add ransomwares

pull/254/head
Deborah Servili 2018-09-05 08:20:24 +02:00
parent 0a9e91766b
commit fb328b0ef4
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
1 changed files with 157 additions and 6 deletions

@ -2850,7 +2850,8 @@
"extensions": [
".MATRIX",
".[Files4463@tuta.io]",
".[RestorFile@tutanota.com]"
".[RestorFile@tutanota.com]",
"[KOK8@protonmail.com].<random>-<random>.KOK8"
],
"ransomnotes": [
"https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
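Review bot: The added extension "[KOK8@protonmail.com].<random>-<random>.KOK8" has no leading dot, unlike the three entries above it, and its "<random>" placeholders make it a pattern rather than a literal suffix. A consumer that compares file names against this list by exact suffix will never match it. Suggest adding the leading dot for consistency and either documenting the placeholder convention or also listing the fixed suffix ".KOK8".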
@ -2862,16 +2863,20 @@
"https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg",
"WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. 
Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!",
"https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg",
"https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg"
"https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg",
"#KOK8_README#.rtf"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
"https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html",
"https://twitter.com/rommeljoven17/status/804251901529231360",
"https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/"
"https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/demonslay335/status/1034212374805278720"
],
"synonyms": [
"Malta Ransomware"
"Malta Ransomware",
"Matrix Ransomware"
]
},
"uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544",
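Review bot: The added synonym "Matrix Ransomware" near the end of this hunk should be checked against the entry's "value", which lies outside the visible context; if the value is already that string, the synonym is redundant. The new note file name "#KOK8_README#.rtf" is also appended to a list that mixes image URLs and full note text, so nothing ties it to the KOK8 extension added in the previous hunk. A short mention of the KOK8 variant in the entry's description would document the link.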
@ -9769,7 +9774,16 @@
"description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors dont take much time preparing the attack or the payload. Instead, theyre rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/"
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
"https://twitter.com/malwrhunterteam/status/1034436350748053504",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".BadNews"
],
"ransomnotes": [
"How To Decode Files.hta",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
]
},
"uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340",
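Review bot: The new "extensions" and "ransomnotes" lists attribute ".BadNews" and "How To Decode Files.hta" to LockCrypt, but the unchanged "description" says nothing about a variant using them, so a reader cannot tell whether they apply to every LockCrypt sample or only to the one in the added refs. Suggest a sentence in the description naming the variant. The added image URL also ends in "DlsLwUjXsAA0xyY[1].jpg" with unencoded square brackets, which RFC 3986 does not allow in a path; consider "%5B1%5D" if consumers validate these URLs.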
@ -10369,7 +10383,144 @@
{
"value": "STOP Ransomware",
"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"
},
{
"value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware",
"description": "A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a \"tip\" to decrypt the files.",
"meta": {
"refs": [
"https://twitter.com/malwrhunterteam/status/1032242391665790981",
"https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/"
],
"synonyms": [
"Barack Obama's Blackmail Virus Ransomware"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg",
"Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information."
]
},
"uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e"
},
{
"value": "CryptoNar",
"description": "When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted.\nIf the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/",
"https://twitter.com/malwrhunterteam/status/1034492151541977088"
],
"extensions": [
".fully.cryptoNar",
".partially.cryptoNar"
],
"ransomnotes": [
"CRYPTONAR RECOVERY INFORMATION.txt",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg"
]
},
"uuid": "10f92054-b028-11e8-a51f-2f82236ac72d"
},
{
"value": "CreamPie Ransomware",
"description": "Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/JakubKroustek/status/1033656080839139333"
],
"extensions":
[
".[backdata@cock.li].CreamPie"
]
},
"uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab"
},
{
"value": "Jeff the Ransomware",
"description": "Looks to be in-development as it does not encrypt.",
"meta": {
"refs": [
"https://twitter.com/leotpsc/status/1033625496003731458",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
]
},
"uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2"
},
{
"value": "Cassetto Ransomware",
"description": "Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1034213399922524160",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".cassetto"
],
"ransomnotes": [
"IMPORTANT ABOUT DECRYPT.txt",
"L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.",
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg"
]
},
"uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9"
},
{
"value": "Acroware Cryptolocker Ransomware",
"description": "Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.",
"meta": {
"refs": [
"https://twitter.com/leotpsc/status/1034346447112679430",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"synonyms": [
"Acroware Screenlocker"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg"
]
},
"uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584"
},
{
"value": "Termite Ransomware",
"description": "Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.",
"meta": {
"refs": [
"https://twitter.com/B_H101/status/1034379267956715520",
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
],
"extensions": [
".aaaaaa"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg"
]
},
"uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412"
},
{
"value": "PICO Ransomware",
"description": "S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/",
"https://twitter.com/siri_urz/status/1035138577934557184"
],
"synonyms": [
"Pico Ransomware"
],
"extensions": [
".PICO"
],
"ransomnotes": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg",
"README.txt"
]
},
"uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2"
}
],
"version": 30
"version": 31
}
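Review bot: In the Cassetto entry, the ransom note text contains what look like stray characters ("L!W2Be%BS4" at the start and "x§" before "If your files is important"); confirm they are present in the dropped note and are not copy or encoding debris, since this string may be used for matching. In the CreamPie entry, "extensions": is split from its opening bracket onto the next line, unlike every other list in the hunk; join them as "extensions": [ to keep the file's formatting. The PICO description calls it a Thanatos variant, but the entry's "meta" has no field recording that relationship, so it is only discoverable by reading the free text.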