add Orangeworm, Kwampirs, Iron ransomware and Ton ransomware

2018-04-24 10:20:11 +02:00 · 2018-04-24 10:20:11 +02:00 · 11f0963468
parent 6bf2004bd5
commit 11f0963468
3 changed files with 52 additions and 3 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -9626,12 +9626,41 @@
      "description": "The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.",
      "value": "NMCRYPT Ransomware",
      "uuid": "bd71be69-fb8c-4b1f-9d96-993ab23d5f2b"
+    },
+    {
+      "value": "Iron",
+      "description": "It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.\nWe know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design)\nDMA Locker (Iron Unlocker, decryption tool)\nSatan (exclusion list)",
+      "meta": {
+        "refs": [
+          "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html"
+        ],
+        "ransomnotes": [
+          "!HELP_YOUR_FILES.HTML",
+          "We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…"
+        ]
+      },
+      "uuid": "ba64d47c-46cd-11e8-87df-ff6252b4ea76"
+    },
+    {
+      "value": "Tron ransomware",
+      "meta": {
+        "refs": [
+          "https://twitter.com/malwrhunterteam/status/985152346773696512"
+        ],
+        "extensions": [
+          ".tron"
+        ],
+        "ransomnotes": [
+          "https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg"
+        ]
+      },
+      "uuid": "94290f1c-46ff-11e8-b9c6-ef8852c58952"
    }
  ],
  "source": "Various",
  "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
  "name": "Ransomware",
-  "version": 18,
+  "version": 19,
  "type": "ransomware",
  "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2534,6 +2534,16 @@
        ]
      },
      "uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0"
+    },
+    {
+      "value": "Orangeworm",
+      "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
+      "meta": {
+        "refs": [
+          "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+        ]
+      },
+      "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
    }
  ],
  "name": "Threat actor",
@ -2548,5 +2558,5 @@
  ],
  "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
  "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 37
+  "version": 38
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -11,7 +11,7 @@
  ],
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 64,
+  "version": 65,
  "values": [
    {
      "meta": {
@ -4130,6 +4130,16 @@
        ]
      },
      "uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb"
+    },
+    {
+      "value": "Kwampirs",
+      "description": "Once Orangeworm has infiltrated a victim’s network, they deploy Trojan.Kwampirs, a backdoor Trojan that provides the attackers with remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.",
+      "meta": {
+        "refs": [
+          "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+        ]
+      },
+      "uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a"
    }
  ]
 }