From b4751d396ae36d2ae06e9245675348bc8dc27e03 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 30 Jan 2019 12:07:19 +0100
Subject: [PATCH 1/2] add LockerGoga ransomware
---
 clusters/ransomware.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 47c39e0..9f5d814 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11730,7 +11730,25 @@
 },
 "uuid": "09fa0e0a-f0b2-46ea-8477-653e627b1c22",
 "value": "BitPaymer"
+ },
+ {
+ "meta": {
+ "extensions": [
+ ".locked"
+ ],
+ "ransomnotes-filenames": [
+ "README-NOW.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/u/1100723/Ransomware/LockerGoga-ransom-note.png"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
+ ]
+ },
+ "uuid": "1e19dae5-80c3-4358-abcd-2bf0ba4c76fe",
+ "value": "LockerGoga"
 }
 ],
- "version": 49
+ "version": 50
 }
From 233b7f3aff6e2191221b4ef7830556947f8450cb Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 31 Jan 2019 18:48:19 +0100
Subject: [PATCH 2/2] add APT39
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8450504..3a0fc8a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
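Review bot: The new LockerGoga entry in the ransomware.json hunk has no `description` key, so consumers of the cluster see only the name, the `.locked` extension and the note filename, while the APT39 entry added in the following patch does carry one, leaving the two additions inconsistent. A one-line summary drawn from the cited BleepingComputer report would fit, e.g. `"description": "Ransomware reported in January 2019 as allegedly used in the attack on Altran.",` placed before `"meta"`, with the wording confirmed against the reference since only the article's URL slug is visible here. For anyone matching on this entry, `.locked` is likely a generic extension not unique to one family, so the `README-NOW.txt` note filename and the cited references are the more discriminating indicators.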
@@ -6208,7 +6208,20 @@
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
 "value": "Silence group"
+ },
+ {
+ "description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
+ ],
+ "synonyms": [
+ "APT 39"
+ ]
+ },
+ "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
+ "value": "APT39"
 }
 ],
- "version": 88
+ "version": 89
 }
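Review bot: The APT39 entry's own `description` states that its activity largely aligns with the group publicly tracked as "Chafer", yet that relationship is not expressed in structured form — `synonyms` holds only `"APT 39"`, so tooling that correlates on metadata cannot connect the two. Because the text also notes differences between the two trackings, a `related` entry pointing at the existing Chafer cluster, if one exists in this file, fits better than adding the name as a synonym: `"related": [{ "dest-uuid": "<chafer-cluster-uuid>", "type": "similar" }]`. The cited FireEye reference attributes the group to Iran in its title, so `"country": "IR"` under `meta` would also match how threat-actor entries are usually attributed, assuming that field is in use in this file.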