MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #254 from Delta-Sierra/master 

add ransomwares
pull/258/head
Alexandre Dulaunoy 2018-09-05 17:37:42 +02:00 committed by GitHub
parent 0acc41131d addda6c545
commit 6ab7eac370
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 175 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
clusters/banker.json
View File

@ -828,7 +828,17 @@
},
"uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502",
"value": "Kronos"
},
{
"value": "CamuBot",
"description": "A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.\nCamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ "
]
},
"uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87"
}
],
"version": 12
"version": 13
}

173
clusters/ransomware.json
View File

@ -2850,7 +2850,8 @@
"extensions": [
".MATRIX",
".[Files4463@tuta.io]",
".[RestorFile@tutanota.com]"
".[RestorFile@tutanota.com]",
"[KOK8@protonmail.com].<random>-<random>.KOK8"
],
"ransomnotes": [
"https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
@ -2862,16 +2863,20 @@
"https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg",
"WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!",
"https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg",
"https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg"
"https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg",
"#KOK8_README#.rtf"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
"https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html",
"https://twitter.com/rommeljoven17/status/804251901529231360",
"https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/"
"https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/demonslay335/status/1034212374805278720"
],
"synonyms": [
"Malta Ransomware"
"Malta Ransomware",
"Matrix Ransomware"
]
},
"uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544",
@ -3204,7 +3209,9 @@
".wallet",
".zzzzz",
".cmb",
".id-BCBEF350.[paymentbtc@firemail.cc].cmb"
".id-BCBEF350.[paymentbtc@firemail.cc].cmb",
".bip",
".id-BCBEF350.[Beamsell@qq.com].bip"
],
"ransomnotes": [
"README.txt",
@ -3214,12 +3221,15 @@
"INFO.hta",
"https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg",
"all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc",
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.",
"all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com",
"All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam."
],
"refs": [
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/",
"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/"
"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/"
]
},
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@ -9765,7 +9775,16 @@
"description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors dont take much time preparing the attack or the payload. Instead, theyre rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/"
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
"https://twitter.com/malwrhunterteam/status/1034436350748053504",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".BadNews"
],
"ransomnotes": [
"How To Decode Files.hta",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
]
},
"uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340",
@ -10365,7 +10384,143 @@
{
"value": "STOP Ransomware",
"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
},
{
"value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware",
"description": "A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a \"tip\" to decrypt the files.",
"meta": {
"refs": [
"https://twitter.com/malwrhunterteam/status/1032242391665790981",
"https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/"
],
"synonyms": [
"Barack Obama's Blackmail Virus Ransomware"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg",
"Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information."
]
},
"uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e"
},
{
"value": "CryptoNar",
"description": "When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted.\nIf the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/",
"https://twitter.com/malwrhunterteam/status/1034492151541977088"
],
"extensions": [
".fully.cryptoNar",
".partially.cryptoNar"
],
"ransomnotes": [
"CRYPTONAR RECOVERY INFORMATION.txt",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg"
]
},
"uuid": "10f92054-b028-11e8-a51f-2f82236ac72d"
},
{
"value": "CreamPie Ransomware",
"description": "Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/JakubKroustek/status/1033656080839139333"
],
"extensions": [
".[backdata@cock.li].CreamPie"
]
},
"uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab"
},
{
"value": "Jeff the Ransomware",
"description": "Looks to be in-development as it does not encrypt.",
"meta": {
"refs": [
"https://twitter.com/leotpsc/status/1033625496003731458",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2"
},
{
"value": "Cassetto Ransomware",
"description": "Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1034213399922524160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".cassetto"
],
"ransomnotes": [
"IMPORTANT ABOUT DECRYPT.txt",
"L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg"
]
},
"uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9"
},
{
"value": "Acroware Cryptolocker Ransomware",
"description": "Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.",
"meta": {
"refs": [
"https://twitter.com/leotpsc/status/1034346447112679430",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"synonyms": [
"Acroware Screenlocker"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
]
},
"uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584"
},
{
"value": "Termite Ransomware",
"description": "Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.",
"meta": {
"refs": [
"https://twitter.com/B_H101/status/1034379267956715520",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".aaaaaa"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg"
]
},
"uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412"
},
{
"value": "PICO Ransomware",
"description": "S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/siri_urz/status/1035138577934557184"
],
"synonyms": [
"Pico Ransomware"
],
"extensions": [
".PICO"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg",
"README.txt"
]
},
"uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2"
}
],
"version": 30
"version": 31
}