add several ransomware and threat actors

2019-01-14 16:28:15 +01:00 · 2019-01-14 16:28:15 +01:00 · 61093f6f07
parent 90d2bf7bc1
commit 61093f6f07
2 changed files with 64 additions and 2 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -301,10 +301,14 @@
          ".Kirked"
        ],
        "ransomnotes": [
-          "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png",
-          "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin.  You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'.  Sign up at one of these exchange sites and send the payment to the address below.  Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet):   3000375  -199390 0  0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices:    Days   :Monero: Offer Expires\n    0-2    :  50      : 03/18/17 15:32:14\n    3-7    :  100     : 03/23/17 15:32:14\n    8-14   :  200     : 03/30/17 15:32:14\n    15-30  :  500     : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below.  Include the payment ID from step 1.  Active email addresses:   kirk.help@scryptmail.com    kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'.  Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. &gt; IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files.    Corrupted files cannot be retrieved.    Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER",
+          "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin.  You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'.  Sign up at one of these exchange sites and send the payment to the address below.  Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet):   3000375  -199390 0  0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices:    Days   :Monero: Offer Expires\n    0-2    :  50      : 03/18/17 15:32:14\n    3-7    :  100     : 03/23/17 15:32:14\n    8-14   :  200     : 03/30/17 15:32:14\n    15-30  :  500     : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below.  Include the payment ID from step 1.  Active email addresses:   kirk.help@scryptmail.com    kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'.  Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. &gt; IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files.    Corrupted files cannot be retrieved.    Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER"
+        ],
+        "ransomnotes-filenames": [
          "RANSOM_NOTE.txt"
        ],
+        "ransomnotes-refs": [
+          "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png"
+        ],
        "refs": [
          "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html",
          "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/",
@ -11699,6 +11703,33 @@
      },
      "uuid": "e37ddc9e-8ceb-4817-a17e-755aa379ed14",
      "value": "Djvu"
+    },
+    {
+      "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
+      "meta": {
+        "ransomnotes-filenames": [
+          "RyukReadMe.txt"
+        ],
+        "ransomnotes-refs": [
+          "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig3.png",
+          "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png"
+        ],
+        "refs": [
+          "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+        ]
+      },
+      "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
+      "value": "Ryuk ransomware"
+    },
+    {
+      "description": "In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
+        ]
+      },
+      "uuid": "09fa0e0a-f0b2-46ea-8477-653e627b1c22",
+      "value": "BitPaymer"
    }
  ],
  "version": 48
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -6138,6 +6138,37 @@
      },
      "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
      "value": "TA505"
+    },
+    {
+      "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+        ]
+      },
+      "uuid": "4db86f94-661e-458c-8ce3-ce7ab79af489",
+      "value": "GRIM SPIDER"
+    },
+    {
+      "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+        ]
+      },
+      "uuid": "ce20f612-e2cd-4a61-8c23-5405971ec401",
+      "value": "WIZARD SPIDER"
+    },
+    {
+      "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/"
+        ]
+      },
+      "uuid": "b28d82bc-4f77-4956-b595-8c5d6a1a842b",
+      "value": "MUMMY SPIDER"
    }
  ],
  "version": 85