Merge pull request #296 from Delta-Sierra/master

update ransomware galaxy
pull/297/head
Deborah Servili 2018-11-07 09:19:23 +01:00 committed by GitHub
commit 954264c084
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 91 additions and 12 deletions


@ -2907,7 +2907,10 @@
".[Files4463@tuta.io]",
".[RestorFile@tutanota.com]",
"[KOK8@protonmail.com].<random>-<random>.KOK8",
".FOX"
".FOX",
".EMAN50",
".GMAN",
".NOBAD"
],
"ransomnotes": [
"https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
@ -2922,7 +2925,11 @@
"https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg",
"#KOK8_README#.rtf",
"#FOX_README#.rtf",
"HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!"
"HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!",
"!README_GMAN!.rtf",
"#README_EMAN50#.rtf",
"https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg",
"#NOBAD_README#.rtf"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
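Review bot: the screenshot URL "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg" is inserted between the note filenames "#README_EMAN50#.rtf" and "#NOBAD_README#.rtf", so the ransomnotes list now interleaves filenames, a full note body and images with nothing indicating which variant each belongs to. The existing entries follow a pattern of filename(s) first ("#KOK8_README#.rtf", "#FOX_README#.rtf") followed by the note body; suggest keeping the three new filenames together and placing the image either with the other image URLs at the top of the list or directly after the note it depicts, so an analyst can tell which variant (EMAN50, GMAN or NOBAD) the screenshot documents.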
@ -2931,7 +2938,10 @@
"https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/demonslay335/status/1034212374805278720",
"https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/"
"https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/demonslay335/status/1049314118409306112",
"https://twitter.com/demonslay335/status/1050118985210048512"
],
"synonyms": [
"Malta Ransomware",
@ -3270,7 +3280,9 @@
".cmb",
".id-BCBEF350.[paymentbtc@firemail.cc].cmb",
".bip",
".id-BCBEF350.[Beamsell@qq.com].bip"
".id-BCBEF350.[Beamsell@qq.com].bip",
".boost",
".[Darknes@420blaze.it].waifu"
],
"ransomnotes": [
"README.txt",
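Review bot: the Dharma extension list pairs each short extension with its full observed form (".cmb" with ".id-BCBEF350.[paymentbtc@firemail.cc].cmb", ".bip" with ".id-BCBEF350.[Beamsell@qq.com].bip"), but the two new lines break that pairing: ".boost" is added without its full ".id-<id>.[email].boost" form, and ".[Darknes@420blaze.it].waifu" is added without the bare ".waifu". Suggest adding ".waifu" on its own line, and the full form for ".boost" if it was observed, so that both a string match on the bare extension and on the full pattern keep working for every variant in this entry.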
@ -3288,7 +3300,9 @@
"https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html",
"https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/",
"https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/"
"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/demonslay335/status/1049313390097813504"
]
},
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
@ -3771,13 +3785,23 @@
".c400",
".c300",
"!@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd",
"!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR"
"!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR",
"!@#$%^&-()_+.1C"
],
"ransomnotes": [
"Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!"
"Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!",
"INFO.txt",
"Для связи с нами используйте почту\ninkognitoman@tutamail.com\ninkognitoman@firemail.cc"
],
"refs": [
"https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html"
"https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/demonslay335/status/1050117756094476289"
],
"synonyms": [
"RotorCrypt",
"RotoCrypt",
"Tar Ransomware"
]
},
"uuid": "63991ed9-98dc-4f24-a0a6-ff58e489c263",
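Review bot: the new ransom note body "Для связи с нами используйте почту\ninkognitoman@tutamail.com\ninkognitoman@firemail.cc" is the only non-English note in this entry; it reads "To contact us, use the e-mail" followed by the two addresses, so it is a contact note rather than a full ransom demand. That is fine for raw storage, but since the new extension "!@#$%^&-()_+.1C" carries no contact address (unlike "!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR" above it), the two inkognitoman addresses in this note are the only indicator tying this variant to RotorCrypt; suggest double-checking the extension string character by character against the tweet in refs, since a run of punctuation like this is easy to mangle when copied.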
@ -9966,14 +9990,18 @@
".[suupport@protonmail.com].scarab",
".fastrecovery@airmail.cc",
".files-xmail@cock.li.TXT",
".leen"
".leen",
".qweuirtksd"
],
"ransomnotes": [
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
"HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT",
"Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!",
"INSTRUCTIONS FOR RESTORING FILES.TXT",
"Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam."
"Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.",
"!!!ReadMeToDecrypt.txt",
"Attention, all your files are encrypted with the AES cbc-128 algorithm!\n\n It's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n\n To do this, send me several encrypted files to kathi.bell.1997@outlook.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48 from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48\nAfter payment, send me a letter to kathi.bell.1997@outlook.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at kathi.bell.1997@outlook.com\n\n As a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
"Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future."
],
"refs": [
"https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
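Review bot: ".qweuirtksd" is added to the Scarab extension list without any accompanying ransom note filename or body, whereas the other extensions in this hunk each have one (".fastrecovery@airmail.cc" maps to "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT", ".leen" to the note that names mr.leen@protonmail.com). If the note for the .qweuirtksd variant is known from the source tweet, add it in the same change so the extension is not the only indicator for that variant; otherwise this is acceptable as a partial entry.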
@ -9983,7 +10011,9 @@
"https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/",
"https://twitter.com/demonslay335/status/1006222754385924096",
"https://twitter.com/demonslay335/status/1006908267862396928",
"https://twitter.com/demonslay335/status/1007694117449682945"
"https://twitter.com/demonslay335/status/1007694117449682945",
"https://twitter.com/demonslay335/status/1049316344183836672",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/"
]
},
"uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4",
@ -11143,7 +11173,56 @@
},
"uuid": "c0dffb94-dcee-11e8-81b9-3791d1c6638f",
"value": "CommonRansom"
},
{
"description": "MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. Has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.",
"meta": {
"refs": [
"https://twitter.com/malwrhunterteam/status/1048616343975682048",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/"
],
"synonyms": [
"Godsomware v1.0",
"Ransomware God Crypt"
]
},
"uuid": "7074f228-e0ee-11e8-9c49-7fc798e92ddbx§",
"value": "God Crypt Joke Ransomware"
},
{
"description": "Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.",
"meta": {
"extensions": [
".encr"
],
"ransomnotes": [
"readmy.txt",
"Attention! All your files are encrypted!\nTo recover your files and access them,\nsend a message with your id to email DecryptFox@protonmail.com\n \nPlease note when installing or running antivirus will be deleted\n important file to decrypt your files and data will be lost forever!!!!\n \nYou have 5 attempts to enter the code. If you exceed this\nthe number, all the data, will be irreversibly corrupted. Be\ncareful when entering the code!\n \nyour id [redacted 32 lowercase hex]"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://twitter.com/demonslay335/status/1049325784979132417"
]
},
"uuid": "a920dea5-9f30-4fa2-9665-63f306874381",
"value": "DecryptFox Ransomware"
},
{
"description": "Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt",
"meta": {
"extensions": [
".garrantydecrypt"
],
"ransomnotes": [
"#RECOVERY_FILES#.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/"
]
},
"uuid": "f251740b-1594-460a-a378-371f3a2ae92c",
"value": "garrantydecrypt"
}
],
"version": 40
"version": 41
}
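Review bot: the uuid of the new God Crypt entry, "7074f228-e0ee-11e8-9c49-7fc798e92ddbx§", has two stray trailing characters ("x§") and is therefore not a valid UUID; it should read "7074f228-e0ee-11e8-9c49-7fc798e92ddb", and the galaxy's JSON validation should be run before merging so a malformed uuid cannot break consumers that key on it. Two smaller points in the same hunk: the garrantydecrypt description ("... drops a ransom note named #RECOVERY_FILES#.txt") is the only one without a terminating period, and the God Crypt entry has no "extensions" field while the two entries after it do, so consider adding an empty or explicitly known extension list for consistency.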