From 44857c2ac313ad58ff53bb652fb8dc0aa7c55739 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 17 May 2017 10:08:53 +0200 Subject: [PATCH 1/9] add jaff Ransomware --- clusters/ransomware.json | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2065d72..0a7e498 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -8120,7 +8120,28 @@ ".vxLock" ] } - } + }, + { + "value": "Jaff", + "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", + "meta": { + "extensions": [ + ".jaff" + ], + "encryption": "AES", + "ransomnotes": [ + "WallpapeR.bmp", + "ReadMe.bmp", + "ReadMe.html", + "ReadMe.txt" + ], + "refs": [ + "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html", + "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/" + ] + } + }, + ], "source": "Various", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", From 66ca4c6f2a1a9f424c9dfca984881c3dd1af4842 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 17 May 2017 10:10:27 +0200 Subject: [PATCH 2/9] add jaff Ransomwarejq-ed --- clusters/ransomware.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 0a7e498..001d411 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json 
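Review bot: This hunk leaves clusters/ransomware.json unparseable at this commit: the new description contains unescaped quotes around `"Jaff"`, and the added `+ },` before the closing `]` is a trailing comma. PATCH 2/9 repairs both, but as a series this revision breaks bisecting and any consumer that loads the file at it, so squashing 1/9 and 2/9 would avoid the broken intermediate state. The entry also carries no `"date"` in meta, unlike the entries touched later in this series; `"date": "May 2017"` would match the month in the cited Talos post's URL. The description is a verbatim paragraph from that post rather than a summary, which is worth either shortening or quoting with attribution.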
@@ -8123,7 +8123,7 @@ }, { "value": "Jaff", - "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", + "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed \"Jaff\". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", "meta": { "extensions": [ ".jaff" @@ -8140,8 +8140,7 @@ "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/" ] } - }, - + } ], "source": "Various", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", From c501517e9a80997a0ed28fd546326c0a68167672 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 17 May 2017 12:00:26 +0200 Subject: [PATCH 3/9] add synonym to hancitor --- clusters/tool.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index dbbcd0d..efed80e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1133,7 +1133,8 @@ "meta": { "synonyms": [ "Tordal", - "Chanitor" + "Chanitor", + "Pony" ], "refs": [ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" 
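Review bot: `"Pony"` is added as a synonym of the Hancitor entry in clusters/tool.json, but Pony (Fareit) is generally tracked as a distinct credential-stealing family that Hancitor campaigns deliver, not as an alias of Hancitor itself. Recording it under `synonyms` makes any lookup of "Pony" resolve to Hancitor and merges two families for correlation purposes. If the intent is to capture the delivery relationship, a ref or a separate Pony entry expresses it without conflating the names; if a source treats them as the same tool, it belongs in `refs` alongside the addition.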
From 6859b2fb4eaf85b08c4dce4c5596529f4e6c04c4 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 17 May 2017 12:14:10 +0200 Subject: [PATCH 4/9] add synonym - step 1 --- clusters/ransomware.json | 71 ++++++++++++++++++++++++++++++++-------- 1 file changed, 57 insertions(+), 14 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 001d411..2f9b938 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -88,6 +88,9 @@ }, { "meta": { + "synonyms": [ + "Ŧl๏tєгค гคภร๏๓ฬคгє" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html", "https://twitter.com/struppigel/status/839778905091424260" @@ -101,7 +104,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Vortex Ransomware or Ŧl๏tєгค гคภร๏๓ฬคгє" + "value": "Vortex Ransomware" }, { "meta": { @@ -246,6 +249,9 @@ }, { "meta": { + "synonyms": [ + "Fake CTB-Locker" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html", "https://twitter.com/JakubKroustek/status/842034887397908480" @@ -262,7 +268,7 @@ "date": "March 2017" }, "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Turkish FileEncryptor Ransomware or Fake CTB-Locker" + "value": "Turkish FileEncryptor Ransomware" }, { "meta": { 
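Review bot: Each of these hunks inserts a `synonyms` array at the top of `meta` with only three context lines visible, so the diff cannot show whether the entry already had a `synonyms` key further down; most JSON parsers accept duplicate keys and keep the last occurrence, so an existing list would silently win over the new one. The subject calls this "step 1" of a hand-edited pass over the whole file, which is where such duplicates tend to slip in. Running the same jq normalisation used in PATCH 2/9 over the result and diffing it back would surface any key that was dropped or doubled. The same caution applies to every synonyms hunk in PATCH 4/9 and 5/9.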
@@ -640,6 +646,9 @@ }, { "meta": { + "synonyms": [ + "BarRaxCrypt  Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", "https://twitter.com/demonslay335/status/835668540367777792" @@ -652,7 +661,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", - "value": "BarRax  Ransomware or BarRaxCrypt  Ransomware" + "value": "BarRax  Ransomware" }, { "meta": { @@ -670,6 +679,9 @@ }, { "meta": { + "synonyms": [ + "CzechoSlovak Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html" ], @@ -684,7 +696,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "UserFilesLocker Ransomware or CzechoSlovak Ransomware" + "value": "UserFilesLocker Ransomware" }, { "meta": { @@ -731,6 +743,9 @@ }, { "meta": { + "synonyms": [ + "VHDLocker Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html" ], 
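Review bot: The new synonym `"BarRaxCrypt  Ransomware"` and the new value `"BarRax  Ransomware"` each carry a doubled space inherited from the old combined string; the synonym `"KokoLocker  Ransomware"` in PATCH 5/9 has the same problem. These strings are matched literally by consumers, so the extra whitespace makes exact lookups fail while looking identical on screen. Collapse them to `"BarRaxCrypt Ransomware"`, `"BarRax Ransomware"` and `"KokoLocker Ransomware"`.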
@@ -741,7 +756,7 @@ "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PleaseRead Ransomware or VHDLocker Ransomware" + "value": "PleaseRead Ransomware" }, { "meta": { @@ -764,6 +779,9 @@ }, { "meta": { + "synonyms": [ + "Locky Impersonator Ransomware" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/", "https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html", @@ -779,7 +797,7 @@ "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Fake Locky Ransomware or Locky Impersonator Ransomware" + "value": "Fake Locky Ransomware" }, { "meta": { @@ -1132,6 +1150,9 @@ }, { "meta": { + "synonyms": [ + "Fake" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html" ], @@ -1146,7 +1167,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!", - "value": "DN or DoNotOpen Ransomware" + "value": "DN" }, { "meta": { @@ -1191,6 +1212,9 @@ }, { "meta": { + "synonyms": [ + "HavocCrypt Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html" ], 
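Review bot: In the DN hunk the old value `"DN or DoNotOpen Ransomware"` becomes `"DN"`, but the synonym recorded is `"Fake"` rather than `"DoNotOpen Ransomware"`, so the alias the split was meant to preserve is lost and an unrelated word is introduced as a name. Nothing in the context lines or the cited id-ransomware ref supports "Fake" as an alias. Replace it with `"DoNotOpen Ransomware"`.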
@@ -1204,7 +1228,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..", - "value": "Havoc or HavocCrypt Ransomware" + "value": "Havoc" }, { "meta": { @@ -1228,6 +1252,10 @@ }, { "meta": { + "synonyms": [ + "RansomTroll Ransomware", + "Käändsõna Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html", "https://twitter.com/BleepinComputer/status/819927858437099520" @@ -1243,7 +1271,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts", - "value": "Kaandsona Ransomware or RansomTroll Ransomware or Käändsõna Ransomware" + "value": "Kaandsona Ransomware" }, { "meta": { @@ -1266,6 +1294,9 @@ }, { "meta": { + "synonyms": [ + "HakunaMatataRansomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html", "https://id-ransomware.blogspot.co.il/2016_03_01_archive.html" @@ -1281,7 +1312,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "NMoreia 2.0 Ransomware or HakunaMatataRansomware" + "value": "NMoreia 2.0 Ransomware" }, { "meta": { 
@@ -1410,6 +1441,9 @@ }, { "meta": { + "synonyms": [ + "DynA CryptoLocker Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html", "https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/" @@ -1424,10 +1458,13 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "DynA-Crypt Ransomware or DynA CryptoLocker Ransomware" + "value": "DynA-Crypt Ransomware" }, { "meta": { + "synonyms": [ + "Serpent Danish Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html" ], @@ -1441,7 +1478,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Serpent 2017 Ransomware or Serpent Danish Ransomware" + "value": "Serpent 2017 Ransomware" }, { "meta": { @@ -1461,6 +1498,9 @@ }, { "meta": { + "synonyms": [ + "Ransomuhahawhere" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html" ], @@ -1473,7 +1513,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Cyber Drill Exercise or Ransomuhahawhere" + "value": "Cyber Drill Exercise " }, { "meta": { 
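Review bot: The new value `"Cyber Drill Exercise "` keeps a trailing space after the alias was split off; PATCH 5/9 fixes the identical problem for `"V8Locker Ransomware "` but leaves this one. Trailing whitespace in `value` breaks exact-match lookups and is invisible in most viewers. Change it to `"value": "Cyber Drill Exercise"`.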
@@ -1529,6 +1569,9 @@ }, { "meta": { + "synonyms": [ + "File0Locked KZ Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html", "http://www.enigmasoftware.com/evilransomware-removal/", @@ -1550,7 +1593,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript", - "value": "Evil Ransomware or File0Locked KZ Ransomware" + "value": "Evil Ransomware" }, { "meta": { From bc4f1a93abbedb75b94626090549ed094dfeaa30 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 18 May 2017 09:19:48 +0200 Subject: [PATCH 5/9] add synonym - half done --- clusters/ransomware.json | 174 ++++++++++++++++++++++++++++++--------- 1 file changed, 136 insertions(+), 38 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2f9b938..e9af3ee 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -1597,6 +1597,9 @@ }, { "meta": { + "synonyms": [ + "Ocelot Locker Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html", "https://twitter.com/malwrhunterteam/status/817648547231371264" 
@@ -1608,10 +1611,13 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.", - "value": "Ocelot Ransomware or Ocelot Locker Ransomware (FAKE RANSOMWARE)" + "value": "Ocelot Ransomware (FAKE RANSOMWARE)" }, { "meta": { + "synonyms": [ + "Blablabla Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html", "https://twitter.com/malwrhunterteam/status/817079028725190656" @@ -1625,10 +1631,13 @@ "date": "January 2017" }, "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", - "value": "SkyName Ransomware or Blablabla Ransomware" + "value": "SkyName Ransomware" }, { "meta": { + "synonyms": [ + "Depsex Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/", 
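Review bot: The Ocelot entry's value becomes `"Ocelot Ransomware (FAKE RANSOMWARE)"`, keeping a parenthetical annotation inside the name even though the description already states that it is a fake ransomware that does not encrypt files. Now that aliases live in `synonyms`, the value should hold only the name, `"value": "Ocelot Ransomware"`, so matching on it does not depend on the annotation.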
@@ -1645,10 +1654,13 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear", - "value": "MafiaWare Ransomware or Depsex Ransomware" + "value": "MafiaWare Ransomware" }, { "meta": { + "synonyms": [ + "Purge Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html", "https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/", @@ -1681,10 +1693,13 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.", - "value": "Globe3 Ransomware or Purge Ransomware" + "value": "Globe3 Ransomware" }, { "meta": { + "synonyms": [ + "FireCrypt Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" 
@@ -1699,7 +1714,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg", - "value": "BleedGreen Ransomware or FireCrypt Ransomware" + "value": "BleedGreen Ransomware" }, { "meta": { @@ -1928,6 +1943,10 @@ }, { "meta": { + "synonyms": [ + "Merry X-Mas", + "MRCR" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html", "https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/", @@ -1952,7 +1971,7 @@ "date": " December 2016" }, "description": "It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.", - "value": "Merry Christmas, Merry X-Mas or MRCR" + "value": "Merry Christmas" }, { "meta": { @@ -2065,6 +2084,9 @@ }, { "meta": { + "synonyms": [ + "KokoLocker  Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html", "http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/" 
@@ -2079,7 +2101,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru", - "value": "KoKoKrypt Ransomware or KokoLocker  Ransomware" + "value": "KoKoKrypt Ransomware" }, { "meta": { @@ -2101,6 +2123,9 @@ }, { "meta": { + "synonyms": [ + "PClock SysGop Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html" ], @@ -2111,7 +2136,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PClock4 Ransomware or PClock SysGop Ransomware" + "value": "PClock4 Ransomware" }, { "meta": { @@ -2150,6 +2175,9 @@ }, { "meta": { + "synonyms": [ + "Fake CryptoLocker" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html" ], @@ -2163,7 +2191,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.", - "value": "CryptoLocker3 Ransomware or Fake CryptoLocker" + "value": "CryptoLocker3 Ransomware" }, { "meta": { 
@@ -2203,6 +2231,10 @@ }, { "meta": { + "synonyms": [ + "IDRANSOMv3", + "Manifestus" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html", "https://twitter.com/demonslay335/status/811343914712100872", @@ -2219,7 +2251,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name", - "value": "EnkripsiPC Ransomware or IDRANSOMv3 or Manifestus" + "value": "EnkripsiPC Ransomware" }, { "meta": { @@ -2308,6 +2340,9 @@ }, { "meta": { + "synonyms": [ + "Globe Imposter" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/", @@ -2326,7 +2361,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.", - "value": "Fake Globe Ransomware or Globe Imposter" + "value": "Fake Globe Ransomware" }, { "meta": { @@ -2343,7 +2378,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "V8Locker Ransomware " + "value": "V8Locker Ransomware" }, { "meta": { 
@@ -2492,11 +2527,8 @@ }, { "meta": { - "refs": [ - "" - ], - "ransomnotes": [ - "" + "synonyms": [ + "DaleLocker Ransomware" ], "encryption": "AES+RSA-512", "extensions": [ @@ -2505,7 +2537,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE", - "value": "Dale Ransomware or DaleLocker Ransomware" + "value": "Dale Ransomware" }, { "meta": { @@ -2659,6 +2691,9 @@ }, { "meta": { + "synonyms": [ + "VO_ Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html" ], @@ -2672,10 +2707,13 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.", - "value": "SQ_ Ransomware or VO_ Ransomware" + "value": "SQ_ Ransomware" }, { "meta": { + "synonyms": [ + "Malta Ransomware" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html", @@ -2692,7 +2730,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "Matrix or Malta Ransomware" + "value": "Matrix" }, { "meta": { 
@@ -2853,6 +2891,9 @@ }, { "meta": { + "synonyms": [ + "m0on Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html", "https://www.bleepingcomputer.com/virus-removal/threat/ransomware/" @@ -2867,10 +2908,13 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Crypute Ransomware  or m0on Ransomware" + "value": "Crypute Ransomware" }, { "meta": { + "synonyms": [ + "Fake Maktub Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" @@ -2886,7 +2930,7 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "NMoreira Ransomware or Fake Maktub Ransomware" + "value": "NMoreira Ransomware" }, { "meta": { @@ -2930,6 +2974,9 @@ }, { "meta": { + "synonyms": [ + "Voldemort Ransomware" + ], "refs": [ "http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/" 
@@ -2941,7 +2988,7 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux", - "value": "Nagini Ransomware or Voldemort Ransomware" + "value": "Nagini Ransomware" }, { "meta": { @@ -2964,6 +3011,9 @@ }, { "meta": { + "synonyms": [ + "ChipLocker Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html", "http://malware-traffic-analysis.net/2016/11/17/index.html", @@ -2981,7 +3031,7 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Chip Ransomware or ChipLocker Ransomware" + "value": "Chip Ransomware" }, { "meta": { @@ -3025,6 +3075,9 @@ }, { "meta": { + "synonyms": [ + "YafunnLocker" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", 
@@ -3042,10 +3095,14 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoLuck Ransomware or YafunnLocker" + "value": "CryptoLuck Ransomware" }, { "meta": { + "synonyms": [ + "Nemesis", + "X3M" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html", "https://decrypter.emsisoft.com/crypton", @@ -3073,7 +3130,7 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Crypton Ransomware, or Nemesis or X3M" + "value": "Crypton Ransomware" }, { "meta": { @@ -3115,6 +3172,11 @@ }, { "meta": { + "synonyms": [ + "PClock SuppTeam Ransomware", + "WinPlock", + "CryptoLocker clone" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/", "https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html", 
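Review bot: The PClock3 hunk records `"CryptoLocker clone"` as a synonym, but that string is a characterisation rather than a name the family is referred to by, and the description already says `CryptoLocker Copycat`. Keeping it in `synonyms` means a search for CryptoLocker can match this entry as if it were an alias of CryptoLocker. Drop it from the list and keep `"PClock SuppTeam Ransomware"` and `"WinPlock"`, which are actual names.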
@@ -3135,10 +3197,13 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat", - "value": "PClock3 Ransomware or PClock SuppTeam Ransomware orCryptoLocker clone or WinPlock" + "value": "PClock3 Ransomware" }, { "meta": { + "synonyms": [ + "Kolobocheg Ransomware" + ], "refs": [ "https://www.ransomware.wiki/tag/kolobo/", "https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html", @@ -3154,10 +3219,13 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Kolobo Ransomware or Kolobocheg Ransomware" + "value": "Kolobo Ransomware" }, { "meta": { + "synonyms": [ + "Paysafecard Generator 2016" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html", "https://twitter.com/JakubKroustek/status/796083768155078656" 
@@ -3172,7 +3240,7 @@ "date": "November 2016" }, "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PaySafeGen (German) Ransomware or Paysafecard Generator 2016" + "value": "PaySafeGen (German) Ransomware" }, { "meta": { @@ -3230,6 +3298,9 @@ }, { "meta": { + "synonyms": [ + "Serpent Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html", "https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/", @@ -3248,7 +3319,7 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048", - "value": "PayDOS Ransomware  or Serpent Ransomware" + "value": "PayDOS Ransomware" }, { "meta": { @@ -3304,6 +3375,9 @@ }, { "meta": { + "synonyms": [ + "BTC Ransomware" + ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html" ], 
@@ -3317,7 +3391,7 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "BTCLocker Ransomware or BTC Ransomware"
+ "value": "BTCLocker Ransomware"
 },
 {
 "meta": {
@@ -3357,6 +3431,9 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "SFX Monster Ransomware"
+ ],
 "refs": [
 "http://virusinfo.info/showthread.php?t=201710",
 "https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html"
@@ -3371,7 +3448,7 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Encryptss77 Ransomware or SFX Monster Ransomware"
+ "value": "Encryptss77 Ransomware"
 },
 {
 "meta": {
@@ -3480,6 +3557,9 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "Jack.Pot Ransomware"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html",
 "https://twitter.com/struppigel/status/791639214152617985",
@@ -3494,7 +3574,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "JackPot Ransomware or Jack.Pot Ransomware"
+ "value": "JackPot Ransomware"
 },
 {
 "meta": {
@@ -3631,6 +3711,9 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "Hungarian Locky Ransomware"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
 "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
@@ -3650,7 +3733,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky",
- "value": "Hucky Ransomware or Hungarian Locky Ransomware"
+ "value": "Hucky Ransomware"
 },
 {
 "meta": {
@@ -3762,6 +3845,11 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "SHC Ransomware",
+ "SHCLocker",
+ "SyNcryption"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html",
 "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker",
@@ -3778,7 +3866,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping",
- "value": "JapanLocker Ransomware & SHC Ransomware, SHCLocker ,SyNcryption"
+ "value": "JapanLocker Ransomware"
 },
 {
 "meta": {
@@ -3855,6 +3943,10 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "WS Go Ransonware",
+ "Trojan.Encoder.6491"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html",
 "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2"
@@ -3869,7 +3961,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Windows_Security Ransonware or WS Go Ransonware, Trojan.Encoder.6491"
+ "value": "Windows_Security Ransonware"
 },
 {
 "meta": {
@@ -3927,6 +4019,9 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "Deadly for a Good Purpose Ransomware"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html",
 "https://twitter.com/malwrhunterteam/status/785533373007728640"
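Review bot: The new synonym `+ "WS Go Ransonware",` in the Windows_Security hunk carries the "Ransonware" misspelling over from the old combined value (the retained `"Windows_Security Ransonware"` keeps it as well); since this synonym line is being written fresh, spelling it `"WS Go Ransomware"` costs nothing, and the misspelt form can stay as an additional synonym if the referenced blog uses it. A lookup for the correctly spelt name otherwise misses this entry entirely.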
@@ -3938,7 +4033,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...",
- "value": "Deadly Ransomware or Deadly for a Good Purpose Ransomware"
+ "value": "Deadly Ransomware"
 },
 {
 "meta": {
@@ -3961,6 +4056,9 @@
 },
 {
 "meta": {
+ "synonyms": [
+ "Purge Ransomware"
+ ],
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html",
 "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221"
@@ -3987,7 +4085,7 @@
 "date": "October 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Globe2 Ransomware or Purge Ransomware"
+ "value": "Globe2 Ransomware"
 },
 {
 "meta": {
From 2c4256f42c94ee56345cc9a8079335007bea40ed Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 18 May 2017 10:18:45 +0200
Subject: [PATCH 6/9] merge hiddentear & cryptear data
---
 clusters/ransomware.json | 131 +++++++++++++++++++++++++++++----------
 1 file changed, 99 insertions(+), 32 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e9af3ee..7fc4888 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -4174,9 +4174,12 @@
 }
 },
 {
- "value": "777 or Sevleg",
+ "value": "777",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Sevleg"
+ ],
 "extensions": [
 ".777",
 "._[timestamp]_$[email]$.777",
@@ -4192,9 +4195,12 @@
 }
 },
 {
- "value": "7ev3n or 7ev3n-HONE$T",
+ "value": "7ev3n",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "7ev3n-HONE$T"
+ ],
 "extensions": [
 ".R4A",
 ".R5A"
@@ -4291,9 +4297,12 @@
 }
 },
 {
- "value": "Alpha Ransomware or AlphaLocker",
+ "value": "Alpha Ransomware",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "AlphaLocker"
+ ],
 "extensions": [
 ".encrypt"
 ],
@@ -4340,18 +4349,24 @@
 }
 },
 {
- "value": "Anony or ngocanh",
+ "value": "Anony",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "synonyms": [
+ "ngocanh"
+ ],
 "refs": [
 "https://twitter.com/struppigel/status/842047409446387714"
 ]
 }
 },
 {
- "value": "Apocalypse or Fabiansomeware",
+ "value": "Apocalypse",
 "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
 "meta": {
+ "synonyms": [
+ "Fabiansomeware"
+ ],
 "extensions": [
 ".encrypted",
 ".SecureCrypted",
@@ -4449,9 +4464,12 @@
 }
 },
 {
- "value": "Bandarchor or Rakhni",
+ "value": "Bandarchor",
 "description": "Ransomware Files might be partially encrypted",
 "meta": {
+ "synonyms": [
+ "Rakhni"
+ ],
 "extensions": [
 ".id-1235240425_help@decryptservice.info",
 ".id-[ID]_[EMAIL_ADDRESS]"
@@ -4467,9 +4485,12 @@
 }
 },
 {
- "value": "Bart or BaCrypt",
+ "value": "Bart",
 "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
 "meta": {
+ "synonyms": [
+ "BaCrypt"
+ ],
 "extensions": [
 ".bart.zip",
 ".bart",
@@ -4513,9 +4534,12 @@
 }
 },
 {
- "value": "BlackShades Crypter or SilentShade",
+ "value": "BlackShades Crypter",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "SilentShade"
+ ],
 "extensions": [
 ".Silent"
 ],
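Review bot: The Bandarchor hunk adds `+ "Rakhni"` as a synonym, while the Rakhni entry later in this series (the `@@ -7195,9 +7238,20 @@` hunk) lists `"Bandarchor"` among its own synonyms; two clusters that each name the other as an alias both match on a lookup of either name. The same circular pairing is introduced for CryptoMix/Zeta (`@@ -5024,9 +5056,12 @@` and `@@ -8252,9 +8357,12 @@`) and VaultCrypt/Zlader (`@@ -8092,9 +8184,13 @@` and `@@ -8284,9 +8392,14 @@`), and CryptXXX and CryptXXX 2.0 both receive `"CryptProjectXXX"`. Either merge each pair into one element, as the `@@ -5514,19 +5568,29 @@` hunk does for Cryptear/HiddenTear, or keep the cross-reference on one side only.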
@@ -4543,8 +4567,13 @@
 }
 },
 {
- "value": "Booyah or Salam!",
- "description": "Ransomware EXE was replaced to neutralize threat"
+ "value": "Booyah",
+ "description": "Ransomware EXE was replaced to neutralize threat",
+ "meta": {
+ "synonyms": [
+ "Salami"
+ ],
+ }
 },
 {
 "value": "Brazilian",
@@ -4796,9 +4825,14 @@
 }
 },
 {
- "value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
+ "value": "CryLocker",
 "description": "Ransomware Identifies victim locations w/Google Maps API",
 "meta": {
+ "synonyms": [
+ "Cry",
+ "CSTO",
+ "Central Security Treatment Organization"
+ ],
 "extensions": [
 ".cry"
 ],
@@ -4858,16 +4892,6 @@
 ]
 }
 },
- {
- "value": "Cryptear or Hidden Tear",
- "description": "Ransomware",
- "meta": {
- "encryption": "AES-256",
- "refs": [
- "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
- ]
- }
- },
 {
 "value": "Crypter",
 "description": "Ransomware Does not actually encrypt the files, but simply renames them",
@@ -4932,9 +4956,12 @@
 }
 },
 {
- "value": "CryptoFinancial or Ranscam",
+ "value": "CryptoFinancial",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Ranscam"
+ ],
 "refs": [
 "http://blog.talosintel.com/2016/07/ranscam.html",
 "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
@@ -4967,9 +4994,14 @@
 }
 },
 {
- "value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
+ "value": "CryptoHost",
 "description": "Ransomware RAR's victim's files has a GUI",
 "meta": {
+ "synonyms": [
+ "Manamecrypt",
+ "Telograph",
+ "ROI Locker"
+ ],
 "encryption": "AES-256 (RAR implementation)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
@@ -5024,9 +5056,12 @@
 }
 },
 {
- "value": "CryptoMix or Zeta",
+ "value": "CryptoMix",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Zeta"
+ ],
 "extensions": [
 ".code",
 ".scl",
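Review bot: In the Booyah hunk the removed value read `"Booyah or Salam!"` but the synonym written is `+ "Salami"`, so the alias no longer matches the name the old value carried; `+ "Salam!"` is what the data says. The new `"meta"` block also ends with `+ ],` followed by `+ }`, a trailing comma that makes the whole file unparseable as JSON at this commit (the comma is corrected in PATCH 7/9 later in the series, the spelling is not). Running `jq .` on the file before each commit, as the later subject lines suggest was done afterwards, would have caught the comma.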
@@ -5188,9 +5223,12 @@
 }
 },
 {
- "value": "CryptXXX or CryptProjectXXX",
+ "value": "CryptXXX",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+ "synonyms": [
+ "CryptProjectXXX"
+ ],
 "extensions": [
 ".crypt"
 ],
@@ -5204,9 +5242,12 @@
 }
 },
 {
- "value": "CryptXXX 2.0 or CryptProjectXXX",
+ "value": "CryptXXX 2.0",
 "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
 "meta": {
+ "synonyms": [
+ "CryptProjectXXX"
+ ],
 "extensions": [
 ".crypt"
 ],
@@ -5221,9 +5262,13 @@
 }
 },
 {
- "value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
+ "value": "CryptXXX 3.0",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+ "synonyms": [
+ "UltraDeCrypter",
+ "UltraCrypter"
+ ],
 "extensions": [
 ".crypt",
 ".cryp1",
@@ -5268,9 +5313,12 @@
 }
 },
 {
- "value": "CTB-Faker or Citroni",
+ "value": "CTB-Faker",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Citroni"
+ ],
 "extensions": [
 ".ctbl",
 ".([a-z]{6,7})"
@@ -5294,9 +5342,12 @@
 }
 },
 {
- "value": "CuteRansomware or my-Little-Ransomware",
+ "value": "CuteRansomware",
 "description": "Ransomware Based on my-Little-Ransomware",
 "meta": {
+ "synonyms": [
+ "my-Little-Ransomware"
+ ],
 "extensions": [
 ".已加密",
 ".encrypted"
@@ -5313,9 +5364,12 @@
 }
 },
 {
- "value": "Cyber SpLiTTer Vbs or CyberSplitter",
+ "value": "Cyber SpLiTTer Vbs",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "synonyms": [
+ "CyberSplitter"
+ ],
 "refs": [
 "https://twitter.com/struppigel/status/778871886616862720",
 "https://twitter.com/struppigel/status/806758133720698881"
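Review bot: The CuteRansomware hunk lists `+ "my-Little-Ransomware"` as a synonym while the description directly above it says "Based on my-Little-Ransomware"; a project a family derives from is not an alias of that family, and listing it here makes a lookup for the base project resolve to this derivative. Unless both names are documented as referring to the same malware, the synonym should be dropped or the description reworded.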
@@ -5514,19 +5568,29 @@
 }
 },
 {
- "value": "EDA2 / HiddenTear or Cryptear",
+ "value": "HiddenTear",
 "description": "Ransomware Open sourced C#",
 "meta": {
+ "synonyms": [
+ "Cryptear",
+ "EDA2"
+ ],
 "extensions": [
 ".locked"
 ],
- "encryption": "AES-256"
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
+ ]
 }
 },
 {
 "value": "EduCrypt or EduCrypter",
 "description": "Ransomware Based on Hidden Tear",
 "meta": {
+ "synonyms": [
+ "Fake"
+ ],
 "extensions": [
 ".isis",
 ".locked"
@@ -5557,6 +5621,9 @@
 "value": "El-Polocker or Los Pollos Hermanos",
 "description": "Ransomware Has a GUI",
 "meta": {
+ "synonyms": [
+ "Fake"
+ ],
 "extensions": [
 ".ha3"
 ],
From 3b93a773e5d4147b21dcd8fa6fbd91af6efa33f2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 18 May 2017 11:18:32 +0200
Subject: [PATCH 7/9] add synonym and cleaning
---
 clusters/ransomware.json | 266 ++++++++++++++++++++++++++++-----------
 1 file changed, 191 insertions(+), 75 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7fc4888..803f1d9 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -348,7 +348,6 @@
 "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
 "motd.txt"
 ],
- "encryption": "",
 "extensions": [
 ".enc"
 ],
@@ -1374,7 +1373,6 @@
 "ransomnotes": [
 "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
 ],
- "encryption": "",
 "extensions": [
 "AES+RSA"
 ],
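Review bot: The `+ "Fake"` synonym added to the EduCrypt entry at the end of the first hunk, and again to El-Polocker in the second, is placeholder text: the aliases those entries actually carry ("EduCrypter", "Los Pollos Hermanos") stay inside the combined `"value"` strings instead of moving into `"synonyms"` as every other entry in this patch does. PATCH 7/9 later in the series replaces both placeholders, so either squash the two commits or move the real names here, so the file is consistent at every commit.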
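Review bot: Deleting `- "encryption": "",` in the `@@ -1374,7 +1373,6 @@` hunk leaves the `"extensions"` array directly below it holding `"AES+RSA"`, which reads as the cipher that should have filled the emptied key rather than a file extension; the better fix is `"encryption": "AES+RSA"` with the misplaced entry taken out of `"extensions"`. The Netix entry in the `@@ -6787,9 +6804,12 @@` hunk further on has the same misfiling, `"extensions": [ "AES-256" ]`. The other `"encryption": ""` removals in this patch look correct.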
@@ -2011,8 +2009,7 @@
 "meta": {
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/",
- ""
+ "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
 ],
 "ransomnotes": [
 "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
@@ -4377,7 +4374,6 @@
 "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
 "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
 ],
- "encryption": "",
 "ransomnotes": [
 "*.How_To_Decrypt.txt",
 "*.Contact_Here_To_Recover_Your_Files.txt",
@@ -4414,7 +4410,6 @@
 "extensions": [
 ".locky"
 ],
- "encryption": "",
 "ransomnotes": [
 "info.txt",
 "info.html"
@@ -4515,8 +4510,7 @@
 ".clf"
 ],
 "refs": [
- "https://noransom.kaspersky.com/",
- ""
+ "https://noransom.kaspersky.com/"
 ]
 }
 },
@@ -4572,7 +4566,7 @@
 "meta": {
 "synonyms": [
 "Salami"
- ],
+ ]
 }
 },
 {
@@ -4778,22 +4772,6 @@
 ]
 }
 },
- {
- "value": "",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ""
- ],
- "encryption": "",
- "ransomnotes": [
- ""
- ],
- "refs": [
- ""
- ]
- }
- },
 {
 "value": "Crybola",
 "description": "Ransomware",
@@ -4867,7 +4845,6 @@
 "extensions": [
 ".ENCRYPTED"
 ],
- "encryption": "",
 "ransomnotes": [
 "READ_THIS_TO_DECRYPT.html"
 ],
@@ -5585,11 +5562,11 @@
 }
 },
 {
- "value": "EduCrypt or EduCrypter",
+ "value": "EduCrypt",
 "description": "Ransomware Based on Hidden Tear",
 "meta": {
 "synonyms": [
- "Fake"
+ "EduCrypter"
 ],
 "extensions": [
 ".isis",
@@ -5618,16 +5595,15 @@
 }
 },
 {
- "value": "El-Polocker or Los Pollos Hermanos",
+ "value": "El-Polocker",
 "description": "Ransomware Has a GUI",
 "meta": {
 "synonyms": [
- "Fake"
+ "Los Pollos Hermanos"
 ],
 "extensions": [
 ".ha3"
 ],
- "encryption": "",
 "ransomnotes": [
 "qwer.html",
 "qwer2.html",
@@ -5636,9 +5612,12 @@
 }
 },
 {
- "value": "Encoder.xxxx or Trojan.Encoder.6491",
+ "value": "Encoder.xxxx",
 "description": "Ransomware Coded in GO",
 "meta": {
+ "synonyms": [
+ "Trojan.Encoder.6491"
+ ],
 "ransomnotes": [
 "Instructions.html"
 ],
@@ -5725,9 +5704,12 @@
 }
 },
 {
- "value": "Fantom or Comrad Circle",
+ "value": "Fantom",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Comrad Circle"
+ ],
 "extensions": [
 ".fantom",
 ".comrade"
@@ -5827,9 +5809,12 @@
 }
 },
 {
- "value": "Free-Freedom or Roga",
+ "value": "Free-Freedom",
 "description": "Ransomware Unlock code is: adam or adamdude9",
 "meta": {
+ "synonyms": [
+ "Roga"
+ ],
 "extensions": [
 ".madebyadam"
 ],
@@ -5890,9 +5875,12 @@
 }
 },
 {
- "value": "Globe v1 or Purge",
+ "value": "Globe v1",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Purge"
+ ],
 "extensions": [
 ".purge"
 ],
@@ -5991,9 +5979,12 @@
 }
 },
 {
- "value": "HDDCryptor or Mamba",
+ "value": "HDDCryptor",
 "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
 "meta": {
+ "synonyms": [
+ "Mamba"
+ ],
 "encryption": "Custom (net shares), XTS-AES (disk)",
 "refs": [
 "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
@@ -6164,9 +6155,13 @@
 }
 },
 {
- "value": "Jeiphoos or Encryptor RaaS or Sarento",
+ "value": "Jeiphoos",
 "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
 "meta": {
+ "synonyms": [
+ "Encryptor RaaS",
+ "Sarento"
+ ],
 "encryption": "RC6 (files), RSA 2048 (RC6 key)",
 "ransomnotes": [
 "readme_liesmich_encryptor_raas.txt"
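Review bot: The Encoder.xxxx hunk adds `+ "Trojan.Encoder.6491"` as a synonym, but the same string was already added as a synonym of "Windows_Security Ransonware" in the `@@ -3855,6 +3943,10 @@` hunk earlier in this series, so a lookup on that detection name now matches two different clusters. The Globe v1 hunk's `+ "Purge"` sits beside Globe2's `"Purge Ransomware"` from `@@ -3961,6 +4056,9 @@` in the same way. If the two entries in each pair describe one family they should be merged; otherwise the shared name belongs on only one of them.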
@@ -6191,9 +6186,12 @@
 }
 },
 {
- "value": "Jigsaw or CryptoHitMan (subvariant)",
+ "value": "Jigsaw",
 "description": "Ransomware Has a GUI",
 "meta": {
+ "synonyms": [
+ "CryptoHitMan"
+ ],
 "extensions": [
 ".btc",
 ".kkk",
@@ -6346,9 +6344,12 @@
 }
 },
 {
- "value": "Kozy.Jozy or QC",
+ "value": "Kozy.Jozy",
 "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
 "meta": {
+ "synonyms": [
+ "QC"
+ ],
 "extensions": [
 ".31392E30362E32303136_[ID-KEY]_LSBJ1",
 ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
@@ -6432,9 +6433,12 @@
 }
 },
 {
- "value": "Linux.Encoder or Linux.Encoder.{0,3}",
+ "value": "Linux.Encoder",
 "description": "Ransomware Linux Ransomware",
 "meta": {
+ "synonyms": [
+ "Linux.Encoder.{0,3}"
+ ],
 "refs": [
 "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
 ]
@@ -6639,9 +6643,12 @@
 }
 },
 {
- "value": "MIRCOP or Crypt888",
+ "value": "MIRCOP",
 "description": "Ransomware Prepends files Demands 48.48 BTC",
 "meta": {
+ "synonyms": [
+ "Crypt888"
+ ],
 "extensions": [
 "Lock."
 ],
@@ -6669,9 +6676,12 @@
 }
 },
 {
- "value": "Mischa or \"Petya's little brother\"",
+ "value": "Mischa",
 "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
 "meta": {
+ "synonyms": [
+ "\"Petya's little brother\""
+ ],
 "extensions": [
 ".([a-zA-Z0-9]{4})"
 ],
@@ -6685,9 +6695,12 @@
 }
 },
 {
- "value": "MM Locker or Booyah",
+ "value": "MM Locker",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Booyah"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -6701,9 +6714,13 @@
 }
 },
 {
- "value": "Mobef or Yakes or CryptoBit",
+ "value": "Mobef",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Yakes",
+ "CryptoBit"
+ ],
 "extensions": [
 ".KEYZ",
 ".KEYH0LES"
@@ -6787,9 +6804,12 @@
 }
 },
 {
- "value": "Netix or RANSOM_NETIX.A",
+ "value": "Netix",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "RANSOM_NETIX.A"
+ ],
 "extensions": [
 "AES-256"
 ],
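Review bot: The Mischa hunk writes the synonym as `+ "\"Petya's little brother\""`, so the escaped quote characters become part of the name that gets matched; `+ "Petya's little brother"` is the alias itself. The Linux.Encoder hunk's `+ "Linux.Encoder.{0,3}"` is a pattern rather than a name and will never equal a string anyone searches for, so the concrete variant names, or just the bare name, should be listed instead. The MM Locker hunk adds `+ "Booyah"`, which is also the `"value"` of the standalone Booyah element from the `@@ -4543,8 +4567,13 @@` hunk earlier in the series, so that name now resolves to two clusters.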
@@ -6812,9 +6832,13 @@
 }
 },
 {
- "value": "NMoreira or XRatTeam or XPan",
+ "value": "NMoreira",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "XRatTeam",
+ "XPan"
+ ],
 "extensions": [
 ".maktub",
 ".__AiraCropEncrypted!"
@@ -6887,9 +6911,13 @@
 }
 },
 {
- "value": "Offline ransomware or Vipasana or Cryakl",
+ "value": "Offline ransomware",
 "description": "Ransomware email addresses overlap with .777 addresses",
 "meta": {
+ "synonyms": [
+ "Vipasana",
+ "Cryakl"
+ ],
 "extensions": [
 ".cbf",
 "email-[params].cbf"
@@ -6905,9 +6933,12 @@
 }
 },
 {
- "value": "OMG! Ransomware or GPCode",
+ "value": "OMG! Ransomware",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "GPCode"
+ ],
 "extensions": [
 ".LOL!",
 ".OMG!"
@@ -6930,9 +6961,12 @@
 }
 },
 {
- "value": "Owl or CryptoWire",
+ "value": "Owl",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CryptoWire"
+ ],
 "extensions": [
 "dummy_file.encrypted",
 "dummy_file.encrypted.[extension]"
@@ -6988,9 +7022,12 @@
 }
 },
 {
- "value": "Petya or Goldeneye",
+ "value": "Petya",
 "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
 "meta": {
+ "synonyms": [
+ "Goldeneye"
+ ],
 "encryption": "Modified Salsa20",
 "ransomnotes": [
 "YOUR_FILES_ARE_ENCRYPTED.TXT"
@@ -7056,9 +7093,12 @@
 }
 },
 {
- "value": "PowerWare or PoshCoder",
+ "value": "PowerWare",
 "description": "Ransomware Open-sourced PowerShell",
 "meta": {
+ "synonyms": [
+ "PoshCoder"
+ ],
 "extensions": [
 ".locky"
 ],
@@ -7149,9 +7189,12 @@
 }
 },
 {
- "value": "RAA encryptor or RAA",
+ "value": "RAA encryptor",
 "description": "Ransomware Possible affiliation with Pony",
 "meta": {
+ "synonyms": [
+ "RAA"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7195,9 +7238,20 @@
 }
 },
 {
- "value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
+ "value": "Rakhni",
 "description": "Ransomware Files might be partially encrypted",
 "meta": {
+ "synonyms": [
+ "Agent.iih",
+ "Aura",
+ "Autoit",
+ "Pletor",
+ "Rotor",
+ "Lamer",
+ "Isda",
+ "Cryptokluchen",
+ "Bandarchor"
+ ],
 "extensions": [
 ".locked",
 ".kraken",
@@ -7439,9 +7493,15 @@
 }
 },
 {
- "value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
+ "value": "Samas-Samsam",
 "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
 "meta": {
+ "synonyms": [
+ "samsam.exe",
+ "MIKOPONI.exe",
+ "RikiRafael.exe",
+ "showmehowto.exe"
+ ],
 "extensions": [
 ".encryptedAES",
 ".encryptedRSA",
@@ -7569,9 +7629,12 @@
 }
 },
 {
- "value": "Shark or Atom",
+ "value": "Shark",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Atom"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7599,9 +7662,12 @@
 }
 },
 {
- "value": "Shujin or KinCrypt",
+ "value": "Shujin",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "KinCrypt"
+ ],
 "ransomnotes": [
 "文件解密帮助.txt"
 ],
@@ -7628,9 +7694,12 @@
 }
 },
 {
- "value": "SkidLocker / Pompous",
+ "value": "SkidLocker",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Pompous"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7784,9 +7853,12 @@
 }
 },
 {
- "value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
+ "value": "TeslaCrypt 0.x - 2.2.0",
 "description": "Ransomware Factorization",
 "meta": {
+ "synonyms": [
+ "AlphaCrypt"
+ ],
 "extensions": [
 ".vvv",
 ".ecc",
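Review bot: The Samas-Samsam hunk turns `samsam.exe`, `MIKOPONI.exe`, `RikiRafael.exe` and `showmehowto.exe` into `"synonyms"`, but these are binary names dropped by the family, not names the family is known by; as synonyms they dilute name matching and hide the fact that they are file artefacts. They fit better in a dedicated list next to `"ransomnotes"` and `"extensions"`, which already hold this entry's file-based artefacts, or in the description if no field fits.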
@@ -7834,14 +7906,20 @@
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
 "RECOVER<5_chars>.txt",
- "_how_recover+.txt or .html",
- "help_recover_instructions+.BMP or .html or .txt",
- "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "_how_recover+.txt",
+ "_how_recover+.html",
+ "help_recover_instructions+.html",
+ "help_recover_instructions+.txt",
+ "help_recover_instructions+.BMP",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.html",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.png",
 "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
 "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
 "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
 "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
- "HELP_TO_SAVE_FILES.txt or .bmp"
+ "HELP_TO_SAVE_FILES.txt",
+ "HELP_TO_SAVE_FILES.bmp"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@@ -7859,14 +7937,20 @@
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
 "RECOVER<5_chars>.txt",
- "_how_recover+.txt or .html",
- "help_recover_instructions+.BMP or .html or .txt",
- "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "_how_recover+.txt",
+ "_how_recover+.html",
+ "help_recover_instructions+.BMP",
+ "help_recover_instructions+.html",
+ "help_recover_instructions+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.html",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.png",
 "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
 "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
 "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
 "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
- "HELP_TO_SAVE_FILES.txt or .bmp"
+ "HELP_TO_SAVE_FILES.txt",
+ "HELP_TO_SAVE_FILES.bmp"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
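Review bot: Splitting the "X or Y" ransom-note entries into one filename each is the right direction, but both hunks leave `"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt"`, `"RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp"`, `"HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp"` and `"HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt"` as combined prose, so the array is still not a list of matchable names. The three `help_recover_instructions+` lines are also ordered html/txt/BMP in the first hunk and BMP/html/txt in the second; since both TeslaCrypt entries carry the identical list, keeping the order identical makes future diffs between them trivial.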
@@ -7886,9 +7970,14 @@
 }
 },
 {
- "value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
+ "value": "TorrentLocker",
 "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted",
 "meta": {
+ "synonyms": [
+ "Crypt0L0cker",
+ "CryptoFortress",
+ "Teerac"
+ ],
 "extensions": [
 ".Encrypted",
 ".enc"
@@ -7938,9 +8027,12 @@
 }
 },
 {
- "value": "Trojan or BrainCrypt",
+ "value": "Trojan",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "BrainCrypt"
+ ],
 "extensions": [
 ".braincrypt"
 ],
@@ -8092,9 +8184,13 @@
 }
 },
 {
- "value": "VaultCrypt or CrypVault, Zlader",
+ "value": "VaultCrypt",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CrypVault",
+ "Zlader"
+ ],
 "extensions": [
 ".vault",
 ".xort",
@@ -8156,9 +8252,12 @@
 }
 },
 {
- "value": "Virus-Encoder or CrySiS",
+ "value": "Virus-Encoder",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CrySiS"
+ ],
 "extensions": [
 ".CrySiS",
 ".xtbl",
@@ -8180,9 +8279,12 @@
 }
 },
 {
- "value": "WildFire Locker or Hades Locker",
+ "value": "WildFire Locker",
 "description": "Ransomware Zyklon variant",
 "meta": {
+ "synonyms": [
+ "Hades Locker"
+ ],
 "extensions": [
 ".wflx"
 ],
@@ -8240,9 +8342,12 @@
 }
 },
 {
- "value": "Zcrypt or Zcryptor",
+ "value": "Zcrypt",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Zcryptor"
+ ],
 "extensions": [
 ".zcrypt"
 ],
@@ -8252,9 +8357,12 @@
 }
 },
 {
- "value": "Zeta or CryptoMix",
+ "value": "Zeta",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CryptoMix"
+ ],
 "extensions": [
 ".code",
 ".scl",
@@ -8284,9 +8392,14 @@
 }
 },
 {
- "value": "Zlader / Russian or VaultCrypt, CrypVault",
+ "value": "Zlader",
 "description": "Ransomware VaultCrypt family",
 "meta": {
+ "synonyms": [
+ "Russian",
+ "VaultCrypt",
+ "CrypVault"
+ ],
 "extensions": [
 ".vault"
 ],
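Review bot: The second hunk reduces `"Trojan or BrainCrypt"` to `+ "value": "Trojan",` with BrainCrypt demoted to a synonym, which leaves a cluster whose tag reads `misp-galaxy:ransomware="Trojan"` — a generic term that identifies nothing, while the specific name and the `.braincrypt` extension below it point the other way. `"value": "BrainCrypt"` with "Trojan" dropped, or kept only as the synonym, would be the cleaner split. The Zlader hunk likewise carries `+ "Russian",` over from the old `"Zlader / Russian"` value as a synonym although it is a descriptor rather than a name.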
@@ -8312,9 +8425,12 @@
 }
 },
 {
- "value": "Zyklon or GNL Locker",
+ "value": "Zyklon",
 "description": "Ransomware Hidden Tear family, GNL Locker variant",
 "meta": {
+ "synonyms": [
+ "GNL Locker"
+ ],
 "extensions": [
 ".zyklon"
 ]
From 7fee4f3a1bc1ea59ce2970bd7867d0dec6647c60 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 18 May 2017 13:59:47 +0200
Subject: [PATCH 8/9] add Uiwik ransomware
---
 clusters/ransomware.json | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 803f1d9..26b0a4a 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -1239,7 +1239,7 @@
 "IMPORTANTE_LEER.html",
 "RECUPERAR_ARCHIVOS.html",
 "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
- ],
+ ],Yamuraiha
 "encryption": "AES",
 "extensions": [
 ".locked"
@@ -8465,6 +8465,22 @@
 ]
 }
 }
+ {
+ "value": "Uiwix Ransomware",
+ "description": "Using EternalBlue SMB Exploit To Infect Victims",
+ "meta": {
+ "extensions": [
+ "._[10_digit_victim_id].UIWIX"
+ ],
+ "encryption": "may be a mixture of AES and RC4.",
+ "ransomnotes": [
+ "_DECODE_FILES.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/"
+ ]
+ }
+ }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
From 14835361f732fa184d0bfcf0e9a0e6ec9599ce92 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 18 May 2017 14:01:49 +0200
Subject: [PATCH 9/9] jq 'n ##COMMA##
---
 clusters/ransomware.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 26b0a4a..dc15566 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
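Review bot: PATCH 8/9's first hunk replaces `],` with `+ ],Yamuraiha` at line 1239, a stray token that makes the file unparseable, and its second hunk appends the Uiwix element after the closing `}` of the Jaff entry without the separating comma (`}` then `+ {`), a second syntax error; PATCH 9/9 repairs both, so the series is broken at one commit and the two should be squashed. In the new element, `+ "encryption": "may be a mixture of AES and RC4.",` puts a sentence into a field that every other entry uses for an algorithm name — `"AES, RC4 (unconfirmed)"` keeps the uncertainty without the prose. The subject line also spells the family "Uiwik" while the value and the reference say "Uiwix".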
@@ -1239,7 +1239,7 @@
 "IMPORTANTE_LEER.html",
 "RECUPERAR_ARCHIVOS.html",
 "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
- ],Yamuraiha
+ ],
 "encryption": "AES",
 "extensions": [
 ".locked"
@@ -8464,7 +8464,7 @@
 "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/"
 ]
 }
- }
+ },
 {
 "value": "Uiwix Ransomware",
 "description": "Using EternalBlue SMB Exploit To Infect Victims",