Merge pull request #305 from Delta-Sierra/master

Add Rotexy
2018-11-26 20:46:04 +01:00 · 2018-11-26 20:46:04 +01:00 · 0b6ed2cd49
parent a1c315bd95 6f255c0999
commit 0b6ed2cd49
2 changed files with 34 additions and 4 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -10697,14 +10697,31 @@
    {
      "description": "Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.",
      "meta": {
+        "extensions": [
+          ".aurora",
+          ".animus",
+          ".Aurora",
+          ".desu",
+          ".ONI"
+        ],
        "ransomnotes": [
          "#RECOVERY-PC#.txt",
-          "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #=========================="
+          "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================",
+          "!-GET_MY_FILES-!.txt",
+          "@_RESTORE-FILES_@.txt",
+          "%UserProfile%wall.i",
+          "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg",
+          "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg",
+          "==========================# zorro ransomware #==========================\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nRandom key is encrypted with RSA public key (2048 bit)\n.We STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you need to get the RSA-key from us.\n--\nTo obtain an RSA-key, follow these steps in order:\n1. pay this sum 500$  to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac\n2. write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.\nIn the reply letter you will receive an RSA-key and instructions on what to do next.\nWe guarantee you the recovery of files, if you do it right.\n==========================# zorro ransomware #=========================="
        ],
        "refs": [
          "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
-          "https://twitter.com/demonslay335/status/1004435398687379456"
+          "https://twitter.com/demonslay335/status/1004435398687379456",
+          "https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/"
+        ],
+        "synonyms": [
+          "Zorro Ransomware"
        ]
      },
      "uuid": "3ee0664e-706d-11e8-800d-9f690298b437",
@ -11353,5 +11370,5 @@
      "value": "PyCL Ransomware"
    }
  ],
-  "version": 43
+  "version": 44
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -7420,7 +7420,20 @@
      },
      "uuid": "6ab71ed6-e5c7-4545-a46e-6445e78758ed",
      "value": "PNG Dropper"
+    },
+    {
+      "description": "A mobile spyware that turned into a banking trojan with ransomware capabilities managed to launch over 70,000 attacks in the course of just three months.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/rotexy-mobile-trojan-launches-70k-attacks-in-three-months/"
+        ],
+        "synonyms": [
+          "SMSThief"
+        ]
+      },
+      "uuid": "43dec915-2511-4275-8007-685402ffab08",
+      "value": "Rotexy"
    }
  ],
-  "version": 102
+  "version": 103
 }