add/update ransomware based on ransomlook

pull/821/head
Delta-Sierra 2023-02-23 14:15:09 +01:00
parent 6460fde2e4
commit 55725c771e
1 changed file with 157 additions and 1 deletion

@ -24437,6 +24437,12 @@
"meta": {
"date": "June 2021",
"encryption": "AES",
"links": [
"http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion",
"http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion",
"http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/6",
"http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/"
],
"ransomnotes-refs": [
"https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png"
],
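Review bot: the new `links` array lists the same ALPHV onion host twice, once as the bare host (`http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion`) and once with a blog API path (`.../api/blog/all/0/6`), which looks like a paginated listing rather than a site identifier and will not stay valid; keep only the root URL of each distinct onion. Trailing-slash use is also mixed inside the same array (`...ohyd.onion/` has one, the others do not), which makes de-duplication against other galaxy entries harder, so pick one form.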
@ -24927,7 +24933,157 @@
"description": "Ransomware",
"uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42",
"value": "Karakurt"
},
{
"description": "0mega, a new ransomware operation, has been observed targeting organizations around the world. The ransomware operators are launching double-extortion attacks and demanding millions of dollars as ransom.\n\n0mega ransomware operation launched in May and has already claimed multiple victims.\n0mega maintains a dedicated data leak site that the attackers use to post stolen data if the demanded ransom is not paid.\nThe leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack that happened in May.\nHowever, an additional victim has since been removed, implying that they might have paid the ransom to the 0mega group.\n\nHow does it work?\nHackers add the .0mega extension to the encrypted files names and create ransom notes (DECRYPT-FILES[.]txt).\nThe ransom note has a link to a Tor payment negotiation site with a support chat to reach out to the ransomware group.\nTo log in to this site, the victims are asked to upload their ransom notes with a unique Base64-encoded blob identity.",
"meta": {
"extensions": [
".0mega "
],
"links": [
"http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/",
"https://0mega.cc/"
],
"ransomnotes-filenames": [
"DECRYPT-FILES.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/",
"https://cyware.com/news/new-0mega-ransomware-joins-the-double-extortion-threat-landscape-158fb321"
]
},
"uuid": "91a085dc-9667-4dcd-9434-8cbb53e592fe",
"value": "0Mega"
},
{
"description": "Abraham's Ax announced their existence and mission through social media channels such as Twitter posts on November 8, 2022.\nAbraham's Ax use a WordPress blog as the basis for their leak sites. Abraham's Ax site is available in Hebrew, Farsi, and English. The site also provides versions available via Tor websites, although it appeared to be under construction at the time of analysis. Used domain is registered with EgenSajt.se",
"meta": {
"links": [
" http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion/ "
],
"refs": [
"https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff"
],
"synonyms": [
"Abrahams_Ax"
]
},
"uuid": "72892710-57ef-4bbb-8b80-752e036797f3",
"value": "Abraham's Ax"
},
{
"description": "Ransomware",
"meta": {
"links": [
"http://hitlerransomware[.]000webhostapp[.]com/",
"http://hitleransomware[.]cf/"
],
"refs": [
"https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/hitler_ransomware.txt",
"https://twitter.com/fr0s7_/status/1460229982278541315"
]
},
"related": [
{
"dest-uuid": "8807752b-bd26-45a7-ba34-c8ddd8e5781d",
"tags": [
"estimative-language:likelihood-probability=\"unlikely\""
],
"type": "similar"
}
],
"uuid": "71b02418-6b06-48e3-8636-32287f8e0b1d",
"value": "aGl0bGVyCg"
},
{
"description": "Once installed, Ako will attempt to delete Volume Shadow Copies and disable recovery services. It will then begin to encrypt all files that do not match a hard-coded list using an unknown algorithm. Whilst this is happening, Ako will scan the affected network for any connected devices or drives for it to propagate to.",
"meta": {
"extensions": [
".A4Wz1b",
".861C7c",
".jJNm9j"
],
"links": [
" http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion"
],
"ransomnotes": [
"Your network have been locked.\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: *******\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\nTo get info (decrypt your files) follow this steps:\n1) Download and install Tor Browser: hxxps://www.torproject.org/download/\n2) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2th cw5gz75qncv7rbhyad.onion/I8VC6PIEQL8JFKHM\n3) Paste your ID in form (you can find your ID below)\n\n!! ATTENTION !!\n!! Any third - party software may damage encrypted data but not recover.\n!! DO NOT MODIFY ENCRYPTED FILES\n!! DO NOT CHANGE YOUR ID\n!! DO NOT REMOVE YOUR ID.KEY FILE\n\n --- BEGIN PERSONAL ID ---\n\n --- END PERSONAL ID ---",
"Your network have been locked.\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: ******\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\nTo get info (decrypt your files) contact us at (email)\ndavidgoldman@cock.li or portedhiggens@firemail.cc\n\nAnd send me your ID\n\n!!ATTENTION !!\n!!Any third - party software may damage encrypted data but not recover.\n!!DO NOT MODIFY ENCRYPTED FILES\n!!DO NOT CHANGE YOUR KEY\n\n--- YOUR ID ---\n-\n--- YOUR ID ---",
"Your network has been hacked and locked.\n\nAll files on each host in the network have been encrypted with a strong algorithm.\n\nBackups were either encrypted or deleted or backup disks were formatted.\nShadow copies also removed. Any 3rd party software may damage encrypted data but not recover.\n\nWe have decryption software for your situation.\nNo decryption software is available in the public.\n\nDO NOT RESET OR SHUTDOWN - files may be damaged.\nDO NOT RENAME OR MOVE the encrypted and readme files.\nDO NOT DELETE readme files.\n\nTo get info (decrypt your files) follow this instructions:\n1) [Recommended] via Tor Browser:\na) Download and install Tor Browser: hxxps://www.torproject.org/download/\nb) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/AXYIRRUPSQTS3AHT\n\n2) If you have any problems connecting or using TOR network:\na) Open our website: hxxps://buydecrypt.hk/AXYIRRUPSQTS3AHT\nb) Follow the instructions on the site.\n\nThe faster you get in contact - the lower price you can expect.\n\nExt: .A4Wz1b\nWhen you open our page, paste this key in form:\n\n-",
"Your network has been hacked and locked.\n\nAll files on each host in the network have been encrypted with a strong algorithm.\nDo not worry, we have decryption software for your situation.\n\nWe have also downloaded a lot of sensitive information from your network, so in case of not paying this data will be released.\nIf you dont believe we have any data you can contact us and ask a proof.\nDont forget about GDPR.\n\nWhen you pay us the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.\n\nTo get info (decrypt your files) contact us at and send your key (see it below):\n\ndtddecrypt@protonmail.com or dtddesht@tutanota.com\n\nTo confirm our honest intentions, you can decrypt any file for free.\nThe faster you get in contact - the lower price you can expect.\n\nDecryption of your files with the help of third-party company may cause increased price. (they add their fee to our)\nDo not reset or shutdown - files may be damaged.\nDo not rename or move the encrypted and readme files.\nDo not delete readme files.\n\nMachine ID: .861C7c\nYour key:\n\n-",
"To get info (decrypt your files) contact us at (email) and send your key (see it below)\ndtddecrypt@protonmail.com or dtddesht@tutanota.com\n\n\nThe faster you get in contact - the lower price you can expect.\n\nMachine ID: .861C7c\nKey:\n\n-",
"--- We apologize! ---\nYour network have been locked.\n\n------------------------------\n| Whats happened?\n------------------------------\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: .jJNm9j\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\n------------------------------\n| Guarantees?\n------------------------------\n\nAs you read above, files can be decrypted only using our private key and a special program.\nThe only guarantees we can give are decryption of your any file.\nSo you can decrypt any file from your system for free on our website.\nWe guarantee that you can recovery all your files. But you have not so enough time.\n\n------------------------------\n| How to recovery my files?\n------------------------------\n\nTo get info (decrypt your files) you have 1 way:\n\n1) [Recommended] via Tor Browser:\na) Download and install Tor Browser: hxxps://www.torproject.org/download/\nb) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2 thcw5gz75qncv7rbhyad.onion/I8VC6PIEQL8JFKHM\n\nWhen you open our website, put the following key in the input form:\n\n-\n\n!! ATTENTION !!\n!! Any third - party software may damage encrypted data but not recover. !!\n!! DO NOT MODIFY ENCRYPTED FILES !!\n!! DO NOT CHANGE YOUR ID !!\n!! DO NOT REMOVE YOUR ID.KEY FILE !!\n"
],
"ransomnotes-filenames": [
"ako-readme.txt"
],
"ransomnotes-refs": [
"https://www.pcrisk.com/images/stories/screenshots202001/ako-ransom-note.jpg"
],
"refs": [
"https://digital.nhs.uk/cyber-alerts/2020/cc-3345",
"https://www.pcrisk.com/removal-guides/16737-ako-ransomware",
"https://www.pcrisk.com/images/stories/screenshots202001/ako-ransom-note-second_variant.jpg",
"https://www.pcrisk.com/images/stories/screenshots202004/ako-ransomware-update-2020-04-09-text-file.jpg",
"https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-text-file.jpg",
"https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-html-file.jpg",
"https://www.pcrisk.com/images/stories/screenshots202010/ako-ransomware-update-2020-10-15-text-file.gif"
],
"synonyms": [
"MedusaReborn"
]
},
"uuid": "7de070ce-4b63-4d3c-be73-1ede22565faf",
"value": "Ako"
},
{
"description": "Arvin Club is a popular Ransomware group with a widespread Telegram presence, which includes personal group chats, and official channels.\nThe group recently launched their official TOR/ Onion website to update their status and release details of their latest attacks and data breaches.\nTheir latest target is Kendriya Vidyala, a chain of Schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.",
"meta": {
"links": [
"http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion/"
],
"synonyms": "Arvin Club"
},
"uuid": "2dfc1668-e338-47f0-ba6c-b4bc3046881e",
"value": "Arvinclub"
},
{
"description": "AtomSilo is a new Ransomware recently seen in September 2021 during one of their attacks by exploiting a recently revealed vulnerability (CVE-2021-26084) in Atlassians Confluence Collaboration Software for initial access. The Ransomware used the double extortion method which is gaining popularity among ransomware threat actors where they first, exfiltrate the confidential information and as a second step encrypt the system files.",
"meta": {
"extensions": [
".ATOMSILO"
],
"links": [
"http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion",
"http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion/list.html"
],
"ransomenotes-files": [
"README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta"
],
"ransomnotes": [
"Atom Slio\nInstructions\nWARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!\n\n--------------------------------------\nWe are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.\n\nBut dont worry, your files are safe, provided that you are willing to pay the ransom.\n\nAny forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently!\n\nThe only way to decrypt your files safely is to buy the special decryption software from us.\n\nThe price of decryption software is 1000000 dollars.\nIf you pay within 48 hours, you only need to pay 500000 dollars. No price reduction is accepted.\n\nWe only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others.\n\nYou have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files\n\n--------------------------------------\n\nTime starts at 0:00 on September 11\n--------------------------------------\nSurvival time 1 Day 14 Hour 26 Min 59 Sec\n\n--------------------------------------\n\nYou can contact us with the following email:\n\nEmail:arvato@atomsilo.com\nIf this email can't be contacted, you can find the latest email address on the following website:\n\nhxxp://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion\n\n--------------------------------------\n\nIf you dont know how to open this dark web site, please follow the steps below to installation and use TorBrowser:\n\nrun your Internet browser\nenter or copy the address hxxps://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER\nwait for the site loading\non the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed\nrun TorBrowser\nconnect with the button \"Connect\" (if you use the English version)\na normal Internet browser window will be opened 
after the initialization\ntype or copy the address in this browser address bar and press ENTER\nthe site should be loaded; if for some reason the site is not loading wait for a moment and try again.\nIf you have any problems during installation or use of TorBrowser, please, visit hxxps://www.youtube.com and type request in the search bar \"Install TorBrowser Windows\" and you will find a lot of training videos about TorBrowser installation and use.\n\n--------------------------------------\n\nAdditional information:\n\nYou will find the instructions (\"README-FILE-#COMPUTER#-#TIME#.hta\") for restoring your files in any folder with your encrypted files.\n\nThe instructions \"README-FILE-#COMPUTER#-#TIME#.hta\" in the folders with your encrypted files are not viruses! The instructions \"README-FILE-#COMPUTER#-#TIME#.hta\" will help you to decrypt your files.\n\nRemember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions."
],
"ransomnotes-refs": [
"https://www.cyfirma.com/media/2021/10/Fig-2.png",
"https://www.cyfirma.com/media/2021/10/Fig-2-B.png",
"https://www.pcrisk.com/images/stories/screenshots202109/atomsilo-ransomware-ransom-note-in-gif-image.gif"
],
"refs": [
"https://www.cyfirma.com/outofband/malware-research-on-atomsilo-ransomware/",
"https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion",
"https://twitter.com/siri_urz/status/1437664046556274694",
"https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
"https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/",
"https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
"https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo"
]
},
"uuid": "a322f03f-4bc8-455f-b302-e8724c46f80c",
"value": "Atomsilo"
}
],
"version": 112
"version": 113
}
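Review bot: `"synonyms": "Arvin Club"` in the Arvinclub entry is a bare string, while every other entry in this hunk (Abraham's Ax, Ako) uses an array (`"synonyms": ["Abrahams_Ax"]`); any consumer that iterates synonyms will break on it, so wrap the value in a list. Smaller consistency fixes in the same hunk: the AtomSilo entry's key `"ransomenotes-files"` is misspelled and should be `"ransomnotes-filenames"` as used by the 0Mega and Ako entries; the 0Mega extension `".0mega "` and the Abraham's Ax and Ako onion links carry leading or trailing whitespace that will defeat exact matching; and the aGl0bGVyCg entry's links use defanged `[.]` notation while all other links in the hunk are plain URLs, so defang all of them or none.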