{ "type": "bundle", "id": "bundle--59d48b3a-e3b4-4eb4-b675-464a950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:34.000Z", "modified": "2017-10-04T08:35:34.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--59d48b3a-e3b4-4eb4-b675-464a950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:34.000Z", "modified": "2017-10-04T08:35:34.000Z", "name": "OSINT - Locky Ransomware switches to the Lukitus extension for Encrypted Files", "context": "suspicious-activity", "object_refs": [ "observed-data--59d49d4f-52c8-4e09-bd43-403202de0b81", "url--59d49d4f-52c8-4e09-bd43-403202de0b81", "indicator--59d49d4f-4f50-4514-a127-4f5f02de0b81", "indicator--59d49d4f-6b7c-4c33-ba06-4ca402de0b81", "indicator--59d49275-d7a4-4ea5-8c42-4b36950d210f", "indicator--59d49275-93ec-4c5b-8354-447c950d210f", "indicator--59d49275-4930-42bf-b458-42ef950d210f", "x-misp-attribute--59d48ba1-8cf0-4f6a-94e8-4771950d210f", "observed-data--59d48b5b-42a4-4f3e-b70d-4429950d210f", "url--59d48b5b-42a4-4f3e-b70d-4429950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:ransomware=\"Locky\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d49d4f-52c8-4e09-bd43-403202de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "first_observed": "2017-10-04T08:35:27Z", "last_observed": "2017-10-04T08:35:27Z", "number_observed": 1, "object_refs": [ "url--59d49d4f-52c8-4e09-bd43-403202de0b81" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d49d4f-52c8-4e09-bd43-403202de0b81", "value": "https://www.virustotal.com/file/29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035/analysis/1506937290/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d49d4f-4f50-4514-a127-4f5f02de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "description": "- Xchecked via VT: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "pattern": "[file:hashes.MD5 = '4baa57a08c90b78d16c634c22385a748']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:35:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"md5\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d49d4f-6b7c-4c33-ba06-4ca402de0b81", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "description": "- Xchecked via VT: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "pattern": "[file:hashes.SHA1 = '365da6a9e46ef2746b01cb9189f44ff4c330bd0a']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:35:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha1\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d49275-d7a4-4ea5-8c42-4b36950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "pattern": "[file:hashes.SHA256 = '29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:35:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"sha256\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d49275-93ec-4c5b-8354-447c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "description": "Ransomnote", "pattern": "[file:name = 'lukitus.bmp']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:35:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59d49275-4930-42bf-b458-42ef950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "description": "Ransomnote", "pattern": "[file:name = 'lukitus.htm']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2017-10-04T08:35:27Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--59d48ba1-8cf0-4f6a-94e8-4771950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "labels": [ "misp:type=\"comment\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ], "x_misp_category": "External analysis", "x_misp_type": "comment", "x_misp_value": "Today a new Locky Ransomware variant was discovered by Rommel Joven that switches to the .lukitus extension for encrypted files. It is important to note that if you are infected with this ransomware, you are not infected with the Lukitus Ransomware, as some sites may call it. You are instead infected by Locky, which is using the .lukitus extension. There is a difference." }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--59d48b5b-42a4-4f3e-b70d-4429950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-10-04T08:35:27.000Z", "modified": "2017-10-04T08:35:27.000Z", "first_observed": "2017-10-04T08:35:27Z", "last_observed": "2017-10-04T08:35:27Z", "number_observed": 1, "object_refs": [ "url--59d48b5b-42a4-4f3e-b70d-4429950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--59d48b5b-42a4-4f3e-b70d-4429950d210f", "value": "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }