merge hiddentear & cryptear data
parent
bc4f1a93ab
commit
2c4256f42c
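--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -4174,9 +4174,12 @@
 }
 },
 {
-"value": "777 or Sevleg",
+"value": "777",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"Sevleg"
+],
 "extensions": [
 ".777",
 "._[timestamp]_$[email]$.777",
@@ -4192,9 +4195,12 @@
 }
 },
 {
-"value": "7ev3n or 7ev3n-HONE$T",
+"value": "7ev3n",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"7ev3n-HONE$T"
+],
 "extensions": [
 ".R4A",
 ".R5A"
@@ -4291,9 +4297,12 @@
 }
 },
 {
-"value": "Alpha Ransomware or AlphaLocker",
+"value": "Alpha Ransomware",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"AlphaLocker"
+],
 "extensions": [
 ".encrypt"
 ],
@@ -4340,18 +4349,24 @@
 }
 },
 {
-"value": "Anony or ngocanh",
+"value": "Anony",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+"synonyms": [
+"ngocanh"
+],
 "refs": [
 "https://twitter.com/struppigel/status/842047409446387714"
 ]
 }
 },
 {
-"value": "Apocalypse or Fabiansomeware",
+"value": "Apocalypse",
 "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
 "meta": {
+"synonyms": [
+"Fabiansomeware"
+],
 "extensions": [
 ".encrypted",
 ".SecureCrypted",
@@ -4449,9 +4464,12 @@
 }
 },
 {
-"value": "Bandarchor or Rakhni",
+"value": "Bandarchor",
 "description": "Ransomware Files might be partially encrypted",
 "meta": {
+"synonyms": [
+"Rakhni"
+],
 "extensions": [
 ".id-1235240425_help@decryptservice.info",
 ".id-[ID]_[EMAIL_ADDRESS]"
@@ -4467,9 +4485,12 @@
 }
 },
 {
-"value": "Bart or BaCrypt",
+"value": "Bart",
 "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
 "meta": {
+"synonyms": [
+"BaCrypt"
+],
 "extensions": [
 ".bart.zip",
 ".bart",
@@ -4513,9 +4534,12 @@
 }
 },
 {
-"value": "BlackShades Crypter or SilentShade",
+"value": "BlackShades Crypter",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"SilentShade"
+],
 "extensions": [
 ".Silent"
 ],
@@ -4543,8 +4567,13 @@
 }
 },
 {
-"value": "Booyah or Salam!",
-"description": "Ransomware EXE was replaced to neutralize threat"
+"value": "Booyah",
+"description": "Ransomware EXE was replaced to neutralize threat",
+"meta": {
+"synonyms": [
+"Salami"
+],
+}
 },
 {
 "value": "Brazilian",
@@ -4796,9 +4825,14 @@
 }
 },
 {
-"value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
+"value": "CryLocker",
 "description": "Ransomware Identifies victim locations w/Google Maps API",
 "meta": {
+"synonyms": [
+"Cry",
+"CSTO",
+"Central Security Treatment Organization"
+],
 "extensions": [
 ".cry"
 ],
@@ -4858,16 +4892,6 @@
 ]
 }
 },
-{
-"value": "Cryptear or Hidden Tear",
-"description": "Ransomware",
-"meta": {
-"encryption": "AES-256",
-"refs": [
-"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
-]
-}
-},
 {
 "value": "Crypter",
 "description": "Ransomware Does not actually encrypt the files, but simply renames them",
@@ -4932,9 +4956,12 @@
 }
 },
 {
-"value": "CryptoFinancial or Ranscam",
+"value": "CryptoFinancial",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"Ranscam"
+],
 "refs": [
 "http://blog.talosintel.com/2016/07/ranscam.html",
 "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
@@ -4967,9 +4994,14 @@
 }
 },
 {
-"value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
+"value": "CryptoHost",
 "description": "Ransomware RAR's victim's files has a GUI",
 "meta": {
+"synonyms": [
+"Manamecrypt",
+"Telograph",
+"ROI Locker"
+],
 "encryption": "AES-256 (RAR implementation)",
 "refs": [
 "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
@@ -5024,9 +5056,12 @@
 }
 },
 {
-"value": "CryptoMix or Zeta",
+"value": "CryptoMix",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"Zeta"
+],
 "extensions": [
 ".code",
 ".scl",
@@ -5188,9 +5223,12 @@
 }
 },
 {
-"value": "CryptXXX or CryptProjectXXX",
+"value": "CryptXXX",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+"synonyms": [
+"CryptProjectXXX"
+],
 "extensions": [
 ".crypt"
 ],
@@ -5204,9 +5242,12 @@
 }
 },
 {
-"value": "CryptXXX 2.0 or CryptProjectXXX",
+"value": "CryptXXX 2.0",
 "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
 "meta": {
+"synonyms": [
+"CryptProjectXXX"
+],
 "extensions": [
 ".crypt"
 ],
@@ -5221,9 +5262,13 @@
 }
 },
 {
-"value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
+"value": "CryptXXX 3.0",
 "description": "Ransomware Comes with Bedep",
 "meta": {
+"synonyms": [
+"UltraDeCrypter",
+"UltraCrypter"
+],
 "extensions": [
 ".crypt",
 ".cryp1",
@@ -5268,9 +5313,12 @@
 }
 },
 {
-"value": "CTB-Faker or Citroni",
+"value": "CTB-Faker",
 "description": "Ransomware",
 "meta": {
+"synonyms": [
+"Citroni"
+],
 "extensions": [
 ".ctbl",
 ".([a-z]{6,7})"
@@ -5294,9 +5342,12 @@
 }
 },
 {
-"value": "CuteRansomware or my-Little-Ransomware",
+"value": "CuteRansomware",
 "description": "Ransomware Based on my-Little-Ransomware",
 "meta": {
+"synonyms": [
+"my-Little-Ransomware"
+],
 "extensions": [
 ".已加密",
 ".encrypted"
@@ -5313,9 +5364,12 @@
 }
 },
 {
-"value": "Cyber SpLiTTer Vbs or CyberSplitter",
+"value": "Cyber SpLiTTer Vbs",
 "description": "Ransomware Based on HiddenTear",
 "meta": {
+"synonyms": [
+"CyberSplitter"
+],
 "refs": [
 "https://twitter.com/struppigel/status/778871886616862720",
 "https://twitter.com/struppigel/status/806758133720698881"
@@ -5514,19 +5568,29 @@
 }
 },
 {
-"value": "EDA2 / HiddenTear or Cryptear",
+"value": "HiddenTear",
 "description": "Ransomware Open sourced C#",
 "meta": {
+"synonyms": [
+"Cryptear",
+"EDA2"
+],
 "extensions": [
 ".locked"
 ],
-"encryption": "AES-256"
+"encryption": "AES-256",
+"refs": [
+"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
+]
 }
 },
 {
 "value": "EduCrypt or EduCrypter",
 "description": "Ransomware Based on Hidden Tear",
 "meta": {
+"synonyms": [
+"Fake"
+],
 "extensions": [
 ".isis",
 ".locked"
@@ -5557,6 +5621,9 @@
 "value": "El-Polocker or Los Pollos Hermanos",
 "description": "Ransomware Has a GUI",
 "meta": {
+"synonyms": [
+"Fake"
+],
 "extensions": [
 ".ha3"
 ],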
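Review bot: The new `meta` object added to the Booyah entry in hunk `@@ -4543,8 +4567,13 @@` closes with `],` immediately followed by `}`, a trailing comma that strict RFC 8259 parsers (including Python's json module, which the galaxy tooling is likely to use) reject, so the whole cluster file stops loading; the fix is `]` followed by `}`, matching the other entries in this commit. In the same hunk the old value listed the alias as `Salam!` while the new synonym reads `"Salami"`, which looks like a transcription slip rather than an intended rename and should be confirmed against a source before it lands as a lookup key. The last two hunks (`@@ -5514,19 +5568,29 @@` for EduCrypt and `@@ -5557,6 +5621,9 @@` for El-Polocker) add `"synonyms": ["Fake"]` while leaving the `value` in the old "X or Y" form that every other hunk splits apart; this reads as an unfinished placeholder, and following the commit's own pattern would give `"value": "EduCrypt"` with `"EduCrypter"` as the synonym and `"value": "El-Polocker"` with `"Los Pollos Hermanos"` as the synonym. Since synonyms become match keys for galaxy lookups, a bogus `"Fake"` alias would also produce false associations downstream.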