".mvp" ], + "payment-method": "Bitcoin", + "price": "1", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/mvp.jpg" ], "refs": [ "https://twitter.com/siri_urz/status/1039077365039673344", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/" - ], - "payment-method": "Bitcoin", - "price": "1" + ] }, "uuid": "ea643bfd-613e-44d7-9408-4991d53e08fa", "value": "MVP Ransomware" 
@@ -12599,6 +12599,8 @@ { "description": "Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.", "meta": { + "payment-method": "Bitcoin", + "price": "0.8", "ransomnotes": [ "read_me_for_recover_your_files.txt", "All your important files on this device have been encrypted.\n\nNo one can decrypt your files except us.\n\nIf you want to recover all your files. contact us via E-mail.\nDON'T forget to send us your ID!!!\n\nTo recover your files,You have to pay 0.8 bitcoin.\n\n\n\n\nContact Email : Leviathan13@protonmail.com\n\nYour ID :\n\n[redacted 0x200 bytes in base64 form]\n\n\nFree decryption as guarantee\n\nIf you can afford the specified amount of bitcoin,\nyou can send to us up to 2 files for demonstration.\n\nPlease note that files must NOT contain valuable information\nand their total size must be less than 2Mb." @@ -12606,9 +12608,7 @@ "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", "" - ], - "payment-method": "Bitcoin", - "price": "0.8" + ] }, "uuid": "3675e50d-3f76-45f8-b3f3-4a645779e14d", "value": "StorageCrypter" @@ -12619,11 +12619,11 @@ "extensions": [ ".CQScSFy" ], + "payment-method": "Email", "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", "https://twitter.com/GrujaRS/status/1040677247735279616" - ], - "payment-method": "Email" + ] }, "uuid": "e90a57b5-cd17-4dce-b83f-d007053c7b35", "value": "Rektware" @@ -12633,6 +12633,8 @@ "extensions": [ ".mariacbc" ], + "payment-method": "Bitcoin", + "price": "0.002 (50 $)", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg" ], 
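Review bot: The StorageCrypter `refs` array (`@@ -12606,9 +12608,7 @@`) ends with an empty string, `""`, which this commit carries over unchanged. An empty reference gives an analyst nothing to follow and can trip tooling that expects every `refs` element to be a URL. I would drop the element so the array holds only the bleepingcomputer link, and reject empty `refs` items in validation.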
@@ -12643,9 +12645,7 @@ "synonyms": [ "M@r1a", "BlackHeart" - ], - "payment-method": "Bitcoin", - "price": "0.002 (50 $)" + ] }, "uuid": "1009b7f3-e737-49fd-a872-1e0fd1df4c00", "value": "M@r1a ransomware" @@ -12655,6 +12655,8 @@ "extensions": [ "(enc) prepend" ], + "payment-method": "Bitcoin", + "price": "25 000 sek (sweden)", "ransomnotes": [ "aboutYourFiles.txt", "Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n* the bitcoin address you sent from (important, write it down when you do the transaction)\n* the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress: \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT: \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me. \n\n\n\nID: [redacted 13 numbers]" 
@@ -12662,9 +12664,7 @@ "refs": [ "https://twitter.com/demonslay335/status/1059470985055875074", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/" - ], - "payment-method": "Bitcoin", - "price": "25 000 sek (sweden)" + ] }, "uuid": "ad600737-6d5f-4771-ae80-3e434e29c749", "value": "\"prepending (enc) ransomware\" (Not an official name)" @@ -12674,6 +12674,8 @@ "extensions": [ ".impect" ], + "payment-method": "Bitcoin", + "price": "300 $", "ransomnotes": [ "how to get back you files.txt", "Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com", @@ -12681,9 +12683,7 @@ ], "refs": [ "https://twitter.com/demonslay335/status/1060921043957755904" - ], - "payment-method": "Bitcoin", - "price": "300 $" + ] }, "uuid": "f7fa6978-c932-4e62-b4fc-3fbbbc195602", "value": "PyCL Ransomware" 
@@ -12694,14 +12694,14 @@ "extensions": [ ".Vapor" ], + "payment-method": "Email", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg" ], "refs": [ "https://twitter.com/malwrhunterteam/status/1063769884608348160", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/" - ], - "payment-method": "Email" + ] }, "uuid": "f53205a0-7a8f-41d1-a427-bf3ab9bd77bb", "value": "Vapor Ransomware" @@ -12712,15 +12712,15 @@ "extensions": [ ".Horsuke " ], + "payment-method": "Bitcoin", + "price": "0.00000001", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/", "https://twitter.com/GrujaRS/status/1063930127610986496" - ], - "payment-method": "Bitcoin", - "price": "0.00000001" + ] }, "uuid": "677aeb47-587d-40a4-80b7-22672ba1160c", "value": "EnyBenyHorsuke Ransomware" @@ -12731,6 +12731,8 @@ ".demonslay335_you_cannot_decrypt_me!", ".malwarehunterteam" ], + "payment-method": "Bitcoin", + "price": "999999.5", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg", @@ -12743,9 +12745,7 @@ ], "synonyms": [ "DelphiMorix" - ], - "payment-method": "Bitcoin", - "price": "999999.5" + ] }, "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4", "value": "DeLpHiMoRix" @@ -12756,6 +12756,8 @@ "extensions": [ ".PERSONAL_ID:.Nuclear" ], + "payment-method": "Bitcoin", + "price": "0.00000001", "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg", "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg", 
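Review bot: The EnyBenyHorsuke entry (`@@ -12712,15 +12712,15 @@`) lists its extension as `".Horsuke "` with a trailing space inside the quotes. If that space is not part of the real appended extension, which the hunk alone cannot confirm, a detection or triage rule built from this field will not match affected files. I would check the refs and, if the space is accidental, change the line to `".Horsuke"`.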
@@ -12765,9 +12767,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/",
 "https://twitter.com/GrujaRS/status/1066799421080461312",
 "https://www.youtube.com/watch?v=_aaFon7FVbc"
- ],
- "payment-method": "Bitcoin",
- "price": "0.00000001"
+ ]
 },
 "uuid": "950d5501-b5eb-4f53-b33d-76e789912c16",
 "value": "EnyBeny Nuclear Ransomware"
@@ -12778,6 +12778,8 @@
 "extensions": [
 "[]..lucky"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "_How_To_Decrypt_My_File_.txt",
 "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]"
@@ -12785,9 +12787,7 @@
 "refs": [
 "https://twitter.com/demonslay335/status/1067109661076262913",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "a8eb9743-dfb6-4e13-a95e-e68153df94e9",
 "value": "Lucky Ransomware"
@@ -12795,15 +12795,15 @@
 {
 "description": "Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.",
 "meta": {
+ "payment-method": "Yuan",
+ "price": "110 (16 $)",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/",
 "https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/"
 ],
 "synonyms": [
 "UNNAMED1989"
- ],
- "payment-method": "Yuan",
- "price": "110 (16 $)"
+ ]
 },
 "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
 "value": "WeChat Ransom"
@@ -12813,6 +12813,7 @@
 "extensions": [
 ".israbye"
 ],
+ "payment-method": "Politic",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg",
 "https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg"
@@ -12821,8 +12822,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
 "https://www.youtube.com/watch?v=QevoUzbqNTQ",
 "https://twitter.com/GrujaRS/status/1070011234521673728"
- ],
- "payment-method": "Politic"
+ ]
 },
 "uuid": "3ade75c8-6ef7-4c54-84d0-cab0161d3415",
 "value": "IsraBye"
@@ -12832,14 +12832,14 @@
 "extensions": [
 "prepend (encrypted)"
 ],
+ "payment-method": "Bitcoin Website",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg"
 ],
 "refs": [
 "https://twitter.com/struppigel/status/1069905624954269696",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
- ],
- "payment-method": "Bitcoin Website"
+ ]
 },
 "related": [
 {
@@ -12860,6 +12860,7 @@
 ".gerber5",
 ".FJ7QvaR9VUmi"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg",
 "DECRYPT.txt",
@@ -12869,8 +12870,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
 "https://twitter.com/petrovic082/status/1071003939015925760",
 "https://twitter.com/Emm_ADC_Soft/status/1071716275590782976"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "3bcc725f-6b89-4350-ad79-f50daa30f74e",
 "value": "Gerber Ransomware 1.0"
@@ -12884,6 +12884,8 @@
 "extensions": [
 ".protected"
 ],
+ "payment-method": "Bitcoin",
+ "price": "900 $",
 "ransomnotes": [
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg"
 ],
@@ -12891,9 +12893,7 @@
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/",
 "https://twitter.com/GrujaRS/status/1071153192975642630",
 "https://www.youtube.com/watch?v=iB019lDvArs"
- ],
- "payment-method": "Bitcoin",
- "price": "900 $"
+ ]
 },
 "uuid": "9ebfa028-a9dd-46ec-a915-1045fb297824",
 "value": "Outsider"
@@ -12901,12 +12901,12 @@
 {
 "description": "Uses http://ccrypt.sourceforge.net/ encryption program",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.3",
 "refs": [
 "https://twitter.com/demonslay335/status/1071123090564923393",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.3"
+ ]
 },
 "uuid": "23fcbbf1-93ee-4baf-9082-67ca26553643",
 "value": "JungleSec"
@@ -12917,6 +12917,8 @@
 "extensions": [
 ".fuck"
 ],
+ "payment-method": "Bitcoin",
+ "price": "1",
 "ransomnotes": [
 "README_BACK_FILES.htm",
 "https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg"
@@ -12925,9 +12927,7 @@
 "https://twitter.com/GrujaRS/status/1071349228172124160",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/",
 "https://www.youtube.com/watch?v=uHYY6XZZEw4"
- ],
- "payment-method": "Bitcoin",
- "price": "1"
+ ]
 },
 "uuid": "edd4c8d0-d971-40a6-b7c6-5c57a4b51e48",
 "value": "EQ Ransomware"
@@ -12938,14 +12938,14 @@
 "extensions": [
 ".mercury"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "!!!READ_IT!!!.txt",
 "!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]"
 ],
 "refs": [
 "https://twitter.com/demonslay335/status/1072164314608480257"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "968cf828-0653-4d86-a01d-186db598f391",
 "value": "Mercury Ransomware"
@@ -12955,14 +12955,14 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "ODSZYFRFUJ_PLIKI_TERAZ.txt",
 "https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg"
 ],
 "refs": [
 "https://twitter.com/GrujaRS/status/1072468548977680385"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "ea390fa7-94ac-4287-8a2d-c211330671b0",
 "value": "Forma Ransomware"
@@ -12972,14 +12972,14 @@
 "extensions": [
 ".djvu"
 ],
+ "payment-method": "Email",
 "ransomnotes": [
 "_openme.txt",
 "---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]"
 ],
 "refs": [
 "https://twitter.com/demonslay335/status/1072907748155842565"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "e37ddc9e-8ceb-4817-a17e-755aa379ed14",
 "value": "Djvu"
@@ -12987,6 +12987,8 @@
 {
 "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "13.57",
 "ransomnotes-filenames": [
 "RyukReadMe.txt"
 ],
@@ -12996,9 +12998,7 @@
 ],
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
- ],
- "payment-method": "Bitcoin",
- "price": "13.57"
+ ]
 },
 "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
 "value": "Ryuk ransomware"
@@ -13006,10 +13006,10 @@
 {
 "description": "In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
 "meta": {
+ "payment-method": "Bitcoin Email",
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
- ],
- "payment-method": "Bitcoin Email"
+ ]
 },
 "uuid": "09fa0e0a-f0b2-46ea-8477-653e627b1c22",
 "value": "BitPaymer"
@@ -13019,6 +13019,7 @@
 "extensions": [
 ".locked"
 ],
+ "payment-method": "Email",
 "ransomnotes-filenames": [
 "README-NOW.txt"
 ],
@@ -13027,8 +13028,7 @@
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
- ],
- "payment-method": "Email"
+ ]
 },
 "uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe",
 "value": "LockerGoga"
@@ -13036,11 +13036,11 @@
 {
 "description": "We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates.\nThe new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.12 (773 $)",
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/"
- ],
- "payment-method": "Bitcoin",
- "price": "0.12 (773 $)"
+ ]
 },
 "uuid": "53da7991-62b7-4fe2-af02-447a0734f41d",
 "value": "Princess Evolution"
@@ -13048,14 +13048,14 @@
 {
 "description": "A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server.\nAccording to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in. ",
 "meta": {
+ "payment-method": "Bitcoin",
+ "price": "0.0077",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/"
 ],
 "synonyms": [
 "Fake GandCrab"
- ],
- "payment-method": "Bitcoin",
- "price": "0.0077"
+ ]
 },
 "uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
 "value": "Jokeroo"