From da331d6ca6a75ca4a20a56e78194c24227f12811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A9borah=20Servili?=
Date: Mon, 30 Jan 2017 15:45:20 +0100
Subject: [PATCH] add ransomware galaxy
---
 clusters/ransomware.json | 865 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 865 insertions(+)
 create mode 100644 clusters/ransomware.json
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
new file mode 100644
index 0000000..d8943dd
--- /dev/null
+++ b/clusters/ransomware.json
@@ -0,0 +1,865 @@
+{
+ "authors": [
+ "authorname"
+ ],
+ "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
+ "type": "ransomware",
+ "version": 1,
+ "name": "Ransomware",
+ "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
+ "values": [
+ {
+ "description": "AES(256); .enc; ",
+ "value": ".CryptoHasYou."
+ },
+ {
+ "description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ",
+ "value": "777"
+ },
+ {
+ "description": "7ev3n-HONE$T; .R4A .R5A; ",
+ "value": "7ev3n"
+ },
+ {
+ "description": "AES; .7h9r; ",
+ "value": "7h9r"
+ },
+ {
+ "description": "AES (256); .8lock8; ",
+ "value": "8lock8"
+ },
+ {
+ "description": ".bin; ",
+ "value": "Alfa Ransomware"
+ },
+ {
+ "description": "AES(128); random; random(x5); ",
+ "value": "Alma Ransomware"
+ },
+ {
+ "description": "AlphaLocker; AES(256); .encrypt; ",
+ "value": "Alpha Ransomware"
+ },
+ {
+ "description": ".amba; ",
+ "value": "AMBA"
+ },
+ {
+ "description": ".adk; ",
+ "value": "Angry Duck"
+ },
+ {
+ "description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ",
+ "value": "Apocalypse"
+ },
+ {
+ "description": ".encrypted .locked; ",
+ "value": "ApocalypseVM"
+ },
+ {
+ "description": ".locky; ",
+ "value": "AutoLocky"
+ },
+ {
+ "description": "",
+ "value": "BadBlock"
+ },
+ {
+ "description": ".adr; ",
+ "value": "BaksoCrypt"
+ },
+ {
+ "description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ",
+ "value": "Bandarchor"
+ },
+ {
+ "description": "BaCrypt; .bart.zip .bart .perl; ",
+ "value": "Bart"
+ },
+ {
+ "description": ".clf; ",
+ "value": "BitCryptor"
+ },
+ {
+ "description": "Base64 + String Replacement; .bitstak; ",
+ "value": "BitStak"
+ },
+ {
+ "description": "SilentShade; AES (256); .Silent; ",
+ "value": "BlackShades Crypter"
+ },
+ {
+ "description": "AES (256); .blocatto; ",
+ "value": "Blocatto"
+ },
+ {
+ "description": "Salam!; ",
+ "value": "Booyah"
+ },
+ {
+ "description": "AES(256); .lock; ",
+ "value": "Brazilian"
+ },
+ {
+ "description": "AES; ",
+ "value": "BrLock"
+ },
+ {
+ "description": "",
+ "value": "Browlock"
+ },
+ {
+ "description": "GOST; ; ",
+ "value": "Bucbi"
+ },
+ {
+ "description": "(.*).encoded.([A-Z0-9]{9}); ",
+ "value": "BuyUnlockCode"
+ },
+ {
+ "description": ".cry; ",
+ "value": "Central Security Treatment Organization"
+ },
+ {
+ "description": "AES; .cerber .cerber2 .cerber3; ",
+ "value": "Cerber"
+ },
+ {
+ "description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ",
+ "value": "Chimera"
+ },
+ {
+ "description": ".clf; ",
+ "value": "CoinVault"
+ },
+ {
+ "description": "AES(256); .coverton .enigma .czvxce; ",
+ "value": "Coverton"
+ },
+ {
+ "description": ".{CRYPTENDBLACKDC}; ",
+ "value": "Cryaki"
+ },
+ {
+ "description": "",
+ "value": "Crybola"
+ },
+ {
+ "description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ",
+ "value": "CryFile"
+ },
+ {
+ "description": "Cry, CSTO; .cry; ",
+ "value": "CryLocker"
+ },
+ {
+ "description": "AES(256); ",
+ "value": "CrypMIC"
+ },
+ {
+ "description": ".ENCRYPTED; ",
+ "value": "Crypren"
+ },
+ {
+ "description": "AES; .crypt38; ",
+ "value": "Crypt38"
+ },
+ {
+ "description": "Hidden Tear; AES(256); ",
+ "value": "Cryptear"
+ },
+ {
+ "description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ",
+ "value": "CryptFIle2"
+ },
+ {
+ "description": ".crinf; ",
+ "value": "CryptInfinite"
+ },
+ {
+ "description": "AES and RSA; ",
+ "value": "CryptoBit"
+ },
+ {
+ "description": "",
+ "value": "CryptoDefense"
+ },
+ {
+ "description": "Ranscam; ",
+ "value": "CryptoFinancial"
+ },
+ {
+ "description": "AES (256), RSA (1024); .frtrss; ",
+ "value": "CryptoFortress"
+ },
+ {
+ "description": ".clf; ",
+ "value": "CryptoGraphic Locker"
+ },
+ {
+ "description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ",
+ "value": "CryptoHost"
+ },
+ {
+ "description": "AES-256; .crjoker; ",
+ "value": "CryptoJoker"
+ },
+ {
+ "description": ".encrypted .ENC; ",
+ "value": "CryptoLocker"
+ },
+ {
+ "description": "[A-F0-9]{8}_luck; ",
+ "value": "CryptoLuck / YafunnLocker"
+ },
+ {
+ "description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ",
+ "value": "CryptoMix"
+ },
+ {
+ "description": "AES; .crptrgr; ",
+ "value": "CryptoRoger"
+ },
+ {
+ "description": "AES; .locked; ",
+ "value": "CryptoShocker"
+ },
+ {
+ "description": ".CryptoTorLocker2015!; ",
+ "value": "CryptoTorLocker2015"
+ },
+ {
+ "description": "no filename change; ",
+ "value": "CryptoWall 1"
+ },
+ {
+ "description": "no filename change; ",
+ "value": "CryptoWall 2"
+ },
+ {
+ "description": "no filename change; ",
+ "value": "CryptoWall 3"
+ },
+ {
+ "description": "., e.g., 27p9k967z.x1nep; ",
+ "value": "CryptoWall 4"
+ },
+ {
+ "description": "CryptProjectXXX; .crypt; ",
+ "value": "CryptXXX"
+ },
+ {
+ "description": "CryptProjectXXX; .crypt; ",
+ "value": "CryptXXX 2.0"
+ },
+ {
+ "description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ",
+ "value": "CryptXXX 3.0"
+ },
+ {
+ "description": ".cryp1; ",
+ "value": "CryptXXX 3.1"
+ },
+ {
+ "description": "",
+ "value": "CTB-Faker"
+ },
+ {
+ "description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ",
+ "value": "CTB-Locker"
+ },
+ {
+ "description": "AES(256); ",
+ "value": "CTB-Locker WEB"
+ },
+ {
+ "description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ",
+ "value": "CuteRansomware"
+ },
+ {
+ "description": "",
+ "value": "Deadly for a Good Purpose"
+ },
+ {
+ "description": ".html; ",
+ "value": "DeCrypt Protect"
+ },
+ {
+ "description": "AES-256; .ded; ",
+ "value": "DEDCryptor"
+ },
+ {
+ "description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ",
+ "value": "DetoxCrypto"
+ },
+ {
+ "description": "",
+ "value": "DirtyDecrypt"
+ },
+ {
+ "description": "AES(256) in ECB mode, Version 2-4 also RSA; ",
+ "value": "DMALocker"
+ },
+ {
+ "description": "AES(256); ",
+ "value": "DMALocker 3.0"
+ },
+ {
+ "description": "AES(256); .domino; ",
+ "value": "Domino"
+ },
+ {
+ "description": "Cryptear; AES(256); .locked; ",
+ "value": "EDA2 / HiddenTear"
+ },
+ {
+ "description": "EduCrypter; .isis .locked; ",
+ "value": "EduCrypt"
+ },
+ {
+ "description": "Los Pollos Hermanos; .ha3; ",
+ "value": "El-Polocker"
+ },
+ {
+ "description": "Trojan.Encoder.6491; ",
+ "value": "Encoder.xxxx"
+ },
+ {
+ "description": "AES (128); .enigma .1txt; ",
+ "value": "Enigma"
+ },
+ {
+ "description": ".exotic; ",
+ "value": "Exotic"
+ },
+ {
+ "description": "",
+ "value": "Fairware"
+ },
+ {
+ "description": ".locked; ",
+ "value": "Fakben"
+ },
+ {
+ "description": "Variants: Comrade Circle; AES(128); .fantom; ",
+ "value": "Fantom"
+ },
+ {
+ "description": "",
+ "value": "Fonco"
+ },
+ {
+ "description": "",
+ "value": "FSociety"
+ },
+ {
+ "description": "",
+ "value": "Fury"
+ },
+ {
+ "description": "AES (256); .Z81928819; ",
+ "value": "GhostCrypt"
+ },
+ {
+ "description": "Purge; Blowfish; .purge; ",
+ "value": "Globe v1"
+ },
+ {
+ "description": "Purge; Blowfish; .. e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ",
+ "value": "Globe v2"
+ },
+ {
+ "description": "Purge; RC4; .globe or random; ",
+ "value": "Globe v3"
+ },
+ {
+ "description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; .locked, e.g., bill.!ID!8MMnF!ID!.locked; ",
+ "value": "GNL Locker"
+ },
+ {
+ "description": ".crypt; !___[EMAILADDRESS]_.crypt; ",
+ "value": "Gomasom"
+ },
+ {
+ "description": "",
+ "value": "Goopic"
+ },
+ {
+ "description": "",
+ "value": "Gopher"
+ },
+ {
+ "description": ".html; ",
+ "value": "Harasom"
+ },
+ {
+ "description": "Mamba; Custom (net shares), XTS-AES (disk); ",
+ "value": "HDDCryptor"
+ },
+ {
+ "description": ".herbst; ",
+ "value": "Herbst"
+ },
+ {
+ "description": "AES(256); .cry ; ",
+ "value": "Hi Buddy!"
+ },
+ {
+ "description": "removes extensions; ",
+ "value": "Hitler"
+ },
+ {
+ "description": "AES; (encrypted); ",
+ "value": "HolyCrypt"
+ },
+ {
+ "description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ",
+ "value": "Hucky"
+ },
+ {
+ "description": "hydracrypt_ID_[\\w]{8}; ",
+ "value": "HydraCrypt"
+ },
+ {
+ "description": ".crime; ",
+ "value": "iLock"
+ },
+ {
+ "description": ".crime; ",
+ "value": "iLockLight"
+ },
+ {
+ "description": "<6 random characters>; ",
+ "value": "International Police Association"
+ },
+ {
+ "description": "!ENC; ",
+ "value": "JagerDecryptor"
+ },
+ {
+ "description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ",
+ "value": "Jeiphoos"
+ },
+ {
+ "description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ",
+ "value": "Jigsaw"
+ },
+ {
+ "description": "TripleDES; .locked .css; ",
+ "value": "Job Crypter"
+ },
+ {
+ "description": "AES; .encrypted; ",
+ "value": "KeRanger"
+ },
+ {
+ "description": "keybtc@inbox_com ; ",
+ "value": "KeyBTC"
+ },
+ {
+ "description": "",
+ "value": "KEYHolder"
+ },
+ {
+ "description": ".rip; ",
+ "value": "Killer Locker"
+ },
+ {
+ "description": "AES; .kimcilware .locked; ",
+ "value": "KimcilWare"
+ },
+ {
+ "description": "AES(256); .암호화됨; ",
+ "value": "Korean"
+ },
+ {
+ "description": ".kostya; ",
+ "value": "Kostya"
+ },
+ {
+ "description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ",
+ "value": "Kozy.Jozy"
+ },
+ {
+ "description": ".kratos; ",
+ "value": "KratosCrypt"
+ },
+ {
+ "description": "AES(256); ",
+ "value": "KryptoLocker"
+ },
+ {
+ "description": ".LeChiffre; ",
+ "value": "LeChiffre"
+ },
+ {
+ "description": "Linux.Encoder.{0,3}; ",
+ "value": "Linux.Encoder"
+ },
+ {
+ "description": "",
+ "value": "Locker"
+ },
+ {
+ "description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ",
+ "value": "Locky"
+ },
+ {
+ "description": ".lock93; ",
+ "value": "Lock93"
+ },
+ {
+ "description": ".crime; ",
+ "value": "Lortok"
+ },
+ {
+ "description": "oor.; ",
+ "value": "LowLevel04"
+ },
+ {
+ "description": "",
+ "value": "Mabouia"
+ },
+ {
+ "description": "AES(256); .magic; ",
+ "value": "Magic"
+ },
+ {
+ "description": "AES(256), RSA (2048); [a-z]{4,6}; ",
+ "value": "MaktubLocker"
+ },
+ {
+ "description": "Crypt888; AES; Lock.; ",
+ "value": "MIRCOP"
+ },
+ {
+ "description": "AES(256); .fucked, .fuck; ",
+ "value": "MireWare"
+ },
+ {
+ "description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ",
+ "value": "Mischa"
+ },
+ {
+ "description": "Booyah; AES(256); .locked; ",
+ "value": "MM Locker"
+ },
+ {
+ "description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ",
+ "value": "Mobef"
+ },
+ {
+ "description": "",
+ "value": "n1n1n1"
+ },
+ {
+ "description": "",
+ "value": "Nagini"
+ },
+ {
+ "description": "AES (256), RSA; ",
+ "value": "NanoLocker"
+ },
+ {
+ "description": "XOR(255) 7zip; .crypted; ",
+ "value": "Nemucod"
+ },
+ {
+ "description": "",
+ "value": "NoobCrypt"
+ },
+ {
+ "description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ",
+ "value": "ODCODC"
+ },
+ {
+ "description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ",
+ "value": "Offline ransomware"
+ },
+ {
+ "description": "GPCode; .LOL! .OMG!; ",
+ "value": "OMG! Ransomware"
+ },
+ {
+ "description": "",
+ "value": "Onyx"
+ },
+ {
+ "description": ".EXE; ",
+ "value": "Operation Global III"
+ },
+ {
+ "description": ".padcrypt; ",
+ "value": "PadCrypt"
+ },
+ {
+ "description": "XOR; ",
+ "value": "PClock"
+ },
+ {
+ "description": "Goldeneye; Modified Salsa20; ",
+ "value": "Petya"
+ },
+ {
+ "description": "AES(256); .locked; .locked; ",
+ "value": "Philadelphia"
+ },
+ {
+ "description": ".id-[victim_id]-maestro@pizzacrypts.info; ",
+ "value": "PizzaCrypts"
+ },
+ {
+ "description": "AES(256); .locked; ",
+ "value": "PokemonGO"
+ },
+ {
+ "description": "AES(256); .filock; ",
+ "value": "Popcorn Time"
+ },
+ {
+ "description": "AES(256); ",
+ "value": "Polyglot"
+ },
+ {
+ "description": "PoshCoder; AES(128); .locky; ",
+ "value": "PowerWare"
+ },
+ {
+ "description": "AES, but throws key away, destroys the files; ",
+ "value": "PowerWorm"
+ },
+ {
+ "description": "",
+ "value": "PRISM"
+ },
+ {
+ "description": ".crypt; ",
+ "value": "R980"
+ },
+ {
+ "description": "RAA; .locked; ",
+ "value": "RAA encryptor"
+ },
+ {
+ "description": "AES(256); .RDM .RRK .RAD .RADAMANT; ",
+ "value": "Radamant"
+ },
+ {
+ "description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\\w]{4,12}; ",
+ "value": "Rakhni"
+ },
+ {
+ "description": "locked-.[a-zA-Z]{4}; ",
+ "value": "Rannoh"
+ },
+ {
+ "description": "",
+ "value": "Ransom32"
+ },
+ {
+ "description": "Asymmetric 1024 ; ",
+ "value": "RansomLock"
+ },
+ {
+ "description": ".vscrypt .infected .bloc .korrektor; ",
+ "value": "Rector"
+ },
+ {
+ "description": "AES(256); .rekt; ",
+ "value": "RektLocker"
+ },
+ {
+ "description": ".remind .crashed; ",
+ "value": "RemindMe"
+ },
+ {
+ "description": "Curve25519 + ChaCha; .rokku; ",
+ "value": "Rokku"
+ },
+ {
+ "description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ",
+ "value": "Samas-Samsam"
+ },
+ {
+ "description": "AES(256) + RSA(2096); .sanction; ",
+ "value": "Sanction"
+ },
+ {
+ "description": "Sarah_G@ausi.com___; ",
+ "value": "Satana"
+ },
+ {
+ "description": "",
+ "value": "Scraper"
+ },
+ {
+ "description": "AES; ",
+ "value": "Serpico"
+ },
+ {
+ "description": "Atom; .locked; ",
+ "value": "Shark"
+ },
+ {
+ "description": ".shino; ",
+ "value": "ShinoLocker"
+ },
+ {
+ "description": "KinCrypt; ",
+ "value": "Shujin"
+ },
+ {
+ "description": "AES; .~; ",
+ "value": "Simple_Encoder"
+ },
+ {
+ "description": "AES(256); .locked; ",
+ "value": "SkidLocker / Pompous"
+ },
+ {
+ "description": ".encrypted; ",
+ "value": "Smrss32"
+ },
+ {
+ "description": "AES(256); .RSNSlocked .RSplited; ",
+ "value": "SNSLocker"
+ },
+ {
+ "description": ".sport; ",
+ "value": "Sport"
+ },
+ {
+ "description": "AES(256); .locked; ",
+ "value": "Stampado"
+ },
+ {
+ "description": "AES(256); .locked; ",
+ "value": "Strictor"
+ },
+ {
+ "description": "AES(256); .surprise .tzu; ",
+ "value": "Surprise"
+ },
+ {
+ "description": "",
+ "value": "Survey"
+ },
+ {
+ "description": "",
+ "value": "SynoLocker"
+ },
+ {
+ "description": ".szf; ",
+ "value": "SZFLocker"
+ },
+ {
+ "description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ",
+ "value": "TeleCrypt"
+ },
+ {
+ "description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ",
+ "value": "TeslaCrypt 0.x - 2.2.0"
+ },
+ {
+ "description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ",
+ "value": "TeslaCrypt 3.0+"
+ },
+ {
+ "description": "AES(256) + ECHD + SHA1; ",
+ "value": "TeslaCrypt 4.1A"
+ },
+ {
+ "description": "",
+ "value": "TeslaCrypt 4.2"
+ },
+ {
+ "description": "",
+ "value": "Threat Finder"
+ },
+ {
+ "description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ",
+ "value": "TorrentLocker"
+ },
+ {
+ "description": "",
+ "value": "TowerWeb"
+ },
+ {
+ "description": ".toxcrypt; ",
+ "value": "Toxcrypt"
+ },
+ {
+ "description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ",
+ "value": "Troldesh"
+ },
+ {
+ "description": "AES(256); .enc; ",
+ "value": "TrueCrypter"
+ },
+ {
+ "description": "AES(256); .locked; ",
+ "value": "Turkish Ransom"
+ },
+ {
+ "description": "AES; umbrecrypt_ID_[VICTIMID]; ",
+ "value": "UmbreCrypt"
+ },
+ {
+ "description": "AES; .H3LL .0x0 .1999; ",
+ "value": "Ungluk"
+ },
+ {
+ "description": ".CRRRT .CCCRRRPPP; ",
+ "value": "Unlock92"
+ },
+ {
+ "description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ",
+ "value": "VaultCrypt"
+ },
+ {
+ "description": "",
+ "value": "VenisRansomware"
+ },
+ {
+ "description": "AES(256); .Venusf .Venusp; ",
+ "value": "VenusLocker"
+ },
+ {
+ "description": ".exe; ",
+ "value": "Virlock"
+ },
+ {
+ "description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ",
+ "value": "Virus-Encoder"
+ },
+ {
+ "description": ".wflx; ",
+ "value": "WildFire Locker"
+ },
+ {
+ "description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ",
+ "value": "Xorist"
+ },
+ {
+ "description": ".xrtn; ",
+ "value": "XRTN "
+ },
+ {
+ "description": "Zcryptor; .zcrypt; ",
+ "value": "Zcrypt"
+ },
+ {
+ "description": ".crypto; ",
+ "value": "Zimbra"
+ },
+ {
+ "description": "VaultCrypt CrypVault; RSA; .vault; ",
+ "value": "Zlader / Russian"
+ },
+ {
+ "description": "GNL Locker; .zyklon; ",
+ "value": "Zyklon"
+ }
+ ],
+ "source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml"
+}
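Review bot: `"value": "XRTN "` in the last run of entries carries a trailing space, so this cluster name will not match the same name typed without it and will differ from every other value in the file; it should read `"value": "XRTN"`. `"authors": ["authorname"]` at the top of the file is still the template placeholder and should name the actual contributor before this is merged. Every `description` packs aliases, cipher and file-extension data into one semicolon-separated string (e.g. `"AES(256); .enc; "`) and a number of entries emit `""`, which consumers cannot query reliably; the galaxy `meta` object with `synonyms` and `refs` would hold aliases and the spreadsheet link as structured fields, and an empty description is better omitted than written as `""`. Several descriptions are filename patterns rather than prose (`"[A-F0-9]{8}_luck; "`, `"hydracrypt_ID_[\\w]{8}; "`), so the top-level `description` should state that these are patterns, not literal names, for anyone building detections from this file.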