From e5faf4fba7169e44f82dc4b4f7d8fa94c91435a1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 16 May 2017 14:47:16 +0200
Subject: [PATCH] Input from Deborah incorporated

---
 clusters/ransomware.json | 4126 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 4108 insertions(+), 18 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 04866a6..6059d52 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -1039,23 +1039,6 @@
 "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A",
 "value": "ZXZ Ramsomware"
 },
- {
- "meta": {
- "refs": [
- ""
- ],
- "ransomnotes": [
- ""
- ],
- "encryption": "",
- "extensions": [
- ""
- ],
- "date": ""
- },
- "description": "",
- "value": ""
- },
 {
 "meta": {
 "refs": [
@@ -3607,7 +3590,8 @@
 "meta": {
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
- "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe"
+ "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
+ "https://twitter.com/struppigel/status/846241982347427840"
 ],
 "ransomnotes": [
 "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
@@ -4031,6 +4015,4112 @@
 },
 "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.",
 "value": "WannaCry"
+ },
+ {
+ "value": ".CryptoHasYou.",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES(256)",
+ "ransomnotes": [
+ "YOUR_FILES_ARE_LOCKED.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/CryptoHasYou.html"
+ ]
+ }
+ },
+ {
+ "value": "777 or Sevleg",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".777",
+ "._[timestamp]_$[email]$.777",
+ "e.g. 
._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777" + ], + "encryption": "XOR", + "ransomnotes": [ + "read_this_file.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/777" + ] + } + }, + { + "value": "7ev3n or 7ev3n-HONE$T", + "description": "Ransomware", + "meta": { + "extensions": [ + ".R4A", + ".R5A" + ], + "ransomnotes": [ + "FILES_BACK.txt" + ], + "refs": [ + "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n", + "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be", + "http://www.nyxbone.com/malware/7ev3n-HONE$T.html" + ] + } + }, + { + "value": "8lock8", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".8lock8" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/" + ] + } + }, + { + "value": "AiraCrop", + "description": "Ransomware related to TeamXRat", + "meta": { + "extensions": [ + "._AiraCropEncrypted" + ], + "ransomnotes": [ + "How to decrypt your files.txt" + ], + "refs": [ + "https://twitter.com/PolarToffee/status/796079699478900736" + ] + } + }, + { + "value": "Al-Namrood", + "description": "Ransomware", + "meta": { + "extensions": [ + ".unavailable", + ".disappeared" + ], + "ransomnotes": [ + "Read_Me.Txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/al-namrood" + ] + } + }, + { + "value": "ALFA Ransomware", + "description": "Ransomware Made by creators of Cerber", + "meta": { + "extensions": [ + ".bin" + ], + "ransomnotes": [ + "README HOW TO DECRYPT YOUR FILES.HTML" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/" + ] + } + }, + { + "value": "Alma Ransomware", + "description": "Ransomware", + "meta": { + "extensions": [ + "random", + "random(x5)" + ], + "encryption": "AES-128", + "ransomnotes": [ + "Unlock_files_randomx5.html" + ], + "refs": [ + 
"https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283", + "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter", + "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/" + ] + } + }, + { + "value": "Alpha Ransomware or AlphaLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".encrypt" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Read Me (How Decrypt) !!!!.txt" + ], + "refs": [ + "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", + "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/", + "https://twitter.com/malwarebread/status/804714048499621888" + ] + } + }, + { + "value": "AMBA", + "description": "Ransomware Websites only amba@riseup.net", + "meta": { + "extensions": [ + ".amba" + ], + "ransomnotes": [ + "ПРОЧТИ_МЕНЯ.txt", + "READ_ME.txt" + ], + "refs": [ + "https://twitter.com/benkow_/status/747813034006020096" + ] + } + }, + { + "value": "AngleWare", + "description": "Ransomware", + 
"meta": { + "extensions": [ + ".AngleWare" + ], + "ransomnotes": [ + "READ_ME.txt" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/844531418474708993" + ] + } + }, + { + "value": "Anony or ngocanh", + "description": "Ransomware Based on HiddenTear", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/842047409446387714" + ] + } + }, + { + "value": "Apocalypse or Fabiansomeware", + "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru", + "meta": { + "extensions": [ + ".encrypted", + ".SecureCrypted", + ".FuckYourData", + ".unavailable", + ".bleepYourFiles", + ".Where_my_files.txt", + "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]", + "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" + ], + "encryption": "", + "ransomnotes": [ + "*.How_To_Decrypt.txt", + "*.Contact_Here_To_Recover_Your_Files.txt", + "*.Where_my_files.txt", + "*.Read_Me.Txt", + "*md5*.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/apocalypse", + "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" + ] + } + }, + { + "value": "ApocalypseVM", + "description": "Ransomware Apocalypse ransomware version which uses VMprotect", + "meta": { + "extensions": [ + ".encrypted", + ".locked" + ], + "ransomnotes": [ + "*.How_To_Get_Back.txt" + ], + "refs": [ + "http://decrypter.emsisoft.com/download/apocalypsevm" + ] + } + }, + { + "value": "AutoLocky", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locky" + ], + "encryption": "", + "ransomnotes": [ + "info.txt", + "info.html" + ], + "refs": [ + "https://decrypter.emsisoft.com/autolocky" + ] + } + }, + { + "value": "Aw3s0m3Sc0t7", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enc" + ], + "refs": [ + "https://twitter.com/struppigel/status/828902907668000770" + ] + } + }, + { + "value": 
"BadBlock", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Help Decrypt.html" + ], + "refs": [ + "https://decrypter.emsisoft.com/badblock", + "http://www.nyxbone.com/malware/BadBlock.html", + "http://www.nyxbone.com/images/articulos/malware/badblock/5.png" + ] + } + }, + { + "value": "BaksoCrypt", + "description": "Ransomware Based on my-Little-Ransomware", + "meta": { + "extensions": [ + ".adr" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/760482299007922176", + "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/" + ] + } + }, + { + "value": "Bandarchor or Rakhni", + "description": "Ransomware Files might be partially encrypted", + "meta": { + "extensions": [ + ".id-1235240425_help@decryptservice.info", + ".id-[ID]_[EMAIL_ADDRESS]" + ], + "encryption": "AES-256", + "ransomnotes": [ + "HOW TO DECRYPT.txt" + ], + "refs": [ + "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/", + "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/" + ] + } + }, + { + "value": "Bart or BaCrypt", + "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex", + "meta": { + "extensions": [ + ".bart.zip", + ".bart", + ".perl" + ], + "ransomnotes": [ + "recover.txt", + "recover.bmp" + ], + "refs": [ + "http://now.avg.com/barts-shenanigans-are-no-match-for-avg/", + "http://phishme.com/rockloader-downloading-new-ransomware-bart/", + "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky" + ] + } + }, + { + "value": "BitCryptor", + "description": "Ransomware Has a GUI. CryptoGraphic Locker family. 
Newer CoinVault variant.", + "meta": { + "extensions": [ + ".clf" + ], + "refs": [ + "https://noransom.kaspersky.com/", + "" + ] + } + }, + { + "value": "BitStak", + "description": "Ransomware", + "meta": { + "extensions": [ + ".bitstak" + ], + "encryption": "Base64 + String Replacement", + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip" + ] + } + }, + { + "value": "BlackShades Crypter or SilentShade", + "description": "Ransomware", + "meta": { + "extensions": [ + ".Silent" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Hacked_Read_me_to_decrypt_files.html", + "YourID.txt" + ], + "refs": [ + "http://nyxbone.com/malware/BlackShades.html" + ] + } + }, + { + "value": "Blocatto", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".blocatto" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/" + ] + } + }, + { + "value": "Booyah or Salam!", + "description": "Ransomware EXE was replaced to neutralize threat" + }, + { + "value": "Brazilian", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".lock" + ], + "encryption": "AES-256", + "ransomnotes": [ + "MENSAGEM.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/brazilianRansom.html", + "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png" + ] + } + }, + { + "value": "Brazilian Globe", + "description": "Ransomware", + "meta": { + "extensions": [ + ".id-%ID%_garryweber@protonmail.ch" + ], + "ransomnotes": [ + "HOW_OPEN_FILES.html" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/821831437884211201" + ] + } + }, + { + "value": "BrLock", + "description": "Ransomware", + "meta": { + "encryption": "AES", + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" + ] + } + }, + { + "value": "Browlock", + 
"description": "Ransomware no local encryption, browser only" + }, + { + "value": "BTCWare Related to / new version of CryptXXX", + "description": "Ransomware", + "meta": { + "extensions": [ + ".btcware" + ], + "ransomnotes": [ + "#_HOW_TO_FIX_!.hta" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/845199679340011520" + ] + } + }, + { + "value": "Bucbi", + "description": "Ransomware no file name change, no extension", + "meta": { + "encryption": "GOST", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/" + ] + } + }, + { + "value": "BuyUnlockCode", + "description": "Ransomware Does not delete Shadow Copies", + "meta": { + "extensions": [ + "(.*).encoded.([A-Z0-9]{9})" + ], + "ransomnotes": [ + "BUYUNLOCKCODE.txt" + ] + } + }, + { + "value": "Central Security Treatment Organization", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cry" + ], + "ransomnotes": [ + "!Recovery_[random_chars].html", + "!Recovery_[random_chars].txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/" + ] + } + }, + { + "value": "Cerber", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cerber", + ".cerber2", + ".cerber3" + ], + "encryption": "AES", + "ransomnotes": [ + "# DECRYPT MY FILES #.html", + "# DECRYPT MY FILES #.txt", + "# DECRYPT MY FILES #.vbs", + "# README.hta", + "_{RAND}_README.jpg", + "_{RAND}_README.hta", + "_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg", + "_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta", + "_HELP_HELP_HELP_%random%.jpg", + "_HELP_HELP_HELP_%random%.hta", + "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta", + "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg" + ], + "refs": [ + "https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", + "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410" + ] + } + }, + { + "value": 
"Chimera", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt", + "4 random characters, e.g., .PzZs, .MKJL" + ], + "ransomnotes": [ + "YOUR_FILES_ARE_ENCRYPTED.HTML", + "YOUR_FILES_ARE_ENCRYPTED.TXT", + ".gif" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/", + "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/" + ] + } + }, + { + "value": "Clock", + "description": "Ransomware Does not encrypt anything", + "meta": { + "refs": [ + "https://twitter.com/JakubKroustek/status/794956809866018816" + ] + } + }, + { + "value": "CoinVault", + "description": "Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!", + "meta": { + "extensions": [ + ".clf" + ], + "ransomnotes": [ + "wallpaper.jpg" + ], + "refs": [ + "https://noransom.kaspersky.com/" + ] + } + }, + { + "value": "Coverton", + "description": "Ransomware", + "meta": { + "extensions": [ + ".coverton", + ".enigma", + ".czvxce" + ], + "encryption": "AES-256", + "ransomnotes": [ + "!!!-WARNING-!!!.html", + "!!!-WARNING-!!!.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/" + ] + } + }, + { + "value": "Cryaki", + "description": "Ransomware", + "meta": { + "extensions": [ + ".{CRYPTENDBLACKDC}" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + } + }, + { + "value": "", + "description": "Ransomware", + "meta": { + "extensions": [ + "" + ], + "encryption": "", + "ransomnotes": [ + "" + ], + "refs": [ + "" + ] + } + }, + { + "value": "Crybola", + "description": "Ransomware", + "meta": { + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + } + }, + { + "value": "CryFile", + "description": "Ransomware", + "meta": { + "extensions": [ + ".criptiko", + ".criptoko", + ".criptokod", + ".cripttt", + ".aga" + ], + 
"encryption": "Moves bytes", + "refs": [ + "SHTODELATVAM.txt", + "Instructionaga.txt" + ], + "ransomnotes": [ + "http://virusinfo.info/showthread.php?t=185396" + ] + } + }, + { + "value": "CryLocker or Cry, CSTO, Central Security Treatment Organization", + "description": "Ransomware Identifies victim locations w/Google Maps API", + "meta": { + "extensions": [ + ".cry" + ], + "ransomnotes": [ + "!Recovery_[random_chars].html", + "!Recovery_[random_chars].txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/" + ] + } + }, + { + "value": "CrypMIC", + "description": "Ransomware CryptXXX clone/spinoff", + "meta": { + "encryption": "AES-256", + "ransomnotes": [ + "README.TXT", + "README.HTML", + "README.BMP" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/" + ] + } + }, + { + "value": "Crypren", + "description": "Ransomware", + "meta": { + "extensions": [ + ".ENCRYPTED" + ], + "encryption": "", + "ransomnotes": [ + "READ_THIS_TO_DECRYPT.html" + ], + "refs": [ + "https://github.com/pekeinfo/DecryptCrypren", + "http://www.nyxbone.com/malware/Crypren.html", + "http://www.nyxbone.com/images/articulos/malware/crypren/0.png" + ] + } + }, + { + "value": "Crypt38", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt38" + ], + "encryption": "AES", + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip", + "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption" + ] + } + }, + { + "value": "Cryptear or Hidden Tear", + "description": "Ransomware", + "meta": { + "encryption": "AES-256", + "refs": [ + "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html" + ] + } + }, + { + "value": "Crypter", + "description": "Ransomware Does not actually encrypt the files, but simply renames them", + "meta": { + 
"refs": [ + "https://twitter.com/jiriatvirlab/status/802554159564062722" + ] + } + }, + { + "value": "CryptFIle2", + "description": "Ransomware", + "meta": { + "extensions": [ + ".scl", + "id[_ID]email_xerx@usa.com.scl" + ], + "encryption": "RSA", + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" + ] + } + }, + { + "value": "CryptInfinite", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crinf" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + } + }, + { + "value": "CryptoBit", + "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.", + "meta": { + "encryption": "AES + RSA", + "ransomnotes": [ + "OKSOWATHAPPENDTOYOURFILES.TXT" + ], + "refs": [ + "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/", + "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml" + ] + } + }, + { + "value": "CryptoDefense", + "description": "Ransomware no extension change", + "meta": { + "ransomnotes": [ + "HOW_DECRYPT.TXT", + "HOW_DECRYPT.HTML", + "HOW_DECRYPT.URL" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + } + }, + { + "value": "CryptoFinancial or Ranscam", + "description": "Ransomware", + "meta": { + "refs": [ + "http://blog.talosintel.com/2016/07/ranscam.html", + "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/" + ] + } + }, + { + "value": "CryptoFortress", + "description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB", + "meta": { + "extensions": [ + ".frtrss" + ], + "encryption": "AES-256 + RSA-1024", + "ransomnotes": [ + "READ IF YOU WANT YOUR FILES BACK.html" + ] + } + }, + { + "value": "CryptoGraphic Locker", + "description": "Ransomware Has a GUI. 
Subvariants: CoinVault BitCryptor", + "meta": { + "extensions": [ + ".clf" + ], + "ransomnotes": [ + "wallpaper.jpg" + ] + } + }, + { + "value": "CryptoHost or Manamecrypt, Telograph, ROI Locker", + "description": "Ransomware RAR's victim's files has a GUI", + "meta": { + "encryption": "AES-256 (RAR implementation)", + "refs": [ + "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" + ] + } + }, + { + "value": "CryptoJoker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crjoker" + ], + "encryption": "AES-256", + "ransomnotes": [ + "README!!!.txt", + "GetYouFiles.txt", + "crjoker.html" + ] + } + }, + { + "value": "CryptoLocker", + "description": "Ransomware no longer relevant", + "meta": { + "extensions": [ + ".encrypted", + ".ENC" + ], + "refs": [ + "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html", + "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/" + ] + } + }, + { + "value": "CryptoLocker 1.0.0", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/839747940122001408" + ] + } + }, + { + "value": "CryptoLocker 5.1", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/782890104947867649" + ] + } + }, + { + "value": "CryptoMix or Zeta", + "description": "Ransomware", + "meta": { + "extensions": [ + ".code", + ".scl", + ".rmd", + ".lesli", + ".rdmk", + ".CRYPTOSHIELD", + ".CRYPTOSHIEL", + ".id_(ID_MACHINE)_email_xoomx@dr.com_.code", + ".id_*_email_zeta@dr.com", + ".id_(ID_MACHINE)_email_anx@dr.com_.scl", + ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli", + "*filename*.email[*email*]_id[*id*].rdmk" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.html (CryptXXX)", + "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", + "INSTRUCTION RESTORE FILE.TXT" + ], + "refs": [ + 
"http://www.nyxbone.com/malware/CryptoMix.html", + "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" + ] + } + }, + { + "value": "CryptoRansomeware", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/817672617658347521" + ] + } + }, + { + "value": "CryptoRoger", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crptrgr" + ], + "encryption": "AES", + "ransomnotes": [ + "!Where_are_my_files!.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/" + ] + } + }, + { + "value": "CryptoShadow", + "description": "Ransomware", + "meta": { + "extensions": [ + ".doomed" + ], + "ransomnotes": [ + "LEER_INMEDIATAMENTE.txt" + ], + "refs": [ + "https://twitter.com/struppigel/status/821992610164277248" + ] + } + }, + { + "value": "CryptoShocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES", + "ransomnotes": [ + "ATTENTION.url" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/" + ] + } + }, + { + "value": "CryptoTorLocker2015", + "description": "Ransomware", + "meta": { + "extensions": [ + ".CryptoTorLocker2015!" 
+ ], + "ransomnotes": [ + "HOW TO DECRYPT FILES.txt", + "%Temp%\\.bmp" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/" + ] + } + }, + { + "value": "CryptoTrooper", + "description": "Ransomware", + "meta": { + "encryption": "AES", + "refs": [ + "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml" + ] + } + }, + { + "value": "CryptoWall 1", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "DECRYPT_INSTRUCTION.HTM", + "DECRYPT_INSTRUCTION.TXT", + "DECRYPT_INSTRUCTION.URL", + "INSTALL_TOR.URL" + ] + } + }, + { + "value": "CryptoWall 2", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "HELP_DECRYPT.TXT", + "HELP_DECRYPT.PNG", + "HELP_DECRYPT.URL", + "HELP_DECRYPT.HTML" + ] + } + }, + { + "value": "CryptoWall 3", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "HELP_DECRYPT.TXT", + "HELP_DECRYPT.PNG", + "HELP_DECRYPT.URL", + "HELP_DECRYPT.HTML" + ], + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/", + "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/" + ] + } + }, + { + "value": "CryptoWall 4", + "description": "Ransomware", + "meta": { + "extensions": [ + "., e.g. ,27p9k967z.x1nep" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.HTML", + "HELP_YOUR_FILES.PNG" + ] + } + }, + { + "value": "CryptXXX or CryptProjectXXX", + "description": "Ransomware Comes with Bedep", + "meta": { + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + "de_crypt_readme.bmp, .txt, .html" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information" + ] + } + }, + { + "value": "CryptXXX 2.0 or CryptProjectXXX", + "description": "Ransomware Locks screen. Ransom note names are an ID. 
Comes with Bedep.", + "meta": { + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + ".txt, .html, .bmp" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool", + "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" + ] + } + }, + { + "value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter", + "description": "Ransomware Comes with Bedep", + "meta": { + "extensions": [ + ".crypt", + ".cryp1", + ".crypz", + ".cryptz", + "random" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/", + "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" + ] + } + }, + { + "value": "CryptXXX 3.1", + "description": "Ransomware StilerX credential stealing", + "meta": { + "extensions": [ + ".cryp1" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100" + ] + } + }, + { + "value": "CryPy", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cry" + ], + "encryption": "AES", + "ransomnotes": [ + "README_FOR_DECRYPT.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/" + ] + } + }, + { + "value": "CTB-Faker or Citroni", + "description": "Ransomware", + "meta": { + "extensions": [ + ".ctbl", + ".([a-z]{6,7})" + ], + "encryption": "RSA-2048", + "ransomnotes": [ + "AllFilesAreLocked .bmp", + "DecryptAllFiles .txt", + ".html" + ] + } + }, + { + "value": "CTB-Locker WEB", + "description": "Ransomware websites only", + "meta": { + "refs": [ + "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/", + "https://github.com/eyecatchup/Critroni-php" + ] + } + }, + { + 
"value": "CuteRansomware or my-Little-Ransomware", + "description": "Ransomware Based on my-Little-Ransomware", + "meta": { + "extensions": [ + ".已加密", + ".encrypted" + ], + "encryption": "AES-128", + "ransomnotes": [ + "你的檔案被我們加密啦!!!.txt", + "Your files encrypted by our friends !!! txt" + ], + "refs": [ + "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool", + "https://github.com/aaaddress1/my-Little-Ransomware" + ] + } + }, + { + "value": "Cyber SpLiTTer Vbs or CyberSplitter", + "description": "Ransomware Based on HiddenTear", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/778871886616862720", + "https://twitter.com/struppigel/status/806758133720698881" + ] + } + }, + { + "value": "Death Bitches", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + "https://twitter.com/JaromirHorejsi/status/815555258478981121" + ] + } + }, + { + "value": "DeCrypt Protect", + "description": "Ransomware", + "meta": { + "extensions": [ + ".html" + ], + "refs": [ + "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/" + ] + } + }, + { + "value": "DEDCryptor", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".ded" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/", + "http://www.nyxbone.com/malware/DEDCryptor.html" + ] + } + }, + { + "value": "Demo", + "description": "Ransomware only encrypts .jpg files", + "meta": { + "extensions": [ + ".encrypted" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.txt" + ], + "refs": [ + "https://twitter.com/struppigel/status/798573300779745281" + ] + } + }, + { + "value": "DetoxCrypto", + "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte", + "meta": { + "encryption": "AES", + "refs": [ + 
"http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/" + ] + } + }, + { + "value": "Digisom", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Digisom Readme0.txt (0 to 9)" + ], + "refs": [ + "https://twitter.com/PolarToffee/status/829727052316160000" + ] + } + }, + { + "value": "DirtyDecrypt", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/demonslay335/status/752586334527709184" + ] + } + }, + { + "value": "DMALocker", + "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0", + "meta": { + "encryption": "AES-256 in ECB mode, Version 2-4 also RSA", + "ransomnotes": [ + "cryptinfo.txt", + "decrypting.txt", + "start.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/", + "https://github.com/hasherezade/dma_unlocker", + "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", + "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" + ] + } + }, + { + "value": "DMALocker 3.0", + "description": "Ransomware", + "meta": { + "encryption": "AES-256 + XPTLOCK5.0", + "refs": [ + "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", + "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/" + ] + } + }, + { + "value": "DNRansomware", + "description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT", + "meta": { + "extensions": [ + ".fucked" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/822500056511213568" + ] + } + }, + { + "value": "Domino", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".domino" + ], + "encryption": "AES-256", + "ransomnotes": [ + "README_TO_RECURE_YOUR_FILES.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/Domino.html", + 
"http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/" + ] + } + }, + { + "value": "DoNotChange", + "description": "Ransomware", + "meta": { + "extensions": [ + ".id-7ES642406.cry", + ".Do_not_change_the_filename" + ], + "encryption": "AES-128", + "ransomnotes": [ + "HOW TO DECODE FILES!!!.txt", + "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/" + ] + } + }, + { + "value": "DummyLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".dCrypt" + ], + "refs": [ + "https://twitter.com/struppigel/status/794108322932785158" + ] + } + }, + { + "value": "DXXD", + "description": "Ransomware", + "meta": { + "extensions": [ + ".dxxd" + ], + "ransomnotes": [ + "ReadMe.TxT" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/", + "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/" + ] + } + }, + { + "value": "EDA2 / HiddenTear or Cryptear", + "description": "Ransomware Open sourced C#", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256" + } + }, + { + "value": "EduCrypt or EduCrypter", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".isis", + ".locked" + ], + "ransomnotes": [ + "README.txt" + ], + "refs": [ + "http://www.filedropper.com/decrypter_1", + "https://twitter.com/JakubKroustek/status/747031171347910656" + ] + } + }, + { + "value": "EiTest", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypted" + ], + "refs": [ + "https://twitter.com/BroadAnalysis/status/845688819533930497", + "https://twitter.com/malwrhunterteam/status/845652520202616832" + ] + } + }, + { + "value": "El-Polocker or Los Pollos Hermanos", + "description": "Ransomware Has a GUI", + "meta": { + "extensions": 
[ + ".ha3" + ], + "encryption": "", + "ransomnotes": [ + "qwer.html", + "qwer2.html", + "locked.bmp" + ] + } + }, + { + "value": "Encoder.xxxx or Trojan.Encoder.6491", + "description": "Ransomware Coded in GO", + "meta": { + "ransomnotes": [ + "Instructions.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/", + "http://vms.drweb.ru/virus/?_is=1&i=8747343" + ] + } + }, + { + "value": "encryptoJJS", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enc" + ], + "ransomnotes": [ + "How to recover.enc" + ] + } + }, + { + "value": "Enigma", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enigma", + ".1txt" + ], + "encryption": "AES-128", + "ransomnotes": [ + "enigma.hta", + "enigma_encr.txt", + "enigma_info.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/" + ] + } + }, + { + "value": "Enjey", + "description": "Ransomware Based on RemindMe", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/839022018230112256" + ] + } + }, + { + "value": "Fairware", + "description": "Ransomware Target Linux O.S.", + "meta": { + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/" + ] + } + }, + { + "value": "Fakben", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "READ ME FOR DECRYPT.txt" + ], + "refs": [ + "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code" + ] + } + }, + { + "value": "FakeCryptoLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cryptolocker" + ], + "refs": [ + "https://twitter.com/PolarToffee/status/812312402779836416" + ] + } + }, + { + "value": "Fantom or Comrad Circle", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".fantom", + 
".comrade" + ], + "encryption": "AES-128", + "ransomnotes": [ + "DECRYPT_YOUR_FILES.HTML", + "RESTORE-FILES![id]" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/" + ] + } + }, + { + "value": "FenixLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".FenixIloveyou!!" + ], + "ransomnotes": [ + "Help to decrypt.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/fenixlocker", + "https://twitter.com/fwosar/status/777197255057084416" + ] + } + }, + { + "value": "FILE FROZR", + "description": "Ransomware RaaS", + "meta": { + "refs": [ + "https://twitter.com/rommeljoven17/status/846973265650335744" + ] + } + }, + { + "value": "FileLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".ENCR" + ], + "refs": [ + "https://twitter.com/jiriatvirlab/status/836616468775251968" + ] + } + }, + { + "value": "FireCrypt", + "description": "Ransomware", + "meta": { + "extensions": [ + ".firecrypt" + ], + "encryption": "AES-256", + "ransomnotes": [ + "[random_chars]-READ_ME.html" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" + ] + } + }, + { + "value": "Flyper", + "description": "Ransomware Based on EDA2 / HiddenTear", + "meta": { + "extensions": [ + ".locked" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/773771485643149312" + ] + } + }, + { + "value": "Fonco", + "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents", + "meta": { + "ransomnotes": [ + "help-file-decrypt.enc", + "/pronk.txt" + ] + } + }, + { + "value": "FortuneCookie ", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/842302481774321664" + ] + } + }, + { + "value": "Free-Freedom or Roga", + "description": "Ransomware Unlock code is: adam or adamdude9", + "meta": { + "extensions": [ + ".madebyadam" + ], + 
"refs": [ + "https://twitter.com/BleepinComputer/status/812135608374226944" + ] + } + }, + { + "value": "FSociety", + "description": "Ransomware Based on EDA2 and RemindMe", + "meta": { + "extensions": [ + ".fs0ciety", + ".dll" + ], + "ransomnotes": [ + "fs0ciety.html", + "DECRYPT_YOUR_FILES.HTML" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/", + "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/", + "https://twitter.com/siri_urz/status/795969998707720193" + ] + } + }, + { + "value": "Fury", + "description": "Ransomware", + "meta": { + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + } + }, + { + "value": "GhostCrypt", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".Z81928819" + ], + "encryption": "AES-256", + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip", + "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/" + ] + } + }, + { + "value": "Gingerbread", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/ni_fi_70/status/796353782699425792" + ] + } + }, + { + "value": "Globe v1 or Purge", + "description": "Ransomware", + "meta": { + "extensions": [ + ".purge" + ], + "encryption": "Blowfish", + "ransomnotes": [ + "How to restore files.hta" + ], + "refs": [ + "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", + "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/" + ] + } + }, + { + "value": "GNL Locker", + "description": "Ransomware Only encrypts DE or NL country. 
Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker", + "meta": { + "extensions": [ + ".locked", + ".locked, e.g., bill.!ID!8MMnF!ID!.locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "UNLOCK_FILES_INSTRUCTIONS.html and .txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/" + ] + } + }, + { + "value": "Gomasom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt", + "!___[EMAILADDRESS]_.crypt" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + } + }, + { + "value": "Goopic", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Your files have been crypted.html" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" + ] + } + }, + { + "value": "Gopher", + "description": "Ransomware OS X ransomware (PoC)" + }, + { + "value": "Hacked", + "description": "Ransomware Jigsaw Ransomware variant", + "meta": { + "extensions": [ + ".versiegelt", + ".encrypted", + ".payrmts", + ".locked", + ".Locked" + ], + "refs": [ + "https://twitter.com/demonslay335/status/806878803507101696" + ] + } + }, + { + "value": "HappyDayzz", + "description": "Ransomware", + "meta": { + "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4", + "refs": [ + "https://twitter.com/malwrhunterteam/status/847114064224497666" + ] + } + }, + { + "value": "Harasom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".html" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + } + }, + { + "value": "HDDCryptor or Mamba", + "description": "Ransomware Uses https://diskcryptor.net for full disk encryption", + "meta": { + "encryption": "Custom (net shares), XTS-AES (disk)", + "refs": [ + "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho", + 
"blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" + ] + } + }, + { + "value": "Heimdall", + "description": "Ransomware File marker: \"Heimdall---\"", + "meta": { + "encryption": "AES-128-CBC", + "refs": [ + "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/" + ] + } + }, + { + "value": "Help_dcfile", + "description": "Ransomware", + "meta": { + "extensions": [ + ".XXX" + ], + "ransomnotes": [ + "help_dcfile.txt" + ] + } + }, + { + "value": "Herbst", + "description": "Ransomware", + "meta": { + "extensions": [ + ".herbst" + ], + "encryption": "AES-256", + "refs": [ + "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" + ] + } + }, + { + "value": "Hi Buddy!", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".cry" + ], + "encryption": "AES-256", + "refs": [ + "http://www.nyxbone.com/malware/hibuddy.html" + ] + } + }, + { + "value": "Hitler", + "description": "Ransomware Deletes files", + "meta": { + "extensions": [ + "removes extensions" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/", + "https://twitter.com/jiriatvirlab/status/825310545800740864" + ] + } + }, + { + "value": "HolyCrypt", + "description": "Ransomware", + "meta": { + "extensions": [ + "(encrypted)" + ], + "encryption": "AES", + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/" + ] + } + }, + { + "value": "HTCryptor", + "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear", + "meta": { + "refs": [ + "https://twitter.com/BleepinComputer/status/803288396814839808" + ] + } + }, + { + "value": "HydraCrypt", + "description": "Ransomware CrypBoss Family", + "meta": { + "extensions": [ + 
"hydracrypt_ID_[\\w]{8}" + ], + "ransomnotes": [ + "README_DECRYPT_HYRDA_ID_[ID number].txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/", + "http://www.malware-traffic-analysis.net/2016/02/03/index2.html" + ] + } + }, + { + "value": "iLock", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/817085367144873985" + ] + } + }, + { + "value": "iLockLight", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ] + } + }, + { + "value": "International Police Association", + "description": "Ransomware CryptoTorLocker2015 variant", + "meta": { + "extensions": [ + "<6 random characters>" + ], + "ransomnotes": [ + "%Temp%\\.bmp" + ], + "refs": [ + "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe" + ] + } + }, + { + "value": "iRansom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".Locked" + ], + "refs": [ + "https://twitter.com/demonslay335/status/796134264744083460" + ] + } + }, + { + "value": "JagerDecryptor", + "description": "Ransomware Prepends filenames", + "meta": { + "extensions": [ + "!ENC" + ], + "ransomnotes": [ + "Important_Read_Me.html" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/757873976047697920" + ] + } + }, + { + "value": "Jeiphoos or Encryptor RaaS or Sarento", + "description": "Ransomware Windows, Linux. Campaign stopped. 
Actor claimed he deleted the master key.", + "meta": { + "encryption": "RC6 (files), RSA 2048 (RC6 key)", + "ransomnotes": [ + "readme_liesmich_encryptor_raas.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/RaaS.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/" + ] + } + }, + { + "value": "Jhon Woddy", + "description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH", + "meta": { + "extensions": [ + ".killedXXX" + ], + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip", + "https://twitter.com/BleepinComputer/status/822509105487245317" + ] + } + }, + { + "value": "Jigsaw or CryptoHitMan (subvariant)", + "description": "Ransomware Has a GUI", + "meta": { + "extensions": [ + ".btc", + ".kkk", + ".fun", + ".gws", + ".porno", + ".payransom", + ".payms", + ".paymst", + ".AFD", + ".paybtcs", + ".epic", + ".xyz", + ".encrypted", + ".hush", + ".paytounlock", + ".uk-dealer@sigaint.org", + ".gefickt", + ".nemo-hacks.at.sigaint.org" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/", + "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/", + "https://twitter.com/demonslay335/status/795819556166139905" + ] + } + }, + { + "value": "Job Crypter", + "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", + "meta": { + "extensions": [ + ".locked", + ".css" + ], + "encryption": "TripleDES", + "ransomnotes": [ + "Comment débloquer mes fichiers.txt", + "Readme.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/jobcrypter.html", + "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html", + "https://twitter.com/malwrhunterteam/status/828914052973858816" + ] + } + }, + { + "value": "JohnyCryptor", + "description": "Ransomware" + }, + { + 
"value": "KawaiiLocker", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "How Decrypt Files.txt" + ], + "refs": [ + "https://safezone.cc/resources/kawaii-decryptor.195/" + ] + } + }, + { + "value": "KeRanger", + "description": "Ransomware OS X Ransomware", + "meta": { + "extensions": [ + ".encrypted" + ], + "encryption": "AES", + "refs": [ + "http://news.drweb.com/show/?i=9877&lng=en&c=5", + "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/" + ] + } + }, + { + "value": "KeyBTC", + "description": "Ransomware", + "meta": { + "extensions": [ + "keybtc@inbox_com" + ], + "ransomnotes": [ + "DECRYPT_YOUR_FILES.txt", + "READ.txt", + "readme.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + } + }, + { + "value": "KEYHolder", + "description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address", + "meta": { + "ransomnotes": [ + "how_decrypt.gif", + "how_decrypt.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml" + ] + } + }, + { + "value": "KillerLocker", + "description": "Ransomware Possibly Portuguese dev", + "meta": { + "extensions": [ + ".rip" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/782232299840634881" + ] + } + }, + { + "value": "KimcilWare", + "description": "Ransomware websites only", + "meta": { + "extensions": [ + ".kimcilware", + ".locked" + ], + "encryption": "AES", + "refs": [ + "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it", + "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/" + ] + } + }, + { + "value": "Korean", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".암호화됨" + ], + "encryption": "AES-256", + "ransomnotes": [ + "ReadMe.txt" + ], + "refs": [ + 
"http://www.nyxbone.com/malware/koreanRansom.html" + ] + } + }, + { + "value": "Kozy.Jozy or QC", + "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com", + "meta": { + "extensions": [ + ".31392E30362E32303136_[ID-KEY]_LSBJ1", + ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" + ], + "encryption": "RSA-2048", + "ransomnotes": [ + "w.jpg" + ], + "refs": [ + "http://www.nyxbone.com/malware/KozyJozy.html", + "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/" + ] + } + }, + { + "value": "KratosCrypt", + "description": "Ransomware kratosdimetrici@gmail.com", + "meta": { + "extensions": [ + ".kratos" + ], + "ransomnotes": [ + "README_ALL.html" + ], + "refs": [ + "https://twitter.com/demonslay335/status/746090483722686465" + ] + } + }, + { + "value": "KryptoLocker", + "description": "Ransomware Based on HiddenTear", + "meta": { + "encryption": "AES-256", + "ransomnotes": [ + "KryptoLocker_README.txt" + ] + } + }, + { + "value": "LanRan", + "description": "Ransomware Variant of open-source MyLittleRansomware", + "meta": { + "ransomnotes": [ + "@__help__@" + ], + "refs": [ + "https://twitter.com/struppigel/status/847689644854595584" + ] + } + }, + { + "value": "LeChiffre", + "description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. 
Via remote attacker", + "meta": { + "extensions": [ + ".LeChiffre" + ], + "ransomnotes": [ + "How to decrypt LeChiffre files.html" + ], + "refs": [ + "https://decrypter.emsisoft.com/lechiffre", + "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/" + ] + } + }, + { + "value": "Lick", + "description": "Ransomware Variant of Kirk", + "meta": { + "extensions": [ + ".Licked" + ], + "ransomnotes": [ + "RANSOM_NOTE.txt" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/842404866614038529" + ] + } + }, + { + "value": "Linux.Encoder or Linux.Encoder.{0,3}", + "description": "Ransomware Linux Ransomware", + "meta": { + "refs": [ + "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/" + ] + } + }, + { + "value": "LK Encryption", + "description": "Ransomware Based on HiddenTear", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/845183290873044994" + ] + } + }, + { + "value": "LLTP Locker", + "description": "Ransomware Targeting Spanish speaking victims", + "meta": { + "extensions": [ + ".ENCRYPTED_BY_LLTP", + ".ENCRYPTED_BY_LLTPp" + ], + "encryption": "AES-256", + "ransomnotes": [ + "LEAME.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/" + ] + } + }, + { + "value": "Locker", + "description": "Ransomware has GUI", + "meta": { + "refs": [ + "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545" + ] + } + }, + { + "value": "LockLock", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locklock" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_ME.TXT" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/" + ] + } + }, + { + "value": "Locky", + "description": "Ransomware Affiliations with Dridex and Necurs botnets", + "meta": { + "extensions": [ + 
".locky", + ".zepto", + ".odin", + ".shit", + ".thor", + ".aesir", + ".zzzzz", + ".osiris", + "([A-F0-9]{32}).locky", + "([A-F0-9]{32}).zepto", + "([A-F0-9]{32}).odin", + "([A-F0-9]{32}).shit", + "([A-F0-9]{32}).thor", + "([A-F0-9]{32}).aesir", + "([A-F0-9]{32}).zzzzz", + "([A-F0-9]{32}).osiris" + ], + "encryption": "AES-128", + "ransomnotes": [ + "_Locky_recover_instructions.txt", + "_Locky_recover_instructions.bmp", + "_HELP_instructions.txt", + "_HELP_instructions.bmp", + "_HOWDO_text.html", + "_WHAT_is.html", + "_INSTRUCTION.html", + "DesktopOSIRIS.(bmp|htm)", + "OSIRIS-[0-9]{4}.htm" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/", + "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/" + ] + } + }, + { + "value": "Lortok", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ] + } + }, + { + "value": "LowLevel04", + "description": "Ransomware Prepends filenames", + "meta": { + "extensions": [ + "oor." 
+ ] + } + }, + { + "value": "M4N1F3STO", + "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga", + "meta": { + "refs": [ + "https://twitter.com/jiriatvirlab/status/808015275367002113" + ] + } + }, + { + "value": "Mabouia", + "description": "Ransomware OS X ransomware (PoC)" + }, + { + "value": "MacAndChess", + "description": "Ransomware Based on HiddenTear" + }, + { + "value": "Magic", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".magic" + ], + "encryption": "AES-256", + "ransomnotes": [ + "DECRYPT_ReadMe1.TXT", + "DECRYPT_ReadMe.TXT" + ] + } + }, + { + "value": "MaktubLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + "[a-z]{4,6}" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "_DECRYPT_INFO_[extension pattern].html" + ], + "refs": [ + "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" + ] + } + }, + { + "value": "MarsJoke", + "description": "Ransomware", + "meta": { + "extensions": [ + ".a19", + ".ap19" + ], + "ransomnotes": [ + "!!! Readme For Decrypt !!!.txt", + "ReadMeFilesDecrypt!!!.txt" + ], + "refs": [ + "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/", + "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker" + ] + } + }, + { + "value": "Meister", + "description": "Ransomware Targeting French victims", + "meta": { + "refs": [ + "https://twitter.com/siri_urz/status/840913419024945152" + ] + } + }, + { + "value": "Meteoritan", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "where_are_your_files.txt", + "readme_your_files_have_been_encrypted.txt" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/844614889620561924" + ] + } + }, + { + "value": "MIRCOP or Crypt888", + "description": "Ransomware Prepends files Demands 48.48 BTC", + "meta": { + "extensions": [ + "Lock." 
+ ], + "encryption": "AES", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/", + "https://www.avast.com/ransomware-decryption-tools#!", + "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/", + "http://www.nyxbone.com/malware/Mircop.html" + ] + } + }, + { + "value": "MireWare", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".fucked", + ".fuck" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ] + } + }, + { + "value": "Mischa or \"Petya's little brother\"", + "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe", + "meta": { + "extensions": [ + ".([a-zA-Z0-9]{4})" + ], + "ransomnotes": [ + "YOUR_FILES_ARE_ENCRYPTED.HTML", + "YOUR_FILES_ARE_ENCRYPTED.TXT " + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/" + ] + } + }, + { + "value": "MM Locker or Booyah", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" + ] + } + }, + { + "value": "Mobef or Yakes or CryptoBit", + "description": "Ransomware", + "meta": { + "extensions": [ + ".KEYZ", + ".KEYH0LES" + ], + "ransomnotes": [ + "4-14-2016-INFECTION.TXT", + "IMPORTANT.README" + ], + "refs": [ + "http://nyxbone.com/malware/Mobef.html", + "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/", + "http://nyxbone.com/images/articulos/malware/mobef/0.png" + ] + } + }, + { + "value": "Monument", + "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant", + "meta": { + "refs": [ + 
"https://twitter.com/malwrhunterteam/status/844826339186135040" + ] + } + }, + { + "value": "N-Splitter", + "description": "Ransomware Russian Koolova Variant", + "meta": { + "extensions": [ + ".кибер разветвитель" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/815961663644008448", + "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q" + ] + } + }, + { + "value": "n1n1n1", + "description": "Ransomware Filemaker: \"333333333333\"", + "meta": { + "ransomnotes": [ + "decrypt explanations.html" + ], + "refs": [ + "https://twitter.com/demonslay335/status/790608484303712256", + "https://twitter.com/demonslay335/status/831891344897482754" + ] + } + }, + { + "value": "NanoLocker", + "description": "Ransomware no extension change, has a GUI", + "meta": { + "encryption": "AES-256 + RSA", + "ransomnotes": [ + "ATTENTION.RTF" + ], + "refs": [ + "http://github.com/Cyberclues/nanolocker-decryptor" + ] + } + }, + { + "value": "Nemucod", + "description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes", + "meta": { + "extensions": [ + ".crypted" + ], + "encryption": "XOR(255) + 7zip", + "ransomnotes": [ + "Decrypted.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/nemucod", + "https://github.com/Antelox/NemucodFR", + "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/", + "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/" + ] + } + }, + { + "value": "Netix or RANSOM_NETIX.A", + "description": "Ransomware", + "meta": { + "extensions": [ + "AES-256" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/" + ] + } + }, + { + "value": "Nhtnwcuf", + "description": "Ransomware Does not encrypt the files / Files are destroyed", + "meta": { + "ransomnotes": [ + "!_RECOVERY_HELP_!.txt", + "HELP_ME_PLEASE.txt" + ], + "refs": [ + 
"https://twitter.com/demonslay335/status/839221457360195589" + ] + } + }, + { + "value": "NMoreira or XRatTeam or XPan", + "description": "Ransomware", + "meta": { + "extensions": [ + ".maktub", + ".__AiraCropEncrypted!" + ], + "encryption": "mix of RSA and AES-256", + "ransomnotes": [ + "Recupere seus arquivos. Leia-me!.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/nmoreira", + "https://twitter.com/fwosar/status/803682662481174528" + ] + } + }, + { + "value": "NoobCrypt", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/JakubKroustek/status/757267550346641408", + "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/" + ] + } + }, + { + "value": "Nuke", + "description": "Ransomware", + "meta": { + "extensions": [ + ".nuclear55" + ], + "encryption": "AES", + "ransomnotes": [ + "!!_RECOVERY_instructions_!!.html", + "!!_RECOVERY_instructions_!!.txt" + ] + } + }, + { + "value": "Nullbyte", + "description": "Ransomware", + "meta": { + "extensions": [ + "_nullbyte" + ], + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip", + "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/" + ] + } + }, + { + "value": "ODCODC", + "description": "Ransomware", + "meta": { + "extensions": [ + ".odcodc", + "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc" + ], + "encryption": "XOR", + "ransomnotes": [ + "HOW_TO_RESTORE_FILES.txt" + ], + "refs": [ + "http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip", + "http://www.nyxbone.com/malware/odcodc.html", + "https://twitter.com/PolarToffee/status/813762510302183424", + "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png" + ] + } + }, + { + "value": "Offline ransomware or Vipasana or Cryakl", + "description": "Ransomware email addresses overlap with .777 addresses", + "meta": { + "extensions": [ + 
".cbf", + "email-[params].cbf" + ], + "ransomnotes": [ + "desk.bmp", + "desk.jpg" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html" + ] + } + }, + { + "value": "OMG! Ransomware or GPCode", + "description": "Ransomware", + "meta": { + "extensions": [ + ".LOL!", + ".OMG!" + ], + "ransomnotes": [ + "how to get data.txt" + ] + } + }, + { + "value": "Operation Global III", + "description": "Ransomware Is a file infector (virus)", + "meta": { + "extensions": [ + ".EXE" + ], + "refs": [ + "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/" + ] + } + }, + { + "value": "Owl or CryptoWire", + "description": "Ransomware", + "meta": { + "extensions": [ + "dummy_file.encrypted", + "dummy_file.encrypted.[extension]" + ], + "ransomnotes": [ + "log.txt" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/842342996775448576" + ] + } + }, + { + "value": "PadCrypt", + "description": "Ransomware has a live support chat", + "meta": { + "extensions": [ + ".padcrypt" + ], + "ransomnotes": [ + "IMPORTANT READ ME.txt", + "File Decrypt Help.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", + "https://twitter.com/malwrhunterteam/status/798141978810732544" + ] + } + }, + { + "value": "Padlock Screenlocker", + "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R", + "meta": { + "refs": [ + "https://twitter.com/BleepinComputer/status/811635075158839296" + ] + } + }, + { + "value": "Patcher", + "description": "Ransomware Targeting macOS users", + "meta": { + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + "README!.txt" + ], + "refs": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/", + 
"https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/" + ] + } + }, + { + "value": "Petya or Goldeneye", + "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe", + "meta": { + "encryption": "Modified Salsa20", + "ransomnotes": [ + "YOUR_FILES_ARE_ENCRYPTED.TXT" + ], + "refs": [ + "http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator", + "https://www.youtube.com/watch?v=mSqxFjZq_z4", + "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/", + "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/" + ] + } + }, + { + "value": "Philadelphia", + "description": "Ransomware Coded by \"The_Rainmaker\"", + "meta": { + "extensions": [ + ".locked", + ".locked" + ], + "encryption": "AES-256", + "refs": [ + "https://decrypter.emsisoft.com/philadelphia", + "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" + ] + } + }, + { + "value": "PizzaCrypts", + "description": "Ransomware", + "meta": { + "extensions": [ + ".id-[victim_id]-maestro@pizzacrypts.info" + ], + "refs": [ + "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip" + ] + } + }, + { + "value": "PokemonGO", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "refs": [ + "http://www.nyxbone.com/malware/pokemonGO.html", + "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/" + ] + } + }, + { + "value": "Polyglot", + "description": "Ransomware Immitates CTB-Locker", + "meta": { + "encryption": "AES-256", + "refs": [ + "https://support.kaspersky.com/8547", + "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" + ] + } + }, + { + "value": "PowerWare or PoshCoder", + 
"description": "Ransomware Open-sourced PowerShell", + "meta": { + "extensions": [ + ".locky" + ], + "encryption": "AES-128", + "refs": [ + "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py", + "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip", + "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/", + "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/" + ] + } + }, + { + "value": "PowerWorm", + "description": "Ransomware no decryption possible, throws key away, destroys the files", + "meta": { + "encryption": "AES", + "ransomnotes": [ + "DECRYPT_INSTRUCTION.html" + ] + } + }, + { + "value": "Princess Locker", + "description": "Ransomware", + "meta": { + "extensions": [ + "[a-z]{4,6},[0-9]" + ], + "ransomnotes": [ + "!_HOW_TO_RESTORE_[extension].TXT", + "!_HOW_TO_RESTORE_[extension].html", + "!_HOW_TO_RESTORE_*id*.txt", + ".*id*", + "@_USE_TO_FIX_JJnY.txt" + ], + "refs": [ + "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", + "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/" + ] + } + }, + { + "value": "PRISM", + "description": "Ransomware", + "meta": { + "refs": [ + "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/" + ] + } + }, + { + "value": "Ps2exe", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/jiriatvirlab/status/803297700175286273" + ] + } + }, + { + "value": "R", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Ransomware.txt" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/846705481741733892" + ] + } + }, + { + "value": "R980", + "description": "Ransomware", + "meta": { + "extensions": [ + 
".crypt"
+ ],
+ "ransomnotes": [
+ "DECRYPTION INSTRUCTIONS.txt",
+ "rtext.txt"
+ ],
+ "refs": [
+ "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
+ ]
+ }
+ },
+ {
+ "value": "RAA encryptor or RAA",
+ "description": "Ransomware Possible affiliation with Pony",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes": [
+ "!!!README!!![id].rtf"
+ ],
+ "refs": [
+ "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/",
+ "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/"
+ ]
+ }
+ },
+ {
+ "value": "Rabion",
+ "description": "Ransomware RaaS Copy of Ranion RaaS",
+ "meta": {
+ "refs": [
+ "https://twitter.com/CryptoInsane/status/846181140025282561"
+ ]
+ }
+ },
+ {
+ "value": "Radamant",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".RDM",
+ ".RRK",
+ ".RAD",
+ ".RADAMANT"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "YOUR_FILES.url"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/radamant",
+ "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/",
+ "http://www.nyxbone.com/malware/radamant.html"
+ ]
+ }
+ },
+ {
+ "value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
+ "description": "Ransomware Files might be partially encrypted",
+ "meta": {
+ "extensions": [
+ ".locked",
+ ".kraken",
+ ".darkness",
+ ".nochance",
+ ".oshit",
+ ".oplata@qq_com",
+ ".relock@qq_com",
+ ".crypto",
+ ".helpdecrypt@ukr.net",
+ ".pizda@qq_com",
+ ".dyatel@qq_com",
+ "_ryp",
+ ".nalog@qq_com",
+ ".chifrator@qq_com",
+ ".gruzin@qq_com",
+ ".troyancoder@qq_com",
+ ".encrypted",
+ ".cry",
+ ".AES256",
+ ".enc",
+ ".hb15",
+ ".coderksu@gmail_com_id[0-9]{2,3}",
+ ".crypt@india.com.[\\w]{4,12}"
+ ],
+ "ransomnotes": [
+ "\\fud.bmp",
+ "\\paycrypt.bmp",
+ "\\strongcrypt.bmp",
+ "\\maxcrypt.bmp",
+ "%APPDATA%\\Roaming\\.bmp"
+ ],
+ "refs": [
+ 
"https://support.kaspersky.com/us/viruses/disinfection/10556"
+ ]
+ }
+ },
+ {
+ "value": "Ramsomeer",
+ "description": "Ransomware Based on the DUMB ransomware"
+ },
+ {
+ "value": "Rannoh",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "locked-.[a-zA-Z]{4}"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/8547"
+ ]
+ }
+ },
+ {
+ "value": "RanRan",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zXz"
+ ],
+ "ransomnotes": [
+ "VictemKey_0_5",
+ "VictemKey_5_30",
+ "VictemKey_30_100",
+ "VictemKey_100_300",
+ "VictemKey_300_700",
+ "VictemKey_700_2000",
+ "VictemKey_2000_3000",
+ "VictemKey_3000",
+ "zXz.html"
+ ],
+ "refs": [
+ "https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption",
+ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/",
+ "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/"
+ ]
+ }
+ },
+ {
+ "value": "Ransoc",
+ "description": "Ransomware Doesn't encrypt user files",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
+ "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/"
+ ]
+ }
+ },
+ {
+ "value": "Ransom32",
+ "description": "Ransomware no extension change, Javascript Ransomware"
+ },
+ {
+ "value": "RansomLock",
+ "description": "Ransomware Locks the desktop",
+ "meta": {
+ "encryption": "Asymmetric 1024 ",
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2"
+ ]
+ }
+ },
+ {
+ "value": "RarVault",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "RarVault.htm"
+ ]
+ }
+ },
+ {
+ "value": "Razy",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".razy",
+ ".fear"
+ ],
+ 
"encryption": "AES-128",
+ "refs": [
+ "http://www.nyxbone.com/malware/Razy(German).html",
+ "http://nyxbone.com/malware/Razy.html"
+ ]
+ }
+ },
+ {
+ "value": "Rector",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".vscrypt",
+ ".infected",
+ ".bloc",
+ ".korrektor"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/4264"
+ ]
+ }
+ },
+ {
+ "value": "RektLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".rekt"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Readme.txt"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/4264"
+ ]
+ }
+ },
+ {
+ "value": "RemindMe",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".remind",
+ ".crashed"
+ ],
+ "ransomnotes": [
+ "decypt_your_files.html "
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/RemindMe.html",
+ "http://i.imgur.com/gV6i5SN.jpg"
+ ]
+ }
+ },
+ {
+ "value": "Rokku",
+ "description": "Ransomware possibly related with Chimera",
+ "meta": {
+ "extensions": [
+ ".rokku"
+ ],
+ "encryption": "Curve25519 + ChaCha",
+ "ransomnotes": [
+ "README_HOW_TO_UNLOCK.TXT",
+ "README_HOW_TO_UNLOCK.HTML"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "RoshaLock",
+ "description": "Ransomware Stores your files in a password protected RAR file",
+ "meta": {
+ "refs": [
+ "https://twitter.com/siri_urz/status/842452104279134209"
+ ]
+ }
+ },
+ {
+ "value": "Runsomewere",
+ "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/801812325657440256"
+ ]
+ }
+ },
+ {
+ "value": "RussianRoulette",
+ "description": "Ransomware Variant of the Philadelphia ransomware",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/823925410392080385"
+ ]
+ }
+ },
+ {
+ "value": "SADStory",
+ "description": "Ransomware Variant of CryPy",
+ "meta": {
+ "refs": [
+ 
"https://twitter.com/malwrhunterteam/status/845356853039190016"
+ ]
+ }
+ },
+ {
+ "value": "Sage 2.2",
+ "description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.",
+ "meta": {
+ "extensions": [
+ ".sage"
+ ],
+ "refs": [
+ "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate",
+ "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/"
+ ]
+ }
+ },
+ {
+ "value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
+ "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
+ "meta": {
+ "extensions": [
+ ".encryptedAES",
+ ".encryptedRSA",
+ ".encedRSA",
+ ".justbtcwillhelpyou",
+ ".btcbtcbtc",
+ ".btc-help-you",
+ ".only-we_can-help_you",
+ ".iwanthelpuuu",
+ ".notfoundrans",
+ ".encmywork",
+ ".VforVendetta",
+ ".theworldisyours",
+ ".Whereisyourfiles",
+ ".helpmeencedfiles",
+ ".powerfulldecrypt",
+ ".noproblemwedecfiles",
+ ".weareyourfriends",
+ ".otherinformation",
+ ".letmetrydecfiles",
+ ".encryptedyourfiles",
+ ".weencedufiles",
+ ".iaufkakfhsaraf",
+ ".cifgksaffsfyghd"
+ ],
+ "encryption": "AES(256) + RSA(2096)",
+ "ransomnotes": [
+ "HELP_DECRYPT_YOUR_FILES.html",
+ "###-READ-FOR-HELLPP.html",
+ "000-PLEASE-READ-WE-HELP.html",
+ "CHECK-IT-HELP-FILES.html",
+ "WHERE-YOUR-FILES.html",
+ "HELP-ME-ENCED-FILES.html",
+ "WE-MUST-DEC-FILES.html",
+ "000-No-PROBLEM-WE-DEC-FILES.html",
+ "TRY-READ-ME-TO-DEC.html",
+ "000-IF-YOU-WANT-DEC-FILES.html",
+ "LET-ME-TRY-DEC-FILES.html",
+ "001-READ-FOR-DECRYPT-FILES.html",
+ "READ-READ-READ.html",
+ "IF_WANT_FILES_BACK_PLS_READ.html",
+ "READ_READ_DEC_FILES.html"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ 
"http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
+ ]
+ }
+ },
+ {
+ "value": "Sanction",
+ "description": "Ransomware Based on HiddenTear, but heavily modified keygen",
+ "meta": {
+ "extensions": [
+ ".sanction"
+ ],
+ "encryption": "AES-256 + RSA-2096",
+ "ransomnotes": [
+ "DECRYPT_YOUR_FILES.HTML"
+ ]
+ }
+ },
+ {
+ "value": "Sanctions",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".wallet"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "ransomnotes": [
+ "RESTORE_ALL_DATA.html"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/"
+ ]
+ }
+ },
+ {
+ "value": "Sardoninir",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/835955409953357825"
+ ]
+ }
+ },
+ {
+ "value": "Satana",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "Sarah_G@ausi.com___"
+ ],
+ "ransomnotes": [
+ "!satana!.txt"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/",
+ "https://blog.kaspersky.com/satana-ransomware/12558/"
+ ]
+ }
+ },
+ {
+ "value": "Scraper",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/"
+ ]
+ }
+ },
+ {
+ "value": "Serpico",
+ "description": "Ransomware DetoxCrypto Variant",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "http://www.nyxbone.com/malware/Serpico.html"
+ ]
+ }
+ },
+ {
+ "value": "Shark or Atom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Readme.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/",
+ "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/"
+ ]
+ }
+ },
+ {
+ 
"value": "ShinoLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".shino"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/760560147131408384",
+ "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/"
+ ]
+ }
+ },
+ {
+ "value": "Shujin or KinCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "文件解密帮助.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/chineseRansom.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
+ ]
+ }
+ },
+ {
+ "value": "Simple_Encoder",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".~"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "_RECOVER_INSTRUCTIONS.ini"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "SkidLocker / Pompous",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/",
+ "http://www.nyxbone.com/malware/SkidLocker.html"
+ ]
+ }
+ },
+ {
+ "value": "Smash!",
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/"
+ ]
+ }
+ },
+ {
+ "value": "Smrss32",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".encrypted"
+ ],
+ "ransomnotes": [
+ "_HOW_TO_Decrypt.bmp"
+ ]
+ }
+ },
+ {
+ "value": "SNSLocker",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".RSNSlocked",
+ ".RSplited"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_Me.txt"
+ ],
+ "refs": [
+ "http://nyxbone.com/malware/SNSLocker.html",
+ 
"http://nyxbone.com/images/articulos/malware/snslocker/16.png"
+ ]
+ }
+ },
+ {
+ "value": "Sport",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".sport"
+ ]
+ }
+ },
+ {
+ "value": "Stampado",
+ "description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Random message includes bitcoin wallet address with instructions"
+ ],
+ "refs": [
+ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
+ "http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/",
+ "https://decrypter.emsisoft.com/stampado",
+ "https://cdn.streamable.com/video/mp4/kfh3.mp4",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/"
+ ]
+ }
+ },
+ {
+ "value": "Strictor",
+ "description": "Ransomware Based on EDA2, shows Guy Fawkes mask",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.nyxbone.com/malware/Strictor.html"
+ ]
+ }
+ },
+ {
+ "value": "Surprise",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".surprise",
+ ".tzu"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "DECRYPTION_HOWTO.Notepad"
+ ]
+ }
+ },
+ {
+ "value": "Survey",
+ "description": "Ransomware Still in development, shows FileIce survey",
+ "meta": {
+ "ransomnotes": [
+ "ThxForYurTyme.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
+ ]
+ }
+ },
+ {
+ "value": "SynoLocker",
+ "description": "Ransomware Exploited Synology NAS firmware directly over WAN"
+ },
+ {
+ "value": "SZFLocker",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".szf"
+ ],
+ "refs": [
+ 
"http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/"
+ ]
+ }
+ },
+ {
+ "value": "TeamXrat",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".___xratteamLucked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Como descriptografar os seus arquivos.txt"
+ ],
+ "refs": [
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
+ "description": "Ransomware Factorization",
+ "meta": {
+ "extensions": [
+ ".vvv",
+ ".ecc",
+ ".exx",
+ ".ezz",
+ ".abc",
+ ".aaa",
+ ".zzz",
+ ".xyz"
+ ],
+ "ransomnotes": [
+ "HELP_TO_SAVE_FILES.txt",
+ "Howto_RESTORE_FILES.html"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.talosintel.com/teslacrypt_tool/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 3.0+",
+ "description": "Ransomware 4.0+ has no extension",
+ "meta": {
+ "extensions": [
+ ".micro",
+ ".xxx",
+ ".ttt",
+ ".mp3"
+ ],
+ "encryption": "AES-256 + ECHD + SHA1",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 4.1A",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES-256 + ECHD + SHA1",
+ "ransomnotes": [
+ "RECOVER<5_chars>.html",
+ "RECOVER<5_chars>.png",
+ "RECOVER<5_chars>.txt",
+ "_how_recover+.txt or .html",
+ "help_recover_instructions+.BMP or .html or .txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
+ "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
+ "HELP_RESTORE_FILES_.TXT , e.g. 
help_restore_files_kksli.bmp",
+ "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
+ "HELP_TO_SAVE_FILES.txt or .bmp"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
+ "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
+ ]
+ }
+ },
+ {
+ "value": "TeslaCrypt 4.2",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "RECOVER<5_chars>.html",
+ "RECOVER<5_chars>.png",
+ "RECOVER<5_chars>.txt",
+ "_how_recover+.txt or .html",
+ "help_recover_instructions+.BMP or .html or .txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
+ "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
+ "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
+ "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
+ "HELP_TO_SAVE_FILES.txt or .bmp"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
+ "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
+ "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
+ "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/"
+ ]
+ }
+ },
+ {
+ "value": "Threat Finder",
+ "description": "Ransomware Files cannot be decrypted Has a GUI",
+ "meta": {
+ "ransomnotes": [
+ "HELP_DECRYPT.HTML"
+ ]
+ }
+ },
+ {
+ "value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
+ "description": "Ransomware Newer variants not decryptable. 
Only first 2 MB are encrypted",
+ "meta": {
+ "extensions": [
+ ".Encrypted",
+ ".enc"
+ ],
+ "encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt",
+ "ransomnotes": [
+ "HOW_TO_RESTORE_FILES.html",
+ "DECRYPT_INSTRUCTIONS.html",
+ "DESIFROVANI_POKYNY.html",
+ "INSTRUCCIONES_DESCIFRADO.html",
+ "ISTRUZIONI_DECRITTAZIONE.html",
+ "ENTSCHLUSSELN_HINWEISE.html",
+ "ONTSLEUTELINGS_INSTRUCTIES.html",
+ "INSTRUCTIONS_DE_DECRYPTAGE.html",
+ "SIFRE_COZME_TALIMATI.html",
+ "wie_zum_Wiederherstellen_von_Dateien.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
+ "https://twitter.com/PolarToffee/status/804008236600934403",
+ "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html"
+ ]
+ }
+ },
+ {
+ "value": "TowerWeb",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Payment_Instructions.jpg"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/"
+ ]
+ }
+ },
+ {
+ "value": "Toxcrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".toxcrypt"
+ ],
+ "ransomnotes": [
+ "tox.html"
+ ]
+ }
+ },
+ {
+ "value": "Trojan or BrainCrypt",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".braincrypt"
+ ],
+ "ransomnotes": [
+ "!!! 
HOW TO DECRYPT FILES !!!.txt"
+ ],
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip",
+ "https://twitter.com/PolarToffee/status/811249250285842432"
+ ]
+ }
+ },
+ {
+ "value": "Troldesh orShade, XTBL",
+ "description": "Ransomware May download additional malware after encryption",
+ "meta": {
+ "extensions": [
+ ".breaking_bad",
+ ".better_call_saul",
+ ".xtbl",
+ ".da_vinci_code",
+ ".windows10",
+ ".no_more_ransom"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "README.txt",
+ "nomoreransom_note_original.txt"
+ ],
+ "refs": [
+ "https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf",
+ "http://www.nyxbone.com/malware/Troldesh.html",
+ "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/"
+ ]
+ }
+ },
+ {
+ "value": "TrueCrypter",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/"
+ ]
+ }
+ },
+ {
+ "value": "Turkish",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".sifreli"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/821991600637313024"
+ ]
+ }
+ },
+ {
+ "value": "Turkish Ransom",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/turkishRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "UmbreCrypt",
+ "description": "Ransomware CrypBoss Family",
+ "meta": {
+ "extensions": [
+ "umbrecrypt_ID_[VICTIMID]"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "README_DECRYPT_UMBRE_ID_[victim_id].jpg",
+ "README_DECRYPT_UMBRE_ID_[victim_id].txt",
+ "default32643264.bmp",
+ "default432643264.jpg"
+ ],
+ "refs": [
+ 
"http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware"
+ ]
+ }
+ },
+ {
+ "value": "UnblockUPC",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Files encrypted.txt"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/"
+ ]
+ }
+ },
+ {
+ "value": "Ungluk",
+ "description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key",
+ "meta": {
+ "extensions": [
+ ".H3LL",
+ ".0x0",
+ ".1999"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "READTHISNOW!!!.txt",
+ "Hellothere.txt",
+ "YOUGOTHACKED.TXT"
+ ]
+ }
+ },
+ {
+ "value": "Unlock92 ",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".CRRRT",
+ ".CCCRRRPPP"
+ ],
+ "ransomnotes": [
+ "READ_ME_!.txt"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/839038399944224768"
+ ]
+ }
+ },
+ {
+ "value": "VapeLauncher",
+ "description": "Ransomware CryptoWire variant",
+ "meta": {
+ "refs": [
+ "https://twitter.com/struppigel/status/839771195830648833"
+ ]
+ }
+ },
+ {
+ "value": "VaultCrypt or CrypVault, Zlader",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".vault",
+ ".xort",
+ ".trun"
+ ],
+ "encryption": "uses gpg.exe",
+ "ransomnotes": [
+ "VAULT.txt",
+ "xort.txt",
+ "trun.txt",
+ ".hta | VAULT.hta"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/russianRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "VBRANSOM 7",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".VBRANSOM"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/817851339078336513"
+ ]
+ }
+ },
+ {
+ "value": "VenusLocker",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".Venusf",
+ ".Venusp"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "ReadMe.txt"
+ ],
+ "refs": [
+ 
"https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social",
+ "http://www.nyxbone.com/malware/venusLocker.html"
+ ]
+ }
+ },
+ {
+ "value": "Virlock",
+ "description": "Ransomware Polymorphism / Self-replication",
+ "meta": {
+ "extensions": [
+ ".exe"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/Virlock.html",
+ "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
+ ]
+ }
+ },
+ {
+ "value": "Virus-Encoder or CrySiS",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".CrySiS",
+ ".xtbl",
+ ".crypt",
+ ".DHARMA",
+ ".id-########.decryptformoney@india.com.xtbl",
+ ".[email_address].DHARMA"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "How to decrypt your data.txt"
+ ],
+ "refs": [
+ "http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/",
+ "http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip",
+ "http://www.nyxbone.com/malware/virus-encoder.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/"
+ ]
+ }
+ },
+ {
+ "value": "WildFire Locker or Hades Locker",
+ "description": "Ransomware Zyklon variant",
+ "meta": {
+ "extensions": [
+ ".wflx"
+ ],
+ "ransomnotes": [
+ "HOW_TO_UNLOCK_FILES_README_().txt"
+ ],
+ "refs": [
+ "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
+ ]
+ }
+ },
+ {
+ "value": "Xorist",
+ "description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length",
+ "meta": {
+ "extensions": [
+ ".EnCiPhErEd",
+ ".73i87A",
+ ".p5tkjw",
+ ".PoAr2w",
+ ".fileiscryptedhard",
+ ".encoderpass",
+ ".zc3791",
+ ".antihacker2017"
+ ],
+ "encryption": "XOR or TEA",
+ "ransomnotes": [
+ "HOW TO DECRYPT FILES.TXT"
+ ],
+ "refs": [
+ "https://support.kaspersky.com/viruses/disinfection/2911",
+ 
"https://decrypter.emsisoft.com/xorist"
+ ]
+ }
+ },
+ {
+ "value": "XRTN ",
+ "description": "Ransomware VaultCrypt family",
+ "meta": {
+ "extensions": [
+ ".xrtn"
+ ]
+ }
+ },
+ {
+ "value": "You Have Been Hacked!!!",
+ "description": "Ransomware Attempt to steal passwords",
+ "meta": {
+ "extensions": [
+ ".Locked"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/808280549802418181"
+ ]
+ }
+ },
+ {
+ "value": "Zcrypt or Zcryptor",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zcrypt"
+ ],
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/"
+ ]
+ }
+ },
+ {
+ "value": "Zeta or CryptoMix",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".code",
+ ".scl",
+ ".rmd"
+ ],
+ "ransomnotes": [
+ "# HELP_DECRYPT_YOUR_FILES #.TXT"
+ ],
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/804009831518572544"
+ ]
+ }
+ },
+ {
+ "value": "Zimbra",
+ "description": "Ransomware mpritsken@priest.com",
+ "meta": {
+ "extensions": [
+ ".crypto"
+ ],
+ "ransomnotes": [
+ "how.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/"
+ ]
+ }
+ },
+ {
+ "value": "Zlader / Russian or VaultCrypt, CrypVault",
+ "description": "Ransomware VaultCrypt family",
+ "meta": {
+ "extensions": [
+ ".vault"
+ ],
+ "encryption": "RSA",
+ "refs": [
+ "http://www.nyxbone.com/malware/russianRansom.html"
+ ]
+ }
+ },
+ {
+ "value": "Zorro",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".zorro"
+ ],
+ "ransomnotes": [
+ "Take_Seriously (Your saving grace).txt"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/844538370323812353"
+ ]
+ }
+ },
+ {
+ "value": "Zyklon or GNL Locker",
+ "description": "Ransomware Hidden Tear family, GNL Locker variant",
+ "meta": {
+ "extensions": [
+ ".zyklon"
+ ]
+ }
+ },
+ {
+ "value": "vxLock",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ 
".vxLock"
+ ]
+ }
 }
 ],
 "source": "Various",