merge hiddentear & cryptear data

pull/53/head
Deborah Servili 2017-05-18 10:18:45 +02:00
parent bc4f1a93ab
commit 2c4256f42c
1 changed files with 99 additions and 32 deletions


@ -4174,9 +4174,12 @@
}
},
{
"value": "777 or Sevleg",
"value": "777",
"description": "Ransomware",
"meta": {
"synonyms": [
"Sevleg"
],
"extensions": [
".777",
"._[timestamp]_$[email]$.777",
@ -4192,9 +4195,12 @@
}
},
{
"value": "7ev3n or 7ev3n-HONE$T",
"value": "7ev3n",
"description": "Ransomware",
"meta": {
"synonyms": [
"7ev3n-HONE$T"
],
"extensions": [
".R4A",
".R5A"
@ -4291,9 +4297,12 @@
}
},
{
"value": "Alpha Ransomware or AlphaLocker",
"value": "Alpha Ransomware",
"description": "Ransomware",
"meta": {
"synonyms": [
"AlphaLocker"
],
"extensions": [
".encrypt"
],
@ -4340,18 +4349,24 @@
}
},
{
"value": "Anony or ngocanh",
"value": "Anony",
"description": "Ransomware Based on HiddenTear",
"meta": {
"synonyms": [
"ngocanh"
],
"refs": [
"https://twitter.com/struppigel/status/842047409446387714"
]
}
},
{
"value": "Apocalypse or Fabiansomeware",
"value": "Apocalypse",
"description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
"meta": {
"synonyms": [
"Fabiansomeware"
],
"extensions": [
".encrypted",
".SecureCrypted",
@ -4449,9 +4464,12 @@
}
},
{
"value": "Bandarchor or Rakhni",
"value": "Bandarchor",
"description": "Ransomware Files might be partially encrypted",
"meta": {
"synonyms": [
"Rakhni"
],
"extensions": [
".id-1235240425_help@decryptservice.info",
".id-[ID]_[EMAIL_ADDRESS]"
@ -4467,9 +4485,12 @@
}
},
{
"value": "Bart or BaCrypt",
"value": "Bart",
"description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
"meta": {
"synonyms": [
"BaCrypt"
],
"extensions": [
".bart.zip",
".bart",
@ -4513,9 +4534,12 @@
}
},
{
"value": "BlackShades Crypter or SilentShade",
"value": "BlackShades Crypter",
"description": "Ransomware",
"meta": {
"synonyms": [
"SilentShade"
],
"extensions": [
".Silent"
],
@ -4543,8 +4567,13 @@
}
},
{
"value": "Booyah or Salam!",
"description": "Ransomware EXE was replaced to neutralize threat"
"value": "Booyah",
"description": "Ransomware EXE was replaced to neutralize threat",
"meta": {
"synonyms": [
"Salami"
],
}
},
{
"value": "Brazilian",
@ -4796,9 +4825,14 @@
}
},
{
"value": "CryLocker or Cry, CSTO, Central Security Treatment Organization",
"value": "CryLocker",
"description": "Ransomware Identifies victim locations w/Google Maps API",
"meta": {
"synonyms": [
"Cry",
"CSTO",
"Central Security Treatment Organization"
],
"extensions": [
".cry"
],
@ -4858,16 +4892,6 @@
]
}
},
{
"value": "Cryptear or Hidden Tear",
"description": "Ransomware",
"meta": {
"encryption": "AES-256",
"refs": [
"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
]
}
},
{
"value": "Crypter",
"description": "Ransomware Does not actually encrypt the files, but simply renames them",
@ -4932,9 +4956,12 @@
}
},
{
"value": "CryptoFinancial or Ranscam",
"value": "CryptoFinancial",
"description": "Ransomware",
"meta": {
"synonyms": [
"Ranscam"
],
"refs": [
"http://blog.talosintel.com/2016/07/ranscam.html",
"https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/"
@ -4967,9 +4994,14 @@
}
},
{
"value": "CryptoHost or Manamecrypt, Telograph, ROI Locker",
"value": "CryptoHost",
"description": "Ransomware RAR's victim's files has a GUI",
"meta": {
"synonyms": [
"Manamecrypt",
"Telograph",
"ROI Locker"
],
"encryption": "AES-256 (RAR implementation)",
"refs": [
"http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/"
@ -5024,9 +5056,12 @@
}
},
{
"value": "CryptoMix or Zeta",
"value": "CryptoMix",
"description": "Ransomware",
"meta": {
"synonyms": [
"Zeta"
],
"extensions": [
".code",
".scl",
@ -5188,9 +5223,12 @@
}
},
{
"value": "CryptXXX or CryptProjectXXX",
"value": "CryptXXX",
"description": "Ransomware Comes with Bedep",
"meta": {
"synonyms": [
"CryptProjectXXX"
],
"extensions": [
".crypt"
],
@ -5204,9 +5242,12 @@
}
},
{
"value": "CryptXXX 2.0 or CryptProjectXXX",
"value": "CryptXXX 2.0",
"description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
"meta": {
"synonyms": [
"CryptProjectXXX"
],
"extensions": [
".crypt"
],
@ -5221,9 +5262,13 @@
}
},
{
"value": "CryptXXX 3.0 or UltraDeCrypter or UltraCrypter",
"value": "CryptXXX 3.0",
"description": "Ransomware Comes with Bedep",
"meta": {
"synonyms": [
"UltraDeCrypter",
"UltraCrypter"
],
"extensions": [
".crypt",
".cryp1",
@ -5268,9 +5313,12 @@
}
},
{
"value": "CTB-Faker or Citroni",
"value": "CTB-Faker",
"description": "Ransomware",
"meta": {
"synonyms": [
"Citroni"
],
"extensions": [
".ctbl",
".([a-z]{6,7})"
@ -5294,9 +5342,12 @@
}
},
{
"value": "CuteRansomware or my-Little-Ransomware",
"value": "CuteRansomware",
"description": "Ransomware Based on my-Little-Ransomware",
"meta": {
"synonyms": [
"my-Little-Ransomware"
],
"extensions": [
".已加密",
".encrypted"
@ -5313,9 +5364,12 @@
}
},
{
"value": "Cyber SpLiTTer Vbs or CyberSplitter",
"value": "Cyber SpLiTTer Vbs",
"description": "Ransomware Based on HiddenTear",
"meta": {
"synonyms": [
"CyberSplitter"
],
"refs": [
"https://twitter.com/struppigel/status/778871886616862720",
"https://twitter.com/struppigel/status/806758133720698881"
@ -5514,19 +5568,29 @@
}
},
{
"value": "EDA2 / HiddenTear or Cryptear",
"value": "HiddenTear",
"description": "Ransomware Open sourced C#",
"meta": {
"synonyms": [
"Cryptear",
"EDA2"
],
"extensions": [
".locked"
],
"encryption": "AES-256"
"encryption": "AES-256",
"refs": [
"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
]
}
},
{
"value": "EduCrypt or EduCrypter",
"description": "Ransomware Based on Hidden Tear",
"meta": {
"synonyms": [
"Fake"
],
"extensions": [
".isis",
".locked"
@ -5557,6 +5621,9 @@
"value": "El-Polocker or Los Pollos Hermanos",
"description": "Ransomware Has a GUI",
"meta": {
"synonyms": [
"Fake"
],
"extensions": [
".ha3"
],
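Review bot: The new Booyah entry is not valid JSON: its `synonyms` array closes with `],` directly before the closing `}` of `meta`, so a strict parser would reject the file on that trailing comma; it should end with `]`. The same entry turns the old alias `Salam!` into `Salami`, which looks like a typo and would keep the alias from matching the name used elsewhere. In the last two hunks, `EduCrypt or EduCrypter` and `El-Polocker or Los Pollos Hermanos` keep their combined `value` and receive the synonym `Fake`, which appears in neither old name; presumably they were meant to be split like the other entries, e.g. `"value": "EduCrypt"` with `"EduCrypter"` under `synonyms`, since a wrong alias mislabels anything tagged from this list. Both of those entries extend beyond the visible hunk lines, so their remaining fields could not be checked.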