add some ransomwares & threat actors

2018-04-16 09:24:11 +02:00 · 2018-04-16 09:24:11 +02:00 · c785ee6384
parent 1a18ffb3eb
commit c785ee6384
2 changed files with 69 additions and 2 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -9436,12 +9436,69 @@
        ]
      },
      "uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340"
+    },
+    {
+      "value": "Magniber Ransomware",
+      "description": "Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/",
+          "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/"
+        ],
+        "extensions": [
+          ".ihsdj",
+          ".kgpvwnr"
+        ],
+        "ransomnotes": [
+          "READ_ME_FOR_DECRYPT_[id].txt",
+          " ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n\n 2. In the \"Tor Browser\" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via \"Tor Browser\" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using \"Tor Browser\":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!"
+        ]
+      },
+      "uuid": "a0c1790a-3ee7-11e8-9774-93351d675a9e"
+    },
+    {
+      "value": "Vurten",
+      "meta": {
+        "refs": [
+          "https://twitter.com/siri_urz/status/981191281195044867"
+        ],
+        "extensions": [
+          ".improved"
+        ],
+        "ransomnotes": [
+          "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg",
+          "UNCRYPT.README"
+        ]
+      },
+      "uuid": "7666e948-3f09-11e8-b0b2-af79c067d856"
+    },
+    {
+      "value": "Reveton ransomware",
+      "description": "A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/",
+          "https://en.wikipedia.org/wiki/Ransomware#Reveton",
+          "https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/"
+        ]
+      },
+      "uuid": "1912ec68-4145-11e8-ac06-9b6643035a71"
+    },
+    {
+      "value": "Fusob",
+      "description": "Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob.\nLike a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well.\nIn order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.\nWhen Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively.\nFusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.",
+      "meta": {
+        "refs": [
+          "https://en.wikipedia.org/wiki/Ransomware#Fusob"
+        ]
+      },
+      "uuid": "c921d9ac-4145-11e8-965b-df5002d4cad8"
    }
  ],
  "source": "Various",
  "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
  "name": "Ransomware",
-  "version": 14,
+  "version": 15,
  "type": "ransomware",
  "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2524,6 +2524,16 @@
        "country": "IR"
      },
      "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e"
+    },
+    {
+      "value": "Operation Parliament",
+      "description": "Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage – they involve gaining access to top legislative, executive and judicial bodies around the world.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/operation-parliament-who-is-doing-what/85237/"
+        ]
+      },
+      "uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0"
    }
  ],
  "name": "Threat actor",
@ -2538,5 +2548,5 @@
  ],
  "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
  "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 36
+  "version": 37
 }