mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-12-02 11:47:18 +00:00
8143 lines
344 KiB
JSON
8143 lines
344 KiB
JSON
{
|
||
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
|
||
"type": "ransomware",
|
||
"version": 1,
|
||
"name": "Ransomware",
|
||
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
|
||
"source": "Various",
|
||
"values": [
|
||
{
|
||
"value": "Nhtnwcuf Ransomware (Fake)",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
"RANDOM 3 LETTERS ARE ADDED"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoJacky Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
"RANDOM 3 LETTERS ARE ADDED"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html",
|
||
"https://twitter.com/jiriatvirlab/status/838779371750031360"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kaenlupuf Ransomware",
|
||
"description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EnjeyCrypter Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
"example:.encrypted.contact_here_me@india.com.enjey"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/",
|
||
"https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Dangerous Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Vortex Ransomware or Ŧl๏tєгค гคภร๏๓ฬคгє",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".aes"
|
||
],
|
||
"ransomnotes": [
|
||
"Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID ="
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html",
|
||
"https://twitter.com/struppigel/status/839778905091424260"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GC47 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".fuck_you"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RozaLocker Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".enc",
|
||
".ENC"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html",
|
||
"https://twitter.com/jiriatvirlab/status/840863070733885440"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoMeister Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GG Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".GG"
|
||
],
|
||
"encryption": "AES-128",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Project34 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".Project34"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU",
|
||
"ПАРОЛЬ.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PetrWrap Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
|
||
"https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Karmen Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".grt"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
|
||
"https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/841747002438361089"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Revenge Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".REVENGE"
|
||
],
|
||
"encryption": "AES-256 + RSA-1024",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
|
||
"===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
|
||
"# !!!HELP_FILE!!! #.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
|
||
"https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Turkish FileEncryptor Ransomware or Fake CTB-Locker",
|
||
"description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg",
|
||
"FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.",
|
||
"Beni Oku.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html",
|
||
"https://twitter.com/JakubKroustek/status/842034887397908480"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kirk Ransomware & Spock Decryptor",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".kirked",
|
||
".Kirked"
|
||
],
|
||
"encryption": "AES+RSA",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png",
|
||
"!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER",
|
||
"RANSOM_NOTE.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
|
||
"https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/",
|
||
"http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html",
|
||
"http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges",
|
||
"https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/",
|
||
"https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ZinoCrypt Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".ZINO"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg",
|
||
"ZINO_NOTE.TXT"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html",
|
||
"https://twitter.com/demonslay335?lang=en",
|
||
"https://twitter.com/malwrhunterteam/status/842781575410597894"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crptxxx Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".crptxxx"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png",
|
||
"HOW_TO_FIX_!.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84",
|
||
"http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc",
|
||
"https://twitter.com/malwrhunterteam/status/839467168760725508"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MOTD Ransomware",
|
||
"description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
|
||
"motd.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/",
|
||
"https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoDevil Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".devil"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg",
|
||
"https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html",
|
||
"https://twitter.com/PolarToffee/status/843527738774507522"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FabSysCrypto Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html",
|
||
"https://twitter.com/struppigel/status/837565766073475072"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Lock2017 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
"[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is"
|
||
],
|
||
"encryption": "AES+RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RedAnts Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".Horas-Bah"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ConsoleApplication1 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KRider Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "March 2017",
|
||
"extensions": [
|
||
".kr3"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/836995570384453632"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CYR-Locker Ransomware (FAKE)",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DotRansomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***",
|
||
"https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Unlock26 Ransomware",
|
||
"description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".locked-[3_random_chars]"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png",
|
||
"https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png",
|
||
"ReadMe-[3_random_chars].html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PicklesRansomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".EnCrYpTeD"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"READ_ME_TO_DECRYPT.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html",
|
||
"https://twitter.com/JakubKroustek/status/834821166116327425"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Vanguard Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "ChaCha20 and Poly1305",
|
||
"ransomnotes": [
|
||
"NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html",
|
||
"https://twitter.com/JAMESWT_MHT/status/834783231476166657"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PyL33T Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".d4nk"
|
||
],
|
||
"encryption": "ChaCha20 and Poly1305",
|
||
"ransomnotes": [
|
||
"ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** "
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html",
|
||
"https://twitter.com/Jan0fficial/status/834706668466405377"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TrumpLocker Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".trumplockerf",
|
||
".TheTrumpLockerf",
|
||
".TheTrumpLockerfp"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg",
|
||
"What happen to my files.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/",
|
||
"https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Damage Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".damage"
|
||
],
|
||
"encryption": "AES-128 OR Combination of SHA-1 and Blowfish",
|
||
"ransomnotes": [
|
||
"TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html",
|
||
"https://decrypter.emsisoft.com/damage",
|
||
"https://twitter.com/demonslay335/status/835664067843014656"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "XYZWare Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
"your files get marked with: “youarefucked”"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/833636006721122304"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "YouAreFucked Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
"your files get marked with: “youarefucked”"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png"
|
||
],
|
||
"refs": [
|
||
"https://www.enigmasoftware.com/youarefuckedransomware-removal/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptConsole 2.0 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png",
|
||
"How decrypt files.hta"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BarRax Ransomware or BarRaxCrypt Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".barRex",
|
||
".BarRax"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html",
|
||
"https://twitter.com/demonslay335/status/835668540367777792"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLocker by NTK Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "UserFilesLocker Ransomware or CzechoSlovak Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".ENCR"
|
||
],
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)",
|
||
"https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AvastVirusinfo Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".A9v9Ahu4-000"
|
||
],
|
||
"encryption": "AES-256+RSA",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017_03_01_archive.html",
|
||
"https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FabSysCrypto Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SuchSecurity Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PleaseRead Ransomware or VHDLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kasiski Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
"[KASISKI]"
|
||
],
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg",
|
||
"INSTRUCCIONES.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
|
||
"https://twitter.com/MarceloRivero/status/832302976744173570",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fake Locky Ransomware or Locky Impersonator Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/",
|
||
"https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html",
|
||
"https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoShield 1.0 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMix family.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
|
||
],
|
||
"encryption": "AES(256)/ROT-13",
|
||
"ransomnotes": [
|
||
"# RESTORING FILES #.txt",
|
||
"# RESTORING FILES #.html",
|
||
"https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Hermes Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
|
||
"https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png",
|
||
"DECRYPT_INFORMATION.html",
|
||
"UNIQUE_ID_DO_NOT_REMOVE"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/",
|
||
"https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/",
|
||
"https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LoveLock Ransomware or Love2Lock Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".hasp"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Wcry Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".wcry"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DUMB Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
|
||
"https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html",
|
||
"https://twitter.com/bleepincomputer/status/816053140147597312?lang=en"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "X-Files",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".b0C",
|
||
".b0C.x"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017_02_01_archive.html",
|
||
"https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Polski Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".aes"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "YourRansom Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)",
|
||
"meta": {
|
||
"date": "February 2016",
|
||
"extensions": [
|
||
".yourransom"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png",
|
||
"README.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/",
|
||
"https://twitter.com/_ddoxer/status/827555507741274113"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ranion RaasRansomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service",
|
||
"meta": {
|
||
"date": "February 2016",
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html",
|
||
"https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Potato Ransomware",
|
||
"description": "Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".potato"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"How to recover my files.txt",
|
||
"README.png",
|
||
"README.html",
|
||
"https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)",
|
||
"description": "This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
|
||
"meta": {
|
||
"date": "December 2016/January 2017",
|
||
"extensions": [
|
||
".-opentoyou@india.com"
|
||
],
|
||
"encryption": "RC4",
|
||
"ransomnotes": [
|
||
"!!!.txt",
|
||
"1.bmp",
|
||
"1.jpg",
|
||
"https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg",
|
||
"Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RansomPlus",
|
||
"description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"YOUR FILES ARE ENCRYPTED!!!.txt",
|
||
"https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
|
||
"YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool."
|
||
],
|
||
"refs": [
|
||
"http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
|
||
"https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
|
||
"https://twitter.com/jiriatvirlab/status/825411602535088129"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptConsole",
|
||
"description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ",
|
||
".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"How decrypt files.hta",
|
||
"Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
|
||
"https://twitter.com/PolarToffee/status/824705553201057794"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ZXZ Ramsomware",
|
||
"description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".zxz"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310",
|
||
"https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "",
|
||
"description": "",
|
||
"meta": {
|
||
"date": "",
|
||
"extensions": [
|
||
""
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
""
|
||
],
|
||
"refs": [
|
||
""
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VxLock Ransomware",
|
||
"description": "Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".vxlock"
|
||
],
|
||
"encryption": "AES+RSA",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FunFact Ransomware",
|
||
"description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES+RSA",
|
||
"ransomnotes": [
|
||
"note.iti",
|
||
"Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
|
||
"http://www.enigmasoftware.com/funfactransomware-removal/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ZekwaCrypt Ransomware",
|
||
"description": "First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".<7_random_letters>"
|
||
],
|
||
"encryption": "AES+RSA",
|
||
"ransomnotes": [
|
||
"encrypted_readme.txt",
|
||
"_<encrypt extensions>_encrypted_readme.txt",
|
||
"https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png",
|
||
"WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
|
||
"http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sage 2.0 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".sage"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
|
||
"https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png",
|
||
"!Recovery_[3_random_chars].html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html",
|
||
"https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
|
||
"http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom",
|
||
"https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/",
|
||
"https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CloudSword Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"Warning警告.html",
|
||
"https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html",
|
||
"http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/",
|
||
"https://twitter.com/BleepinComputer/status/822653335681593345"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DN or DoNotOpen Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".killedXXX"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg",
|
||
"https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GarryWeber Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".id-<ID>_garryweber@protonmail.ch"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"HOW_OPEN_FILES.html",
|
||
"https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg",
|
||
"https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/garryweber.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Satan Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".stn"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png",
|
||
"HELP_DECRYPT_FILES.html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html",
|
||
"https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/",
|
||
"https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
|
||
"https://twitter.com/Xylit0l/status/821757718885236740",
|
||
"https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Havoc or HavocCrypt Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".HavocCrypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoSweetTooth Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"IMPORTANTE_LEER.html",
|
||
"RECUPERAR_ARCHIVOS.html",
|
||
"https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html",
|
||
"http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kaandsona Ransomware or RansomTroll Ransomware or Käändsõna Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".kencf"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png",
|
||
"You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html",
|
||
"https://twitter.com/BleepinComputer/status/819927858437099520"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LambdaLocker Ransomware",
|
||
"description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".lambda_l0cked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_IT.hTmL",
|
||
"https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html",
|
||
"http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NMoreia 2.0 Ransomware or HakunaMatataRansomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".HakunaMatata"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"Recovers files yako.html",
|
||
"https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html",
|
||
"https://id-ransomware.blogspot.co.il/2016_03_01_archive.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Marlboro Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".oops"
|
||
],
|
||
"encryption": "XOR",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
|
||
"https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
|
||
"_HELP_Recover_Files_.html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
|
||
"https://decrypter.emsisoft.com/marlboro",
|
||
"https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Spora Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES+RSA",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png",
|
||
"[Infection-ID].HTML"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html",
|
||
"https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware",
|
||
"http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoKill Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".crypto"
|
||
],
|
||
"encryption": "AES+RSA",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "All_Your_Documents Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
"AES+RSA"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SerbRansom 2017 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".velikasrbija"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg",
|
||
"https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html",
|
||
"https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/",
|
||
"https://twitter.com/malwrhunterteam/status/830116190873849856"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fadesoft Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/829768819031805953",
|
||
"https://twitter.com/malwrhunterteam/status/838700700586684416"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HugeMe Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".encypted"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html",
|
||
"https://www.ozbargain.com.au/node/228888?page=3",
|
||
"https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DynA-Crypt Ransomware or DynA CryptoLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Serpent 2017 Ransomware or Serpent Danish Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Erebus 2017 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "ROT-23",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg",
|
||
"README.HTML"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cyber Drill Exercise or Ransomuhahawhere",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cancer Ransomware FAKE",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.",
|
||
"meta": {
|
||
"date": "February 2017",
|
||
"extensions": [
|
||
".cancer"
|
||
],
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "UpdateHost Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html",
|
||
"https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nemesis Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".v8dp"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Evil Ransomware or File0Locked KZ Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".file0locked",
|
||
".evillock"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"HOW_TO_DECRYPT_YOUR_FILES.TXT",
|
||
"HOW_TO_DECRYPT_YOUR_FILES.HTML",
|
||
"https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png",
|
||
"https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html",
|
||
"http://www.enigmasoftware.com/evilransomware-removal/",
|
||
"http://usproins.com/evil-ransomware-is-lurking/",
|
||
"https://twitter.com/jiriatvirlab/status/818443491713884161",
|
||
"https://twitter.com/PolarToffee/status/826508611878793219"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ocelot Ransomware or Ocelot Locker Ransomware (FAKE RANSOMWARE)",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg",
|
||
"https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/817648547231371264"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SkyName Ransomware or Blablabla Ransomware",
|
||
"description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"INFOK1.txt",
|
||
"https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png",
|
||
"https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/817079028725190656"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MafiaWare Ransomware or Depsex Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".locked-by-mafia"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png",
|
||
"READ_ME.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/",
|
||
"https://twitter.com/BleepinComputer/status/817069320937345024"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Globe3 Ransomware or Purge Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".decrypt2017",
|
||
".hnumkhotep",
|
||
".badnews",
|
||
".globe",
|
||
".[random].bit",
|
||
".[random].encrypted",
|
||
".[random].raid10",
|
||
".[random].globe",
|
||
".[mia.kokers@aol.com]",
|
||
".unlockv@india.com",
|
||
".rescuers@india.com.3392cYAn548QZeUf.lock",
|
||
".locked",
|
||
".decrypt2017",
|
||
".hnumkhotep"
|
||
],
|
||
"encryption": "AES-256+RSA or RC4",
|
||
"ransomnotes": [
|
||
"How To Recover Encrypted Files.hta",
|
||
"https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png",
|
||
"https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/",
|
||
"https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/",
|
||
"https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html",
|
||
"https://decrypter.emsisoft.com/globe3"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BleedGreen Ransomware or FireCrypt Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".firecrypt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BTCamant Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".BTC"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"BTC_DECRYPT_FILES.txt",
|
||
"BTC_DECRYPT_FILES.html",
|
||
"https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/btcamant.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "X3M Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
"_x3m",
|
||
"_r9oj",
|
||
"_locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GOG Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".LOCKED"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"DecryptFile.txt",
|
||
"https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png",
|
||
"https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html",
|
||
"https://twitter.com/BleepinComputer/status/816112218815266816"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EdgeLocker",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".edgel"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html",
|
||
"https://twitter.com/BleepinComputer/status/815392891338194945"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Red Alert",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"MESSAGE.txt",
|
||
"https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html",
|
||
"https://twitter.com/JaromirHorejsi/status/815557601312329728"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "First",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "XCrypt Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "Twofish",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg",
|
||
"Xhelp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
|
||
"https://twitter.com/JakubKroustek/status/825790584971472902"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "7Zipper Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".7zipper"
|
||
],
|
||
"encryption": "Twofish",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html",
|
||
"https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zyka Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 170$ or EUR in Bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".lock",
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html",
|
||
"https://www.pcrisk.com/removal-guides/10899-zyka-ransomware",
|
||
"https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip",
|
||
"https://twitter.com/GrujaRS/status/826153382557712385"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SureRansom Ransomeware (Fake)",
|
||
"description": "It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"encryption": "AES-256 (fake)",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html",
|
||
"http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Netflix Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".se"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg",
|
||
"https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/",
|
||
"https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/",
|
||
"http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012",
|
||
"https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg",
|
||
"https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoShield 1.0 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMixfamily.",
|
||
"meta": {
|
||
"date": "January 2017",
|
||
"extensions": [
|
||
".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"# RESTORING FILES #.txt",
|
||
"# RESTORING FILES #.html",
|
||
"https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2017/01/cryptoshield-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Merry Christmas, Merry X-Mas or MRCR",
|
||
"description": "It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.",
|
||
"meta": {
|
||
"date": " December 2016",
|
||
"extensions": [
|
||
".MRCR1",
|
||
".PEGS1",
|
||
".RARE1",
|
||
".RMCM1",
|
||
".MERRY"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"YOUR_FILES_ARE_DEAD.HTA",
|
||
"MERRY_I_LOVE_YOU_BRUCE.HTA",
|
||
"https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png",
|
||
"https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/",
|
||
"http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/",
|
||
"https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/",
|
||
"https://decrypter.emsisoft.com/mrcr"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Seoirse Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".seoire"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KillDisk Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.",
|
||
"meta": {
|
||
"date": "November/December 2016",
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/",
|
||
"https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/",
|
||
"http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/",
|
||
"http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware",
|
||
"http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
|
||
"https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DeriaLock Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".deria"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
|
||
"unlock-everybody.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/",
|
||
""
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BadEncript Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".bript"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"More.html",
|
||
"https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png",
|
||
"More.html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html",
|
||
"https://twitter.com/demonslay335/status/813064189719805952"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AdamLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".adam"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Alphabet Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".alphabet"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html",
|
||
"https://twitter.com/PolarToffee/status/812331918633172992"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KoKoKrypt Ransomware or KokoLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".kokolocker"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html",
|
||
"http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "L33TAF Locker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. The name of the creator is staffttt, he also created Fake CryptoLocker",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".l33tAF"
|
||
],
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"YOU_HAVE_BEEN_HACKED.txt",
|
||
"https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PClock4 Ransomware or PClock SysGop Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Guster Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses VBS-script to send a voice message as the first few lines of the note.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256+RSA",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html",
|
||
"https://twitter.com/BleepinComputer/status/812131324979007492"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Roga",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".madebyadam"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLocker3 Ransomware or Fake CryptoLocker",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".cryptolocker"
|
||
],
|
||
"encryption": "AES-128+RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ProposalCrypt Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".crypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html",
|
||
"http://www.archersecuritygroup.com/what-is-ransomware/",
|
||
"https://twitter.com/demonslay335/status/812002960083394560",
|
||
"https://twitter.com/malwrhunterteam/status/811613888705859586"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Manifestus Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/",
|
||
"https://twitter.com/struppigel/status/811587154983981056"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EnkripsiPC Ransomware or IDRANSOMv3 or Manifestus",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".fucked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html",
|
||
"https://twitter.com/demonslay335/status/811343914712100872",
|
||
"https://twitter.com/BleepinComputer/status/811264254481494016",
|
||
"https://twitter.com/struppigel/status/811587154983981056"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BrainCrypt Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. So far the victims are from Belarus and Germany.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".braincrypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png",
|
||
"https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MSN CryptoLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png",
|
||
"RESTORE_YOUR_FILES.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html",
|
||
"https://twitter.com/struppigel/status/810766686005719040"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoBlock Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "RSA-2048",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html",
|
||
"https://twitter.com/drProct0r/status/810500976415281154"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AES-NI Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".aes256"
|
||
],
|
||
"encryption": "AES-256 (ECB) + RSA-2048",
|
||
"ransomnotes": [
|
||
"!!! READ THIS -IMPORTANT !!!.txt",
|
||
"https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Koolova Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user's desktop",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fake Globe Ransomware or Globe Imposter",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
|
||
"HOW_OPEN_FILES.hta"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
|
||
"https://twitter.com/fwosar/status/812421183245287424",
|
||
"https://decrypter.emsisoft.com/globeimposter",
|
||
"https://twitter.com/malwrhunterteam/status/809795402421641216"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "V8Locker Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".v8"
|
||
],
|
||
"encryption": "RSA",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cryptorium (Fake Ransomware)",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".ENC"
|
||
],
|
||
"encryption": "RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Antihacker2017 Ransomware",
|
||
"description": "It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".antihacker2017"
|
||
],
|
||
"encryption": "XOR",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CIA Special Agent 767 Ransomware (FAKE!!!)",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html",
|
||
"https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/",
|
||
"https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LoveServer Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kraken Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".kraken",
|
||
"[base64].kraken"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
|
||
"https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
|
||
"_HELP_YOUR_FILES.html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Antix Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PayDay Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".sexy"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
|
||
"!!!!!ATENÇÃO!!!!!.html"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
|
||
"https://twitter.com/BleepinComputer/status/808316635094380544"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Slimhem Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "M4N1F3STO Ransomware (FAKE!!!!!)",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins",
|
||
"https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Dale Ransomware or DaleLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".DALE"
|
||
],
|
||
"encryption": "AES+RSA-512",
|
||
"ransomnotes": [
|
||
""
|
||
],
|
||
"refs": [
|
||
""
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "UltraLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".locked (added before the ending, not to the ending, for example: file.locked.doc"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html",
|
||
"https://twitter.com/struppigel/status/807161652663742465"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AES_KEY_GEN_ASSIST Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".pre_alpha"
|
||
],
|
||
"encryption": "AES-256 and RSA-2048",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html",
|
||
"https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Code Virus Ransomware ",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".locky"
|
||
],
|
||
"encryption": "AES-256 and RSA-2048",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg",
|
||
"https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FLKR Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
"_morf56@meta.ua_"
|
||
],
|
||
"encryption": "Blowfish",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PopCorn Time Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".kok",
|
||
".filock"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png",
|
||
"https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg",
|
||
"restore_your_files.html",
|
||
"restore_your_files.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HackedLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".hacked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GoldenEye Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".<random_8_chars>"
|
||
],
|
||
"encryption": "AES(CBC)",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg",
|
||
"https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/",
|
||
"https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sage Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".sage"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/",
|
||
"https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SQ_ Ransomware or VO_ Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".VO_"
|
||
],
|
||
"encryption": "AES and RSA-1024",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Matrix or Malta Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
|
||
"meta": {
|
||
"date": "December 2016",
|
||
"extensions": [
|
||
".MATRIX"
|
||
],
|
||
"encryption": "AES and RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
|
||
"[5 numbers]-MATRIX-README.RTF"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
|
||
"https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html",
|
||
"https://twitter.com/rommeljoven17/status/804251901529231360"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Satan666 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RIP (Phoenix) Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".R.i.P"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
|
||
"Important!.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
|
||
"https://twitter.com/BleepinComputer/status/804810315456200704"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Locked-In Ransomware or NoValid Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".novalid"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
|
||
"RESTORE_CORUPTED_FILES.HTML"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
|
||
"https://twitter.com/struppigel/status/807169774098796544"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Chartwig Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RenLocker Ransomware (FAKE)",
|
||
"description": "It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".crypter"
|
||
],
|
||
"encryption": "Rename > Ren + Locker",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Thanksgiving Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html",
|
||
"https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html",
|
||
"https://twitter.com/BleepinComputer/status/801486420368093184"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CockBlocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".hannah"
|
||
],
|
||
"encryption": "RSA",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html",
|
||
"https://twitter.com/jiriatvirlab/status/801910919739674624"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Lomix Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html",
|
||
"https://twitter.com/siri_urz/status/801815087082274816"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "OzozaLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".locked",
|
||
".Locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG",
|
||
"HOW TO DECRYPT YOU FILES.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html",
|
||
"https://decrypter.emsisoft.com/ozozalocker",
|
||
"https://twitter.com/malwrhunterteam/status/801503401867673603"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crypute Ransomware or m0on Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".mo0n"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html",
|
||
"https://www.bleepingcomputer.com/virus-removal/threat/ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NMoreira Ransomware or Fake Maktub Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".maktub"
|
||
],
|
||
"encryption": "AES-256 + RSA",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG",
|
||
"https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html",
|
||
"https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VindowsLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".vindows"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html",
|
||
"https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph",
|
||
"https://rol.im/VindowsUnlocker.zip",
|
||
"https://twitter.com/JakubKroustek/status/800729944112427008",
|
||
"https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Donald Trump 2 Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".ENCRYPTED"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg",
|
||
"https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
|
||
],
|
||
"refs": [
|
||
"http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nagini Ransomware or Voldemort Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"encryption": "RSA",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg"
|
||
],
|
||
"refs": [
|
||
"http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ShellLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".l0cked",
|
||
".L0cker"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html",
|
||
"https://twitter.com/JakubKroustek/status/799388289337671680"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Chip Ransomware or ChipLocker Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".CHIP",
|
||
".DALE"
|
||
],
|
||
"encryption": "AES + RSA-512",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG",
|
||
"CHIP_FILES.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html",
|
||
"http://malware-traffic-analysis.net/2016/11/17/index.html",
|
||
"https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Dharma Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dharma",
|
||
".wallet",
|
||
".zzzzz"
|
||
],
|
||
"encryption": "AES + RSA-512",
|
||
"ransomnotes": [
|
||
"README.txt",
|
||
"README.jpg",
|
||
"Info.hta"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Angela Merkel Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".angelamerkel"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/798268218364358656"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLuck Ransomware or YafunnLocker",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".<hex_id>_luck"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG",
|
||
"https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG",
|
||
"%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html",
|
||
"http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/",
|
||
"https://twitter.com/malwareforme/status/798258032115322880",
|
||
"https://twitter.com/malwareforme/status/798258032115322880"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crypton Ransomware, or Nemesis or X3M",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
"_crypt",
|
||
".id-_locked",
|
||
".id-_locked_by_krec",
|
||
".id-_locked_by_perfect",
|
||
".id-_x3m",
|
||
".id-_r9oj",
|
||
".id-_garryweber@protonmail.ch",
|
||
".id-_steaveiwalker@india.com_",
|
||
".id-_julia.crown@india.com_",
|
||
".id-_tom.cruz@india.com_",
|
||
".id-_CarlosBoltehero@india.com_",
|
||
".id-_maria.lopez1@india.com_"
|
||
],
|
||
"encryption": "AES-256 + RSA + SHA-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html",
|
||
"https://decrypter.emsisoft.com/crypton",
|
||
"https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/",
|
||
"https://twitter.com/JakubKroustek/status/829353444632825856"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Karma Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".karma"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png",
|
||
"# DECRYPT MY FILES #.html",
|
||
"# DECRYPT MY FILES #.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "WickedLocker HT Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PClock3 Ransomware or PClock SuppTeam Ransomware orCryptoLocker clone or WinPlock",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES or XOR",
|
||
"ransomnotes": [
|
||
"Your files are locked !.txt",
|
||
"Your files are locked !!.txt",
|
||
"Your files are locked !!!.txt",
|
||
"Your files are locked !!!!.txt",
|
||
"%AppData%\\WinCL\\winclwp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/",
|
||
"https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html",
|
||
"http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/",
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kolobo Ransomware or Kolobocheg Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".kolobocheg@aol.com_"
|
||
],
|
||
"encryption": "XOR and RSA",
|
||
"ransomnotes": [
|
||
"https://www.ransomware.wiki/tag/kolobo/"
|
||
],
|
||
"refs": [
|
||
"https://www.ransomware.wiki/tag/kolobo/",
|
||
"https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html",
|
||
"https://forum.drweb.com/index.php?showtopic=315142"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PaySafeGen (German) Ransomware or Paysafecard Generator 2016",
|
||
"description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".cry_"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html",
|
||
"https://twitter.com/JakubKroustek/status/796083768155078656"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Telecrypt Ransomware",
|
||
"description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".Xcri"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html",
|
||
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
|
||
"http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked",
|
||
"https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3",
|
||
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
|
||
"https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CerberTear Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".cerber"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html",
|
||
"https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/",
|
||
"https://twitter.com/struppigel/status/795630452128227333"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FuckSociety Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dll"
|
||
],
|
||
"encryption": "RSA-4096",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PayDOS Ransomware or Serpent Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dng",
|
||
".serpent"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
|
||
"HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html",
|
||
"https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
|
||
"https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "zScreenLocker Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dng"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html",
|
||
"https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/",
|
||
"https://twitter.com/struppigel/status/794077145349967872"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Gremit Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".rnsmwr"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html",
|
||
"https://twitter.com/struppigel/status/794444032286060544",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Hollycrypt Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".hollycrypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BTCLocker Ransomware or BTC Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".BTC"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kangaroo Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".crypted_file"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
|
||
"filename.Instructions_Data_Recovery.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DummyEncrypter Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dCrypt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Encryptss77 Ransomware or SFX Monster Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".dCrypt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS"
|
||
],
|
||
"refs": [
|
||
"http://virusinfo.info/showthread.php?t=201710",
|
||
"https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "WinRarer Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".ace"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Russian Globe Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".blackblock"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID ***** Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ZeroCrypt Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "November 2016",
|
||
"extensions": [
|
||
".zn2016"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RotorCrypt(RotoCrypt, Tar) Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".c400",
|
||
".c300"
|
||
],
|
||
"encryption": "RSA",
|
||
"ransomnotes": [
|
||
"Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ishtar Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
"ISHTAR-. (prefix)"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path)."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MasterBuster Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".hcked"
|
||
],
|
||
"ransomnotes": [
|
||
"IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
|
||
"https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
|
||
"CreatesReadThisFileImportant.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
|
||
"https://twitter.com/struppigel/status/791943837874651136"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "JackPot Ransomware or Jack.Pot Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".coin"
|
||
],
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html",
|
||
"https://twitter.com/struppigel/status/791639214152617985",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ONYX Ransomeware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".Encryption:"
|
||
],
|
||
"ransomnotes": [
|
||
"All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.",
|
||
"https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html",
|
||
"https://twitter.com/struppigel/status/791557636164558848",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "IFN643 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".inf643"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html",
|
||
"https://twitter.com/struppigel/status/791576159960072192",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Alcatraz Locker Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".Alcatraz"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
|
||
"https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
|
||
"ransomed.hTmL"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
|
||
"https://twitter.com/PolarToffee/status/792796055020642304"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Esmeralda Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.",
|
||
"https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html",
|
||
"https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EncrypTile Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fileice Ransomware Survey Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html",
|
||
"https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoWire Ransomeware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg",
|
||
"https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html",
|
||
"https://twitter.com/struppigel/status/791554654664552448",
|
||
"https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Hucky Ransomware or Hungarian Locky Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".locky",
|
||
"[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky"
|
||
],
|
||
"encryption": "AES-128+RSA",
|
||
"ransomnotes": [
|
||
"https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
|
||
"!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!",
|
||
"_Adatok_visszaallitasahoz_utasitasok.txt",
|
||
"_locky_recover_instructions.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
|
||
"https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Winnix Cryptor Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".wnx"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team",
|
||
"YOUR FILES ARE ENCRYPTED!.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html",
|
||
"https://twitter.com/PolarToffee/status/811940037638111232"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AngryDuck Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".adk"
|
||
],
|
||
"encryption": "AES-512",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg",
|
||
"ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html",
|
||
"https://twitter.com/demonslay335/status/790334746488365057"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Lock93 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".lock93"
|
||
],
|
||
"encryption": "AES-512",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg",
|
||
"https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/789882488365678592"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ASN1 Encoder Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"encryption": "AES-512",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG",
|
||
"!!!!!readme!!!!!.htm"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html",
|
||
"https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Click Me Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".hacked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price."
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html",
|
||
"https://www.youtube.com/watch?v=Xe30kV4ip8w"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AiraCrop Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".hacked"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "JapanLocker Ransomware & SHC Ransomware, SHCLocker ,SyNcryption",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
"#LOCK#"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html",
|
||
"https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker",
|
||
"https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php",
|
||
"https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Anubis Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".coded"
|
||
],
|
||
"encryption": "AES(256)",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg",
|
||
"Decryption Instructions.txt"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html",
|
||
"http://nyxbone.com/malware/Anubis.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "XTPLocker 5.0 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Exotic Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".exotic",
|
||
"random.exotic"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg",
|
||
"https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg",
|
||
"https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/",
|
||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
|
||
"https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware",
|
||
"https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "APT Ransomware v.2",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".dll"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Windows_Security Ransonware or WS Go Ransonware, Trojan.Encoder.6491",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html",
|
||
"https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NCrypt Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".NCRYPT",
|
||
".ncrypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Venis Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".venis"
|
||
],
|
||
"encryption": "AES-2048",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html",
|
||
"https://twitter.com/Antelox/status/785849412635521024",
|
||
"http://pastebin.com/HuK99Xmj"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Enigma 2 Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".1txt"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\\Documents and Settings\\Администратор\\Рабочийстол\\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\\DOCUME~1\\9335~1\\LOCALS~1\\Temp\\E_N_I_G_M_A.RSA - The path to the key file in TMP directory"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Deadly Ransomware or Deadly for a Good Purpose Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html",
|
||
"https://twitter.com/malwrhunterteam/status/785533373007728640"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Comrade Circle Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".comrade"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg",
|
||
"https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG",
|
||
"https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Globe2 Ransomware or Purge Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".raid10",
|
||
".[random].raid10",
|
||
".blt",
|
||
".globe",
|
||
".[random].blt",
|
||
".encrypted",
|
||
".[random].globe",
|
||
".[random].encrypted",
|
||
".mia.kokers@aol.com",
|
||
".[mia.kokers@aol.com]",
|
||
".lovewindows",
|
||
".openforyou@india.com",
|
||
".<email>.<random>"
|
||
],
|
||
"encryption": "AES-256 or Blowfish",
|
||
"ransomnotes": [
|
||
"https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html",
|
||
"https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kostya Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".k0stya"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg",
|
||
"https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html",
|
||
"http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fs0ciety Locker Ransomware",
|
||
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
|
||
"meta": {
|
||
"date": "October 2016",
|
||
"extensions": [
|
||
".comrade"
|
||
],
|
||
"encryption": "AES-256 CBC",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.htm"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Erebus Ransomware",
|
||
"description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet",
|
||
"meta": {
|
||
"date": "September 2016",
|
||
"extensions": [
|
||
".ecrypt"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png"
|
||
],
|
||
"refs": [
|
||
"https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": ".CryptoHasYou.",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"encryption": "AES(256)",
|
||
"ransomnotes": [
|
||
"YOUR_FILES_ARE_LOCKED.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/CryptoHasYou.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "777 or Sevleg",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".777",
|
||
"._[timestamp]_$[email]$.777",
|
||
"e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777"
|
||
],
|
||
"encryption": "XOR",
|
||
"ransomnotes": [
|
||
"read_this_file.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/777"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "7ev3n or 7ev3n-HONE$T",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".R4A",
|
||
".R5A"
|
||
],
|
||
"ransomnotes": [
|
||
"FILES_BACK.txt"
|
||
],
|
||
"refs": [
|
||
"https://github.com/hasherezade/malware_analysis/tree/master/7ev3n",
|
||
"https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be",
|
||
"http://www.nyxbone.com/malware/7ev3n-HONE$T.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "8lock8",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".8lock8"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_IT.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AiraCrop",
|
||
"description": "Ransomware related to TeamXRat",
|
||
"meta": {
|
||
"extensions": [
|
||
"._AiraCropEncrypted"
|
||
],
|
||
"ransomnotes": [
|
||
"How to decrypt your files.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/PolarToffee/status/796079699478900736"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Al-Namrood",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".unavailable",
|
||
".disappeared"
|
||
],
|
||
"ransomnotes": [
|
||
"Read_Me.Txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/al-namrood"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ALFA Ransomware",
|
||
"description": "Ransomware Made by creators of Cerber",
|
||
"meta": {
|
||
"extensions": [
|
||
".bin"
|
||
],
|
||
"ransomnotes": [
|
||
"README HOW TO DECRYPT YOUR FILES.HTML"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Alma Ransomware",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"random",
|
||
"random(x5)"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"Unlock_files_randomx5.html"
|
||
],
|
||
"refs": [
|
||
"https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283",
|
||
"https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter",
|
||
"http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Alpha Ransomware or AlphaLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Read Me (How Decrypt) !!!!.txt"
|
||
],
|
||
"refs": [
|
||
"http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip",
|
||
"http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/",
|
||
"https://twitter.com/malwarebread/status/804714048499621888"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AMBA",
|
||
"description": "Ransomware Websites only amba@riseup.net",
|
||
"meta": {
|
||
"extensions": [
|
||
".amba"
|
||
],
|
||
"ransomnotes": [
|
||
"ПРОЧТИ_МЕНЯ.txt",
|
||
"READ_ME.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/benkow_/status/747813034006020096"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AngleWare",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".AngleWare"
|
||
],
|
||
"ransomnotes": [
|
||
"READ_ME.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/844531418474708993"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Anony or ngocanh",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/842047409446387714"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Apocalypse or Fabiansomeware",
|
||
"description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted",
|
||
".SecureCrypted",
|
||
".FuckYourData",
|
||
".unavailable",
|
||
".bleepYourFiles",
|
||
".Where_my_files.txt",
|
||
"[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
|
||
"*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"*.How_To_Decrypt.txt",
|
||
"*.Contact_Here_To_Recover_Your_Files.txt",
|
||
"*.Where_my_files.txt",
|
||
"*.Read_Me.Txt",
|
||
"*md5*.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/apocalypse",
|
||
"http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ApocalypseVM",
|
||
"description": "Ransomware Apocalypse ransomware version which uses VMprotect",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted",
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"*.How_To_Get_Back.txt"
|
||
],
|
||
"refs": [
|
||
"http://decrypter.emsisoft.com/download/apocalypsevm"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "AutoLocky",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locky"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"info.txt",
|
||
"info.html"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/autolocky"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Aw3s0m3Sc0t7",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/828902907668000770"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BadBlock",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Help Decrypt.html"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/badblock",
|
||
"http://www.nyxbone.com/malware/BadBlock.html",
|
||
"http://www.nyxbone.com/images/articulos/malware/badblock/5.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BaksoCrypt",
|
||
"description": "Ransomware Based on my-Little-Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".adr"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/760482299007922176",
|
||
"https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Bandarchor or Rakhni",
|
||
"description": "Ransomware Files might be partially encrypted",
|
||
"meta": {
|
||
"extensions": [
|
||
".id-1235240425_help@decryptservice.info",
|
||
".id-[ID]_[EMAIL_ADDRESS]"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"HOW TO DECRYPT.txt"
|
||
],
|
||
"refs": [
|
||
"https://reaqta.com/2016/03/bandarchor-ransomware-still-active/",
|
||
"https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Bart or BaCrypt",
|
||
"description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
|
||
"meta": {
|
||
"extensions": [
|
||
".bart.zip",
|
||
".bart",
|
||
".perl"
|
||
],
|
||
"ransomnotes": [
|
||
"recover.txt",
|
||
"recover.bmp"
|
||
],
|
||
"refs": [
|
||
"http://now.avg.com/barts-shenanigans-are-no-match-for-avg/",
|
||
"http://phishme.com/rockloader-downloading-new-ransomware-bart/",
|
||
"https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BitCryptor",
|
||
"description": "Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.",
|
||
"meta": {
|
||
"extensions": [
|
||
".clf"
|
||
],
|
||
"refs": [
|
||
"https://noransom.kaspersky.com/",
|
||
""
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BitStak",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".bitstak"
|
||
],
|
||
"encryption": "Base64 + String Replacement",
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BlackShades Crypter or SilentShade",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".Silent"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Hacked_Read_me_to_decrypt_files.html",
|
||
"YourID.txt"
|
||
],
|
||
"refs": [
|
||
"http://nyxbone.com/malware/BlackShades.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Blocatto",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".blocatto"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Booyah or Salam!",
|
||
"description": "Ransomware EXE was replaced to neutralize threat"
|
||
},
|
||
{
|
||
"value": "Brazilian",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".lock"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"MENSAGEM.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/brazilianRansom.html",
|
||
"http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Brazilian Globe",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".id-%ID%_garryweber@protonmail.ch"
|
||
],
|
||
"ransomnotes": [
|
||
"HOW_OPEN_FILES.html"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/821831437884211201"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BrLock",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Browlock",
|
||
"description": "Ransomware no local encryption, browser only"
|
||
},
|
||
{
|
||
"value": "BTCWare Related to / new version of CryptXXX",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".btcware"
|
||
],
|
||
"ransomnotes": [
|
||
"#_HOW_TO_FIX_!.hta"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/845199679340011520"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Bucbi",
|
||
"description": "Ransomware no file name change, no extension",
|
||
"meta": {
|
||
"encryption": "GOST",
|
||
"refs": [
|
||
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "BuyUnlockCode",
|
||
"description": "Ransomware Does not delete Shadow Copies",
|
||
"meta": {
|
||
"extensions": [
|
||
"(.*).encoded.([A-Z0-9]{9})"
|
||
],
|
||
"ransomnotes": [
|
||
"BUYUNLOCKCODE.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Central Security Treatment Organization",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".cry"
|
||
],
|
||
"ransomnotes": [
|
||
"!Recovery_[random_chars].html",
|
||
"!Recovery_[random_chars].txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cerber",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".cerber",
|
||
".cerber2",
|
||
".cerber3"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"# DECRYPT MY FILES #.html",
|
||
"# DECRYPT MY FILES #.txt",
|
||
"# DECRYPT MY FILES #.vbs",
|
||
"# README.hta",
|
||
"_{RAND}_README.jpg",
|
||
"_{RAND}_README.hta",
|
||
"_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg",
|
||
"_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta",
|
||
"_HELP_HELP_HELP_%random%.jpg",
|
||
"_HELP_HELP_HELP_%random%.hta",
|
||
"_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta",
|
||
"_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
|
||
"https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Chimera",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt",
|
||
"4 random characters, e.g., .PzZs, .MKJL"
|
||
],
|
||
"ransomnotes": [
|
||
"YOUR_FILES_ARE_ENCRYPTED.HTML",
|
||
"YOUR_FILES_ARE_ENCRYPTED.TXT",
|
||
"<random>.gif"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/",
|
||
"https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Clock",
|
||
"description": "Ransomware Does not encrypt anything",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/794956809866018816"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CoinVault",
|
||
"description": "Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!",
|
||
"meta": {
|
||
"extensions": [
|
||
".clf"
|
||
],
|
||
"ransomnotes": [
|
||
"wallpaper.jpg"
|
||
],
|
||
"refs": [
|
||
"https://noransom.kaspersky.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Coverton",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".coverton",
|
||
".enigma",
|
||
".czvxce"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"!!!-WARNING-!!!.html",
|
||
"!!!-WARNING-!!!.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cryaki",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".{CRYPTENDBLACKDC}"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
""
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
""
|
||
],
|
||
"refs": [
|
||
""
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crybola",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryFile",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".criptiko",
|
||
".criptoko",
|
||
".criptokod",
|
||
".cripttt",
|
||
".aga"
|
||
],
|
||
"encryption": "Moves bytes",
|
||
"refs": [
|
||
"SHTODELATVAM.txt",
|
||
"Instructionaga.txt"
|
||
],
|
||
"ransomnotes": [
|
||
"http://virusinfo.info/showthread.php?t=185396"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
|
||
"description": "Ransomware Identifies victim locations w/Google Maps API",
|
||
"meta": {
|
||
"extensions": [
|
||
".cry"
|
||
],
|
||
"ransomnotes": [
|
||
"!Recovery_[random_chars].html",
|
||
"!Recovery_[random_chars].txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CrypMIC",
|
||
"description": "Ransomware CryptXXX clone/spinoff",
|
||
"meta": {
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"README.TXT",
|
||
"README.HTML",
|
||
"README.BMP"
|
||
],
|
||
"refs": [
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crypren",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".ENCRYPTED"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"READ_THIS_TO_DECRYPT.html"
|
||
],
|
||
"refs": [
|
||
"https://github.com/pekeinfo/DecryptCrypren",
|
||
"http://www.nyxbone.com/malware/Crypren.html",
|
||
"http://www.nyxbone.com/images/articulos/malware/crypren/0.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crypt38",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt38"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip",
|
||
"https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cryptear or Hidden Tear",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Crypter",
|
||
"description": "Ransomware Does not actually encrypt the files, but simply renames them",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/jiriatvirlab/status/802554159564062722"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptFIle2",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".scl",
|
||
"id[_ID]email_xerx@usa.com.scl"
|
||
],
|
||
"encryption": "RSA",
|
||
"refs": [
|
||
"https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptInfinite",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crinf"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoBit",
|
||
"description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.",
|
||
"meta": {
|
||
"encryption": "AES + RSA",
|
||
"ransomnotes": [
|
||
"OKSOWATHAPPENDTOYOURFILES.TXT"
|
||
],
|
||
"refs": [
|
||
"http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/",
|
||
"http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoDefense",
|
||
"description": "Ransomware no extension change",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"HOW_DECRYPT.TXT",
|
||
"HOW_DECRYPT.HTML",
|
||
"HOW_DECRYPT.URL"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoFinancial or Ranscam",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"http://blog.talosintel.com/2016/07/ranscam.html",
|
||
"https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoFortress",
|
||
"description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB",
|
||
"meta": {
|
||
"extensions": [
|
||
".frtrss"
|
||
],
|
||
"encryption": "AES-256 + RSA-1024",
|
||
"ransomnotes": [
|
||
"READ IF YOU WANT YOUR FILES BACK.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoGraphic Locker",
|
||
"description": "Ransomware Has a GUI. Subvariants: CoinVault BitCryptor",
|
||
"meta": {
|
||
"extensions": [
|
||
".clf"
|
||
],
|
||
"ransomnotes": [
|
||
"wallpaper.jpg"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
|
||
"description": "Ransomware RAR's victim's files has a GUI",
|
||
"meta": {
|
||
"encryption": "AES-256 (RAR implementation)",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoJoker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crjoker"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"README!!!.txt",
|
||
"GetYouFiles.txt",
|
||
"crjoker.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLocker",
|
||
"description": "Ransomware no longer relevant",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted",
|
||
".ENC"
|
||
],
|
||
"refs": [
|
||
"https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html",
|
||
"https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLocker 1.0.0",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/839747940122001408"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoLocker 5.1",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/782890104947867649"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoMix or Zeta",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".code",
|
||
".scl",
|
||
".rmd",
|
||
".lesli",
|
||
".rdmk",
|
||
".CRYPTOSHIELD",
|
||
".CRYPTOSHIEL",
|
||
".id_(ID_MACHINE)_email_xoomx@dr.com_.code",
|
||
".id_*_email_zeta@dr.com",
|
||
".id_(ID_MACHINE)_email_anx@dr.com_.scl",
|
||
".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli",
|
||
"*filename*.email[*email*]_id[*id*].rdmk"
|
||
],
|
||
"ransomnotes": [
|
||
"HELP_YOUR_FILES.html (CryptXXX)",
|
||
"HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)",
|
||
"INSTRUCTION RESTORE FILE.TXT"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/CryptoMix.html",
|
||
"https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoRansomeware",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/817672617658347521"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoRoger",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crptrgr"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"!Where_are_my_files!.html"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoShadow",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".doomed"
|
||
],
|
||
"ransomnotes": [
|
||
"LEER_INMEDIATAMENTE.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/821992610164277248"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoShocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"ATTENTION.url"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoTorLocker2015",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".CryptoTorLocker2015!"
|
||
],
|
||
"ransomnotes": [
|
||
"HOW TO DECRYPT FILES.txt",
|
||
"%Temp%\\<random>.bmp"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoTrooper",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoWall 1",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"DECRYPT_INSTRUCTION.HTM",
|
||
"DECRYPT_INSTRUCTION.TXT",
|
||
"DECRYPT_INSTRUCTION.URL",
|
||
"INSTALL_TOR.URL"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoWall 2",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"HELP_DECRYPT.TXT",
|
||
"HELP_DECRYPT.PNG",
|
||
"HELP_DECRYPT.URL",
|
||
"HELP_DECRYPT.HTML"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoWall 3",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"HELP_DECRYPT.TXT",
|
||
"HELP_DECRYPT.PNG",
|
||
"HELP_DECRYPT.URL",
|
||
"HELP_DECRYPT.HTML"
|
||
],
|
||
"refs": [
|
||
"https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/",
|
||
"https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptoWall 4",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"<random>.<random>, e.g. ,27p9k967z.x1nep"
|
||
],
|
||
"ransomnotes": [
|
||
"HELP_YOUR_FILES.HTML",
|
||
"HELP_YOUR_FILES.PNG"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptXXX or CryptProjectXXX",
|
||
"description": "Ransomware Comes with Bedep",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"ransomnotes": [
|
||
"de_crypt_readme.bmp, .txt, .html"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||
"http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptXXX 2.0 or CryptProjectXXX",
|
||
"description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"ransomnotes": [
|
||
"<personal-ID>.txt, .html, .bmp"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||
"https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool",
|
||
"http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
|
||
"description": "Ransomware Comes with Bedep",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt",
|
||
".cryp1",
|
||
".crypz",
|
||
".cryptz",
|
||
"random"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||
"http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/",
|
||
"http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryptXXX 3.1",
|
||
"description": "Ransomware StilerX credential stealing",
|
||
"meta": {
|
||
"extensions": [
|
||
".cryp1"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||
"https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CryPy",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".cry"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"README_FOR_DECRYPT.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CTB-Faker or Citroni",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".ctbl",
|
||
".([a-z]{6,7})"
|
||
],
|
||
"encryption": "RSA-2048",
|
||
"ransomnotes": [
|
||
"AllFilesAreLocked <user_id>.bmp",
|
||
"DecryptAllFiles <user_id>.txt",
|
||
"<random>.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CTB-Locker WEB",
|
||
"description": "Ransomware websites only",
|
||
"meta": {
|
||
"refs": [
|
||
"https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/",
|
||
"https://github.com/eyecatchup/Critroni-php"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "CuteRansomware or my-Little-Ransomware",
|
||
"description": "Ransomware Based on my-Little-Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".已加密",
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"你的檔案被我們加密啦!!!.txt",
|
||
"Your files encrypted by our friends !!! txt"
|
||
],
|
||
"refs": [
|
||
"https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool",
|
||
"https://github.com/aaaddress1/my-Little-Ransomware"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Cyber SpLiTTer Vbs or CyberSplitter",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/778871886616862720",
|
||
"https://twitter.com/struppigel/status/806758133720698881"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Death Bitches",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"READ_IT.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JaromirHorejsi/status/815555258478981121"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DeCrypt Protect",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".html"
|
||
],
|
||
"refs": [
|
||
"http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DEDCryptor",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".ded"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/",
|
||
"http://www.nyxbone.com/malware/DEDCryptor.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Demo",
|
||
"description": "Ransomware only encrypts .jpg files",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"ransomnotes": [
|
||
"HELP_YOUR_FILES.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/798573300779745281"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DetoxCrypto",
|
||
"description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte",
|
||
"meta": {
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Digisom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Digisom Readme0.txt (0 to 9)"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/PolarToffee/status/829727052316160000"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DirtyDecrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/752586334527709184"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DMALocker",
|
||
"description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0",
|
||
"meta": {
|
||
"encryption": "AES-256 in ECB mode, Version 2-4 also RSA",
|
||
"ransomnotes": [
|
||
"cryptinfo.txt",
|
||
"decrypting.txt",
|
||
"start.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/",
|
||
"https://github.com/hasherezade/dma_unlocker",
|
||
"https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DMALocker 3.0",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "AES-256 + XPTLOCK5.0",
|
||
"refs": [
|
||
"https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DNRansomware",
|
||
"description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT",
|
||
"meta": {
|
||
"extensions": [
|
||
".fucked"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/822500056511213568"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Domino",
|
||
"description": "Ransomware Based on Hidden Tear",
|
||
"meta": {
|
||
"extensions": [
|
||
".domino"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"README_TO_RECURE_YOUR_FILES.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/Domino.html",
|
||
"http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DoNotChange",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".id-7ES642406.cry",
|
||
".Do_not_change_the_filename"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"HOW TO DECODE FILES!!!.txt",
|
||
"КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DummyLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".dCrypt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/794108322932785158"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "DXXD",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".dxxd"
|
||
],
|
||
"ransomnotes": [
|
||
"ReadMe.TxT"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/",
|
||
"https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EDA2 / HiddenTear or Cryptear",
|
||
"description": "Ransomware Open sourced C#",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256"
|
||
}
|
||
},
|
||
{
|
||
"value": "EduCrypt or EduCrypter",
|
||
"description": "Ransomware Based on Hidden Tear",
|
||
"meta": {
|
||
"extensions": [
|
||
".isis",
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"README.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.filedropper.com/decrypter_1",
|
||
"https://twitter.com/JakubKroustek/status/747031171347910656"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "EiTest",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypted"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BroadAnalysis/status/845688819533930497",
|
||
"https://twitter.com/malwrhunterteam/status/845652520202616832"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "El-Polocker or Los Pollos Hermanos",
|
||
"description": "Ransomware Has a GUI",
|
||
"meta": {
|
||
"extensions": [
|
||
".ha3"
|
||
],
|
||
"encryption": "",
|
||
"ransomnotes": [
|
||
"qwer.html",
|
||
"qwer2.html",
|
||
"locked.bmp"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Encoder.xxxx or Trojan.Encoder.6491",
|
||
"description": "Ransomware Coded in GO",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Instructions.html"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
|
||
"http://vms.drweb.ru/virus/?_is=1&i=8747343"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "encryptoJJS",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"ransomnotes": [
|
||
"How to recover.enc"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Enigma",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enigma",
|
||
".1txt"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"enigma.hta",
|
||
"enigma_encr.txt",
|
||
"enigma_info.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Enjey",
|
||
"description": "Ransomware Based on RemindMe",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/839022018230112256"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fairware",
|
||
"description": "Ransomware Target Linux O.S.",
|
||
"meta": {
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fakben",
|
||
"description": "Ransomware Based on Hidden Tear",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"READ ME FOR DECRYPT.txt"
|
||
],
|
||
"refs": [
|
||
"https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FakeCryptoLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".cryptolocker"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/PolarToffee/status/812312402779836416"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fantom or Comrad Circle",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".fantom",
|
||
".comrade"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"DECRYPT_YOUR_FILES.HTML",
|
||
"RESTORE-FILES![id]"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FenixLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".FenixIloveyou!!"
|
||
],
|
||
"ransomnotes": [
|
||
"Help to decrypt.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/fenixlocker",
|
||
"https://twitter.com/fwosar/status/777197255057084416"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FILE FROZR",
|
||
"description": "Ransomware RaaS",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/rommeljoven17/status/846973265650335744"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FileLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".ENCR"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/jiriatvirlab/status/836616468775251968"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FireCrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".firecrypt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"[random_chars]-READ_ME.html"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Flyper",
|
||
"description": "Ransomware Based on EDA2 / HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/773771485643149312"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fonco",
|
||
"description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"help-file-decrypt.enc",
|
||
"<startupfolder>/pronk.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FortuneCookie ",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/842302481774321664"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Free-Freedom or Roga",
|
||
"description": "Ransomware Unlock code is: adam or adamdude9",
|
||
"meta": {
|
||
"extensions": [
|
||
".madebyadam"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/812135608374226944"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "FSociety",
|
||
"description": "Ransomware Based on EDA2 and RemindMe",
|
||
"meta": {
|
||
"extensions": [
|
||
".fs0ciety",
|
||
".dll"
|
||
],
|
||
"ransomnotes": [
|
||
"fs0ciety.html",
|
||
"DECRYPT_YOUR_FILES.HTML"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/",
|
||
"http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
|
||
"https://twitter.com/siri_urz/status/795969998707720193"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Fury",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GhostCrypt",
|
||
"description": "Ransomware Based on Hidden Tear",
|
||
"meta": {
|
||
"extensions": [
|
||
".Z81928819"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip",
|
||
"http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Gingerbread",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/ni_fi_70/status/796353782699425792"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Globe v1 or Purge",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".purge"
|
||
],
|
||
"encryption": "Blowfish",
|
||
"ransomnotes": [
|
||
"How to restore files.hta"
|
||
],
|
||
"refs": [
|
||
"https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
|
||
"http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "GNL Locker",
|
||
"description": "Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked",
|
||
"<ID>.locked, e.g., bill.!ID!8MMnF!ID!.locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"UNLOCK_FILES_INSTRUCTIONS.html and .txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Gomasom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt",
|
||
"!___[EMAILADDRESS]_.crypt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Goopic",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Your files have been crypted.html"
|
||
],
|
||
"refs": [
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Gopher",
|
||
"description": "Ransomware OS X ransomware (PoC)"
|
||
},
|
||
{
|
||
"value": "Hacked",
|
||
"description": "Ransomware Jigsaw Ransomware variant",
|
||
"meta": {
|
||
"extensions": [
|
||
".versiegelt",
|
||
".encrypted",
|
||
".payrmts",
|
||
".locked",
|
||
".Locked"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/806878803507101696"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HappyDayzz",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4",
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/847114064224497666"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Harasom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".html"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HDDCryptor or Mamba",
|
||
"description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
|
||
"meta": {
|
||
"encryption": "Custom (net shares), XTS-AES (disk)",
|
||
"refs": [
|
||
"https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
|
||
"blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Heimdall",
|
||
"description": "Ransomware File marker: \"Heimdall---\"",
|
||
"meta": {
|
||
"encryption": "AES-128-CBC",
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Help_dcfile",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".XXX"
|
||
],
|
||
"ransomnotes": [
|
||
"help_dcfile.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Herbst",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".herbst"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Hi Buddy!",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".cry"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/hibuddy.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Hitler",
|
||
"description": "Ransomware Deletes files",
|
||
"meta": {
|
||
"extensions": [
|
||
"removes extensions"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/",
|
||
"https://twitter.com/jiriatvirlab/status/825310545800740864"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HolyCrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"(encrypted)"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HTCryptor",
|
||
"description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/803288396814839808"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "HydraCrypt",
|
||
"description": "Ransomware CrypBoss Family",
|
||
"meta": {
|
||
"extensions": [
|
||
"hydracrypt_ID_[\\w]{8}"
|
||
],
|
||
"ransomnotes": [
|
||
"README_DECRYPT_HYRDA_ID_[ID number].txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/",
|
||
"http://www.malware-traffic-analysis.net/2016/02/03/index2.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "iLock",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crime"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/817085367144873985"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "iLockLight",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crime"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "International Police Association",
|
||
"description": "Ransomware CryptoTorLocker2015 variant",
|
||
"meta": {
|
||
"extensions": [
|
||
"<6 random characters>"
|
||
],
|
||
"ransomnotes": [
|
||
"%Temp%\\<random>.bmp"
|
||
],
|
||
"refs": [
|
||
"http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "iRansom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".Locked"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/796134264744083460"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "JagerDecryptor",
|
||
"description": "Ransomware Prepends filenames",
|
||
"meta": {
|
||
"extensions": [
|
||
"!ENC"
|
||
],
|
||
"ransomnotes": [
|
||
"Important_Read_Me.html"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/757873976047697920"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Jeiphoos or Encryptor RaaS or Sarento",
|
||
"description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
|
||
"meta": {
|
||
"encryption": "RC6 (files), RSA 2048 (RC6 key)",
|
||
"ransomnotes": [
|
||
"readme_liesmich_encryptor_raas.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/RaaS.html",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Jhon Woddy",
|
||
"description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH",
|
||
"meta": {
|
||
"extensions": [
|
||
".killedXXX"
|
||
],
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip",
|
||
"https://twitter.com/BleepinComputer/status/822509105487245317"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Jigsaw or CryptoHitMan (subvariant)",
|
||
"description": "Ransomware Has a GUI",
|
||
"meta": {
|
||
"extensions": [
|
||
".btc",
|
||
".kkk",
|
||
".fun",
|
||
".gws",
|
||
".porno",
|
||
".payransom",
|
||
".payms",
|
||
".paymst",
|
||
".AFD",
|
||
".paybtcs",
|
||
".epic",
|
||
".xyz",
|
||
".encrypted",
|
||
".hush",
|
||
".paytounlock",
|
||
".uk-dealer@sigaint.org",
|
||
".gefickt",
|
||
".nemo-hacks.at.sigaint.org"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/",
|
||
"https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/",
|
||
"https://twitter.com/demonslay335/status/795819556166139905"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Job Crypter",
|
||
"description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked",
|
||
".css"
|
||
],
|
||
"encryption": "TripleDES",
|
||
"ransomnotes": [
|
||
"Comment débloquer mes fichiers.txt",
|
||
"Readme.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/jobcrypter.html",
|
||
"http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
|
||
"https://twitter.com/malwrhunterteam/status/828914052973858816"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "JohnyCryptor",
|
||
"description": "Ransomware"
|
||
},
|
||
{
|
||
"value": "KawaiiLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"How Decrypt Files.txt"
|
||
],
|
||
"refs": [
|
||
"https://safezone.cc/resources/kawaii-decryptor.195/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KeRanger",
|
||
"description": "Ransomware OS X Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://news.drweb.com/show/?i=9877&lng=en&c=5",
|
||
"http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KeyBTC",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"keybtc@inbox_com"
|
||
],
|
||
"ransomnotes": [
|
||
"DECRYPT_YOUR_FILES.txt",
|
||
"READ.txt",
|
||
"readme.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KEYHolder",
|
||
"description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"how_decrypt.gif",
|
||
"how_decrypt.html"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KillerLocker",
|
||
"description": "Ransomware Possibly Portuguese dev",
|
||
"meta": {
|
||
"extensions": [
|
||
".rip"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/782232299840634881"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KimcilWare",
|
||
"description": "Ransomware websites only",
|
||
"meta": {
|
||
"extensions": [
|
||
".kimcilware",
|
||
".locked"
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it",
|
||
"http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Korean",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".암호화됨"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"ReadMe.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/koreanRansom.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Kozy.Jozy or QC",
|
||
"description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
|
||
"meta": {
|
||
"extensions": [
|
||
".31392E30362E32303136_[ID-KEY]_LSBJ1",
|
||
".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
|
||
],
|
||
"encryption": "RSA-2048",
|
||
"ransomnotes": [
|
||
"w.jpg"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/KozyJozy.html",
|
||
"http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KratosCrypt",
|
||
"description": "Ransomware kratosdimetrici@gmail.com",
|
||
"meta": {
|
||
"extensions": [
|
||
".kratos"
|
||
],
|
||
"ransomnotes": [
|
||
"README_ALL.html"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/746090483722686465"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "KryptoLocker",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"KryptoLocker_README.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LanRan",
|
||
"description": "Ransomware Variant of open-source MyLittleRansomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"@__help__@"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/847689644854595584"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LeChiffre",
|
||
"description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker",
|
||
"meta": {
|
||
"extensions": [
|
||
".LeChiffre"
|
||
],
|
||
"ransomnotes": [
|
||
"How to decrypt LeChiffre files.html"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/lechiffre",
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Lick",
|
||
"description": "Ransomware Variant of Kirk",
|
||
"meta": {
|
||
"extensions": [
|
||
".Licked"
|
||
],
|
||
"ransomnotes": [
|
||
"RANSOM_NOTE.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/842404866614038529"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Linux.Encoder or Linux.Encoder.{0,3}",
|
||
"description": "Ransomware Linux Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LK Encryption",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/845183290873044994"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LLTP Locker",
|
||
"description": "Ransomware Targeting Spanish speaking victims",
|
||
"meta": {
|
||
"extensions": [
|
||
".ENCRYPTED_BY_LLTP",
|
||
".ENCRYPTED_BY_LLTPp"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"LEAME.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Locker",
|
||
"description": "Ransomware has GUI",
|
||
"meta": {
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LockLock",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locklock"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_ME.TXT"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Locky",
|
||
"description": "Ransomware Affiliations with Dridex and Necurs botnets",
|
||
"meta": {
|
||
"extensions": [
|
||
".locky",
|
||
".zepto",
|
||
".odin",
|
||
".shit",
|
||
".thor",
|
||
".aesir",
|
||
".zzzzz",
|
||
".osiris",
|
||
"([A-F0-9]{32}).locky",
|
||
"([A-F0-9]{32}).zepto",
|
||
"([A-F0-9]{32}).odin",
|
||
"([A-F0-9]{32}).shit",
|
||
"([A-F0-9]{32}).thor",
|
||
"([A-F0-9]{32}).aesir",
|
||
"([A-F0-9]{32}).zzzzz",
|
||
"([A-F0-9]{32}).osiris"
|
||
],
|
||
"encryption": "AES-128",
|
||
"ransomnotes": [
|
||
"_Locky_recover_instructions.txt",
|
||
"_Locky_recover_instructions.bmp",
|
||
"_HELP_instructions.txt",
|
||
"_HELP_instructions.bmp",
|
||
"_HOWDO_text.html",
|
||
"_WHAT_is.html",
|
||
"_INSTRUCTION.html",
|
||
"DesktopOSIRIS.(bmp|htm)",
|
||
"OSIRIS-[0-9]{4}.htm"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/",
|
||
"https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/",
|
||
"https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Lortok",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crime"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "LowLevel04",
|
||
"description": "Ransomware Prepends filenames",
|
||
"meta": {
|
||
"extensions": [
|
||
"oor."
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "M4N1F3STO",
|
||
"description": "Ransomware Does not encrypt Unlock code=suckmydicknigga",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/jiriatvirlab/status/808015275367002113"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Mabouia",
|
||
"description": "Ransomware OS X ransomware (PoC)"
|
||
},
|
||
{
|
||
"value": "MacAndChess",
|
||
"description": "Ransomware Based on HiddenTear"
|
||
},
|
||
{
|
||
"value": "Magic",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".magic"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"DECRYPT_ReadMe1.TXT",
|
||
"DECRYPT_ReadMe.TXT"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MaktubLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"[a-z]{4,6}"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"_DECRYPT_INFO_[extension pattern].html"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MarsJoke",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".a19",
|
||
".ap19"
|
||
],
|
||
"ransomnotes": [
|
||
"!!! Readme For Decrypt !!!.txt",
|
||
"ReadMeFilesDecrypt!!!.txt"
|
||
],
|
||
"refs": [
|
||
"https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/",
|
||
"https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Meister",
|
||
"description": "Ransomware Targeting French victims",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/siri_urz/status/840913419024945152"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Meteoritan",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"where_are_your_files.txt",
|
||
"readme_your_files_have_been_encrypted.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/844614889620561924"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MIRCOP or Crypt888",
|
||
"description": "Ransomware Prepends files Demands 48.48 BTC",
|
||
"meta": {
|
||
"extensions": [
|
||
"Lock."
|
||
],
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/",
|
||
"https://www.avast.com/ransomware-decryption-tools#!",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/",
|
||
"http://www.nyxbone.com/malware/Mircop.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MireWare",
|
||
"description": "Ransomware Based on HiddenTear",
|
||
"meta": {
|
||
"extensions": [
|
||
".fucked",
|
||
".fuck"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_IT.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Mischa or \"Petya's little brother\"",
|
||
"description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
|
||
"meta": {
|
||
"extensions": [
|
||
".([a-zA-Z0-9]{4})"
|
||
],
|
||
"ransomnotes": [
|
||
"YOUR_FILES_ARE_ENCRYPTED.HTML",
|
||
"YOUR_FILES_ARE_ENCRYPTED.TXT "
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "MM Locker or Booyah",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_IT.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Mobef or Yakes or CryptoBit",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".KEYZ",
|
||
".KEYH0LES"
|
||
],
|
||
"ransomnotes": [
|
||
"4-14-2016-INFECTION.TXT",
|
||
"IMPORTANT.README"
|
||
],
|
||
"refs": [
|
||
"http://nyxbone.com/malware/Mobef.html",
|
||
"http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/",
|
||
"http://nyxbone.com/images/articulos/malware/mobef/0.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Monument",
|
||
"description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/844826339186135040"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "N-Splitter",
|
||
"description": "Ransomware Russian Koolova Variant",
|
||
"meta": {
|
||
"extensions": [
|
||
".кибер разветвитель"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/815961663644008448",
|
||
"https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "n1n1n1",
|
||
"description": "Ransomware Filemaker: \"333333333333\"",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"decrypt explanations.html"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/790608484303712256",
|
||
"https://twitter.com/demonslay335/status/831891344897482754"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NanoLocker",
|
||
"description": "Ransomware no extension change, has a GUI",
|
||
"meta": {
|
||
"encryption": "AES-256 + RSA",
|
||
"ransomnotes": [
|
||
"ATTENTION.RTF"
|
||
],
|
||
"refs": [
|
||
"http://github.com/Cyberclues/nanolocker-decryptor"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nemucod",
|
||
"description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypted"
|
||
],
|
||
"encryption": "XOR(255) + 7zip",
|
||
"ransomnotes": [
|
||
"Decrypted.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/nemucod",
|
||
"https://github.com/Antelox/NemucodFR",
|
||
"http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/",
|
||
"https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Netix or RANSOM_NETIX.A",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"AES-256"
|
||
],
|
||
"refs": [
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nhtnwcuf",
|
||
"description": "Ransomware Does not encrypt the files / Files are destroyed",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"!_RECOVERY_HELP_!.txt",
|
||
"HELP_ME_PLEASE.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/demonslay335/status/839221457360195589"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NMoreira or XRatTeam or XPan",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".maktub",
|
||
".__AiraCropEncrypted!"
|
||
],
|
||
"encryption": "mix of RSA and AES-256",
|
||
"ransomnotes": [
|
||
"Recupere seus arquivos. Leia-me!.txt"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/nmoreira",
|
||
"https://twitter.com/fwosar/status/803682662481174528"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "NoobCrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/757267550346641408",
|
||
"https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nuke",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".nuclear55"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"!!_RECOVERY_instructions_!!.html",
|
||
"!!_RECOVERY_instructions_!!.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Nullbyte",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"_nullbyte"
|
||
],
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip",
|
||
"https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ODCODC",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".odcodc",
|
||
"C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc"
|
||
],
|
||
"encryption": "XOR",
|
||
"ransomnotes": [
|
||
"HOW_TO_RESTORE_FILES.txt"
|
||
],
|
||
"refs": [
|
||
"http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip",
|
||
"http://www.nyxbone.com/malware/odcodc.html",
|
||
"https://twitter.com/PolarToffee/status/813762510302183424",
|
||
"http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Offline ransomware or Vipasana or Cryakl",
|
||
"description": "Ransomware email addresses overlap with .777 addresses",
|
||
"meta": {
|
||
"extensions": [
|
||
".cbf",
|
||
"email-[params].cbf"
|
||
],
|
||
"ransomnotes": [
|
||
"desk.bmp",
|
||
"desk.jpg"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547",
|
||
"http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "OMG! Ransomware or GPCode",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".LOL!",
|
||
".OMG!"
|
||
],
|
||
"ransomnotes": [
|
||
"how to get data.txt"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Operation Global III",
|
||
"description": "Ransomware Is a file infector (virus)",
|
||
"meta": {
|
||
"extensions": [
|
||
".EXE"
|
||
],
|
||
"refs": [
|
||
"http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Owl or CryptoWire",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"dummy_file.encrypted",
|
||
"dummy_file.encrypted.[extension]"
|
||
],
|
||
"ransomnotes": [
|
||
"log.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/842342996775448576"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PadCrypt",
|
||
"description": "Ransomware has a live support chat",
|
||
"meta": {
|
||
"extensions": [
|
||
".padcrypt"
|
||
],
|
||
"ransomnotes": [
|
||
"IMPORTANT READ ME.txt",
|
||
"File Decrypt Help.html"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
|
||
"https://twitter.com/malwrhunterteam/status/798141978810732544"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Padlock Screenlocker",
|
||
"description": "Ransomware Unlock code is: ajVr/G\\ RJz0R",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/811635075158839296"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Patcher",
|
||
"description": "Ransomware Targeting macOS users",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"ransomnotes": [
|
||
"README!.txt"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/",
|
||
"https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Petya or Goldeneye",
|
||
"description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
|
||
"meta": {
|
||
"encryption": "Modified Salsa20",
|
||
"ransomnotes": [
|
||
"YOUR_FILES_ARE_ENCRYPTED.TXT"
|
||
],
|
||
"refs": [
|
||
"http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator",
|
||
"https://www.youtube.com/watch?v=mSqxFjZq_z4",
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/",
|
||
"https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Philadelphia",
|
||
"description": "Ransomware Coded by \"The_Rainmaker\"",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked",
|
||
"<file_hash>.locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/philadelphia",
|
||
"www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PizzaCrypts",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".id-[victim_id]-maestro@pizzacrypts.info"
|
||
],
|
||
"refs": [
|
||
"http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PokemonGO",
|
||
"description": "Ransomware Based on Hidden Tear",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/pokemonGO.html",
|
||
"http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Polyglot",
|
||
"description": "Ransomware Immitates CTB-Locker",
|
||
"meta": {
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"https://support.kaspersky.com/8547",
|
||
"https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PowerWare or PoshCoder",
|
||
"description": "Ransomware Open-sourced PowerShell",
|
||
"meta": {
|
||
"extensions": [
|
||
".locky"
|
||
],
|
||
"encryption": "AES-128",
|
||
"refs": [
|
||
"https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py",
|
||
"https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip",
|
||
"https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/",
|
||
"http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PowerWorm",
|
||
"description": "Ransomware no decryption possible, throws key away, destroys the files",
|
||
"meta": {
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"DECRYPT_INSTRUCTION.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Princess Locker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"[a-z]{4,6},[0-9]"
|
||
],
|
||
"ransomnotes": [
|
||
"!_HOW_TO_RESTORE_[extension].TXT",
|
||
"!_HOW_TO_RESTORE_[extension].html",
|
||
"!_HOW_TO_RESTORE_*id*.txt",
|
||
".*id*",
|
||
"@_USE_TO_FIX_JJnY.txt"
|
||
],
|
||
"refs": [
|
||
"https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/",
|
||
"https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
|
||
"https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "PRISM",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ps2exe",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/jiriatvirlab/status/803297700175286273"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "R",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Ransomware.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/846705481741733892"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "R980",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypt"
|
||
],
|
||
"ransomnotes": [
|
||
"DECRYPTION INSTRUCTIONS.txt",
|
||
"rtext.txt"
|
||
],
|
||
"refs": [
|
||
"https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RAA encryptor or RAA",
|
||
"description": "Ransomware Possible affiliation with Pony",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"ransomnotes": [
|
||
"!!!README!!![id].rtf"
|
||
],
|
||
"refs": [
|
||
"https://reaqta.com/2016/06/raa-ransomware-delivering-pony/",
|
||
"http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Rabion",
|
||
"description": "Ransomware RaaS Copy of Ranion RaaS",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/CryptoInsane/status/846181140025282561"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Radamant",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".RDM",
|
||
".RRK",
|
||
".RAD",
|
||
".RADAMANT"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"YOUR_FILES.url"
|
||
],
|
||
"refs": [
|
||
"https://decrypter.emsisoft.com/radamant",
|
||
"http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/",
|
||
"http://www.nyxbone.com/malware/radamant.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
|
||
"description": "Ransomware Files might be partially encrypted",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked",
|
||
".kraken",
|
||
".darkness",
|
||
".nochance",
|
||
".oshit",
|
||
".oplata@qq_com",
|
||
".relock@qq_com",
|
||
".crypto",
|
||
".helpdecrypt@ukr.net",
|
||
".pizda@qq_com",
|
||
".dyatel@qq_com",
|
||
"_ryp",
|
||
".nalog@qq_com",
|
||
".chifrator@qq_com",
|
||
".gruzin@qq_com",
|
||
".troyancoder@qq_com",
|
||
".encrypted",
|
||
".cry",
|
||
".AES256",
|
||
".enc",
|
||
".hb15",
|
||
".coderksu@gmail_com_id[0-9]{2,3}",
|
||
".crypt@india.com.[\\w]{4,12}"
|
||
],
|
||
"ransomnotes": [
|
||
"<startup folder>\\fud.bmp",
|
||
"<startup folder>\\paycrypt.bmp",
|
||
"<startup folder>\\strongcrypt.bmp",
|
||
"<startup folder>\\maxcrypt.bmp",
|
||
"%APPDATA%\\Roaming\\<random name>.bmp"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/us/viruses/disinfection/10556"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ramsomeer",
|
||
"description": "Ransomware Based on the DUMB ransomware"
|
||
},
|
||
{
|
||
"value": "Rannoh",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"locked-<original name>.[a-zA-Z]{4}"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/8547"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RanRan",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".zXz"
|
||
],
|
||
"ransomnotes": [
|
||
"VictemKey_0_5",
|
||
"VictemKey_5_30",
|
||
"VictemKey_30_100",
|
||
"VictemKey_100_300",
|
||
"VictemKey_300_700",
|
||
"VictemKey_700_2000",
|
||
"VictemKey_2000_3000",
|
||
"VictemKey_3000",
|
||
"zXz.html"
|
||
],
|
||
"refs": [
|
||
"https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption",
|
||
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/",
|
||
"https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ransoc",
|
||
"description": "Ransomware Doesn't encrypt user files",
|
||
"meta": {
|
||
"refs": [
|
||
"https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
|
||
"https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ransom32",
|
||
"description": "Ransomware no extension change, Javascript Ransomware"
|
||
},
|
||
{
|
||
"value": "RansomLock",
|
||
"description": "Ransomware Locks the desktop",
|
||
"meta": {
|
||
"encryption": "Asymmetric 1024 ",
|
||
"refs": [
|
||
"https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RarVault",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"RarVault.htm"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Razy",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".razy",
|
||
".fear"
|
||
],
|
||
"encryption": "AES-128",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/Razy(German).html",
|
||
"http://nyxbone.com/malware/Razy.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Rector",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".vscrypt",
|
||
".infected",
|
||
".bloc",
|
||
".korrektor"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/4264"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RektLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".rekt"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Readme.txt"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/4264"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RemindMe",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".remind",
|
||
".crashed"
|
||
],
|
||
"ransomnotes": [
|
||
"decypt_your_files.html "
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/RemindMe.html",
|
||
"http://i.imgur.com/gV6i5SN.jpg"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Rokku",
|
||
"description": "Ransomware possibly related with Chimera",
|
||
"meta": {
|
||
"extensions": [
|
||
".rokku"
|
||
],
|
||
"encryption": "Curve25519 + ChaCha",
|
||
"ransomnotes": [
|
||
"README_HOW_TO_UNLOCK.TXT",
|
||
"README_HOW_TO_UNLOCK.HTML"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RoshaLock",
|
||
"description": "Ransomware Stores your files in a password protected RAR file",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/siri_urz/status/842452104279134209"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Runsomewere",
|
||
"description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/801812325657440256"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "RussianRoulette",
|
||
"description": "Ransomware Variant of the Philadelphia ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/823925410392080385"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SADStory",
|
||
"description": "Ransomware Variant of CryPy",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/845356853039190016"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sage 2.2",
|
||
"description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.",
|
||
"meta": {
|
||
"extensions": [
|
||
".sage"
|
||
],
|
||
"refs": [
|
||
"https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate",
|
||
"https://malwarebreakdown.com/2017/03/10/finding-a-good-man/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
|
||
"description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
|
||
"meta": {
|
||
"extensions": [
|
||
".encryptedAES",
|
||
".encryptedRSA",
|
||
".encedRSA",
|
||
".justbtcwillhelpyou",
|
||
".btcbtcbtc",
|
||
".btc-help-you",
|
||
".only-we_can-help_you",
|
||
".iwanthelpuuu",
|
||
".notfoundrans",
|
||
".encmywork",
|
||
".VforVendetta",
|
||
".theworldisyours",
|
||
".Whereisyourfiles",
|
||
".helpmeencedfiles",
|
||
".powerfulldecrypt",
|
||
".noproblemwedecfiles",
|
||
".weareyourfriends",
|
||
".otherinformation",
|
||
".letmetrydecfiles",
|
||
".encryptedyourfiles",
|
||
".weencedufiles",
|
||
".iaufkakfhsaraf",
|
||
".cifgksaffsfyghd"
|
||
],
|
||
"encryption": "AES(256) + RSA(2096)",
|
||
"ransomnotes": [
|
||
"HELP_DECRYPT_YOUR_FILES.html",
|
||
"###-READ-FOR-HELLPP.html",
|
||
"000-PLEASE-READ-WE-HELP.html",
|
||
"CHECK-IT-HELP-FILES.html",
|
||
"WHERE-YOUR-FILES.html",
|
||
"HELP-ME-ENCED-FILES.html",
|
||
"WE-MUST-DEC-FILES.html",
|
||
"000-No-PROBLEM-WE-DEC-FILES.html",
|
||
"TRY-READ-ME-TO-DEC.html",
|
||
"000-IF-YOU-WANT-DEC-FILES.html",
|
||
"LET-ME-TRY-DEC-FILES.html",
|
||
"001-READ-FOR-DECRYPT-FILES.html",
|
||
"READ-READ-READ.html",
|
||
"IF_WANT_FILES_BACK_PLS_READ.html",
|
||
"READ_READ_DEC_FILES.html"
|
||
],
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
|
||
"http://blog.talosintel.com/2016/03/samsam-ransomware.html",
|
||
"http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sanction",
|
||
"description": "Ransomware Based on HiddenTear, but heavily modified keygen",
|
||
"meta": {
|
||
"extensions": [
|
||
".sanction"
|
||
],
|
||
"encryption": "AES-256 + RSA-2096",
|
||
"ransomnotes": [
|
||
"DECRYPT_YOUR_FILES.HTML"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sanctions",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".wallet"
|
||
],
|
||
"encryption": "AES-256 + RSA-2048",
|
||
"ransomnotes": [
|
||
"RESTORE_ALL_DATA.html"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sardoninir",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/835955409953357825"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Satana",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
"Sarah_G@ausi.com___"
|
||
],
|
||
"ransomnotes": [
|
||
"!satana!.txt"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/",
|
||
"https://blog.kaspersky.com/satana-ransomware/12558/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Scraper",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Serpico",
|
||
"description": "Ransomware DetoxCrypto Variant",
|
||
"meta": {
|
||
"encryption": "AES",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/Serpico.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Shark or Atom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Readme.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/",
|
||
"http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "ShinoLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".shino"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/760560147131408384",
|
||
"http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Shujin or KinCrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"文件解密帮助.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/chineseRansom.html",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Simple_Encoder",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".~"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"_RECOVER_INSTRUCTIONS.ini"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SkidLocker / Pompous",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_IT.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/",
|
||
"http://www.nyxbone.com/malware/SkidLocker.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Smash!",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Smrss32",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".encrypted"
|
||
],
|
||
"ransomnotes": [
|
||
"_HOW_TO_Decrypt.bmp"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SNSLocker",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".RSNSlocked",
|
||
".RSplited"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"READ_Me.txt"
|
||
],
|
||
"refs": [
|
||
"http://nyxbone.com/malware/SNSLocker.html",
|
||
"http://nyxbone.com/images/articulos/malware/snslocker/16.png"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Sport",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".sport"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Stampado",
|
||
"description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Random message includes bitcoin wallet address with instructions"
|
||
],
|
||
"refs": [
|
||
"https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
|
||
"http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/",
|
||
"https://decrypter.emsisoft.com/stampado",
|
||
"https://cdn.streamable.com/video/mp4/kfh3.mp4",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Strictor",
|
||
"description": "Ransomware Based on EDA2, shows Guy Fawkes mask",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/Strictor.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Surprise",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".surprise",
|
||
".tzu"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"DECRYPTION_HOWTO.Notepad"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Survey",
|
||
"description": "Ransomware Still in development, shows FileIce survey",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"ThxForYurTyme.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "SynoLocker",
|
||
"description": "Ransomware Exploited Synology NAS firmware directly over WAN"
|
||
},
|
||
{
|
||
"value": "SZFLocker",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".szf"
|
||
],
|
||
"refs": [
|
||
"http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TeamXrat",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".___xratteamLucked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"Como descriptografar os seus arquivos.txt"
|
||
],
|
||
"refs": [
|
||
"https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
|
||
"description": "Ransomware Factorization",
|
||
"meta": {
|
||
"extensions": [
|
||
".vvv",
|
||
".ecc",
|
||
".exx",
|
||
".ezz",
|
||
".abc",
|
||
".aaa",
|
||
".zzz",
|
||
".xyz"
|
||
],
|
||
"ransomnotes": [
|
||
"HELP_TO_SAVE_FILES.txt",
|
||
"Howto_RESTORE_FILES.html"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
|
||
"http://www.talosintel.com/teslacrypt_tool/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TeslaCrypt 3.0+",
|
||
"description": "Ransomware 4.0+ has no extension",
|
||
"meta": {
|
||
"extensions": [
|
||
".micro",
|
||
".xxx",
|
||
".ttt",
|
||
".mp3"
|
||
],
|
||
"encryption": "AES-256 + ECHD + SHA1",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
|
||
"http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
|
||
"https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TeslaCrypt 4.1A",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"encryption": "AES-256 + ECHD + SHA1",
|
||
"ransomnotes": [
|
||
"RECOVER<5_chars>.html",
|
||
"RECOVER<5_chars>.png",
|
||
"RECOVER<5_chars>.txt",
|
||
"_how_recover+<random 3 chars>.txt or .html",
|
||
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt",
|
||
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png",
|
||
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
|
||
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
|
||
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
|
||
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
|
||
"HELP_TO_SAVE_FILES.txt or .bmp"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
|
||
"http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
|
||
"https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
|
||
"https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain",
|
||
"https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TeslaCrypt 4.2",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"RECOVER<5_chars>.html",
|
||
"RECOVER<5_chars>.png",
|
||
"RECOVER<5_chars>.txt",
|
||
"_how_recover+<random 3 chars>.txt or .html",
|
||
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt",
|
||
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png",
|
||
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
|
||
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
|
||
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
|
||
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
|
||
"HELP_TO_SAVE_FILES.txt or .bmp"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
|
||
"http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
|
||
"https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
|
||
"http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Threat Finder",
|
||
"description": "Ransomware Files cannot be decrypted Has a GUI",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"HELP_DECRYPT.HTML"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
|
||
"description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted",
|
||
"meta": {
|
||
"extensions": [
|
||
".Encrypted",
|
||
".enc"
|
||
],
|
||
"encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt",
|
||
"ransomnotes": [
|
||
"HOW_TO_RESTORE_FILES.html",
|
||
"DECRYPT_INSTRUCTIONS.html",
|
||
"DESIFROVANI_POKYNY.html",
|
||
"INSTRUCCIONES_DESCIFRADO.html",
|
||
"ISTRUZIONI_DECRITTAZIONE.html",
|
||
"ENTSCHLUSSELN_HINWEISE.html",
|
||
"ONTSLEUTELINGS_INSTRUCTIES.html",
|
||
"INSTRUCTIONS_DE_DECRYPTAGE.html",
|
||
"SIFRE_COZME_TALIMATI.html",
|
||
"wie_zum_Wiederherstellen_von_Dateien.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
|
||
"https://twitter.com/PolarToffee/status/804008236600934403",
|
||
"http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TowerWeb",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Payment_Instructions.jpg"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Toxcrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".toxcrypt"
|
||
],
|
||
"ransomnotes": [
|
||
"tox.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Trojan or BrainCrypt",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".braincrypt"
|
||
],
|
||
"ransomnotes": [
|
||
"!!! HOW TO DECRYPT FILES !!!.txt"
|
||
],
|
||
"refs": [
|
||
"https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip",
|
||
"https://twitter.com/PolarToffee/status/811249250285842432"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Troldesh orShade, XTBL",
|
||
"description": "Ransomware May download additional malware after encryption",
|
||
"meta": {
|
||
"extensions": [
|
||
".breaking_bad",
|
||
".better_call_saul",
|
||
".xtbl",
|
||
".da_vinci_code",
|
||
".windows10",
|
||
".no_more_ransom"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"README<number>.txt",
|
||
"nomoreransom_note_original.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf",
|
||
"http://www.nyxbone.com/malware/Troldesh.html",
|
||
"https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "TrueCrypter",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".enc"
|
||
],
|
||
"encryption": "AES-256",
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Turkish",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".sifreli"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/821991600637313024"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Turkish Ransom",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".locked"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/turkishRansom.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "UmbreCrypt",
|
||
"description": "Ransomware CrypBoss Family",
|
||
"meta": {
|
||
"extensions": [
|
||
"umbrecrypt_ID_[VICTIMID]"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"README_DECRYPT_UMBRE_ID_[victim_id].jpg",
|
||
"README_DECRYPT_UMBRE_ID_[victim_id].txt",
|
||
"default32643264.bmp",
|
||
"default432643264.jpg"
|
||
],
|
||
"refs": [
|
||
"http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "UnblockUPC",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"ransomnotes": [
|
||
"Files encrypted.txt"
|
||
],
|
||
"refs": [
|
||
"https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Ungluk",
|
||
"description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key",
|
||
"meta": {
|
||
"extensions": [
|
||
".H3LL",
|
||
".0x0",
|
||
".1999"
|
||
],
|
||
"encryption": "AES",
|
||
"ransomnotes": [
|
||
"READTHISNOW!!!.txt",
|
||
"Hellothere.txt",
|
||
"YOUGOTHACKED.TXT"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Unlock92 ",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".CRRRT",
|
||
".CCCRRRPPP"
|
||
],
|
||
"ransomnotes": [
|
||
"READ_ME_!.txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/839038399944224768"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VapeLauncher",
|
||
"description": "Ransomware CryptoWire variant",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/839771195830648833"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VaultCrypt or CrypVault, Zlader",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".vault",
|
||
".xort",
|
||
".trun"
|
||
],
|
||
"encryption": "uses gpg.exe",
|
||
"ransomnotes": [
|
||
"VAULT.txt",
|
||
"xort.txt",
|
||
"trun.txt",
|
||
"<random>.hta | VAULT.hta"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/russianRansom.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VBRANSOM 7",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".VBRANSOM"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/817851339078336513"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "VenusLocker",
|
||
"description": "Ransomware Based on EDA2",
|
||
"meta": {
|
||
"extensions": [
|
||
".Venusf",
|
||
".Venusp"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"ReadMe.txt"
|
||
],
|
||
"refs": [
|
||
"https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social",
|
||
"http://www.nyxbone.com/malware/venusLocker.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Virlock",
|
||
"description": "Ransomware Polymorphism / Self-replication",
|
||
"meta": {
|
||
"extensions": [
|
||
".exe"
|
||
],
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/Virlock.html",
|
||
"http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Virus-Encoder or CrySiS",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".CrySiS",
|
||
".xtbl",
|
||
".crypt",
|
||
".DHARMA",
|
||
".id-########.decryptformoney@india.com.xtbl",
|
||
".[email_address].DHARMA"
|
||
],
|
||
"encryption": "AES-256",
|
||
"ransomnotes": [
|
||
"How to decrypt your data.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/",
|
||
"http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip",
|
||
"http://www.nyxbone.com/malware/virus-encoder.html",
|
||
"http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "WannaCry",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"refs": [
|
||
"https://twitter.com/struppigel/status/846241982347427840"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "WildFire Locker or Hades Locker",
|
||
"description": "Ransomware Zyklon variant",
|
||
"meta": {
|
||
"extensions": [
|
||
".wflx"
|
||
],
|
||
"ransomnotes": [
|
||
"HOW_TO_UNLOCK_FILES_README_(<ID>).txt"
|
||
],
|
||
"refs": [
|
||
"https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Xorist",
|
||
"description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length",
|
||
"meta": {
|
||
"extensions": [
|
||
".EnCiPhErEd",
|
||
".73i87A",
|
||
".p5tkjw",
|
||
".PoAr2w",
|
||
".fileiscryptedhard",
|
||
".encoderpass",
|
||
".zc3791",
|
||
".antihacker2017"
|
||
],
|
||
"encryption": "XOR or TEA",
|
||
"ransomnotes": [
|
||
"HOW TO DECRYPT FILES.TXT"
|
||
],
|
||
"refs": [
|
||
"https://support.kaspersky.com/viruses/disinfection/2911",
|
||
"https://decrypter.emsisoft.com/xorist"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "XRTN ",
|
||
"description": "Ransomware VaultCrypt family",
|
||
"meta": {
|
||
"extensions": [
|
||
".xrtn"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "You Have Been Hacked!!!",
|
||
"description": "Ransomware Attempt to steal passwords",
|
||
"meta": {
|
||
"extensions": [
|
||
".Locked"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/malwrhunterteam/status/808280549802418181"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zcrypt or Zcryptor",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".zcrypt"
|
||
],
|
||
"refs": [
|
||
"https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zeta or CryptoMix",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".code",
|
||
".scl",
|
||
".rmd"
|
||
],
|
||
"ransomnotes": [
|
||
"# HELP_DECRYPT_YOUR_FILES #.TXT"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/JakubKroustek/status/804009831518572544"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zimbra",
|
||
"description": "Ransomware mpritsken@priest.com",
|
||
"meta": {
|
||
"extensions": [
|
||
".crypto"
|
||
],
|
||
"ransomnotes": [
|
||
"how.txt"
|
||
],
|
||
"refs": [
|
||
"http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zlader / Russian or VaultCrypt, CrypVault",
|
||
"description": "Ransomware VaultCrypt family",
|
||
"meta": {
|
||
"extensions": [
|
||
".vault"
|
||
],
|
||
"encryption": "RSA",
|
||
"refs": [
|
||
"http://www.nyxbone.com/malware/russianRansom.html"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zorro",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".zorro"
|
||
],
|
||
"ransomnotes": [
|
||
"Take_Seriously (Your saving grace).txt"
|
||
],
|
||
"refs": [
|
||
"https://twitter.com/BleepinComputer/status/844538370323812353"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "Zyklon or GNL Locker",
|
||
"description": "Ransomware Hidden Tear family, GNL Locker variant",
|
||
"meta": {
|
||
"extensions": [
|
||
".zyklon"
|
||
]
|
||
}
|
||
},
|
||
{
|
||
"value": "vxLock",
|
||
"description": "Ransomware",
|
||
"meta": {
|
||
"extensions": [
|
||
".vxLock"
|
||
]
|
||
}
|
||
}
|
||
],
|
||
"authors": [
|
||
"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
|
||
"http://pastebin.com/raw/GHgpWjar"
|
||
]
|
||
}
|