MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #834 from Delta-Sierra/main 

more ransomwares from ransomlook
pull/835/head
Alexandre Dulaunoy 2023-04-12 10:17:24 +02:00 committed by GitHub
parent 3cc7e03af6 8c831d70c8
commit f877cb4d08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 726 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

731
clusters/ransomware.json
View File

@ -3878,6 +3878,9 @@
"extensions": [
".karma"
],
"links": [
"http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion"
],
"payment-method": "Bitcoin",
"price": "0.5",
"ransomnotes-filenames": [
@ -11475,6 +11478,9 @@
{
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
"meta": {
"links": [
"http://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion/"
],
"payment-method": "Bitcoin",
"price": "2 100 $",
"ransomnotes-filenames": [
@ -13830,6 +13836,11 @@
{
"description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called \"Sodinokibi.\" Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.",
"meta": {
"links": [
"http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/",
"http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/",
"http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog"
],
"refs": [
"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
],
@ -13870,12 +13881,24 @@
{
"description": "A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.",
"meta": {
"links": [
"http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion"
],
"payment-method": "Bitcoin",
"price": "1000 $",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections"
]
},
"related": [
{
"dest-uuid": "d12f369c-f776-468a-8abf-8000b1b30642",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"value": "Nemty"
},
@ -13965,6 +13988,9 @@
"description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
"meta": {
"encryption": "ChaCha20 and RSA",
"links": [
"http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
"https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
@ -14131,6 +14157,9 @@
{
"description": "Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrate data",
"meta": {
"links": [
"https://robinhoodleaks.tumblr.com"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
],
@ -14212,6 +14241,9 @@
".locked",
".pysa"
],
"links": [
"http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/partners.html"
],
"ransomnotes-filenames": [
"RECOVER_YOUR_DATA.txt"
],
@ -14270,6 +14302,9 @@
"extensions": [
".encrypt"
],
"links": [
"http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion"
],
"ransomnotes": [
"All your data has been locked(crypted).\nHow to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]"
],
@ -14323,6 +14358,10 @@
{
"description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomwares cartel. It also follows some of Mazes tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
"meta": {
"links": [
"http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion/",
"http://nbzzb6sa6xuura2z.onion"
],
"ransomnotes-filenames": [
"YOUR_FILES_ARE_ENCRYPTED.HTML"
],
@ -14349,6 +14388,9 @@
".abcd",
".LockBit"
],
"links": [
"http://lockbitkodidilol.onion"
],
"ransomnotes-filenames": [
"Restore-My-Files.txt"
],
@ -14363,6 +14405,15 @@
"ABCD ransomware"
]
},
"related": [
{
"dest-uuid": "c09f73fd-c3c3-42b1-b355-b03ca4941110",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"value": "LockBit"
},
@ -14427,6 +14478,9 @@
".dbe",
".0s"
],
"links": [
"http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/"
],
"ransomnotes": [
"Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. "
],
@ -14487,6 +14541,11 @@
{
"description": "Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.",
"meta": {
"links": [
"http://rgleak7op734elep.onion",
"http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/",
"http://p6o7m73ujalhgkiv.onion"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
@ -21117,7 +21176,10 @@
{
"description": "ransomware",
"meta": {
"date": "December 2020"
"date": "December 2020",
"links": [
"http://ixltdyumdlthrtgx.onion"
]
},
"related": [
{
@ -21726,6 +21788,11 @@
".marlock01",
".ReadInstructions"
],
"links": [
"https://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion",
"http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion/",
"http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion"
],
"ransomnotes-filenames": [
"how_to_ recover_data.html",
"how_to_recover_data.html.marlock01",
@ -21883,7 +21950,21 @@
"value": "NazCrypt"
},
{
"description": "ransomware",
"description": "According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.",
"meta": {
"links": [
"http://hxt254aygrsziejn.onion"
]
},
"related": [
{
"dest-uuid": "5fb75933-1ed5-4512-a062-d39865eedab0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "d12f369c-f776-468a-8abf-8000b1b30642",
"value": "Nefilim"
},
@ -22178,7 +22259,12 @@
"value": "Project57"
},
{
"description": "ransomware",
"description": "PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.",
"meta": {
"links": [
"http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion"
]
},
"related": [
{
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
@ -22733,6 +22819,12 @@
},
{
"description": "ransomware",
"meta": {
"links": [
"http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion",
"https://snatch.press/"
]
},
"uuid": "1a58eeac-26dc-40e6-8182-22cd461ba736",
"value": "Snatch"
},
@ -23583,6 +23675,11 @@
},
{
"description": "ransomware",
"meta": {
"links": [
"http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion"
]
},
"uuid": "b8b0933a-896a-45d1-8284-ebc55dff1f98",
"value": "Exorcist"
},
@ -23895,7 +23992,10 @@
{
"description": "ransomware",
"meta": {
"date": "November 2020"
"date": "November 2020",
"links": [
"http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/"
]
},
"uuid": "678bc24d-a5c3-4ddd-9292-40958afa3492",
"value": "Pay2Key"
@ -23968,6 +24068,9 @@
"description": "ransomware",
"meta": {
"date": "November 2020",
"links": [
"http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion"
],
"synonyms": [
"FiveHands"
]
@ -24431,6 +24534,10 @@
".ragnarok",
".ragnarok_cry"
],
"links": [
"http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion",
"http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro",
"https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/"
@ -24659,9 +24766,15 @@
{
"description": "Ransomware",
"meta": {
"links": [
"http://mountnewsokhwilx.onion"
],
"refs": [
"https://www.cyclonis.com/mount-locker-ransomware-more-dangerous",
"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game"
],
"synonyms": [
"Mount-Locker"
]
},
"uuid": "1da28691-684a-4cd2-b2f8-e80a123e150c",
@ -24681,6 +24794,9 @@
{
"description": "Ransomware",
"meta": {
"links": [
"http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion/"
],
"refs": [
"https://twitter.com/malwrhunterteam/status/1501857263493001217",
"https://dissectingmalwa.re/blog/pandora"
@ -24692,6 +24808,9 @@
{
"description": "Ransomware",
"meta": {
"links": [
"http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion"
],
"refs": [
"https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk",
"https://twitter.com/techyteachme/status/1464317136944435209"
@ -24734,6 +24853,9 @@
{
"description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
"meta": {
"links": [
"http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/"
],
"ransomnotes-refs": [
"https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
],
@ -24747,6 +24869,11 @@
{
"description": "First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.",
"meta": {
"links": [
"http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/",
"http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion",
"http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion/v1/companies/disclosed"
],
"ransomnotes": [
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete *.key.abc12 files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.",
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete *.key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed"
@ -24768,6 +24895,10 @@
{
"description": "",
"meta": {
"links": [
"http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion/",
"http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion"
],
"ransomnotes-refs": [
"https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png"
],
@ -24922,6 +25053,11 @@
},
{
"description": "Ransomware",
"meta": {
"links": [
"http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion/"
]
},
"uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067",
"value": "RedAlert"
},
@ -24995,6 +25131,12 @@
},
{
"description": "Ransomware",
"meta": {
"links": [
"http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion"
]
},
"uuid": "fec32bbf-c4f8-499d-8e2a-743bcdd071e7",
"value": "PLAY Ransomware"
},
@ -25010,6 +25152,14 @@
},
{
"description": "Ransomware",
"meta": {
"links": [
"https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion/",
"https://www.karanews.live",
"https://karakurt.tech",
"https://karaleaks.com"
]
},
"uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42",
"value": "Karakurt"
},
@ -25453,7 +25603,578 @@
},
"uuid": "50fdc311-e6c5-4843-9b91-24d66afbdb8d",
"value": "Donutleaks"
},
{
"meta": {
"links": [
"http://h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/"
]
},
"uuid": "14658178-6fea-43bb-ae11-4ae5c2f14560",
"value": "Endurance"
},
{
"meta": {
"links": [
"http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion/posts"
]
},
"uuid": "11a458b9-df9c-486f-8556-2ae662df2802",
"value": "Entropy"
},
{
"meta": {
"links": [
"http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion"
]
},
"uuid": "3a074223-6c97-48ca-b019-50a16a37e956",
"value": "Ep918"
},
{
"meta": {
"links": [
"http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/"
]
},
"uuid": "3c2835b1-53de-4755-ac0f-48dff1e53745",
"value": "Everest"
},
{
"meta": {
"links": [
"http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion/"
]
},
"uuid": "34c540d5-70ad-44cc-b5a2-cd8ec7e2efd6",
"value": "Freecivilian"
},
{
"meta": {
"links": [
"http://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion/"
]
},
"uuid": "29408532-b5d3-47ab-9b31-1ea63a084e45",
"value": "Fsteam"
},
{
"meta": {
"links": [
"http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/"
]
},
"uuid": "506716cf-7e60-46e5-a853-c8a67fe696f9",
"value": "Grief"
},
{
"meta": {
"links": [
"http://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion/"
]
},
"uuid": "267b7b61-ed82-4809-aafe-9d2487c56f19",
"value": "Groove"
},
{
"meta": {
"links": [
"http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion/login.php",
"http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php"
]
},
"uuid": "949fe61d-6df6-4f36-996b-c58bbbc5140f",
"value": "Haron"
},
{
"meta": {
"links": [
"http://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion"
]
},
"uuid": "3c5832ae-3961-423e-8331-218a7aa6e5db",
"value": "Hotarus"
},
{
"meta": {
"links": [
"http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion/board/leak_list/",
"http://7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion/board/victim_list/"
]
},
"uuid": "deea56de-1237-46bf-9ea7-4e1a3b3acd10",
"value": "Icefire"
},
{
"meta": {
"links": [
"https://justice-blade.io"
]
},
"uuid": "71a6edfe-9764-4c9b-b528-e0ee7b73c110",
"value": "Justice_Blade"
},
{
"meta": {
"links": [
"https://kelvinsecteamcyber.wixsite.com/my-site/items"
]
},
"uuid": "3c61d677-a2a6-40fb-aadd-72974f68e62c",
"value": "Kelvin Security"
},
{
"meta": {
"links": [
"https://t.me/minsaudebr"
]
},
"uuid": "e2e035aa-eb95-48af-98a7-f18ddfcc347b",
"value": "Lapsus$"
},
{
"meta": {
"links": [
"http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion/"
]
},
"uuid": "7dea3669-5ec4-4bdf-898f-c3a9f796365e",
"value": "Lilith"
},
{
"meta": {
"links": [
"http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion/",
"http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion",
"http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion",
"http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion",
"http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion",
"http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion",
"http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion",
"http://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion",
"http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion",
"http://lockbitapt.uz",
"http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion",
"http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion",
"http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion",
"http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion",
"http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion",
"http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion",
"http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion",
"http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion"
]
},
"related": [
{
"dest-uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c09f73fd-c3c3-42b1-b355-b03ca4941110",
"value": "Lockbit3"
},
{
"meta": {
"links": [
"http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion",
"http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion",
"http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion"
]
},
"uuid": "9886732d-76a2-4fbb-86b7-9e6a80669fb5",
"value": "Lolnek"
},
{
"meta": {
"links": [
"http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/",
"http://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion/"
]
},
"uuid": "46d56775-5f8c-411e-adbe-2acd07bf99ac",
"value": "Lv"
},
{
"meta": {
"links": [
"http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"
]
},
"uuid": "95891bae-09a4-4d02-990e-2477cb09b9c2",
"value": "Mallox"
},
{
"meta": {
"links": [
"http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion"
]
},
"uuid": "7ecd6452-d521-4095-8fd7-eecdeb6c8d96",
"value": "Mbc"
},
{
"meta": {
"links": [
"http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php"
]
},
"uuid": "c0ce34c6-13b9-41ef-847c-840b090f2bfc",
"value": "Midas"
},
{
"meta": {
"links": [
"http://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525ao25bmasxhid.onion"
]
},
"uuid": "b2e44cc2-2df9-4210-a0ee-9ae913278c00",
"value": "Moisha"
},
{
"meta": {
"links": [
"http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/",
"http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/catalog/"
]
},
"uuid": "814f656d-7107-41d3-a934-1667e427ad8a",
"value": "Monte"
},
{
"meta": {
"links": [
"http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion/",
"http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion/"
]
},
"uuid": "0ea4daa9-0b83-4acb-bc54-420635b7bfea",
"value": "Monti"
},
{
"meta": {
"links": [
"http://58b87e60649ccc808ac8mstiejnj.5s4ixqul2enwxrqv.onion"
]
},
"uuid": "8b726e6a-ed85-4a5b-a501-6bc06dab288d",
"value": "Mydecryptor"
},
{
"meta": {
"links": [
"http://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion"
]
},
"uuid": "815b13b2-2b94-4ea9-adc2-8193936a1c61",
"value": "N3Tworm"
},
{
"meta": {
"links": [
"http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion"
]
},
"uuid": "a449e5a4-a835-419e-af3e-d223c74d0536",
"value": "Netwalker"
},
{
"meta": {
"links": [
"http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion/",
"http://nevbackvzwfu5yu3gszap77bg66koadds6eln37gxdhdk4jdsbkayrid.onion/",
"http://nevaffcwswjosddmw55qhn4u4secw42wlppzvf26k5onrlxjevm6avad.onion/"
]
},
"uuid": "9c517547-8002-4a9a-a360-8d836d2fe3e3",
"value": "Nevada"
},
{
"meta": {
"links": [
"http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion"
]
},
"uuid": "886a2d59-2e8d-4357-b70f-a6dd3d034dfd",
"value": "Nightsky"
},
{
"meta": {
"links": [
"http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion",
"http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/",
"http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion/"
]
},
"uuid": "2b2f2e07-f764-4cc2-86ac-cc087a953cbb",
"value": "Nokoyawa"
},
{
"meta": {
"links": [
"http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion"
]
},
"uuid": "e9e810e3-a919-4417-85d0-fcab700e45de",
"value": "Onepercent"
},
{
"meta": {
"links": [
"http://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion/"
]
},
"uuid": "fd2161a9-cd88-4d12-94d9-52b93b28eb5b",
"value": "Payloadbin"
},
{
"meta": {
"links": [
"http://promethw27cbrcot.onion/blog/"
]
},
"uuid": "bcf0a9da-dca3-42c0-b875-59d434564fbb",
"value": "Prometheus"
},
{
"meta": {
"links": [
"http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/",
"http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion",
"http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog",
"http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/"
]
},
"uuid": "d5b3ce3d-59e2-4e56-a29a-42fb8b733a51",
"value": "Qilin"
},
{
"meta": {
"links": [
"http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion",
"http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/"
]
},
"uuid": "065110c5-574a-4466-a336-e6c5f3ef86c4",
"value": "Qlocker"
},
{
"meta": {
"links": [
"http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion",
"http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion",
"http://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion"
]
},
"uuid": "824f225c-7cd9-47e3-9f5b-c3194e4a26ea",
"value": "Ramp"
},
{
"meta": {
"links": [
"http://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion/"
]
},
"uuid": "62e56597-01c8-4721-abd2-c7efa37fb566",
"value": "Ransomcartel"
},
{
"meta": {
"links": [
"http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion",
"http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion/"
]
},
"uuid": "00a6fc79-8a29-417b-a298-adc8e17d8aba",
"value": "Ransomhouse"
},
{
"meta": {
"links": [
"http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion"
]
},
"uuid": "840d5e7b-e96f-426d-8cf0-a5a10f5e4a46",
"value": "Ranzy"
},
{
"meta": {
"links": [
"http://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion"
]
},
"uuid": "f4340cdb-ed0c-411e-ae11-b14ee151886a",
"value": "Relic"
},
{
"meta": {
"links": [
"http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion",
"http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion"
]
},
"uuid": "9a970739-24e3-4eb5-9154-d0ac6b2c378d",
"value": "Royal"
},
{
"meta": {
"links": [
"http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion"
]
},
"uuid": "470306b5-5a3b-4b63-9c02-0dc917584e72",
"value": "Rransom"
},
{
"meta": {
"links": [
"http://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion/blog",
"http://54bb47h.blog"
]
},
"uuid": "efdf315c-e85c-4d87-b816-ec29dbea67b5",
"value": "Sabbath"
},
{
"meta": {
"links": [
"http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion/login"
]
},
"uuid": "70719914-dc82-4ab0-b925-da837b337c89",
"value": "Solidbit"
},
{
"meta": {
"links": [
"http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion"
]
},
"uuid": "ce4eb745-e341-4f5d-be93-2af23b9ad756",
"value": "Sparta"
},
{
"meta": {
"links": [
"http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/blog/"
]
},
"uuid": "0d4a8359-d607-4e5a-b85c-c8248cfa520a",
"value": "Spook"
},
{
"meta": {
"links": [
"http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion"
]
},
"uuid": "6e20bdd2-31ac-4429-8aa7-4ce8cb7dc7b5",
"value": "Stormous"
},
{
"meta": {
"links": [
"http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion"
]
},
"uuid": "0e2d3ead-3de9-4089-b7a3-10790b6f70f2",
"value": "Unknown"
},
{
"meta": {
"links": [
"http://unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion/"
]
},
"uuid": "df2b1358-b3f1-4af4-8153-02f4fc018b03",
"value": "Unsafe"
},
{
"meta": {
"links": [
"http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion"
]
},
"related": [
{
"dest-uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7fd558de-1dfe-432a-834b-3e2691ee7283",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f4b870cb-8c61-40ab-865b-b8304a120ba5",
"value": "V Is Vendetta"
},
{
"meta": {
"links": [
"http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion",
"http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion"
]
},
"uuid": "465828ea-6e81-4851-b02c-458d696629c1",
"value": "Vfokx"
},
{
"meta": {
"links": [
"http://4hzyuotli6maqa4u.onion",
"http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion",
"http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion/",
"http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion/",
"http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion"
]
},
"uuid": "41979767-bfb8-4633-af1f-3946a599f922",
"value": "Vicesociety"
},
{
"meta": {
"links": [
"http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion/"
]
},
"uuid": "8b2e6391-05b4-439e-b318-1c3ace388c2d",
"value": "Vsop"
},
{
"meta": {
"links": [
"http://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion/"
]
},
"uuid": "e92d5c00-81ae-4909-9994-74bf48180f22",
"value": "Xinglocker"
},
{
"meta": {
"links": [
"http://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion"
]
},
"uuid": "64b7dc11-a627-43b2-91cd-38608784c53f",
"value": "Xinof"
},
{
"meta": {
"links": [
"http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion/"
]
},
"uuid": "476de1fe-d9b7-441a-8cb9-e6648189be3b",
"value": "Yanluowang"
}
],
"version": 117
"version": 118
}