From b6b1c7171a287f2d5d6467346685fdecec2cfad7 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 23 Nov 2018 16:15:48 +0100
Subject: [PATCH 1/4] Add Rotexy
---
 clusters/tool.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9969af3..836fdc5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7420,6 +7420,19 @@
 },
 "uuid": "6ab71ed6-e5c7-4545-a46e-6445e78758ed",
 "value": "PNG Dropper"
+ },
+ {
+ "description": "A mobile spyware that turned into a banking trojan with ransomware capabilities managed to launch over 70,000 attacks in the course of just three months.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/rotexy-mobile-trojan-launches-70k-attacks-in-three-months/"
+ ],
+ "synonyms": [
+ "SMSThief"
+ ]
+ },
+ "uuid": "43dec915-2511-4275-8007-685402ffab08",
+ "value": "Rotexy"
 }
 ],
 "version": 102
From 9f5e10abf614d8eb4c1b060eb28f648a56965f18 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 23 Nov 2018 16:16:58 +0100
Subject: [PATCH 2/4] fix version
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 836fdc5..89463f0 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7435,5 +7435,5 @@
 "value": "Rotexy"
 }
 ],
- "version": 102
+ "version": 103
 }
From e5487305f1652efe863bbf38482e114fc3f831d1 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 26 Nov 2018 08:33:11 +0100
Subject: [PATCH 3/4] add Aurora Ransomware synonym
---
 clusters/ransomware.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 856dc88..cd6158b 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
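Review bot: The `description` added for Rotexy is the news article's lede rather than a characterisation of the tool: it records a point-in-time figure ("over 70,000 attacks in the course of just three months") and never says which platform the malware targets, so it will age poorly for anyone reading the galaxy later. Consider rewording along the lines of `"description": "Mobile spyware that evolved into a banking trojan with ransomware capabilities; reported in late 2018 to have launched over 70,000 attacks within three months."` and adding the primary vendor analysis the article summarises to `refs` next to the news link. If the other tool entries in this cluster carry a `type` list in `meta`, the new entry should too; that cannot be checked from this hunk, which shows only the tail of the preceding PNG Dropper entry. The cluster `version` is left at 102 here and only bumped in the following commit; for a galaxy file the bump belongs in the same change as the content it versions.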
@@ -10704,7 +10704,11 @@
 "refs": [
 "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/",
- "https://twitter.com/demonslay335/status/1004435398687379456"
+ "https://twitter.com/demonslay335/status/1004435398687379456",
+ "https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/"
+ ],
+ "synonyms": [
+ "Zorro Ransomware"
 ]
 },
 "uuid": "3ee0664e-706d-11e8-800d-9f690298b437",
@@ -11353,5 +11357,5 @@
 "value": "PyCL Ransomware"
 }
 ],
- "version": 43
+ "version": 44
 }
From 6f255c0999aef27bc513f40f046d22b61a240068 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 26 Nov 2018 09:30:54 +0100
Subject: [PATCH 4/4] add Aurora Ransomware metadata
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index cd6158b..736a5d4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -10697,9 +10697,22 @@
 {
 "description": "Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.",
 "meta": {
+ "extensions": [
+ ".aurora",
+ ".animus",
+ ".Aurora",
+ ".desu",
+ ".ONI"
+ ],
 "ransomnotes": [
 "#RECOVERY-PC#.txt",
- "==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #=========================="
+ "==========================# aurora ransomware #==========================\n\nSORRY! 
Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================",
+ "!-GET_MY_FILES-!.txt",
+ "@_RESTORE-FILES_@.txt",
+ "%UserProfile%wall.i",
+ "https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg",
+ "https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg",
+ "==========================# zorro ransomware #==========================\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nRandom key is encrypted with RSA public key (2048 bit)\n.We STRONGLY RECOMMEND you NOT to use any \"decryption tools\".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you need to get the RSA-key from us.\n--\nTo obtain an RSA-key, follow these steps in order:\n1. pay this sum 500$ to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac\n2. 
write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.\nIn the reply letter you will receive an RSA-key and instructions on what to do next.\nWe guarantee you the recovery of files, if you do it right.\n==========================# zorro ransomware #=========================="
 ],
 "refs": [
 "https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm",
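Review bot: `"%UserProfile%wall.i"` among the new `ransomnotes` entries looks like a Windows path that lost its separator — a literal `\w` is not a valid JSON escape, so the backslash was presumably dropped rather than doubled. If the source reports `%UserProfile%\wall.i`, the entry should read `"%UserProfile%\\wall.i"`; as written it will never match the artefact on disk for anyone generating file-name detections from this list. The same array now mixes four kinds of value — note filenames, full note bodies, a filesystem path and two screenshot URLs (`.../aurora/ransom-note.jpg`, `.../aurora/wallpaper.jpg`) — so a consumer iterating `ransomnotes` as filenames or note text will receive URLs; the screenshot links fit better under `refs`, or under a dedicated note-reference field if the galaxy schema provides one. The added Zorro note also carries its own contact addresses and wallet, distinct from the Aurora note, but nothing in the entry ties either note to a name; a sentence in the (still unchanged) `description` noting that Zorro is a later variant with its own note and that further extensions beyond `.aurora` are now listed would keep that distinction from being lost.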