misp-circl-feed/feeds/circl/misp/5b27b1a5-34c4-4896-a522-473d950d210f.json


{"Event": {"info": "OSINT - New Paradise Ransomware variant", "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}, {"colour": "#366c00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#002642", "exportable": true, "name": "osint:source-type=\"microblog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:ransomware=\"Paradise Ransomware\""}], "publish_timestamp": "0", "timestamp": "1540563773", "Object": [{"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5b27b1f9-8cf8-4ae9-9317-ee9f950d210f", "sharing_group_id": "0", "timestamp": "1529328121", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "4", "Attribute": [{"comment": "", "category": "Other", "uuid": "5b27b1f9-8978-422d-b610-ee9f950d210f", "timestamp": "1529328121", "to_ids": false, "value": "The new Paradise ransomware version stores the config in a section called \"trump\"...\r\n\ud83d\ude02\r\n@BleepinComputer @demonslay335", "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5b27b1fa-4f88-45c7-87d6-ee9f950d210f", "timestamp": "1529328122", "to_ids": false, "value": "Twitter", "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Network activity", "uuid": "5b27b1fa-8cfc-42d7-af0d-ee9f950d210f", "timestamp": "1529328122", "to_ids": true, "value": "https://twitter.com/malwrhunterteam/status/993499349199056897", "disable_correlation": false, "object_relation": "url", "type": "url"}, {"comment": "", "category": "Other", "uuid": "5b27b1fb-a848-4aec-809e-ee9f950d210f", "timestamp": "1529328123", "to_ids": false, "value": "@BleepinComputer @demonslay335", "disable_correlation": false, "object_relation": "username-quoted", "type": 
"text"}, {"comment": "", "category": "Other", "uuid": "5b27b1fd-3718-46a5-b53e-ee9f950d210f", "timestamp": "1529328125", "to_ids": false, "value": "7 May 2018", "disable_correlation": false, "object_relation": "creation-date", "type": "datetime"}, {"comment": "", "category": "Other", "uuid": "5b27b1fe-3f6c-4ad0-b15d-ee9f950d210f", "timestamp": "1529328126", "to_ids": false, "value": "@malwrhunterteam", "disable_correlation": false, "object_relation": "username", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}, {"comment": "", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "uuid": "5b27b397-a6e8-4a70-9151-ef38950d210f", "sharing_group_id": "0", "timestamp": "1529328535", "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "template_version": "4", "Attribute": [{"comment": "", "category": "Other", "uuid": "5b27b397-74fc-41f8-bb77-ef38950d210f", "timestamp": "1529328535", "to_ids": false, "value": "Latest sample of Paradise ransomware (RaaS?) still uses \"trump\" as section name ((link: https://twitter.com/malwrhunterteam/status/993499349199056897) twitter.com/malwrhuntertea\u2026) and mutex.\r\nUses GetUserDefaultLangID & checks for 12 values, then uses an IP API & 12 checks again. 
\r\nIf can't guess the values, see screens...\r\n@BleepinComputer @demonslay335", "disable_correlation": false, "object_relation": "post", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5b27b398-75c4-406d-aabb-ef38950d210f", "timestamp": "1529328536", "to_ids": false, "value": "Twitter", "disable_correlation": true, "object_relation": "type", "type": "text"}, {"comment": "", "category": "Network activity", "uuid": "5b27b398-f3ac-47eb-af44-ef38950d210f", "timestamp": "1529328536", "to_ids": true, "value": "https://twitter.com/malwrhunterteam/status/1005420103415017472", "disable_correlation": false, "object_relation": "url", "type": "url"}, {"comment": "", "category": "Other", "uuid": "5b27b398-c6b4-47bd-8247-ef38950d210f", "timestamp": "1529328536", "to_ids": false, "value": "@BleepinComputer @demonslay335", "disable_correlation": false, "object_relation": "username-quoted", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5b27b399-ac90-496a-ba51-ef38950d210f", "timestamp": "1529328537", "to_ids": false, "value": "9 Jun 2018", "disable_correlation": false, "object_relation": "creation-date", "type": "datetime"}, {"comment": "", "category": "Other", "uuid": "5b27b399-c524-4b8c-936b-ef38950d210f", "timestamp": "1529328537", "to_ids": false, "value": "@malwrhunterteam", "disable_correlation": false, "object_relation": "username", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "microblog"}], "analysis": "2", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5b27b3c1-d6dc-4443-b8bf-ef38950d210f", "timestamp": "1529328577", "to_ids": true, "value": "paradise@all-ransomware.info", "disable_correlation": false, "object_relation": null, "type": "email-src"}, {"comment": "Ransom note filename. The value is a file name, not an email address, so type email-src is a misclassification; retype as filename before relying on to_ids for IDS export, or the email-based feed will carry a bogus indicator.", "category": "Payload delivery", "uuid": "5b27b3c2-aca8-4318-92e2-ef38950d210f", "timestamp": "1529328578", "to_ids": true, "value": "paradise_readme_paradise@all-ransomware.info.txt", "disable_correlation": false, 
"object_relation": null, "type": "email-src"}], "extends_uuid": "", "published": false, "date": "2018-06-15", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5b27b1a5-34c4-4896-a522-473d950d210f"}}