{ "type": "bundle", "id": "bundle--5b27bbde-0ba0-4bd3-ad7d-469c950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-24T07:47:22.000Z", "modified": "2018-09-24T07:47:22.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "grouping", "spec_version": "2.1", "id": "grouping--5b27bbde-0ba0-4bd3-ad7d-469c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-09-24T07:47:22.000Z", "modified": "2018-09-24T07:47:22.000Z", "name": "OSINT - The Week in Ransomware - June 15th 2018 - DBGer, Scarab, and More", "context": "suspicious-activity", "object_refs": [ "observed-data--5b27bc4b-aaf8-4f92-ac83-49c5950d210f", "url--5b27bc4b-aaf8-4f92-ac83-49c5950d210f", "indicator--5b27bc9a-f144-45a4-bd58-c52c950d210f", "indicator--5b28a8be-3360-4a66-93b5-493f950d210f", "indicator--5b28a8be-4208-4cc4-88d6-44ad950d210f", "indicator--5b28a8bf-8898-4434-ab42-4719950d210f", "indicator--5b28a8bf-cd38-4eb7-982c-4630950d210f", "indicator--5b28b323-83e4-4492-a760-4f4e950d210f", "indicator--5b28b324-f6ec-47e8-a3a6-4e10950d210f", "indicator--5b28cc3c-df58-41f5-8416-4134950d210f", "indicator--5b28cc3c-05d0-4539-8e15-4116950d210f", "indicator--5b28cea4-fab4-46e5-b593-4efb950d210f", "indicator--5b28cea5-0318-42a6-b336-49bc950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "malware_classification:malware-category=\"Ransomware\"", "osint:source-type=\"blog-post\"", "misp-galaxy:ransomware=\"Donut\"", "misp-galaxy:ransomware=\"NemeS1S Ransomware\"", "misp-galaxy:ransomware=\"Paradise Ransomware\"", "misp-galaxy:ransomware=\"RotorCrypt(RotoCrypt, Tar) Ransomware\"", "misp-galaxy:ransomware=\"B2DR Ransomware\"", "misp-galaxy:ransomware=\"Scarab\"", "misp-galaxy:ransomware=\"YYTO Ransomware\"", "misp-galaxy:ransomware=\"Xorist\"", "misp-galaxy:ransomware=\"DBGer Ransomware\"", "misp-galaxy:ransomware=\"Unnamed ramsomware 2\"", 
"misp-galaxy:ransomware=\"Everbe Ransomware\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b27bc4b-aaf8-4f92-ac83-49c5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-18T14:06:16.000Z", "modified": "2018-06-18T14:06:16.000Z", "first_observed": "2018-06-18T14:06:16Z", "last_observed": "2018-06-18T14:06:16Z", "number_observed": 1, "object_refs": [ "url--5b27bc4b-aaf8-4f92-ac83-49c5950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"", "osint:source-type=\"blog-post\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5b27bc4b-aaf8-4f92-ac83-49c5950d210f", "value": "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b27bc9a-f144-45a4-bd58-c52c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-18T14:07:22.000Z", "modified": "2018-06-18T14:07:22.000Z", "description": "B2DR Ransomware Ransomnote", "pattern": "[file:name = 'ScrewYou.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-18T14:07:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28a8be-3360-4a66-93b5-493f950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T06:55:24.000Z", "modified": "2018-06-19T06:55:24.000Z", "description": "YYTO Ransomware", "pattern": "[email-message:from_ref.value = 'codyprince92@mail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T06:55:24Z", "kill_chain_phases": [ { 
"kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28a8be-4208-4cc4-88d6-44ad950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T06:55:24.000Z", "modified": "2018-06-19T06:55:24.000Z", "description": "YYTO Ransomware - URL of the Tor Project's public Tor Browser download page (torproject.org), not attacker-controlled infrastructure; treat as context only, since using it for alerting or blocking carries a high false-positive risk", "pattern": "[url:value = 'https://www.torproject.org/download/download-easy.html.en']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T06:55:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"url\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28a8bf-8898-4434-ab42-4719950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T06:55:24.000Z", "modified": "2018-06-19T06:55:24.000Z", "description": "YYTO Ransomware", "pattern": "[domain-name:value = 'torbox3uiot6wchz.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T06:55:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"domain\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28a8bf-cd38-4eb7-982c-4630950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T06:55:24.000Z", "modified": "2018-06-19T06:55:24.000Z", "description": "YYTO Ransomware", "pattern": "[email-message:from_ref.value = 'codyprince@torbox3uiot6wchz.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T06:55:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", 
"phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28b323-83e4-4492-a760-4f4e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T07:39:15.000Z", "modified": "2018-06-19T07:39:15.000Z", "description": "B2DR Ransomware", "pattern": "[email-message:from_ref.value = 'ssananunak1987@protonmail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T07:39:15Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28b324-f6ec-47e8-a3a6-4e10950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T07:39:16.000Z", "modified": "2018-06-19T07:39:16.000Z", "description": "B2DR Ransomware", "pattern": "[email-message:from_ref.value = 'ssananunak1987@torbox3uiot6wchz.onion']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T07:39:16Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28cc3c-df58-41f5-8416-4134950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T09:26:20.000Z", "modified": "2018-06-19T09:26:20.000Z", "description": "Everbe", "pattern": "[email-message:from_ref.value = 'everbe@airmail.cc']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T09:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": 
[ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28cc3c-05d0-4539-8e15-4116950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T09:26:20.000Z", "modified": "2018-06-19T09:26:20.000Z", "description": "Everbe", "pattern": "[file:name = '!=How_recovery_files=!.txt']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T09:26:20Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28cea4-fab4-46e5-b593-4efb950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T09:36:36.000Z", "modified": "2018-06-19T09:36:36.000Z", "description": "Scarab ransomware", "pattern": "[email-message:from_ref.value = 'mr.leen@protonmail.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T09:36:36Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b28cea5-0318-42a6-b336-49bc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2018-06-19T09:36:37.000Z", "modified": "2018-06-19T09:36:37.000Z", "description": "Scarab ransomware", "pattern": "[file:name = 'INSTRUCTIONS FOR RESTORING FILES.TXT']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-06-19T09:36:37Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"filename\"", "misp:category=\"Payload delivery\"", 
"misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }