diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 24a46d22..1eb74010 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -121,7 +121,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "GC47 Ransomware" + "value": "GC47 Ransomware" }, { "meta": { @@ -171,7 +171,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016", - "value": "GG Ransomware" + "value": "GG Ransomware" }, { "meta": { @@ -268,7 +268,7 @@ "date": "March 2017" }, "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Turkish FileEncryptor Ransomware" + "value": "Turkish FileEncryptor Ransomware" }, { "meta": { 
@@ -294,7 +294,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero", - "value": "Kirk Ransomware & Spock Decryptor" + "value": "Kirk Ransomware & Spock Decryptor" }, { "meta": { @@ -335,7 +335,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass", - "value": "Crptxxx Ransomware" + "value": "Crptxxx Ransomware" }, { "meta": { @@ -422,7 +422,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "RedAnts Ransomware" + "value": "RedAnts Ransomware" }, { "meta": { 
@@ -436,7 +436,7 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ConsoleApplication1 Ransomware" + "value": "ConsoleApplication1 Ransomware" }, { "meta": { @@ -461,7 +461,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg", - "value": "CYR-Locker Ransomware (FAKE)" + "value": "CYR-Locker Ransomware (FAKE)" }, { "meta": { @@ -532,7 +532,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware", - "value": "Vanguard Ransomware" + "value": "Vanguard Ransomware" }, { "meta": { 
@@ -550,7 +550,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PyL33T Ransomware" + "value": "PyL33T Ransomware" }, { "meta": { @@ -626,7 +626,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "YouAreFucked Ransomware" + "value": "YouAreFucked Ransomware" }, { "meta": { @@ -641,12 +641,12 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", - "value": "CryptConsole 2.0 Ransomware" + "value": "CryptConsole 2.0 Ransomware" }, { "meta": { "synonyms": [ - "BarRaxCrypt  Ransomware" + "BarRaxCrypt Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", 
@@ -660,7 +660,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", - "value": "BarRax  Ransomware" + "value": "BarRax Ransomware" }, { "meta": { @@ -674,12 +674,12 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoLocker by NTK Ransomware" + "value": "CryptoLocker by NTK Ransomware" }, { "meta": { "synonyms": [ - "CzechoSlovak Ransomware" + "CzechoSlovak Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html" @@ -695,7 +695,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "UserFilesLocker Ransomware" + "value": "UserFilesLocker Ransomware" }, { "meta": { 
@@ -710,7 +710,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!", - "value": "AvastVirusinfo Ransomware" + "value": "AvastVirusinfo Ransomware" }, { "meta": { @@ -738,7 +738,7 @@ "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "SuchSecurity Ransomware" + "value": "SuchSecurity Ransomware" }, { "meta": { @@ -856,7 +856,7 @@ "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "LoveLock Ransomware or Love2Lock Ransomware" + "value": "LoveLock Ransomware or Love2Lock Ransomware" }, { "meta": { @@ -1034,7 +1034,7 @@ ], "encryption": "AES", "extensions": [ - ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ", + ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ", ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters" ], "date": "January 2017" 
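Review bot: The rewritten extension string `".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> "` in the -1034 hunk still ends with a space inside the quotes, so the whitespace clean-up touched the line but not the value, and the sibling context element `".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters"` is missing its closing `>`. The same inside-quote trailing space survives on the new side of the `value` lines in the hunks at -2224 (`"Manifestus Ransomware "`), -2297, -2308, -2438, -2491 and -2589 (CryptoBlock, AES-NI, LoveServer, PayDay, Code Virus). Since `value` is the entry's name and the key other tooling matches on, a trailing space makes exact-match lookups against the unpadded name silently fail, so strip it inside the string, e.g. `"value": "Manifestus Ransomware"`.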
@@ -1096,7 +1096,7 @@ "encrypted_readme.txt", "__encrypted_readme.txt", "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png", - "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. 
Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" ], "encryption": "AES+RSA", "extensions": [ @@ -1144,7 +1144,7 @@ "encryption": "AES", "date": "January 2017" }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", "value": "CloudSword Ransomware" }, { @@ -1379,7 +1379,7 @@ "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "All_Your_Documents Ransomware" + "value": "All_Your_Documents Ransomware" }, { "meta": { @@ -1428,7 +1428,7 @@ "ransomnotes": [ "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png" ], - "encryption": "AES-256 + RSA-2048", + "encryption": "AES-256 + RSA-2048", "extensions": [ ".encypted" ], 
@@ -1449,7 +1449,7 @@ "ransomnotes": [ "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" ], - "encryption": "AES-256 + RSA-2048", + "encryption": "AES-256 + RSA-2048", "extensions": [ ".crypt" ], @@ -1461,7 +1461,7 @@ { "meta": { "synonyms": [ - "Serpent Danish Ransomware" + "Serpent Danish Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html" @@ -1469,7 +1469,7 @@ "ransomnotes": [ "==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================" ], - "encryption": "AES-256 + RSA-2048", + "encryption": "AES-256 + RSA-2048", "extensions": [ ".crypt" ], @@ -1568,7 +1568,7 @@ { "meta": { "synonyms": [ - "File0Locked KZ Ransomware" + "File0Locked KZ Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html", 
@@ -2076,13 +2076,13 @@ ], "date": "December 2016" }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.", "value": "Alphabet Ransomware" }, { "meta": { "synonyms": [ - "KokoLocker  Ransomware" + "KokoLocker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html", 
@@ -2097,7 +2097,7 @@ ], "date": "December 2016" }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru", "value": "KoKoKrypt Ransomware" }, { @@ -2173,7 +2173,7 @@ { "meta": { "synonyms": [ - "Fake CryptoLocker" + "Fake CryptoLocker" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html" @@ -2224,7 +2224,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.", - "value": "Manifestus Ransomware " + "value": "Manifestus Ransomware " }, { "meta": { 
@@ -2297,7 +2297,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS", - "value": "CryptoBlock Ransomware " + "value": "CryptoBlock Ransomware " }, { "meta": { @@ -2308,14 +2308,14 @@ "!!! READ THIS -IMPORTANT !!!.txt", "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png" ], - "encryption": "AES-256 (ECB) + RSA-2048", + "encryption": "AES-256 (ECB) + RSA-2048", "extensions": [ ".aes256" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "AES-NI Ransomware " + "value": "AES-NI Ransomware " }, { "meta": { @@ -2438,7 +2438,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.", - "value": "LoveServer Ransomware " + "value": "LoveServer Ransomware " }, { "meta": { 
@@ -2491,7 +2491,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear", - "value": "PayDay Ransomware " + "value": "PayDay Ransomware " }, { "meta": { 
@@ -2513,14 +2513,14 @@ "https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html" ], "ransomnotes": [ - "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", + "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. 
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg" ], "encryption": "AES-256", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!", - "value": "M4N1F3STO Ransomware (FAKE!!!!!)" + "value": "M4N1F3STO Ransomware (FAKE!!!!!)" }, { "meta": { @@ -2533,7 +2533,7 @@ ], "date": "December 2016" }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE", "value": "Dale Ransomware" }, { 
@@ -2589,7 +2589,7 @@ "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Code Virus Ransomware " + "value": "Code Virus Ransomware " }, { "meta": { @@ -2697,7 +2697,7 @@ "ransomnotes": [ "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png" ], - "encryption": "AES and RSA-1024", + "encryption": "AES and RSA-1024", "extensions": [ ".VO_" ], @@ -2720,7 +2720,7 @@ "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", "[5 numbers]-MATRIX-README.RTF" ], - "encryption": "AES and RSA", + "encryption": "AES and RSA", "extensions": [ ".MATRIX" ], @@ -2783,7 +2783,7 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe", - "value": "Locked-In Ransomware or NoValid Ransomware" + "value": "Locked-In Ransomware or NoValid Ransomware" }, { "meta": { @@ -2910,7 +2910,7 @@ { "meta": { "synonyms": [ - "Fake Maktub Ransomware" + "Fake Maktub Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html", 
@@ -2985,7 +2985,7 @@ "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux", - "value": "Nagini Ransomware" + "value": "Nagini Ransomware" }, { "meta": { @@ -3049,7 +3049,7 @@ ], "date": "November 2016" }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS  > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant", + "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant", "value": "Dharma Ransomware" }, { @@ -3170,7 +3170,7 @@ { "meta": { "synonyms": [ - "PClock SuppTeam Ransomware", + "PClock SuppTeam Ransomware", "WinPlock", "CryptoLocker clone" ], 
@@ -3194,7 +3194,7 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat", - "value": "PClock3 Ransomware" + "value": "PClock3 Ransomware" }, { "meta": { @@ -3258,7 +3258,7 @@ "date": "November 2016" }, "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.", - "value": "Telecrypt Ransomware" + "value": "Telecrypt Ransomware" }, { "meta": { 
@@ -3290,7 +3290,7 @@ ], "date": "November 2016" }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe  > FuckSociety", + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety", "value": "FuckSociety Ransomware" }, { @@ -3351,7 +3351,7 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Gremit Ransomware" + "value": "Gremit Ransomware" }, { "meta": { 
@@ -3407,7 +3407,7 @@ "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda", - "value": "Kangaroo Ransomware" + "value": "Kangaroo Ransomware" }, { "meta": { @@ -4082,7 +4082,7 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Globe2 Ransomware" + "value": "Globe2 Ransomware" }, { "meta": { diff --git a/clusters/rat.json b/clusters/rat.json index 29793a7e..dba05799 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
@@ -1161,6 +1161,15 @@
 },
 "description": "Backdoor.NetDevil allows a hacker to remotely control an infected computer.",
 "value": "NetDevil"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.digitrustgroup.com/nanocore-not-your-average-rat/"
+ ]
+ },
+ "description": "In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.\nDigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.",
+ "value": "NanoCore"
 }
 ]
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 753e21ef..9e2fb77b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -389,7 +389,8 @@
 "Backdoor"
 ],
 "refs": [
- "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
+ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/",
+ "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf"
 ],
 "synonyms": [
 "Etso",
@@ -1629,7 +1630,8 @@
 {
 "meta": {
 "synonyms": [
- "Floki Bot"
+ "Floki Bot",
+ "Floki"
 ],
 "refs": [
 "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
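Review bot: The description added for the NanoCore entry is an incident narrative about a DigiTrust retail client — its first four sentences describe the victim's back-office system — and only the last two sentences say anything about the tool, in the vendor's first-person voice (`our experts`). A cluster description should lead with what the tool is, so trim it to the facts the source gives about the RAT, e.g. `"description": "NanoCore is a Remote Access Trojan; in September 2015 DigiTrust observed it delivered as a fake Adobe Flash Player update to a retail back-office system, where it could have captured credit card data, personal information and internal sales information."`. The full narrative remains reachable through the URL in `refs`, so the shortened form loses nothing a reader cannot recover.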
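Review bot: The reference added at `+ "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf"` in the -389 hunk is the Winnti whitepaper, while the reference kept beside it is a NetTraveler article and the entry's `value` lies outside the hunk, so which tool this entry names is not visible here. The visible `"Etso"` synonym suggests it is the Winnti entry, in which case the NetTraveler URL is the odd one out; if it is instead a NetTraveler entry, the new ref is misplaced. Either way, confirm the entry's `value` before merging, since a ref attached to the wrong cluster surfaces in every correlation the galaxy feeds.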
@@ -2798,6 +2800,15 @@
 ]
 }
 },
+ {
+ "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.",
+ "value": "Hackshit",
+ "meta": {
+ "refs": [
+ "https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped"
+ ]
+ }
+ },
 {
 "value": "Moneygram Adwind",
 "meta": {
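Review bot: The Hackshit description carries a truncated quotation — `“.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’` stops mid-sentence — and closes with a Netskope product pitch (`The Netskope Active Platform can proactively protect customers ...`) that says nothing about the threat. I would either complete or drop the dangling TLD sentence and remove the final sentence, leaving only the PhaaS facts the reference supports: base64-packaged bait pages served over HTTPS on .moe domains and victim credentials exfiltrated to the platform over websockets. The curly quotes are valid in UTF-8 JSON, but mixing “ ” and ‘ ’ inside one string is worth normalising to plain ASCII quotes for consistency with the rest of the file.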
@@ -2805,6 +2816,116 @@
 "https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/"
 ]
 }
- }
+ },
+ {
+ "description": " Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.",
+ "value": "Banload",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/banload",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/banload-limits-targets-via-security-plugin/",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/"
+ ]
+ }
+ },
+ {
+ "description": "This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.",
+ "value": "Smoke Loader",
+ "meta": {
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/"
+ ],
+ "synonyms": [
+ "Dofoil"
+ ]
+ }
+ },
+ {
+ "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).",
+ "value": "LockPoS",
+ "meta": {
+ "refs": [
+ "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
+ ]
+ }
+ },
+ {
+ "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. 
Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.",
+ "value": "Fadok",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FFadok.A",
+ "http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html"
+ ],
+ "synonyms": [
+ "Win32/Fadok"
+ ]
+ }
+ },
+ {
+ "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.",
+ "value": "Loki Bot",
+ "meta": {
+ "refs": [
+ "https://phishme.com/loki-bot-malware/"
+ ]
+ }
+ },
+ {
+ "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. 
In this article, we will analyse this evolution:",
+ "value": "KONNI",
+ "meta": {
+ "refs": [
+ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"
+ ]
+ }
+ },
+ {
+ "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
+ "value": "SpyDealer",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
+ ]
+ }
+ },
+ {
+ "description": "",
+ "value": "",
+ "meta": {
+ "refs": [
+ ""
+ ]
+ }
+ },
+ {
+ "description": "",
+ "value": "",
+ "meta": {
+ "refs": [
+ ""
+ ]
+ }
+ },
+ {
+ "description": "",
+ "value": "",
+ "meta": {
+ "refs": [
+ ""
+ ]
+ }
+ },
+ {
+ "description": "",
+ "value": "",
+ "meta": {
+ "refs": [
+ ""
+ ]
+ }
+ },
+ ]
 }
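Review bot: The four empty template objects at the end of the hunk (`"description": ""`, `"value": ""`, `"refs": [""]`) are uncommitted scaffolding: they give four entries the same empty `value`, which is the cluster's identifier, plus an empty-string reference each. The last of them is followed by `},` and then the closing `]`, so the array carries a trailing comma and clusters/tool.json is no longer valid RFC 8259 JSON — a strict loader will reject the whole file, not just these entries. Delete the four placeholder objects and end the SpyDealer object with `}` (no comma) before the `]`; a `jq . clusters/tool.json` or `python -m json.tool` step in CI would have caught this. Minor: the Banload description starts with a stray leading space, and the KONNI text ends with the copied blog lead-in `In this article, we will analyse this evolution:`, which should be trimmed since no article follows.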