{
"Event": {
"analysis": "2",
"date": "2016-06-30",
"extends_uuid": "",
"info": "OSINT - Apocalypse: Ransomware which targets companies through insecure RDP",
"publish_timestamp": "1467288991",
"published": true,
"threat_level_id": "3",
"timestamp": "1467288974",
"uuid": "57750a68-58c8-4323-8c93-c828950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#006c6c",
"name": "ecsirt:malicious-code=\"ransomware\""
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288191",
"to_ids": false,
"type": "comment",
"uuid": "57750a7f-c27c-4526-a5fd-49ef950d210f",
"value": "Beyond a shadow of a doubt 2016 has been the year of ransomware. So it comes as no surprise that new ransomware families are popping up on a weekly basis. Emsisoft has been on the frontline battling ransomware for years now, providing users with valuable tools allowing them to recover their files after ransomware attacks. As a result Emsisoft researchers often find themselves at the receiving end of hate from ransomware authors. Late last year, we took a look at Radamant, whose authors included some rather unkind messages after our research team broke their amateurish ransomware. Today, we want to take a look at a new ransomware family, Apocalypse, which reared its ugly head about 2 months ago and recently started spewing insults towards our team as well."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288214",
"to_ids": false,
"type": "link",
"uuid": "57750a96-b80c-4b3e-ac7f-c826950d210f",
"value": "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
},
{
"category": "Attribution",
"comment": "email addresses are used in the ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288278",
"to_ids": true,
"type": "campaign-id",
"uuid": "57750ad6-bc78-4a06-9be6-4701950d210f",
"value": "r.compress@us1.l.a"
},
{
"category": "Attribution",
"comment": "email addresses are used in the ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288278",
"to_ids": true,
"type": "campaign-id",
"uuid": "57750ad6-2164-47f6-a1ba-46c9950d210f",
"value": "dr.compress@bk.ru"
},
{
"category": "Attribution",
"comment": "email addresses are used in the ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288278",
"to_ids": true,
"type": "campaign-id",
"uuid": "57750ad6-0da8-489a-8259-427a950d210f",
"value": "dr.jimbo@bk.ru"
},
{
"category": "Attribution",
"comment": "email addresses are used in the ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288279",
"to_ids": true,
"type": "campaign-id",
"uuid": "57750ad7-1094-4d92-ae00-4d08950d210f",
"value": "dr.decrypter@bk.ru"
},
{
"category": "Attribution",
"comment": "email addresses are used in the ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288279",
"to_ids": true,
"type": "campaign-id",
"uuid": "57750ad7-cec0-4910-8544-4577950d210f",
"value": "decryptionservice@mail.ru"
},
{
"category": "Payload delivery",
"comment": "New sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288493",
"to_ids": true,
"type": "md5",
"uuid": "57750bad-5ea4-48c3-bb28-c825950d210f",
"value": "ac70f2517698ca81bf161645413f168c"
},
{
"category": "Payload delivery",
"comment": "New sample - Xchecked via VT: ac70f2517698ca81bf161645413f168c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288974",
"to_ids": true,
"type": "sha256",
"uuid": "57750d8e-92a8-480c-a5b0-d08c02de0b81",
"value": "aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5"
},
{
"category": "Payload delivery",
"comment": "New sample - Xchecked via VT: ac70f2517698ca81bf161645413f168c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288975",
"to_ids": true,
"type": "sha1",
"uuid": "57750d8f-1bc0-4991-a6ab-d08c02de0b81",
"value": "70a255c076bd108b0654ae58b6f805efd2ad9613"
},
{
"category": "External analysis",
"comment": "New sample - Xchecked via VT: ac70f2517698ca81bf161645413f168c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1467288975",
"to_ids": false,
"type": "link",
"uuid": "57750d8f-5d80-4464-9471-d08c02de0b81",
"value": "https://www.virustotal.com/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/1466865459/"
}
]
}
}