add HC7 ransomware

2017-12-07 11:25:08 +01:00 · 2017-12-07 11:25:08 +01:00 · f1b4cab10b
parent 3023039956
commit f1b4cab10b
1 changed files with 30 additions and 1 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -8605,12 +8605,41 @@
          "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try  decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files  ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin  to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n  If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:"
        ]
      }
+    },
+    {
+      "value": "HC7",
+      "description": "A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.\nOriginally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November.  As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor.\nUnfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/"
+        ],
+        "extensions": [
+          ".GOTYA"
+        ],
+        "ransomnotes": [
+          "RECOVERY.txt",
+          "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK"
+        ]
+      }
+    },
+    {
+      "value": "HC6",
+      "description": "Predecessor of HC7",
+      "meta": {
+        "refs": [
+          "https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw",
+          "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/"
+        ],
+        "extensions": [
+          ".fucku"
+        ]
+      }
    }
  ],
  "source": "Various",
  "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
  "name": "Ransomware",
-  "version": 3,
+  "version": 4,
  "type": "ransomware",
  "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }