add synonym and cleaning

pull/53/head
Deborah Servili 2017-05-18 11:18:32 +02:00
parent 2c4256f42c
commit 3b93a773e5
1 changed files with 191 additions and 75 deletions


@ -348,7 +348,6 @@
"https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png", "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png",
"motd.txt" "motd.txt"
], ],
"encryption": "",
"extensions": [ "extensions": [
".enc" ".enc"
], ],
@ -1374,7 +1373,6 @@
"ransomnotes": [ "ransomnotes": [
"https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png" "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
], ],
"encryption": "",
"extensions": [ "extensions": [
"AES+RSA" "AES+RSA"
], ],
@ -2011,8 +2009,7 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
"https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/", "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
""
], ],
"ransomnotes": [ "ransomnotes": [
"https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif", "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
@ -4377,7 +4374,6 @@
"[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]", "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
"*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
], ],
"encryption": "",
"ransomnotes": [ "ransomnotes": [
"*.How_To_Decrypt.txt", "*.How_To_Decrypt.txt",
"*.Contact_Here_To_Recover_Your_Files.txt", "*.Contact_Here_To_Recover_Your_Files.txt",
@ -4414,7 +4410,6 @@
"extensions": [ "extensions": [
".locky" ".locky"
], ],
"encryption": "",
"ransomnotes": [ "ransomnotes": [
"info.txt", "info.txt",
"info.html" "info.html"
@ -4515,8 +4510,7 @@
".clf" ".clf"
], ],
"refs": [ "refs": [
"https://noransom.kaspersky.com/", "https://noransom.kaspersky.com/"
""
] ]
} }
}, },
@ -4572,7 +4566,7 @@
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Salami" "Salami"
], ]
} }
}, },
{ {
@ -4778,22 +4772,6 @@
] ]
} }
}, },
{
"value": "",
"description": "Ransomware",
"meta": {
"extensions": [
""
],
"encryption": "",
"ransomnotes": [
""
],
"refs": [
""
]
}
},
{ {
"value": "Crybola", "value": "Crybola",
"description": "Ransomware", "description": "Ransomware",
@ -4867,7 +4845,6 @@
"extensions": [ "extensions": [
".ENCRYPTED" ".ENCRYPTED"
], ],
"encryption": "",
"ransomnotes": [ "ransomnotes": [
"READ_THIS_TO_DECRYPT.html" "READ_THIS_TO_DECRYPT.html"
], ],
@ -5585,11 +5562,11 @@
} }
}, },
{ {
"value": "EduCrypt or EduCrypter", "value": "EduCrypt",
"description": "Ransomware Based on Hidden Tear", "description": "Ransomware Based on Hidden Tear",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Fake" "EduCrypter"
], ],
"extensions": [ "extensions": [
".isis", ".isis",
@ -5618,16 +5595,15 @@
} }
}, },
{ {
"value": "El-Polocker or Los Pollos Hermanos", "value": "El-Polocker",
"description": "Ransomware Has a GUI", "description": "Ransomware Has a GUI",
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Fake" "Los Pollos Hermanos"
], ],
"extensions": [ "extensions": [
".ha3" ".ha3"
], ],
"encryption": "",
"ransomnotes": [ "ransomnotes": [
"qwer.html", "qwer.html",
"qwer2.html", "qwer2.html",
@ -5636,9 +5612,12 @@
} }
}, },
{ {
"value": "Encoder.xxxx or Trojan.Encoder.6491", "value": "Encoder.xxxx",
"description": "Ransomware Coded in GO", "description": "Ransomware Coded in GO",
"meta": { "meta": {
"synonyms": [
"Trojan.Encoder.6491"
],
"ransomnotes": [ "ransomnotes": [
"Instructions.html" "Instructions.html"
], ],
@ -5725,9 +5704,12 @@
} }
}, },
{ {
"value": "Fantom or Comrad Circle", "value": "Fantom",
"description": "Ransomware Based on EDA2", "description": "Ransomware Based on EDA2",
"meta": { "meta": {
"synonyms": [
"Comrad Circle"
],
"extensions": [ "extensions": [
".fantom", ".fantom",
".comrade" ".comrade"
@ -5827,9 +5809,12 @@
} }
}, },
{ {
"value": "Free-Freedom or Roga", "value": "Free-Freedom",
"description": "Ransomware Unlock code is: adam or adamdude9", "description": "Ransomware Unlock code is: adam or adamdude9",
"meta": { "meta": {
"synonyms": [
"Roga"
],
"extensions": [ "extensions": [
".madebyadam" ".madebyadam"
], ],
@ -5890,9 +5875,12 @@
} }
}, },
{ {
"value": "Globe v1 or Purge", "value": "Globe v1",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"Purge"
],
"extensions": [ "extensions": [
".purge" ".purge"
], ],
@ -5991,9 +5979,12 @@
} }
}, },
{ {
"value": "HDDCryptor or Mamba", "value": "HDDCryptor",
"description": "Ransomware Uses https://diskcryptor.net for full disk encryption", "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
"meta": { "meta": {
"synonyms": [
"Mamba"
],
"encryption": "Custom (net shares), XTS-AES (disk)", "encryption": "Custom (net shares), XTS-AES (disk)",
"refs": [ "refs": [
"https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho", "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
@ -6164,9 +6155,13 @@
} }
}, },
{ {
"value": "Jeiphoos or Encryptor RaaS or Sarento", "value": "Jeiphoos",
"description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.", "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.",
"meta": { "meta": {
"synonyms": [
"Encryptor RaaS",
"Sarento"
],
"encryption": "RC6 (files), RSA 2048 (RC6 key)", "encryption": "RC6 (files), RSA 2048 (RC6 key)",
"ransomnotes": [ "ransomnotes": [
"readme_liesmich_encryptor_raas.txt" "readme_liesmich_encryptor_raas.txt"
@ -6191,9 +6186,12 @@
} }
}, },
{ {
"value": "Jigsaw or CryptoHitMan (subvariant)", "value": "Jigsaw",
"description": "Ransomware Has a GUI", "description": "Ransomware Has a GUI",
"meta": { "meta": {
"synonyms": [
"CryptoHitMan"
],
"extensions": [ "extensions": [
".btc", ".btc",
".kkk", ".kkk",
@ -6346,9 +6344,12 @@
} }
}, },
{ {
"value": "Kozy.Jozy or QC", "value": "Kozy.Jozy",
"description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com", "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
"meta": { "meta": {
"synonyms": [
"QC"
],
"extensions": [ "extensions": [
".31392E30362E32303136_[ID-KEY]_LSBJ1", ".31392E30362E32303136_[ID-KEY]_LSBJ1",
".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
@ -6432,9 +6433,12 @@
} }
}, },
{ {
"value": "Linux.Encoder or Linux.Encoder.{0,3}", "value": "Linux.Encoder",
"description": "Ransomware Linux Ransomware", "description": "Ransomware Linux Ransomware",
"meta": { "meta": {
"synonyms": [
"Linux.Encoder.{0,3}"
],
"refs": [ "refs": [
"https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/" "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
] ]
@ -6639,9 +6643,12 @@
} }
}, },
{ {
"value": "MIRCOP or Crypt888", "value": "MIRCOP",
"description": "Ransomware Prepends files Demands 48.48 BTC", "description": "Ransomware Prepends files Demands 48.48 BTC",
"meta": { "meta": {
"synonyms": [
"Crypt888"
],
"extensions": [ "extensions": [
"Lock." "Lock."
], ],
@ -6669,9 +6676,12 @@
} }
}, },
{ {
"value": "Mischa or \"Petya's little brother\"", "value": "Mischa",
"description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe", "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
"meta": { "meta": {
"synonyms": [
"\"Petya's little brother\""
],
"extensions": [ "extensions": [
".([a-zA-Z0-9]{4})" ".([a-zA-Z0-9]{4})"
], ],
@ -6685,9 +6695,12 @@
} }
}, },
{ {
"value": "MM Locker or Booyah", "value": "MM Locker",
"description": "Ransomware Based on EDA2", "description": "Ransomware Based on EDA2",
"meta": { "meta": {
"synonyms": [
"Booyah"
],
"extensions": [ "extensions": [
".locked" ".locked"
], ],
@ -6701,9 +6714,13 @@
} }
}, },
{ {
"value": "Mobef or Yakes or CryptoBit", "value": "Mobef",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"Yakes",
"CryptoBit"
],
"extensions": [ "extensions": [
".KEYZ", ".KEYZ",
".KEYH0LES" ".KEYH0LES"
@ -6787,9 +6804,12 @@
} }
}, },
{ {
"value": "Netix or RANSOM_NETIX.A", "value": "Netix",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"RANSOM_NETIX.A"
],
"extensions": [ "extensions": [
"AES-256" "AES-256"
], ],
@ -6812,9 +6832,13 @@
} }
}, },
{ {
"value": "NMoreira or XRatTeam or XPan", "value": "NMoreira",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"XRatTeam",
"XPan"
],
"extensions": [ "extensions": [
".maktub", ".maktub",
".__AiraCropEncrypted!" ".__AiraCropEncrypted!"
@ -6887,9 +6911,13 @@
} }
}, },
{ {
"value": "Offline ransomware or Vipasana or Cryakl", "value": "Offline ransomware",
"description": "Ransomware email addresses overlap with .777 addresses", "description": "Ransomware email addresses overlap with .777 addresses",
"meta": { "meta": {
"synonyms": [
"Vipasana",
"Cryakl"
],
"extensions": [ "extensions": [
".cbf", ".cbf",
"email-[params].cbf" "email-[params].cbf"
@ -6905,9 +6933,12 @@
} }
}, },
{ {
"value": "OMG! Ransomware or GPCode", "value": "OMG! Ransomware",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"GPCode"
],
"extensions": [ "extensions": [
".LOL!", ".LOL!",
".OMG!" ".OMG!"
@ -6930,9 +6961,12 @@
} }
}, },
{ {
"value": "Owl or CryptoWire", "value": "Owl",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"CryptoWire"
],
"extensions": [ "extensions": [
"dummy_file.encrypted", "dummy_file.encrypted",
"dummy_file.encrypted.[extension]" "dummy_file.encrypted.[extension]"
@ -6988,9 +7022,12 @@
} }
}, },
{ {
"value": "Petya or Goldeneye", "value": "Petya",
"description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe", "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
"meta": { "meta": {
"synonyms": [
"Goldeneye"
],
"encryption": "Modified Salsa20", "encryption": "Modified Salsa20",
"ransomnotes": [ "ransomnotes": [
"YOUR_FILES_ARE_ENCRYPTED.TXT" "YOUR_FILES_ARE_ENCRYPTED.TXT"
@ -7056,9 +7093,12 @@
} }
}, },
{ {
"value": "PowerWare or PoshCoder", "value": "PowerWare",
"description": "Ransomware Open-sourced PowerShell", "description": "Ransomware Open-sourced PowerShell",
"meta": { "meta": {
"synonyms": [
"PoshCoder"
],
"extensions": [ "extensions": [
".locky" ".locky"
], ],
@ -7149,9 +7189,12 @@
} }
}, },
{ {
"value": "RAA encryptor or RAA", "value": "RAA encryptor",
"description": "Ransomware Possible affiliation with Pony", "description": "Ransomware Possible affiliation with Pony",
"meta": { "meta": {
"synonyms": [
"RAA"
],
"extensions": [ "extensions": [
".locked" ".locked"
], ],
@ -7195,9 +7238,20 @@
} }
}, },
{ {
"value": "Rakhni or Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Isda, Cryptokluchen, Bandarchor", "value": "Rakhni",
"description": "Ransomware Files might be partially encrypted", "description": "Ransomware Files might be partially encrypted",
"meta": { "meta": {
"synonyms": [
"Agent.iih",
"Aura",
"Autoit",
"Pletor",
"Rotor",
"Lamer",
"Isda",
"Cryptokluchen",
"Bandarchor"
],
"extensions": [ "extensions": [
".locked", ".locked",
".kraken", ".kraken",
@ -7439,9 +7493,15 @@
} }
}, },
{ {
"value": "Samas-Samsam or samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe", "value": "Samas-Samsam",
"description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena", "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena",
"meta": { "meta": {
"synonyms": [
"samsam.exe",
"MIKOPONI.exe",
"RikiRafael.exe",
"showmehowto.exe"
],
"extensions": [ "extensions": [
".encryptedAES", ".encryptedAES",
".encryptedRSA", ".encryptedRSA",
@ -7569,9 +7629,12 @@
} }
}, },
{ {
"value": "Shark or Atom", "value": "Shark",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"Atom"
],
"extensions": [ "extensions": [
".locked" ".locked"
], ],
@ -7599,9 +7662,12 @@
} }
}, },
{ {
"value": "Shujin or KinCrypt", "value": "Shujin",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"KinCrypt"
],
"ransomnotes": [ "ransomnotes": [
"文件解密帮助.txt" "文件解密帮助.txt"
], ],
@ -7628,9 +7694,12 @@
} }
}, },
{ {
"value": "SkidLocker / Pompous", "value": "SkidLocker",
"description": "Ransomware Based on EDA2", "description": "Ransomware Based on EDA2",
"meta": { "meta": {
"synonyms": [
"Pompous"
],
"extensions": [ "extensions": [
".locked" ".locked"
], ],
@ -7784,9 +7853,12 @@
} }
}, },
{ {
"value": "TeslaCrypt 0.x - 2.2.0 or AlphaCrypt", "value": "TeslaCrypt 0.x - 2.2.0",
"description": "Ransomware Factorization", "description": "Ransomware Factorization",
"meta": { "meta": {
"synonyms": [
"AlphaCrypt"
],
"extensions": [ "extensions": [
".vvv", ".vvv",
".ecc", ".ecc",
@ -7834,14 +7906,20 @@
"RECOVER<5_chars>.html", "RECOVER<5_chars>.html",
"RECOVER<5_chars>.png", "RECOVER<5_chars>.png",
"RECOVER<5_chars>.txt", "RECOVER<5_chars>.txt",
"_how_recover+<random 3 chars>.txt or .html", "_how_recover+<random 3 chars>.txt",
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt", "_how_recover+<random 3 chars>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png", "help_recover_instructions+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.txt",
"help_recover_instructions+<random 3 chars>.BMP",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.png",
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp", "RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp", "HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt", "HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
"HELP_TO_SAVE_FILES.txt or .bmp" "HELP_TO_SAVE_FILES.txt",
"HELP_TO_SAVE_FILES.bmp"
], ],
"refs": [ "refs": [
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@ -7859,14 +7937,20 @@
"RECOVER<5_chars>.html", "RECOVER<5_chars>.html",
"RECOVER<5_chars>.png", "RECOVER<5_chars>.png",
"RECOVER<5_chars>.txt", "RECOVER<5_chars>.txt",
"_how_recover+<random 3 chars>.txt or .html", "_how_recover+<random 3 chars>.txt",
"help_recover_instructions+<random 3 chars>.BMP or .html or .txt", "_how_recover+<random 3 chars>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt, .html or .png", "help_recover_instructions+<random 3 chars>.BMP",
"help_recover_instructions+<random 3 chars>.html",
"help_recover_instructions+<random 3 chars>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.txt",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.html",
"_H_e_l_p_RECOVER_INSTRUCTIONS+<random 3 char>.png",
"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt",
"RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp", "RESTORE_FILES_<random 5 chars>.TXT , e.g. restore_files_kksli.bmp",
"HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp", "HELP_RESTORE_FILES_<random 5 chars>.TXT , e.g. help_restore_files_kksli.bmp",
"HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt", "HOWTO_RECOVER_FILES_<random 5 chars>.TXT. e.g. howto_recover_files_xeyye.txt",
"HELP_TO_SAVE_FILES.txt or .bmp" "HELP_TO_SAVE_FILES.txt",
"HELP_TO_SAVE_FILES.bmp"
], ],
"refs": [ "refs": [
"http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
@ -7886,9 +7970,14 @@
} }
}, },
{ {
"value": "TorrentLocker or Crypt0L0cker, CryptoFortress, Teerac", "value": "TorrentLocker",
"description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted", "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted",
"meta": { "meta": {
"synonyms": [
"Crypt0L0cker",
"CryptoFortress",
"Teerac"
],
"extensions": [ "extensions": [
".Encrypted", ".Encrypted",
".enc" ".enc"
@ -7938,9 +8027,12 @@
} }
}, },
{ {
"value": "Trojan or BrainCrypt", "value": "Trojan",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"BrainCrypt"
],
"extensions": [ "extensions": [
".braincrypt" ".braincrypt"
], ],
@ -8092,9 +8184,13 @@
} }
}, },
{ {
"value": "VaultCrypt or CrypVault, Zlader", "value": "VaultCrypt",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"CrypVault",
"Zlader"
],
"extensions": [ "extensions": [
".vault", ".vault",
".xort", ".xort",
@ -8156,9 +8252,12 @@
} }
}, },
{ {
"value": "Virus-Encoder or CrySiS", "value": "Virus-Encoder",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"CrySiS"
],
"extensions": [ "extensions": [
".CrySiS", ".CrySiS",
".xtbl", ".xtbl",
@ -8180,9 +8279,12 @@
} }
}, },
{ {
"value": "WildFire Locker or Hades Locker", "value": "WildFire Locker",
"description": "Ransomware Zyklon variant", "description": "Ransomware Zyklon variant",
"meta": { "meta": {
"synonyms": [
"Hades Locker"
],
"extensions": [ "extensions": [
".wflx" ".wflx"
], ],
@ -8240,9 +8342,12 @@
} }
}, },
{ {
"value": "Zcrypt or Zcryptor", "value": "Zcrypt",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"Zcryptor"
],
"extensions": [ "extensions": [
".zcrypt" ".zcrypt"
], ],
@ -8252,9 +8357,12 @@
} }
}, },
{ {
"value": "Zeta or CryptoMix", "value": "Zeta",
"description": "Ransomware", "description": "Ransomware",
"meta": { "meta": {
"synonyms": [
"CryptoMix"
],
"extensions": [ "extensions": [
".code", ".code",
".scl", ".scl",
@ -8284,9 +8392,14 @@
} }
}, },
{ {
"value": "Zlader / Russian or VaultCrypt, CrypVault", "value": "Zlader",
"description": "Ransomware VaultCrypt family", "description": "Ransomware VaultCrypt family",
"meta": { "meta": {
"synonyms": [
"Russian",
"VaultCrypt",
"CrypVault"
],
"extensions": [ "extensions": [
".vault" ".vault"
], ],
@ -8312,9 +8425,12 @@
} }
}, },
{ {
"value": "Zyklon or GNL Locker", "value": "Zyklon",
"description": "Ransomware Hidden Tear family, GNL Locker variant", "description": "Ransomware Hidden Tear family, GNL Locker variant",
"meta": { "meta": {
"synonyms": [
"GNL Locker"
],
"extensions": [ "extensions": [
".zyklon" ".zyklon"
] ]
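Review bot: Several of the new `synonyms` values are not literal alternative family names, so a consumer that matches synonyms as exact strings (the matching code is not on this page) would miss them or attribute a hit to the wrong cluster. Under Mischa the entry keeps embedded quote characters and should read `"Petya's little brother"`; under Linux.Encoder `"Linux.Encoder.{0,3}"` is a pattern rather than a name; under Zlader `"Russian"` is a leftover from the old `Zlader / Russian` value; and the Samas-Samsam synonyms (`samsam.exe`, `MIKOPONI.exe`, …) are executable file names, not family names. Zlader and VaultCrypt now list each other and `CrypVault` as synonyms, so a lookup on any of those three strings resolves to two clusters; keep the shared names on one entry, or merge the two. Separately, the hunk at -1374 drops the empty `"encryption": ""` while `extensions` still holds `"AES+RSA"` (Netix likewise has `"AES-256"` there), which looks like the cipher ended up in the wrong field; I would move it, e.g. `"encryption": "AES+RSA"`. The TeslaCrypt `ransomnotes` lists also still hold composite strings such as `"Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt"` next to the ones this commit split.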