From 29bf20e89b22bc600f230e4c2e66d1ccff8aea5a Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 19 Feb 2020 15:55:29 +0100
Subject: [PATCH 1/2] add razor ransomware
---
 clusters/ransomware.json | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 238e860..0192381 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json 
@@ -13709,7 +13709,29 @@
 },
 "uuid": "05d5263f-ec23-4279-bb98-55fc233d7e89",
 "value": "Bart ransomware"
+ },
+ {
+ "description": "Razor was discovered by dnwls0719, it is a part of Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (make them unusable/inaccessible), change their filenames, create a ransom note and change victim's desktop wallpaper. Razor renames files by appending the \".razor\" extension to their filenames. For example, it renames \"1.jpg\" to \"1.jpg.razor\", and so on. It creates a ransom note which is a text file named \"#RECOVERY#.txt\", this file contains instructions on how to contact Razor's developers (cyber criminals) and other details.\nAs stated in the \"#RECOVERY#.txt\" file, this ransomware encrypts all files and information about how to purchase a decryption tool can be received by contacting Razor's developers. Victims supposed to contact them via razor2020@protonmail.ch, Jabber client (razor2020@jxmpp.jp) or ICQ client (@razor2020) and wait for further instructions. It is very likely that they will name a price of a decryption tool and/or key and provide cryptocurrency wallet's address that should be used to make a transaction. However, it is never a good idea to trust (pay) any cyber criminals/ransomware developers. It is common that they do not provide decryption tools even after a payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones who have tools that can decrypt files encrypted by their ransomware. In most cases victims have the only free and safe option: to restore files from a backup. 
Also, it is worth mentioning that files remain encrypted even after uninstallation of ransomware, its removal only prevents it from causing further encryptions.",
+ "meta": {
+ "extensions": [
+ ".razor"
+ ],
+ "ransomnotes": [
+ "All your files have been ENCRYPTED!!!\nWrite to our email: \n razor2020@protonmail.ch\n ICQ:\n @razor2020\n Or contact us via jabber:\n razor2020@jxmpp.jp\nJabber (Pidgin) client installation instructions, you can find on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+install\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\ntell your unique ID"
+ ],
+ "ransomnotes-filenames": [
+ "#RECOVERY#.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://www.pcrisk.com/images/stories/screenshots202002/razor-ransom-note.jpg"
+ ],
+ "refs": [
+ "https://www.pcrisk.com/removal-guides/17016-razor-ransomware"
+ ]
+ },
+ "uuid": "ea35282c-0686-4115-a001-bc4203549418",
+ "value": "Razor"
 }
 ],
- "version": 80
+ "version": 81
 }
From a61f8d7049e2857941501f2e6cca01ace83976da Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 28 Feb 2020 11:37:54 +0100
Subject: [PATCH 2/2] add extension to clop ransomware
---
 clusters/ransomware.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 0192381..9602fb1 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13626,7 +13626,8 @@
 "meta": {
 "extensions": [
 ".CIop",
- ".Clop"
+ ".Clop",
+ ".Ciop"
 ],
 "refs": [
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
@@ -13733,5 +13734,5 @@
 "value": "Razor"
 }
 ],
- "version": 81
+ "version": 82
 }
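Review bot: The added `description` string breaks onto a second physical line between `from a backup. ` and `Also, it is worth mentioning`, while every other line break inside that same string is written as the escape `\n`; if that is a real newline in the committed file rather than an artifact of how this page was rendered, the galaxy is no longer valid JSON and a strict parser will reject the entire file, not just the Razor entry. The two fragments should be joined as `...from a backup.\nAlso, it is worth mentioning...` (dropping the stray trailing space), which also matches how the `ransomnotes` text in the same hunk encodes its breaks. Running `clusters/ransomware.json` through a strict JSON parser before merging would settle which case this is, and it is cheap given the `version` bump to 81 in the same hunk is presumably what downstream consumers key on to pick up the new entry.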
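Review bot: The `extensions` array for Clop now holds three values that differ only by a lookalike glyph — `.CIop` (capital I), `.Clop` (lowercase L) and the added `.Ciop` (lowercase i) — so a later edit could easily collapse them as duplicates, or conversely `.Ciop` could itself be a typo for the existing `.CIop`; I cannot tell from the hunk which it is. If `.Ciop` is a genuinely observed variant, citing the source that reports it alongside the existing CERTFR reference in `refs` would record that the three spellings are deliberate, since the galaxy format has no comment syntax for such a note. Consumers matching on these extensions should treat them as exact, case-sensitive strings; a case-folding comparison would merge `.CIop` and `.Ciop` and silently lose the distinction this commit is adding.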