From ad07b70a03829d52fc4a2218ddb2c36b264d4889 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 31 Oct 2018 14:52:40 +0100
Subject: [PATCH] add ransomwares
---
 clusters/ransomware.json | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index a44901d..ce462e5 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11107,7 +11107,43 @@
 },
 "uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9",
 "value": "SAVEfiles"
+ },
+ {
+ "description": "The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victim's are infected it will leave a ransom requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of \"dnwls07193147\", so it is easily decryptable.",
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes": [
+ "Warning!!!!!!.txt",
+ "https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg",
+ "한국어: 경고!!! 모든 문서, 사진, 데이테베이스 및 기타 중요한 파일이 암호화되었습니다!!\n당신은 돈을 지불해야 합니다\n비트코인 5만원을 fasfry2323@naver.com로 보내십시오 비트코인 지불코드: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX 결제 사이트 http://www.localbitcoins.com/ \nEnglish: Warning!!! All your documents, photos, databases and other important personal files were encrypted!!\nYou have to pay for it.\nSend fifty thousand won to fasfry2323@naver.com Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/"
+ ]
+ },
+ "uuid": "c06a1938-dcee-11e8-bc74-474b0080f0e5",
+ "value": "File-Locker"
+ },
+ {
+ "description": "A new ransomware called CommonRansom was discovered that has a very bizarre request. 
In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim's files.",
+ "meta": {
+ "extensions": [
+ ".[old@nuke.africa].CommonRansom"
+ ],
+ "ransomnotes": [
+ "DECRYPTING.txt",
+ "https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg",
+ "+-----------------------+\n¦----+CommonRansom+-----¦\n+-----------------------+\nHello dear friend,\nYour files were encrypted!\nYou have only 12 hours to decrypt it\nIn case of no answer our team will delete your decryption password\nWrite back to our e-mail: old@nuke.africa\n\n\nIn your message you have to write:\n1. This ID-[VICTIM_ID]\n2. [IP_ADDRESS]:PORT(rdp) of infected machine\n3. Username:Password with admin rights\n4. Time when you have paid 0.1 btc to this bitcoin wallet:\n35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF\n\n\nAfter payment our team will decrypt your files immediatly\n\n\nFree decryption as guarantee:\n1. File must be less than 10MB\n2. Only .txt or .lnk files, no databases\n3. Only 5 files\n\n\nHow to obtain bitcoin:\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/"
+ ]
+ },
+ "uuid": "c0dffb94-dcee-11e8-81b9-3791d1c6638f",
+ "value": "CommonRansom"
 }
 ],
- "version": 39
+ "version": 40
 }
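Review bot: The CommonRansom `description` string is shown broken across a raw line after `bizarre request. `; the hunk's 37 added lines only add up if that string is a single line, so this is probably a rendering artifact, but if the newline is really in the committed file the cluster no longer parses as JSON (an unescaped line break inside a string) and should be joined or written as `\n`. The File-Locker description has a typo: `When victim's are infected` should read `When victims are infected`. Both entries carry the encryption detail (AES with a static key) and the ransom amount only in free text; if the other entries in this file record such facts in structured meta fields (not visible from this hunk), mirroring them there would make the clusters queryable rather than grep-only. The hunk runs to the closing brace of the top-level object, so the full change is in view.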