add synonyms and cleaning

pull/53/head
Deborah Servili 2017-05-18 11:18:32 +02:00
parent 2c4256f42c
commit 3b93a773e5
1 changed files with 191 additions and 75 deletions


@ -348,7 +348,6 @@
"https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
"motd.txt"
],
"encryption": "",
"extensions": [
".enc"
],
@ -1374,7 +1373,6 @@
"ransomnotes": [
"https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
],
"encryption": "",
"extensions": [
"AES+RSA"
],
@ -2011,8 +2009,7 @@
"meta": {
"refs": [
"https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
"https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/",
""
"https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
],
"ransomnotes": [
"https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
@ -4377,7 +4374,6 @@
"[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
"*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
],
"encryption": "",
"ransomnotes": [
"*.How_To_Decrypt.txt",
"*.Contact_Here_To_Recover_Your_Files.txt",
@ -4414,7 +4410,6 @@
"extensions": [
".locky"
],
"encryption": "",
"ransomnotes": [
"info.txt",
"info.html"
@ -4515,8 +4510,7 @@
".clf"
],
"refs": [
"https://noransom.kaspersky.com/",
""
"https://noransom.kaspersky.com/"
]
}
},
@ -4572,7 +4566,7 @@
"meta": {
"synonyms": [
"Salami"
],
]
}
},
{
@ -4778,22 +4772,6 @@
]
}
},
{
"value": "",
"description": "Ransomware",
"meta": {
"extensions": [
""
],
"encryption": "",
"ransomnotes": [
""
],
"refs": [
""
]
}
},
{
"value": "Crybola",
"description": "Ransomware",
@ -4867,7 +4845,6 @@
"extensions": [
".ENCRYPTED"
],
"encryption": "",
"ransomnotes": [
"READ_THIS_TO_DECRYPT.html"
],
@ -5585,11 +5562,11 @@
}
},
{
"value": "EduCrypt or EduCrypter",
"value": "EduCrypt",
"description": "Ransomware Based on Hidden Tear",
"meta": {
"synonyms": [
"Fake"
"EduCrypter"
],
"extensions": [
".isis",
@ -5618,16 +5595,15 @@
}
},
{
"value": "El-Polocker or Los Pollos Hermanos",
"value": "El-Polocker",
"description": "Ransomware Has a GUI",
"meta": {
"synonyms": [
"Fake"
"Los Pollos Hermanos"
],
"extensions": [
".ha3"
],
"encryption": "",
"ransomnotes": [
"qwer.html",
"qwer2.html",
@ -5636,9 +5612,12 @@
}
},
{
"value": "Encoder.xxxx or Trojan.Encoder.6491",
"value": "Encoder.xxxx",
"description": "Ransomware Coded in GO",
"meta": {
"synonyms": [
"Trojan.Encoder.6491"
],
"ransomnotes": [
"Instructions.html"
],
@ -5725,9 +5704,12 @@
}
},
{
"value": "Fantom or Comrad Circle",
"value": "Fantom",
"description": "Ransomware Based on EDA2",
"meta": {
"synonyms": [
"Comrad Circle"
],
"extensions": [
".fantom",
".comrade"
@ -5827,9 +5809,12 @@
}
},
{
"value": "Free-Freedom or Roga",
"value": "Free-Freedom",
"description": "Ransomware Unlock code is: adam or adamdude9",
"meta": {
"synonyms": [
"Roga"
],
"extensions": [
".madebyadam"
],
@ -5890,9 +5875,12 @@
}
},
{
"value": "Globe v1 or Purge",
"value": "Globe v1",
"description": "Ransomware",
"meta": {
"synonyms": [
"Purge"
],
"extensions": [
".purge"
],
@ -5991,9 +5979,12 @@
}
},
{
"value": "HDDCryptor or Mamba",
"value": "HDDCryptor",
"description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
"meta": {
"synonyms": [
"Mamba"
],
"encryption": "Custom (net shares), XTS-AES (disk)",
"refs": [
"https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
@ -6164,9 +6155,13 @@
}
},
{
"value": "Jeiphoos or Encryptor RaaS or Sarento",
"value": "Jeiphoos",
"description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
"meta": {
"synonyms": [
"Encryptor RaaS",
"Sarento"
],
"encryption": "RC6 (files), RSA 2048 (RC6 key)",
"ransomnotes": [
"readme_liesmich_encryptor_raas.txt"
@ -6191,9 +6186,12 @@
}
},
{
"value": "Jigsaw or CryptoHitMan (subvariant)",
"value": "Jigsaw",
"description": "Ransomware Has a GUI",
"meta": {
"synonyms": [
"CryptoHitMan"
],
"extensions": [
".btc",
".kkk",
@ -6346,9 +6344,12 @@
}
},
{
"value": "Kozy.Jozy or QC",
"value": "Kozy.Jozy",
"description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
"meta": {
"synonyms": [
"QC"
],
"extensions": [
".31392E30362E32303136_[ID-KEY]_LSBJ1",
".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
@ -6432,9 +6433,12 @@
}
},
{
"value": "Linux.Encoder or Linux.Encoder.{0,3}",
"value": "Linux.Encoder",
"description": "Ransomware Linux Ransomware",
"meta": {
"synonyms": [
"Linux.Encoder.{0,3}"
],
"refs": [
"https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
]
@ -6639,9 +6643,12 @@
}
},
{
"value": "MIRCOP or Crypt888",
"value": "MIRCOP",
"description": "Ransomware Prepends files Demands 48.48 BTC",
"meta": {
"synonyms": [
"Crypt888"
],
"extensions": [
"Lock."
],
@ -6669,9 +6676,12 @@
}
},
{
"value": "Mischa or \"Petya's little brother\"",
"value": "Mischa",
"description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
"meta": {
"synonyms": [
"\"Petya's little brother\""
],
"extensions": [
".([a-zA-Z0-9]{4})"
],
@ -6685,9 +6695,12 @@
}
},
{
"value": "MM Locker or Booyah",
"value": "MM Locker",
"description": "Ransomware Based on EDA2",
"meta": {
"synonyms": [
"Booyah"
],
"extensions": [
".locked"
],
@ -6701,9 +6714,13 @@
}
},
{
"value": "Mobef or Yakes or CryptoBit",
"value": "Mobef",
"description": "Ransomware",
"meta": {
"synonyms": [
"Yakes",
"CryptoBit"
],
"extensions": [
".KEYZ",
".KEYH0LES"
@ -6787,9 +6804,12 @@
}
},
{
"value": "Netix or RANSOM_NETIX.A",
"value": "Netix",
"description": "Ransomware",
"meta": {
"synonyms": [
"RANSOM_NETIX.A"
],
"extensions": [
"AES-256"
],
@ -6812,9 +6832,13 @@
}
},
{
"value": "NMoreira or XRatTeam or XPan",
"value": "NMoreira",
"description": "Ransomware",
"meta": {
"synonyms": [
"XRatTeam",
"XPan"
],
"extensions": [
".maktub",
".__AiraCropEncrypted!"
@ -6887,9 +6911,13 @@
}
},
{
"value": "Offline ransomware or Vipasana or Cryakl",
"value": "Offline ransomware",
"description": "Ransomware email addresses overlap with .777 addresses",
"meta": {
"synonyms": [
"Vipasana",
"Cryakl"
],
"extensions": [
".cbf",
"email-[params].cbf"
@ -6905,9 +6933,12 @@
}
},
{
"value": "OMG! Ransomware or GPCode",
"value": "OMG! Ransomware",
"description": "Ransomware",
"meta": {
"synonyms": [
"GPCode"
],
"extensions": [
".LOL!",
".OMG!"
@ -6930,9 +6961,12 @@
}
},
{
"value": "Owl or CryptoWire",
"value": "Owl",
"description": "Ransomware",
"meta": {
"synonyms": [
"CryptoWire"
],
"extensions": [
"dummy_file.encrypted",
"dummy_file.encrypted.[extension]"
@ -6988,9 +7022,12 @@
}
},
{
"value": "Petya or Goldeneye",
"value": "Petya",
"description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
"meta": {
"synonyms": [
"Goldeneye"
],
"encryption": "Modified Salsa20",
"ransomnotes": [
"YOUR_FILES_ARE_ENCRYPTED.TXT"
@ -7056,9 +7093,12 @@
}
},
{
"value": "PowerWare or PoshCoder",
"value": "PowerWare",
"description": "Ransomware Open-sourced PowerShell",
"meta": {
"synonyms": [
"PoshCoder"
],
"extensions": [
".locky"
],
@ -7149,9 +7189,12 @@
}
},
{
"value": "RAA encryptor or RAA",
"value": "RAA encryptor",
"description": "Ransomware Possible affiliation with Pony",
"meta": {
"synonyms": [
"RAA"
],
"extensions": [
".locked"
],
@ -7195,9 +7238,20 @@
}
},
{
"value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
"value": "Rakhni",
"description": "Ransomware Files might be partially encrypted",
"meta": {
"synonyms": [
"Agent.iih",
"Aura",
"Autoit",
"Pletor",
"Rotor",
"Lamer",
"Isda",
"Cryptokluchen",
"Bandarchor"
],
"extensions": [
".locked",
".kraken",
@ -7439,9 +7493,15 @@
}
},
{
"value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
"value": "Samas-Samsam",
"description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
"meta": {
"synonyms": [
"samsam.exe",
"MIKOPONI.exe",
"RikiRafael.exe",
"showmehowto.exe"
],
"extensions": [
".encryptedAES",
".encryptedRSA",
@ -7569,9 +7629,12 @@
}
},
{
"value": "Shark or Atom",
"value": "Shark",
"description": "Ransomware",
"meta": {
"synonyms": [
"Atom"
],
"extensions": [
".locked"
],
@ -7599,9 +7662,12 @@
}
},
{
"value": "Shujin or KinCrypt",
"value": "Shujin",
"description": "Ransomware",
"meta": {
"synonyms": [
"KinCrypt"
],
"ransomnotes": [
"文件解密帮助.txt"
],
@ -7628,9 +7694,12 @@
}
},
{
"value": "SkidLocker / Pompous",
"value": "SkidLocker",
"description": "Ransomware Based on EDA2",
"meta": {
"synonyms": [
"Pompous"
],
"extensions": [
".locked"
],
@ -7784,9 +7853,12 @@
}
},
{
"value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
"value": "TeslaCrypt 0.x - 2.2.0",
"description": "Ransomware Factorization",
"meta": {
"synonyms": [
"AlphaCrypt"
],
"extensions": [
".vvv",
".ecc",
@ -7834,14 +7906,20 @@
"RECOVER<5_chars>.html",
"RECOVER<5_chars>.png",
"RECOVER<5_chars>.txt",
"_how_recover+<random 3 chars>.txt or .html",
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png",
"_how_recover+<random 3 chars>.txt",
"_how_recover+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.txt",
"help_recover_instructions+<random 3 chars>.BMP",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.png",
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
"HELP_TO_SAVE_FILES.txt or .bmp"
"HELP_TO_SAVE_FILES.txt",
"HELP_TO_SAVE_FILES.bmp"
],
"refs": [
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@ -7859,14 +7937,20 @@
"RECOVER<5_chars>.html",
"RECOVER<5_chars>.png",
"RECOVER<5_chars>.txt",
"_how_recover+<random 3 chars>.txt or .html",
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png",
"_how_recover+<random 3 chars>.txt",
"_how_recover+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.BMP",
"help_recover_instructions+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.png",
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
"HELP_TO_SAVE_FILES.txt or .bmp"
"HELP_TO_SAVE_FILES.txt",
"HELP_TO_SAVE_FILES.bmp"
],
"refs": [
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@ -7886,9 +7970,14 @@
}
},
{
"value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
"value": "TorrentLocker",
"description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted",
"meta": {
"synonyms": [
"Crypt0L0cker",
"CryptoFortress",
"Teerac"
],
"extensions": [
".Encrypted",
".enc"
@ -7938,9 +8027,12 @@
}
},
{
"value": "Trojan or BrainCrypt",
"value": "Trojan",
"description": "Ransomware",
"meta": {
"synonyms": [
"BrainCrypt"
],
"extensions": [
".braincrypt"
],
@ -8092,9 +8184,13 @@
}
},
{
"value": "VaultCrypt or CrypVault, Zlader",
"value": "VaultCrypt",
"description": "Ransomware",
"meta": {
"synonyms": [
"CrypVault",
"Zlader"
],
"extensions": [
".vault",
".xort",
@ -8156,9 +8252,12 @@
}
},
{
"value": "Virus-Encoder or CrySiS",
"value": "Virus-Encoder",
"description": "Ransomware",
"meta": {
"synonyms": [
"CrySiS"
],
"extensions": [
".CrySiS",
".xtbl",
@ -8180,9 +8279,12 @@
}
},
{
"value": "WildFire Locker or Hades Locker",
"value": "WildFire Locker",
"description": "Ransomware Zyklon variant",
"meta": {
"synonyms": [
"Hades Locker"
],
"extensions": [
".wflx"
],
@ -8240,9 +8342,12 @@
}
},
{
"value": "Zcrypt or Zcryptor",
"value": "Zcrypt",
"description": "Ransomware",
"meta": {
"synonyms": [
"Zcryptor"
],
"extensions": [
".zcrypt"
],
@ -8252,9 +8357,12 @@
}
},
{
"value": "Zeta or CryptoMix",
"value": "Zeta",
"description": "Ransomware",
"meta": {
"synonyms": [
"CryptoMix"
],
"extensions": [
".code",
".scl",
@ -8284,9 +8392,14 @@
}
},
{
"value": "Zlader / Russian or VaultCrypt, CrypVault",
"value": "Zlader",
"description": "Ransomware VaultCrypt family",
"meta": {
"synonyms": [
"Russian",
"VaultCrypt",
"CrypVault"
],
"extensions": [
".vault"
],
@ -8312,9 +8425,12 @@
}
},
{
"value": "Zyklon or GNL Locker",
"value": "Zyklon",
"description": "Ransomware Hidden Tear family, GNL Locker variant",
"meta": {
"synonyms": [
"GNL Locker"
],
"extensions": [
".zyklon"
]
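Review bot: The Mischa entry in the `@ -6669,9 +6676,12 @@` hunk keeps the literal quotation marks inside the new synonym, `"\"Petya's little brother\""`, so any consumer matching on the synonyms list compares against a string that includes the `"` characters; the cleaned value should be `"Petya's little brother"`. In the `@ -8284,9 +8392,14 @@` hunk the Zlader entry now carries `"Russian"` as a synonym although in the old value it read as a qualifier rather than a name, and it lists `"VaultCrypt"` and `"CrypVault"` while the VaultCrypt entry in `@ -8092,9 +8184,13 @@` lists `"Zlader"` back, so the two entries describe each other and a lookup by synonym resolves to two clusters; either one entry should go or the overlap should be documented in the description. The `@ -1374,7 +1373,6 @@` and `@ -6787,9 +6804,12 @@` hunks delete the empty `"encryption": ""` but leave `"AES+RSA"` and `"AES-256"` under `"extensions"`, where they look like misfiled encryption values; moving them to `"encryption"` would complete the cleanup those hunks start.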