add several clusters

2018-12-06 16:13:51 +01:00 · 2018-12-06 16:13:51 +01:00 · 5a725e71ef
parent ac2b5dbe05
commit 5a725e71ef
3 changed files with 73 additions and 6 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -3292,7 +3292,10 @@
          ".tron",
          ".AUDIT",
          ".cccmn",
-          ".fire"
+          ".fire",
+          ".myjob",
+          ".[cyberwars@qq.com].war",
+          ".risk"
        ],
        "ransomnotes": [
          "README.txt",
@ -10015,7 +10018,9 @@
          ".mammon",
          ".omerta",
          ".bomber",
-          ".CRYPTO"
+          ".CRYPTO",
+          ".lolita",
+          ".stevenseagal@airmail.cc"
        ],
        "ransomnotes": [
          "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@ -10027,7 +10032,9 @@
          "!!!ReadMeToDecrypt.txt",
          "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
-          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg"
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
+          "_How to restore files.TXT",
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg"
        ],
        "refs": [
          "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
@ -11448,7 +11455,55 @@
      },
      "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
      "value": "DeLpHiMoRix"
+    },
+    {
+      "description": "@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.",
+      "meta": {
+        "extensions": [
+          ".PERSONAL_ID:.Nuclear"
+        ],
+        "ransomnotes": [
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg",
+          "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg",
+          "https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg"
+        ],
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/",
+          "https://twitter.com/GrujaRS/status/1066799421080461312",
+          "https://www.youtube.com/watch?v=_aaFon7FVbc"
+        ]
+      },
+      "uuid": "950d5501-b5eb-4f53-b33d-76e789912c16",
+      "value": "EnyBeny Nuclear Ransomware"
+    },
+    {
+      "description": "Michael Gillespie discovered a new ransomware that renamed encrypted files to \"[[email]][original].[random].lucky\" and drops a ransom note named _How_To_Decrypt_My_File_.txt.",
+      "meta": {
+        "extensions": [
+          "[<email>]<original>.<random>.lucky"
+        ],
+        "ransomnotes": [
+          "_How_To_Decrypt_My_File_.txt",
+          "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]"
+        ],
+        "refs": [
+          "https://twitter.com/demonslay335/status/1067109661076262913",
+          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/"
+        ]
+      },
+      "uuid": "a8eb9743-dfb6-4e13-a95e-e68153df94e9",
+      "value": "Lucky Ransomware"
+    },
+    {
+      "description": "Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/"
+        ]
+      },
+      "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
+      "value": "WeChat Ransom"
    }
  ],
-  "version": 44
+  "version": 45
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -563,7 +563,9 @@
          "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
        ],
        "synonyms": [
-          "Operation Tropic Trooper"
+          "Operation Tropic Trooper",
+          "Operation TropicTrooper",
+          "TropicTrooper"
        ]
      },
      "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89",
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -7433,7 +7433,17 @@
      },
      "uuid": "43dec915-2511-4275-8007-685402ffab08",
      "value": "Rotexy"
+    },
+    {
+      "description": "A recently discovered cryptomining operation forces access to Windows servers to use their CPU cycles for mining Monero coins. Detected six months ago, the activity went through multiple stages of evolution.\nSince it was spotted in mid-June, the malware received two updates and the number of attacks keeps increasing.\nThe researchers at CheckPoint analyzed the new threat and gave it the name KingMiner. They found that it targets Microsoft IIS and SQL Servers in particular and runs a brute-force attack to gain access. Once in, the malware determines the CPU architecture and checks for older versions of itself to remove them.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/new-kingminer-threat-shows-cryptominer-evolution/"
+        ]
+      },
+      "uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
+      "value": "KingMiner"
    }
  ],
-  "version": 103
+  "version": 104
 }