misp-galaxy/clusters/ransomware.json

870 lines
20 KiB
JSON
Raw Normal View History

2017-01-30 15:45:20 +01:00
{
"authors": [
2017-01-31 09:11:26 +01:00
"Various"
2017-01-30 15:45:20 +01:00
],
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"type": "ransomware",
"version": 1,
"name": "Ransomware",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"values": [
{
"description": "AES(256); .enc; ",
"value": ".CryptoHasYou."
},
{
"description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ",
"value": "777"
},
{
"description": "7ev3n-HONE$T; .R4A .R5A; ",
"value": "7ev3n"
},
{
"description": "AES; .7h9r; ",
"value": "7h9r"
},
{
"description": "AES (256); .8lock8; ",
"value": "8lock8"
},
{
"description": ".bin; ",
"value": "Alfa Ransomware"
},
{
"description": "AES(128); random; random(x5); ",
"value": "Alma Ransomware"
},
{
"description": "AlphaLocker; AES(256); .encrypt; ",
"value": "Alpha Ransomware"
},
{
"description": ".amba; ",
"value": "AMBA"
},
{
"description": ".adk; ",
"value": "Angry Duck"
},
{
"description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ",
"value": "Apocalypse"
},
{
"description": ".encrypted .locked; ",
"value": "ApocalypseVM"
},
{
"description": ".locky; ",
"value": "AutoLocky"
},
{
"description": "",
"value": "BadBlock"
},
{
"description": ".adr; ",
"value": "BaksoCrypt"
},
{
"description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ",
"value": "Bandarchor"
},
{
"description": "BaCrypt; .bart.zip .bart .perl; ",
"value": "Bart"
},
{
"description": ".clf; ",
"value": "BitCryptor"
},
{
"description": "Base64 + String Replacement; .bitstak; ",
"value": "BitStak"
},
{
"description": "SilentShade; AES (256); .Silent; ",
"value": "BlackShades Crypter"
},
{
"description": "AES (256); .blocatto; ",
"value": "Blocatto"
},
{
"description": "Salam!; ",
"value": "Booyah"
},
{
"description": "AES(256); .lock; ",
"value": "Brazilian"
},
{
"description": "AES; ",
"value": "BrLock"
},
{
"description": "",
"value": "Browlock"
},
{
"description": "GOST; ; ",
"value": "Bucbi"
},
{
"description": "(.*).encoded.([A-Z0-9]{9}); ",
"value": "BuyUnlockCode"
},
{
"description": ".cry; ",
"value": "Central Security Treatment Organization"
},
{
"description": "AES; .cerber .cerber2 .cerber3; ",
"value": "Cerber"
},
{
"description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ",
"value": "Chimera"
},
{
"description": ".clf; ",
"value": "CoinVault"
},
{
"description": "AES(256); .coverton .enigma .czvxce; ",
"value": "Coverton"
},
{
"description": ".{CRYPTENDBLACKDC}; ",
"value": "Cryaki"
},
{
"description": "",
"value": "Crybola"
},
{
"description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ",
"value": "CryFile"
},
{
"description": "Cry, CSTO; .cry; ",
"value": "CryLocker"
},
{
"description": "AES(256); ",
"value": "CrypMIC"
},
{
"description": ".ENCRYPTED; ",
"value": "Crypren"
},
{
"description": "AES; .crypt38; ",
"value": "Crypt38"
},
{
"description": "Hidden Tear; AES(256); ",
"value": "Cryptear"
},
{
"description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ",
"value": "CryptFIle2"
},
{
"description": ".crinf; ",
"value": "CryptInfinite"
},
{
"description": "AES and RSA; ",
"value": "CryptoBit"
},
{
"description": "",
"value": "CryptoDefense"
},
{
"description": "Ranscam; ",
"value": "CryptoFinancial"
},
{
"description": "AES (256), RSA (1024); .frtrss; ",
"value": "CryptoFortress"
},
{
"description": ".clf; ",
"value": "CryptoGraphic Locker"
},
{
"description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ",
"value": "CryptoHost"
},
{
"description": "AES-256; .crjoker; ",
"value": "CryptoJoker"
},
{
"description": ".encrypted .ENC; ",
"value": "CryptoLocker"
},
{
"description": "[A-F0-9]{8}_luck; ",
"value": "CryptoLuck / YafunnLocker"
},
{
"description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ",
"value": "CryptoMix"
},
{
"description": "AES; .crptrgr; ",
"value": "CryptoRoger"
},
{
"description": "AES; .locked; ",
"value": "CryptoShocker"
},
{
"description": ".CryptoTorLocker2015!; ",
"value": "CryptoTorLocker2015"
},
{
"description": "no filename change; ",
"value": "CryptoWall 1"
},
{
"description": "no filename change; ",
"value": "CryptoWall 2"
},
{
"description": "no filename change; ",
"value": "CryptoWall 3"
},
{
"description": "<random>.<random>, e.g., 27p9k967z.x1nep; ",
"value": "CryptoWall 4"
},
{
"description": "CryptProjectXXX; .crypt; ",
"value": "CryptXXX"
},
{
"description": "CryptProjectXXX; .crypt; ",
"value": "CryptXXX 2.0"
},
{
"description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ",
"value": "CryptXXX 3.0"
},
{
"description": ".cryp1; ",
"value": "CryptXXX 3.1"
},
{
"description": "",
"value": "CTB-Faker"
},
{
"description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ",
"value": "CTB-Locker"
},
{
"description": "AES(256); ",
"value": "CTB-Locker WEB"
},
{
"description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ",
"value": "CuteRansomware"
},
{
"description": "",
"value": "Deadly for a Good Purpose"
},
{
"description": ".html; ",
"value": "DeCrypt Protect"
},
{
"description": "AES-256; .ded; ",
"value": "DEDCryptor"
},
{
"description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ",
"value": "DetoxCrypto"
},
{
"description": "",
"value": "DirtyDecrypt"
},
{
"description": "AES(256) in ECB mode, Version 2-4 also RSA; ",
"value": "DMALocker"
},
{
"description": "AES(256); ",
"value": "DMALocker 3.0"
},
{
"description": "AES(256); .domino; ",
"value": "Domino"
},
{
"description": "Cryptear; AES(256); .locked; ",
"value": "EDA2 / HiddenTear"
},
{
"description": "EduCrypter; .isis .locked; ",
"value": "EduCrypt"
},
{
"description": "Los Pollos Hermanos; .ha3; ",
"value": "El-Polocker"
},
{
"description": "Trojan.Encoder.6491; ",
"value": "Encoder.xxxx"
},
{
"description": "AES (128); .enigma .1txt; ",
"value": "Enigma"
},
{
"description": ".exotic; ",
"value": "Exotic"
},
{
"description": "",
"value": "Fairware"
},
{
"description": ".locked; ",
"value": "Fakben"
},
{
"description": "Variants: Comrade Circle; AES(128); .fantom; ",
"value": "Fantom"
},
{
"description": "",
"value": "Fonco"
},
{
"description": "",
"value": "FSociety"
},
{
"description": "",
"value": "Fury"
},
{
"description": "AES (256); .Z81928819; ",
"value": "GhostCrypt"
},
{
"description": "Purge; Blowfish; .purge; ",
"value": "Globe v1"
},
{
"description": "Purge; Blowfish; .<email>.<random> e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ",
"value": "Globe v2"
},
{
"description": "Purge; RC4; .globe or random; ",
"value": "Globe v3"
},
{
"description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; <ID>.locked, e.g., bill.!ID!8MMnF!ID!.locked; ",
"value": "GNL Locker"
},
{
"description": ".crypt; !___[EMAILADDRESS]_.crypt; ",
"value": "Gomasom"
},
{
"description": "",
"value": "Goopic"
},
{
"description": "",
"value": "Gopher"
},
{
"description": ".html; ",
"value": "Harasom"
},
{
"description": "Mamba; Custom (net shares), XTS-AES (disk); ",
"value": "HDDCryptor"
},
{
"description": ".herbst; ",
"value": "Herbst"
},
{
"description": "AES(256); .cry ; ",
"value": "Hi Buddy!"
},
{
"description": "removes extensions; ",
"value": "Hitler"
},
{
"description": "AES; (encrypted); ",
"value": "HolyCrypt"
},
{
"description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ",
"value": "Hucky"
},
{
"description": "hydracrypt_ID_[\\w]{8}; ",
"value": "HydraCrypt"
},
{
"description": ".crime; ",
"value": "iLock"
},
{
"description": ".crime; ",
"value": "iLockLight"
},
{
"description": "<6 random characters>; ",
"value": "International Police Association"
},
{
"description": "!ENC; ",
"value": "JagerDecryptor"
},
{
"description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ",
"value": "Jeiphoos"
},
{
"description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ",
"value": "Jigsaw"
},
{
"description": "TripleDES; .locked .css; ",
"value": "Job Crypter"
},
{
"description": "AES; .encrypted; ",
"value": "KeRanger"
},
{
"description": "keybtc@inbox_com ; ",
"value": "KeyBTC"
},
{
"description": "",
"value": "KEYHolder"
},
{
"description": ".rip; ",
"value": "Killer Locker"
},
{
"description": "AES; .kimcilware .locked; ",
"value": "KimcilWare"
},
{
"description": "AES(256); .암호화됨; ",
"value": "Korean"
},
{
"description": ".kostya; ",
"value": "Kostya"
},
{
"description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ",
"value": "Kozy.Jozy"
},
{
"description": ".kratos; ",
"value": "KratosCrypt"
},
{
"description": "AES(256); ",
"value": "KryptoLocker"
},
{
"description": ".LeChiffre; ",
"value": "LeChiffre"
},
{
"description": "Linux.Encoder.{0,3}; ",
"value": "Linux.Encoder"
},
{
"description": "",
"value": "Locker"
},
{
"description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ",
"value": "Locky"
},
{
"description": ".lock93; ",
"value": "Lock93"
},
{
"description": ".crime; ",
"value": "Lortok"
},
{
"description": "oor.; ",
"value": "LowLevel04"
},
{
"description": "",
"value": "Mabouia"
},
{
"description": "AES(256); .magic; ",
"value": "Magic"
},
{
"description": "AES(256), RSA (2048); [a-z]{4,6}; ",
"value": "MaktubLocker"
},
{
"description": "Crypt888; AES; Lock.; ",
"value": "MIRCOP"
},
{
"description": "AES(256); .fucked, .fuck; ",
"value": "MireWare"
},
{
"description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ",
"value": "Mischa"
},
{
"description": "Booyah; AES(256); .locked; ",
"value": "MM Locker"
},
{
"description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ",
"value": "Mobef"
},
{
"description": "",
"value": "n1n1n1"
},
{
"description": "",
"value": "Nagini"
},
{
"description": "AES (256), RSA; ",
"value": "NanoLocker"
},
{
"description": "XOR(255) 7zip; .crypted; ",
"value": "Nemucod"
},
{
"description": "",
"value": "NoobCrypt"
},
{
"description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ",
"value": "ODCODC"
},
{
"description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ",
"value": "Offline ransomware"
},
{
"description": "GPCode; .LOL! .OMG!; ",
"value": "OMG! Ransomware"
},
{
"description": "",
"value": "Onyx"
},
{
"description": ".EXE; ",
"value": "Operation Global III"
},
{
"description": ".padcrypt; ",
"value": "PadCrypt"
},
{
"description": "XOR; ",
"value": "PClock"
},
{
"description": "Goldeneye; Modified Salsa20; ",
"value": "Petya"
},
{
"description": "AES(256); .locked; <file_hash>.locked; ",
"value": "Philadelphia"
},
{
"description": ".id-[victim_id]-maestro@pizzacrypts.info; ",
"value": "PizzaCrypts"
},
{
"description": "AES(256); .locked; ",
"value": "PokemonGO"
},
{
"description": "AES(256); .filock; ",
"value": "Popcorn Time"
},
{
"description": "AES(256); ",
"value": "Polyglot"
},
{
"description": "PoshCoder; AES(128); .locky; ",
"value": "PowerWare"
},
{
"description": "AES, but throws key away, destroys the files; ",
"value": "PowerWorm"
},
{
"description": "",
"value": "PRISM"
},
{
"description": ".crypt; ",
"value": "R980"
},
{
"description": "RAA; .locked; ",
"value": "RAA encryptor"
},
{
"description": "AES(256); .RDM .RRK .RAD .RADAMANT; ",
"value": "Radamant"
},
{
"description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\\w]{4,12}; ",
"value": "Rakhni"
},
{
"description": "locked-<original name>.[a-zA-Z]{4}; ",
"value": "Rannoh"
},
{
"description": "",
"value": "Ransom32"
},
{
"description": "Asymmetric 1024 ; ",
"value": "RansomLock"
},
{
"description": ".vscrypt .infected .bloc .korrektor; ",
"value": "Rector"
},
{
"description": "AES(256); .rekt; ",
"value": "RektLocker"
},
{
"description": ".remind .crashed; ",
"value": "RemindMe"
},
{
"description": "Curve25519 + ChaCha; .rokku; ",
"value": "Rokku"
},
{
"description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ",
"value": "Samas-Samsam"
},
{
"description": "AES(256) + RSA(2096); .sanction; ",
"value": "Sanction"
},
{
"description": "Sarah_G@ausi.com___; ",
"value": "Satana"
},
{
"description": "",
"value": "Scraper"
},
{
"description": "AES; ",
"value": "Serpico"
},
{
"description": "Atom; .locked; ",
"value": "Shark"
},
{
"description": ".shino; ",
"value": "ShinoLocker"
},
{
"description": "KinCrypt; ",
"value": "Shujin"
},
{
"description": "AES; .~; ",
"value": "Simple_Encoder"
},
{
"description": "AES(256); .locked; ",
"value": "SkidLocker / Pompous"
},
{
"description": ".encrypted; ",
"value": "Smrss32"
},
{
"description": "AES(256); .RSNSlocked .RSplited; ",
"value": "SNSLocker"
},
{
"description": ".sport; ",
"value": "Sport"
},
{
"description": "AES(256); .locked; ",
"value": "Stampado"
},
{
"description": "AES(256); .locked; ",
"value": "Strictor"
},
{
"description": "AES(256); .surprise .tzu; ",
"value": "Surprise"
},
{
"description": "",
"value": "Survey"
},
{
"description": "",
"value": "SynoLocker"
},
{
"description": ".szf; ",
"value": "SZFLocker"
},
{
"description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ",
"value": "TeleCrypt"
},
{
"description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ",
"value": "TeslaCrypt 0.x - 2.2.0"
},
{
"description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ",
"value": "TeslaCrypt 3.0+"
},
{
"description": "AES(256) + ECHD + SHA1; ",
"value": "TeslaCrypt 4.1A"
},
{
"description": "",
"value": "TeslaCrypt 4.2"
},
{
"description": "",
"value": "Threat Finder"
},
{
"description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ",
"value": "TorrentLocker"
},
{
"description": "",
"value": "TowerWeb"
},
{
"description": ".toxcrypt; ",
"value": "Toxcrypt"
},
{
"description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ",
"value": "Troldesh"
},
{
"description": "AES(256); .enc; ",
"value": "TrueCrypter"
},
{
"description": "AES(256); .locked; ",
"value": "Turkish Ransom"
},
{
"description": "AES; umbrecrypt_ID_[VICTIMID]; ",
"value": "UmbreCrypt"
},
{
"description": "AES; .H3LL .0x0 .1999; ",
"value": "Ungluk"
},
{
"description": ".CRRRT .CCCRRRPPP; ",
"value": "Unlock92"
},
{
"description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ",
"value": "VaultCrypt"
},
{
"description": "",
"value": "VenisRansomware"
},
{
"description": "AES(256); .Venusf .Venusp; ",
"value": "VenusLocker"
},
{
"description": ".exe; ",
"value": "Virlock"
},
{
"description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ",
"value": "Virus-Encoder"
},
{
"description": ".wflx; ",
"value": "WildFire Locker"
},
{
"description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ",
"value": "Xorist"
},
{
"description": ".xrtn; ",
"value": "XRTN "
},
{
"description": "Zcryptor; .zcrypt; ",
"value": "Zcrypt"
},
{
"description": ".crypto; ",
"value": "Zimbra"
},
{
"description": "VaultCrypt CrypVault; RSA; .vault; ",
"value": "Zlader / Russian"
},
{
"description": "GNL Locker; .zyklon; ",
"value": "Zyklon"
2017-02-09 08:46:21 +01:00
},
{
"description": "AES; ",
"value": "Erebus"
2017-01-30 15:45:20 +01:00
}
],
"source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml"
}