From 2c4256f42c94ee56345cc9a8079335007bea40ed Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 18 May 2017 10:18:45 +0200
Subject: [PATCH] merge hiddentear & cryptear data
---
 clusters/ransomware.json | 131 +++++++++++++++++++++++++++++----------
 1 file changed, 99 insertions(+), 32 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e9af3ee5..7fc48885 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -4174,9 +4174,12 @@
 }
 },
 {
- "value": "777 or Sevleg",
+ "value": "777",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Sevleg"
+ ],
 "extensions": [
 ".777",
 "._[timestamp]_$[email]$.777",
@@ -4192,9 +4195,12 @@
 }
 },
 {
- "value": "7ev3n or 7ev3n-HONE$T",
+ "value": "7ev3n",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "7ev3n-HONE$T"
+ ],
 "extensions": [
 ".R4A",
 ".R5A"
@@ -4291,9 +4297,12 @@
 }
 },
 {
- "value": "Alpha Ransomware or AlphaLocker",
+ "value": "Alpha Ransomware",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "AlphaLocker"
+ ],
 "extensions": [
 ".encrypt"
 ],
@@ -4340,18 +4349,24 @@
 }
 },
 {
- "value": "Anony or ngocanh",
+ "value": "Anony",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "synonyms": [
+ "ngocanh"
+ ],
 "refs": [
 "https://twitter.com/struppigel/status/842047409446387714"
 ]
 }
 },
 {
- "value": "Apocalypse or Fabiansomeware",
+ "value": "Apocalypse",
 "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
 "meta": {
+ "synonyms": [
+ "Fabiansomeware"
+ ],
 "extensions": [
 ".encrypted",
 ".SecureCrypted",
@@ -4449,9 +4464,12 @@
 }
 },
 {
- "value": "Bandarchor or Rakhni",
+ "value": "Bandarchor",
 "description": "Ransomware Files might be partially encrypted",
 "meta": {
+ "synonyms": [
+ "Rakhni"
+ ],
 "extensions": [
 ".id-1235240425_help@decryptservice.info",
 ".id-[ID]_[EMAIL_ADDRESS]"
@@ -4467,9 +4485,12 @@
 }
 },
 {
- "value": "Bart or BaCrypt",
+ "value": "Bart",
 "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
 "meta": {
+ "synonyms": [
+ "BaCrypt"
+ ],
 "extensions": [
 ".bart.zip",
 ".bart",
@@ -4513,9 +4534,12 @@
 }
 },
 {
- "value": "BlackShades Crypter or SilentShade",
+ "value": "BlackShades Crypter",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "SilentShade"
+ ],
 "extensions": [
 ".Silent"
 ],
@@ -4543,8 +4567,13 @@
 }
 },
 {
- "value": "Booyah or Salam!",
- "description": "Ransomware EXE was replaced to neutralize threat"
+ "value": "Booyah",
+ "description": "Ransomware EXE was replaced to neutralize threat",
+ "meta": {
+ "synonyms": [
+ "Salami"
+ ],
+ }
 },
 {
 "value": "Brazilian",
@@ -4796,9 +4825,14 @@
 }
 },
 {
- "value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
+ "value": "CryLocker",
 "description": "Ransomware Identifies victim locations w/Google Maps API",
 "meta": {
+ "synonyms": [
+ "Cry",
+ "CSTO",
+ "Central Security Treatment Organization"
+ ],
 "extensions": [
 ".cry"
 ],
@@ -4858,16 +4892,6 @@
 ]
 }
 },
- {
- "value": "Cryptear or Hidden Tear",
- "description": "Ransomware",
- "meta": {
- "encryption": "AES-256",
- "refs": [
- "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
- ]
- }
- },
 {
 "value": "Crypter",
 "description": "Ransomware Does not actually encrypt the files, but simply renames them",
@@ -4932,9 +4956,12 @@
 }
 },
 {
- "value": "CryptoFinancial or Ranscam",
+ "value": "CryptoFinancial",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Ranscam"
+ ],
 "refs": [
 "http://blog.talosintel.com/2016/07/ranscam.html",
 "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
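Review bot: In the Booyah hunk (`@@ -4543,8 +4567,13 @@`) the new `"meta"` object ends with `"synonyms": [ "Salami" ], }` — a trailing comma before `}` is rejected by strict RFC 8259 parsers, so this one entry makes the whole clusters/ransomware.json unloadable by any tool that does not use a lenient parser. The synonym also changed spelling: the removed value read `Booyah or Salam!`, the added synonym is `"Salami"`, which looks like a typo rather than an intended rename. Suggested lines: `"synonyms": [` / `"Salam!"` / `]` with no comma after the closing bracket.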
@@ -4967,9 +4994,14 @@
 }
 },
 {
- "value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
+ "value": "CryptoHost",
 "description": "Ransomware RAR's victim's files has a GUI",
 "meta": {
+ "synonyms": [
+ "Manamecrypt",
+ "Telograph",
+ "ROI Locker"
+ ],
 "encryption": "AES-256 (RAR implementation)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
@@ -5024,9 +5056,12 @@
 }
 },
 {
- "value": "CryptoMix or Zeta",
+ "value": "CryptoMix",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Zeta"
+ ],
 "extensions": [
 ".code",
 ".scl",
@@ -5188,9 +5223,12 @@
 }
 },
 {
- "value": "CryptXXX or CryptProjectXXX",
+ "value": "CryptXXX",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+ "synonyms": [
+ "CryptProjectXXX"
+ ],
 "extensions": [
 ".crypt"
 ],
@@ -5204,9 +5242,12 @@
 }
 },
 {
- "value": "CryptXXX 2.0 or CryptProjectXXX",
+ "value": "CryptXXX 2.0",
 "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
 "meta": {
+ "synonyms": [
+ "CryptProjectXXX"
+ ],
 "extensions": [
 ".crypt"
 ],
@@ -5221,9 +5262,13 @@
 }
 },
 {
- "value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
+ "value": "CryptXXX 3.0",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+ "synonyms": [
+ "UltraDeCrypter",
+ "UltraCrypter"
+ ],
 "extensions": [
 ".crypt",
 ".cryp1",
@@ -5268,9 +5313,12 @@
 }
 },
 {
- "value": "CTB-Faker or Citroni",
+ "value": "CTB-Faker",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Citroni"
+ ],
 "extensions": [
 ".ctbl",
 ".([a-z]{6,7})"
@@ -5294,9 +5342,12 @@
 }
 },
 {
- "value": "CuteRansomware or my-Little-Ransomware",
+ "value": "CuteRansomware",
 "description": "Ransomware Based on my-Little-Ransomware",
 "meta": {
+ "synonyms": [
+ "my-Little-Ransomware"
+ ],
 "extensions": [
 ".已加密",
 ".encrypted"
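Review bot: The same synonym `"CryptProjectXXX"` is now attached to two different cluster values, `CryptXXX` (hunk `@@ -5188,9 +5223,12 @@`) and `CryptXXX 2.0` (hunk `@@ -5204,9 +5242,12 @@`), so any consumer that resolves a synonym back to a single cluster entry gets an ambiguous match. The old `value` strings carried the duplication too, but moving it into the machine-readable `synonyms` field is what makes it a lookup problem. If 2.0 is meant as a version of the same family, keeping the synonym only on `CryptXXX` (or only on whichever entry the alias is documented for) avoids the collision.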
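Review bot: In the CuteRansomware hunk (`@@ -5294,9 +5342,12 @@`) `"my-Little-Ransomware"` is added to `synonyms`, yet the unchanged description on the next line says the family is "Based on my-Little-Ransomware" — a code base it derives from is a parent, not an alias, and listing it as a synonym will make lookups of the parent resolve to this child. Either drop it from `synonyms` and leave the relationship in the description, or, if the two names really are interchangeable in this cluster, reword the description so the two fields agree.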
@@ -5313,9 +5364,12 @@
 }
 },
 {
- "value": "Cyber SpLiTTer Vbs or CyberSplitter",
+ "value": "Cyber SpLiTTer Vbs",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+ "synonyms": [
+ "CyberSplitter"
+ ],
 "refs": [
 "https://twitter.com/struppigel/status/778871886616862720",
 "https://twitter.com/struppigel/status/806758133720698881"
@@ -5514,19 +5568,29 @@
 }
 },
 {
- "value": "EDA2 / HiddenTear or Cryptear",
+ "value": "HiddenTear",
 "description": "Ransomware Open sourced C#",
 "meta": {
+ "synonyms": [
+ "Cryptear",
+ "EDA2"
+ ],
 "extensions": [
 ".locked"
 ],
- "encryption": "AES-256"
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
+ ]
 }
 },
 {
 "value": "EduCrypt or EduCrypter",
 "description": "Ransomware Based on Hidden Tear",
 "meta": {
+ "synonyms": [
+ "Fake"
+ ],
 "extensions": [
 ".isis",
 ".locked"
@@ -5557,6 +5621,9 @@
 "value": "El-Polocker or Los Pollos Hermanos",
 "description": "Ransomware Has a GUI",
 "meta": {
+ "synonyms": [
+ "Fake"
+ ],
 "extensions": [
 ".ha3"
 ],
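Review bot: In the second half of hunk `@@ -5514,19 +5568,29 @@` the EduCrypt entry gets `"synonyms": [ "Fake" ]` while its `value` is left as `"EduCrypt or EduCrypter"`, and hunk `@@ -5557,6 +5621,9 @@` does the same for `"El-Polocker or Los Pollos Hermanos"`; `"Fake"` reads like a placeholder that was never replaced, and it contradicts the pattern every other hunk in this commit applies, where the alias after "or" is moved out of `value` into `synonyms`. As committed, a synonym search for "Fake" would return two unrelated families and the real aliases stay unsearchable. Suggested lines for EduCrypt: `"value": "EduCrypt",` / `"synonyms": [` / `"EduCrypter"`, and for El-Polocker `"value": "El-Polocker",` with `"Los Pollos Hermanos"` as the synonym. Both entries continue past the end of their hunks, so the rest of each `meta` object is not visible here.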