diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 736a5d45..c5a57b4b 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3291,7 +3291,8 @@
 ".adobe",
 ".tron",
 ".AUDIT",
- ".cccmn"
+ ".cccmn",
+ ".fire"
 ],
 "ransomnotes": [
 "README.txt",
@@ -3319,7 +3320,9 @@
 "https://twitter.com/JakubKroustek/status/1038680437508501504",
 "https://twitter.com/demonslay335/status/1059521042383814657",
 "https://twitter.com/demonslay335/status/1059940414147489792",
- "https://twitter.com/JakubKroustek/status/1060825783197933568"
+ "https://twitter.com/JakubKroustek/status/1060825783197933568",
+ "https://twitter.com/JakubKroustek/status/1064061275863425025",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
 ]
 },
 "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@@ -10011,7 +10014,8 @@
 ".qweuirtksd",
 ".mammon",
 ".omerta",
- ".bomber"
+ ".bomber",
+ ".CRYPTO"
 ],
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@@ -10023,7 +10027,9 @@
 "!!!ReadMeToDecrypt.txt",
 "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n\n It's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n\n To do this, send me several encrypted files to kathi.bell.1997@outlook.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48 from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48\nAfter payment, send me a letter to kathi.bell.1997@outlook.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at kathi.bell.1997@outlook.com\n\n As a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
 "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
+ "HOW TO RECOVER ENCRYPTED FILES.TXT",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
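Review bot: The `ransomnotes` array now holds three different kinds of value side by side — a note filename (`HOW TO RECOVER ENCRYPTED FILES.TXT`), two full note bodies, and bleepstatic screenshot URLs — so a consumer that matches note filenames or note text against a host cannot tell which entries are indicators and which are merely references. The same mix is introduced in the hunks at -10857, -10970 and -11368. Keeping only filenames and note text under `ransomnotes` and putting the screenshot links under `refs` (or a dedicated key, if the cluster schema has one) would give the field a single meaning.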
@@ -10857,14 +10863,16 @@
 "extensions": [
 ".[everbe@airmail.cc].everbe",
 ".embrace",
- "pain"
+ "pain",
+ ".[yoursalvations@protonmail.ch].neverdies@tutanota.com"
 ],
 "ransomnotes": [
- "!=How_recovery_files=!.txt",
- "Hi !\nIf you want restore your files write on email - everbe@airmail.cc\nIn the subject write - id-de9bcb"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg"
 ],
 "refs": [
- "https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/"
+ "https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/",
+ "https://twitter.com/malwrhunterteam/status/1065675918000234497",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
 ]
 },
 "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2",
@@ -10970,6 +10978,24 @@
 "value": "KEYPASS"
 },
 {
+ "description": "Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.",
+ "meta": {
+ "extensions": [
+ ".INFOWAIT",
+ "-DATASTOP",
+ ".PUMA"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg",
+ "!readme.txt",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsobVENXcAAR3GC[1].jpg"
+ ],
+ "refs": [
+ "https://twitter.com/Emm_ADC_Soft/status/1064459080016760833",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/MarceloRivero/status/1065694365056679936"
+ ]
+ },
 "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5",
 "value": "STOP Ransomware"
 },
@@ -11335,7 +11361,6 @@
 "value": "M@r1a ransomware"
 },
 {
- "description": "",
 "meta": {
 "extensions": [
 "(enc) prepend"
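Review bot: The Everbe entry loses its only file-based indicators — the `!=How_recovery_files=!.txt` filename and the note body are removed and replaced by a screenshot URL — which a consumer that matches note filenames can no longer use. If this is a deliberate re-attribution (the hunk at -11368 adds `!=How_recovery_files=!.html` to the new DeLpHiMoRix entry), the commit should say so; otherwise the filename should stay alongside the new link. The `pain` extension is rewritten here but still lacks the leading dot its siblings carry; if it really is appended without one, a short clause in the entry's description saying so would settle the question, else `".pain",`.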
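Review bot: In the STOP Ransomware hunk at -10970, `-DATASTOP` is the only extension without a leading dot, between `.INFOWAIT` and `.PUMA`; if the variant really appends `-DATASTOP` to the filename that is fine, but it reads like a typo and the new description, which mentions only the .INFOWAIT variant and `!readme.txt`, gives the reader no way to check. Extending the description with one clause naming the variants the `-DATASTOP` and `.PUMA` entries come from (the refs presumably cover them) would tie all three extensions to a source.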
@@ -11368,6 +11393,63 @@
 },
 "uuid": "f7fa6978-c932-4e62-b4fc-3fbbbc195602",
 "value": "PyCL Ransomware"
+ },
+ {
+ "description": "MalwareHunterTeam discovered the Vapor Ransomware that appends the .Vapor extension to encrypted files. Will delete files if you do not pay in time.",
+ "meta": {
+ "extensions": [
+ ".Vapor"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/1063769884608348160",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/"
+ ]
+ },
+ "uuid": "f53205a0-7a8f-41d1-a427-bf3ab9bd77bb",
+ "value": "Vapor Ransomware"
+ },
+ {
+ "description": "GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.",
+ "meta": {
+ "extensions": [
+ ".Horsuke "
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/GrujaRS/status/1063930127610986496"
+ ]
+ },
+ "uuid": "677aeb47-587d-40a4-80b7-22672ba1160c",
+ "value": "EnyBenyHorsuke Ransomware"
+ },
+ {
+ "meta": {
+ "extensions": [
+ ".demonslay335_you_cannot_decrypt_me!",
+ ".malwarehunterteam"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg",
+ "!=How_recovery_files=!.html"
+ ],
+ "refs": [
+ "https://twitter.com/petrovic082/status/1065223932637315074",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/",
+ "https://twitter.com/demonslay335/status/1066099799705960448"
+ ],
+ "synonyms": [
+ "DelphiMorix"
+ ]
+ },
+ "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
+ "value": "DeLpHiMoRix"
 }
 ],
 "version": 44
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 10db40cc..33489c78 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
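Review bot: `".Horsuke "` in the EnyBenyHorsuke entry carries a trailing space inside the string, so an exact match on the extension will never fire; it should read `".Horsuke"`, as the entry's own description says. Separately, ransomware.json keeps `"version": 44` as context at the end of this hunk although three entries are added, while threat-actor.json is bumped to 82 in the same commit; consumers that use the version to decide whether to refresh the cluster will not pick these entries up unless a follow-up bumps it, so `"version": 45` belongs here. The DeLpHiMoRix entry is also the only new one without a `description`; a one-line summary in the style of the Vapor and Horsuke entries would keep the three consistent.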
@@ -6028,7 +6028,17 @@
 },
 "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
 "value": "INDRIK SPIDER"
+ },
+ {
+ "description": "Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful.\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+ ]
+ },
+ "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
+ "value": "DNSpionage"
 }
 ],
- "version": 81
+ "version": 82
 }
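Review bot: The DNSpionage description is the Talos blog text verbatim in the source's first-person voice (`Based on our research`, `In this post, we will break down`), so the galaxy appears to speak for Talos and the last paragraph only introduces the blog post. A neutral summary that names the source would fit the file better, e.g. `Campaign discovered by Cisco Talos (November 2018) targeting Lebanese and UAE .gov domains and a private Lebanese airline via fake job-posting sites and macro-enabled Office documents, delivering the "DNSpionage" malware (HTTP and DNS C2); the same infrastructure was used to redirect DNS for legitimate domains, with Let's Encrypt certificates issued for the redirected names.` Note also that, by the description's own wording, DNSpionage is the name Talos gave the malware rather than the actor, so a clause saying the actor is tracked under the malware name (or a `synonyms` entry) would help readers of threat-actor.json.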