MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #729 from Delta-Sierra/main 

Update Medusa Locker and others
pull/733/head
Alexandre Dulaunoy 2022-07-06 23:19:04 +02:00 committed by GitHub
parent 4638dbde86 279b89f6d9
commit 2113761e5b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 63 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
clusters/ransomware.json
View File

@ -21647,7 +21647,64 @@
"value": "MBR-ONI"
},
{
"description": "ransomware",
"description": "Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.",
"meta": {
"extensions": [
".1btc",
".matlock20",
".marlock02",
".readinstructions",
".bec",
".mylock",
".jpz.nz",
".marlock11",
".cn",
".NET1",
".key1",
".fileslocked",
".datalock",
".NZ",
".lock",
".lockfilesUS",
".deadfilesgr",
".tyco",
".lockdata7",
".rs",
".faratak",
".uslockhh",
".lockfiles",
".fileslock",
".zoomzoom",
".perfection",
".marlock13",
"n.exe",
".Readinstruction",
".marlock08",
".marlock25",
"nt_lock20",
".READINSTRUCTION",
".marlock6",
".marlock01",
".ReadInstructions"
],
"ransomnotes-filenames": [
"how_to_ recover_data.html",
"how_to_recover_data.html.marlock01",
"instructions.html",
"READINSTRUCTION.html",
"!!!HOW_TO_DECRYPT!!!",
"How_to_recovery.txt",
"readinstructions.html",
"readme_to_recover_files",
"recovery_instructions.html",
"HOW_TO_RECOVER_DATA.html",
"recovery_instruction.html"
],
"refs": [
"https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf"
]
},
"uuid": "627d603a-906f-4fbf-b922-f03eea4578fe",
"value": "MedusaLocker"
},
@ -24480,5 +24537,5 @@
"value": "Rook"
}
],
"version": 101
"version": 102
}

5
clusters/threat-actor.json
View File

@ -7398,6 +7398,7 @@
{
"description": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.\nLike most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.",
"meta": {
"country": "CN",
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/"
@ -7442,7 +7443,9 @@
"CIRCUIT PANDA",
"Temp.Overboard",
"HUAPI",
"Palmerworm"
"Palmerworm",
"G0098",
"T-APT-03"
]
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",