diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7fc48885..803f1d9d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -348,7 +348,6 @@
 "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
 "motd.txt"
 ],
- "encryption": "",
 "extensions": [
 ".enc"
 ],
@@ -1374,7 +1373,6 @@
 "ransomnotes": [
 "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
 ],
- "encryption": "",
 "extensions": [
 "AES+RSA"
 ],
@@ -2011,8 +2009,7 @@
 "meta": {
 "refs": [
 "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/",
- ""
+ "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
 ],
 "ransomnotes": [
 "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
@@ -4377,7 +4374,6 @@
 "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
 "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
 ],
- "encryption": "",
 "ransomnotes": [
 "*.How_To_Decrypt.txt",
 "*.Contact_Here_To_Recover_Your_Files.txt",
@@ -4414,7 +4410,6 @@
 "extensions": [
 ".locky"
 ],
- "encryption": "",
 "ransomnotes": [
 "info.txt",
 "info.html"
@@ -4515,8 +4510,7 @@
 ".clf"
 ],
 "refs": [
- "https://noransom.kaspersky.com/",
- ""
+ "https://noransom.kaspersky.com/"
 ]
 }
 },
@@ -4572,7 +4566,7 @@
 "meta": {
 "synonyms": [
 "Salami"
- ],
+ ]
 }
 },
 {
@@ -4778,22 +4772,6 @@
 ]
 }
 },
- {
- "value": "",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ""
- ],
- "encryption": "",
- "ransomnotes": [
- ""
- ],
- "refs": [
- ""
- ]
- }
- },
 {
 "value": "Crybola",
 "description": "Ransomware",
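Review bot: The `AES+RSA` element left in `extensions` in the @@ -1374 hunk is an encryption scheme, not a file extension, yet the commit deletes the adjacent empty `"encryption": ""` key instead of moving the value into it. Consumers that match on `extensions` to attribute a family will never see a file suffixed `AES+RSA`, and the cipher information ends up in a field nobody reads for that purpose. Suggest `"encryption": "AES+RSA"` and dropping the element from `extensions`; the Netix hunk at @@ -6787 has the same misfiling with `AES-256`. The enclosing cluster object starts and ends outside the hunk.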
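Review bot: The `],` to `]` change in the @@ -4572 hunk repairs a trailing comma before a closing brace, which strict RFC 8259 parsers reject, so the file was unloadable before this commit and nothing in the diff prevents it from recurring. A validation step in CI such as `python -m json.tool clusters/ransomware.json > /dev/null` (or `jq empty clusters/ransomware.json`) would catch this class of error before merge. The enclosing object starts outside the hunk.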
@@ -4867,7 +4845,6 @@
 "extensions": [
 ".ENCRYPTED"
 ],
- "encryption": "",
 "ransomnotes": [
 "READ_THIS_TO_DECRYPT.html"
 ],
@@ -5585,11 +5562,11 @@
 }
 },
 {
- "value": "EduCrypt or EduCrypter",
+ "value": "EduCrypt",
 "description": "Ransomware Based on Hidden Tear",
 "meta": {
 "synonyms": [
- "Fake"
+ "EduCrypter"
 ],
 "extensions": [
 ".isis",
@@ -5618,16 +5595,15 @@
 }
 },
 {
- "value": "El-Polocker or Los Pollos Hermanos",
+ "value": "El-Polocker",
 "description": "Ransomware Has a GUI",
 "meta": {
 "synonyms": [
- "Fake"
+ "Los Pollos Hermanos"
 ],
 "extensions": [
 ".ha3"
 ],
- "encryption": "",
 "ransomnotes": [
 "qwer.html",
 "qwer2.html",
@@ -5636,9 +5612,12 @@
 }
 },
 {
- "value": "Encoder.xxxx or Trojan.Encoder.6491",
+ "value": "Encoder.xxxx",
 "description": "Ransomware Coded in GO",
 "meta": {
+ "synonyms": [
+ "Trojan.Encoder.6491"
+ ],
 "ransomnotes": [
 "Instructions.html"
 ],
@@ -5725,9 +5704,12 @@
 }
 },
 {
- "value": "Fantom or Comrad Circle",
+ "value": "Fantom",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Comrad Circle"
+ ],
 "extensions": [
 ".fantom",
 ".comrade"
@@ -5827,9 +5809,12 @@
 }
 },
 {
- "value": "Free-Freedom or Roga",
+ "value": "Free-Freedom",
 "description": "Ransomware Unlock code is: adam or adamdude9",
 "meta": {
+ "synonyms": [
+ "Roga"
+ ],
 "extensions": [
 ".madebyadam"
 ],
@@ -5890,9 +5875,12 @@
 }
 },
 {
- "value": "Globe v1 or Purge",
+ "value": "Globe v1",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Purge"
+ ],
 "extensions": [
 ".purge"
 ],
@@ -5991,9 +5979,12 @@
 }
 },
 {
- "value": "HDDCryptor or Mamba",
+ "value": "HDDCryptor",
 "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
 "meta": {
+ "synonyms": [
+ "Mamba"
+ ],
 "encryption": "Custom (net shares), XTS-AES (disk)",
 "refs": [
 "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
@@ -6164,9 +6155,13 @@
 }
 },
 {
- "value": "Jeiphoos or Encryptor RaaS or Sarento",
+ "value": "Jeiphoos",
 "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
 "meta": {
+ "synonyms": [
+ "Encryptor RaaS",
+ "Sarento"
+ ],
 "encryption": "RC6 (files), RSA 2048 (RC6 key)",
 "ransomnotes": [
 "readme_liesmich_encryptor_raas.txt"
@@ -6191,9 +6186,12 @@
 }
 },
 {
- "value": "Jigsaw or CryptoHitMan (subvariant)",
+ "value": "Jigsaw",
 "description": "Ransomware Has a GUI",
 "meta": {
+ "synonyms": [
+ "CryptoHitMan"
+ ],
 "extensions": [
 ".btc",
 ".kkk",
@@ -6346,9 +6344,12 @@
 }
 },
 {
- "value": "Kozy.Jozy or QC",
+ "value": "Kozy.Jozy",
 "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
 "meta": {
+ "synonyms": [
+ "QC"
+ ],
 "extensions": [
 ".31392E30362E32303136_[ID-KEY]_LSBJ1",
 ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
@@ -6432,9 +6433,12 @@
 }
 },
 {
- "value": "Linux.Encoder or Linux.Encoder.{0,3}",
+ "value": "Linux.Encoder",
 "description": "Ransomware Linux Ransomware",
 "meta": {
+ "synonyms": [
+ "Linux.Encoder.{0,3}"
+ ],
 "refs": [
 "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
 ]
@@ -6639,9 +6643,12 @@
 }
 },
 {
- "value": "MIRCOP or Crypt888",
+ "value": "MIRCOP",
 "description": "Ransomware Prepends files Demands 48.48 BTC",
 "meta": {
+ "synonyms": [
+ "Crypt888"
+ ],
 "extensions": [
 "Lock."
 ],
@@ -6669,9 +6676,12 @@
 }
 },
 {
- "value": "Mischa or \"Petya's little brother\"",
+ "value": "Mischa",
 "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
 "meta": {
+ "synonyms": [
+ "\"Petya's little brother\""
+ ],
 "extensions": [
 ".([a-zA-Z0-9]{4})"
 ],
@@ -6685,9 +6695,12 @@
 }
 },
 {
- "value": "MM Locker or Booyah",
+ "value": "MM Locker",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Booyah"
+ ],
 "extensions": [
 ".locked"
 ],
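Review bot: The Jigsaw hunk (@@ -6191) drops the `(subvariant)` qualifier when moving CryptoHitMan into `synonyms`, so the file no longer records that CryptoHitMan is a variant rather than a plain alias of Jigsaw. A synonym list cannot carry that distinction; suggest keeping it in the description, e.g. `"description": "Ransomware Has a GUI. CryptoHitMan is a subvariant"`. The enclosing object continues past the hunk.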
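Review bot: The synonym `Linux.Encoder.{0,3}` added in the @@ -6432 hunk is a pattern, not a name — presumably shorthand for the numbered Linux.Encoder variants. Alias lookups are literal string matches, so this element will never match anything a report uses. Either expand it to the actual variant names the maintainers intend, or drop it and keep the version range in `description`.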
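Review bot: The new synonym in the Mischa hunk (@@ -6669) keeps the literal double quotes inside the string, `"\"Petya's little brother\""`, so any alias match has to include the quote characters. They were only delimiters in the old combined `value`; the synonym should be `"Petya's little brother"`. The enclosing object continues past the hunk.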
@@ -6701,9 +6714,13 @@
 }
 },
 {
- "value": "Mobef or Yakes or CryptoBit",
+ "value": "Mobef",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Yakes",
+ "CryptoBit"
+ ],
 "extensions": [
 ".KEYZ",
 ".KEYH0LES"
@@ -6787,9 +6804,12 @@
 }
 },
 {
- "value": "Netix or RANSOM_NETIX.A",
+ "value": "Netix",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "RANSOM_NETIX.A"
+ ],
 "extensions": [
 "AES-256"
 ],
@@ -6812,9 +6832,13 @@
 }
 },
 {
- "value": "NMoreira or XRatTeam or XPan",
+ "value": "NMoreira",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "XRatTeam",
+ "XPan"
+ ],
 "extensions": [
 ".maktub",
 ".__AiraCropEncrypted!"
@@ -6887,9 +6911,13 @@
 }
 },
 {
- "value": "Offline ransomware or Vipasana or Cryakl",
+ "value": "Offline ransomware",
 "description": "Ransomware email addresses overlap with .777 addresses",
 "meta": {
+ "synonyms": [
+ "Vipasana",
+ "Cryakl"
+ ],
 "extensions": [
 ".cbf",
 "email-[params].cbf"
@@ -6905,9 +6933,12 @@
 }
 },
 {
- "value": "OMG! Ransomware or GPCode",
+ "value": "OMG! Ransomware",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "GPCode"
+ ],
 "extensions": [
 ".LOL!",
 ".OMG!"
@@ -6930,9 +6961,12 @@
 }
 },
 {
- "value": "Owl or CryptoWire",
+ "value": "Owl",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CryptoWire"
+ ],
 "extensions": [
 "dummy_file.encrypted",
 "dummy_file.encrypted.[extension]"
@@ -6988,9 +7022,12 @@
 }
 },
 {
- "value": "Petya or Goldeneye",
+ "value": "Petya",
 "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
 "meta": {
+ "synonyms": [
+ "Goldeneye"
+ ],
 "encryption": "Modified Salsa20",
 "ransomnotes": [
 "YOUR_FILES_ARE_ENCRYPTED.TXT"
@@ -7056,9 +7093,12 @@
 }
 },
 {
- "value": "PowerWare or PoshCoder",
+ "value": "PowerWare",
 "description": "Ransomware Open-sourced PowerShell",
 "meta": {
+ "synonyms": [
+ "PoshCoder"
+ ],
 "extensions": [
 ".locky"
 ],
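Review bot: In the @@ -6887 hunk the primary `value` becomes `Offline ransomware`, a generic descriptor, while the actual family names Vipasana and Cryakl are demoted to synonyms; the Trojan hunk at @@ -7938 does the same with `Trojan` over BrainCrypt, and arguably Virus-Encoder at @@ -8156 over CrySiS. The `value` is the cluster's display name and the key other data references, so a generic term there is both uninformative and, as an alias, collides with every other trojan. Suggest the specific name as the value, e.g. `"value": "BrainCrypt"` with the generic word dropped rather than kept as a synonym. The enclosing objects continue past their hunks.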
@@ -7149,9 +7189,12 @@
 }
 },
 {
- "value": "RAA encryptor or RAA",
+ "value": "RAA encryptor",
 "description": "Ransomware Possible affiliation with Pony",
 "meta": {
+ "synonyms": [
+ "RAA"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7195,9 +7238,20 @@
 }
 },
 {
- "value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor",
+ "value": "Rakhni",
 "description": "Ransomware Files might be partially encrypted",
 "meta": {
+ "synonyms": [
+ "Agent.iih",
+ "Aura",
+ "Autoit",
+ "Pletor",
+ "Rotor",
+ "Lamer",
+ "Isda",
+ "Cryptokluchen",
+ "Bandarchor"
+ ],
 "extensions": [
 ".locked",
 ".kraken",
@@ -7439,9 +7493,15 @@
 }
 },
 {
- "value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe",
+ "value": "Samas-Samsam",
 "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
 "meta": {
+ "synonyms": [
+ "samsam.exe",
+ "MIKOPONI.exe",
+ "RikiRafael.exe",
+ "showmehowto.exe"
+ ],
 "extensions": [
 ".encryptedAES",
 ".encryptedRSA",
@@ -7569,9 +7629,12 @@
 }
 },
 {
- "value": "Shark or Atom",
+ "value": "Shark",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Atom"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7599,9 +7662,12 @@
 }
 },
 {
- "value": "Shujin or KinCrypt",
+ "value": "Shujin",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "KinCrypt"
+ ],
 "ransomnotes": [
 "文件解密帮助.txt"
 ],
@@ -7628,9 +7694,12 @@
 }
 },
 {
- "value": "SkidLocker / Pompous",
+ "value": "SkidLocker",
 "description": "Ransomware Based on EDA2",
 "meta": {
+ "synonyms": [
+ "Pompous"
+ ],
 "extensions": [
 ".locked"
 ],
@@ -7784,9 +7853,12 @@
 }
 },
 {
- "value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt",
+ "value": "TeslaCrypt 0.x - 2.2.0",
 "description": "Ransomware Factorization",
 "meta": {
+ "synonyms": [
+ "AlphaCrypt"
+ ],
 "extensions": [
 ".vvv",
 ".ecc",
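Review bot: The four synonyms added in the Samas-Samsam hunk (@@ -7439) are binary file names (`samsam.exe`, `MIKOPONI.exe`, `RikiRafael.exe`, `showmehowto.exe`), not aliases of the family. Tooling that resolves aliases will treat a file name as a family name, and the field hides what kind of indicator these are, so a defender reading the cluster cannot tell an alias from an observed sample name. Keep only real aliases in `synonyms` and record the file names in the description or a dedicated meta key, labelled as observed sample names. The enclosing object continues past the hunk.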
@@ -7834,14 +7906,20 @@
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
 "RECOVER<5_chars>.txt",
- "_how_recover+.txt or .html",
- "help_recover_instructions+.BMP or .html or .txt",
- "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "_how_recover+.txt",
+ "_how_recover+.html",
+ "help_recover_instructions+.html",
+ "help_recover_instructions+.txt",
+ "help_recover_instructions+.BMP",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.html",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.png",
 "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
 "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
 "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
 "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
- "HELP_TO_SAVE_FILES.txt or .bmp"
+ "HELP_TO_SAVE_FILES.txt",
+ "HELP_TO_SAVE_FILES.bmp"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@@ -7859,14 +7937,20 @@
 "RECOVER<5_chars>.html",
 "RECOVER<5_chars>.png",
 "RECOVER<5_chars>.txt",
- "_how_recover+.txt or .html",
- "help_recover_instructions+.BMP or .html or .txt",
- "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png",
+ "_how_recover+.txt",
+ "_how_recover+.html",
+ "help_recover_instructions+.BMP",
+ "help_recover_instructions+.html",
+ "help_recover_instructions+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.html",
+ "_H_e_l_p_RECOVER_INSTRUCTIONS+.png",
 "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
 "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp",
 "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp",
 "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt",
- "HELP_TO_SAVE_FILES.txt or .bmp"
+ "HELP_TO_SAVE_FILES.txt",
+ "HELP_TO_SAVE_FILES.bmp"
 ],
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
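Review bot: The split of the `X or .html` ransom-note entries in the @@ -7834 hunk is incomplete: `Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt`, `RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp` and the two lines after them still pack several patterns plus an example into one string, so a consumer matching note names cannot use them any more than before. The same list is duplicated verbatim in the @@ -7859 hunk, and the two copies already disagree on the order of the `help_recover_instructions+` elements (html/txt/BMP versus BMP/html/txt), which is exactly how duplicated lists drift apart. Suggest finishing the split to one file name per element in both places and, if the two entries describe the same family, keeping a single list. Both `ransomnotes` arrays begin outside their hunks.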
@@ -7886,9 +7970,14 @@
 }
 },
 {
- "value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac",
+ "value": "TorrentLocker",
 "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted",
 "meta": {
+ "synonyms": [
+ "Crypt0L0cker",
+ "CryptoFortress",
+ "Teerac"
+ ],
 "extensions": [
 ".Encrypted",
 ".enc"
@@ -7938,9 +8027,12 @@
 }
 },
 {
- "value": "Trojan or BrainCrypt",
+ "value": "Trojan",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "BrainCrypt"
+ ],
 "extensions": [
 ".braincrypt"
 ],
@@ -8092,9 +8184,13 @@
 }
 },
 {
- "value": "VaultCrypt or CrypVault, Zlader",
+ "value": "VaultCrypt",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CrypVault",
+ "Zlader"
+ ],
 "extensions": [
 ".vault",
 ".xort",
@@ -8156,9 +8252,12 @@
 }
 },
 {
- "value": "Virus-Encoder or CrySiS",
+ "value": "Virus-Encoder",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CrySiS"
+ ],
 "extensions": [
 ".CrySiS",
 ".xtbl",
@@ -8180,9 +8279,12 @@
 }
 },
 {
- "value": "WildFire Locker or Hades Locker",
+ "value": "WildFire Locker",
 "description": "Ransomware Zyklon variant",
 "meta": {
+ "synonyms": [
+ "Hades Locker"
+ ],
 "extensions": [
 ".wflx"
 ],
@@ -8240,9 +8342,12 @@
 }
 },
 {
- "value": "Zcrypt or Zcryptor",
+ "value": "Zcrypt",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "Zcryptor"
+ ],
 "extensions": [
 ".zcrypt"
 ],
@@ -8252,9 +8357,12 @@
 }
 },
 {
- "value": "Zeta or CryptoMix",
+ "value": "Zeta",
 "description": "Ransomware",
 "meta": {
+ "synonyms": [
+ "CryptoMix"
+ ],
 "extensions": [
 ".code",
 ".scl",
@@ -8284,9 +8392,14 @@
 }
 },
 {
- "value": "Zlader / Russian or VaultCrypt, CrypVault",
+ "value": "Zlader",
 "description": "Ransomware VaultCrypt family",
 "meta": {
+ "synonyms": [
+ "Russian",
+ "VaultCrypt",
+ "CrypVault"
+ ],
 "extensions": [
 ".vault"
 ],
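Review bot: After the @@ -8092 and @@ -8284 hunks, VaultCrypt lists `Zlader` as a synonym and Zlader lists `VaultCrypt` and `CrypVault` as synonyms, so two clusters declare each other as aliases and a lookup on `CrypVault` or `VaultCrypt` resolves ambiguously. The Zlader description already says `VaultCrypt family`, so either merge the two entries or keep one as the family and remove the cross-reference from the other's `synonyms`. Separately, `Russian` in the Zlader synonyms, carried over from the old `Zlader / Russian` value, reads as an origin tag rather than a name and should not be matched as an alias. Both objects continue past their hunks.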
@@ -8312,9 +8425,12 @@
 }
 },
 {
- "value": "Zyklon or GNL Locker",
+ "value": "Zyklon",
 "description": "Ransomware Hidden Tear family, GNL Locker variant",
 "meta": {
+ "synonyms": [
+ "GNL Locker"
+ ],
 "extensions": [
 ".zyklon"
 ]