{ "authors": [ "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", "http://pastebin.com/raw/GHgpWjar" ], "values": [ { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif" ], "encryption": "AES", "extensions": [ "RANDOM 3 LETTERS ARE ADDED" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Nhtnwcuf Ransomware (Fake)", "uuid": "81b4e3ac-aa83-4616-9899-8e19ee3bb78b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html", "https://twitter.com/jiriatvirlab/status/838779371750031360" ], "ransomnotes": [ "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png" ], "encryption": "AES", "extensions": [ "RANDOM 3 LETTERS ARE ADDED" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoJacky Ransomware", "uuid": "a8187609-329a-4de0-bda7-7823314e7db9" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg" ], "encryption": "AES-128", "date": "March 2017" }, "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Kaenlupuf Ransomware", "uuid": "b97f07c4-136a-488a-9fa0-35ab45fbfe36" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/", "https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png" ], "encryption": "AES-256", "extensions": [ "example:.encrypted.contact_here_me@india.com.enjey" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "EnjeyCrypter Ransomware", "uuid": "e98e6b50-00fd-484e-a5c1-4b2363579447" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html" ], "ransomnotes": [ "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com" ], "encryption": "AES-128", "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Dangerous Ransomware", "uuid": "7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78" }, { "meta": { "synonyms": [ "Ŧl๏tєгค гคภร๏๓ฬคгє" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html", "https://twitter.com/struppigel/status/839778905091424260" ], "ransomnotes": [ "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =" ], "extensions": [ ".aes" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Vortex Ransomware", "uuid": "04a5889d-b97d-4653-8a0f-d2df85f93430" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg" ], "encryption": "AES-128", "extensions": [ ".fuck_you" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "GC47 Ransomware", "uuid": "2069c483-4701-4a3b-bd51-3850c7aa59d2" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html", "https://twitter.com/jiriatvirlab/status/840863070733885440" ], "ransomnotes": [ "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru" ], "encryption": "AES-128", "extensions": [ ".enc", ".ENC" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", "value": "RozaLocker Ransomware", "uuid": "f158ea74-c8ba-4e5a-b07f-52bd8fe30888" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html" ], "ransomnotes": [ "Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites." ], "encryption": "AES-128", "extensions": [ ".enc" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoMeister Ransomware", "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html" ], "encryption": "AES-128", "extensions": [ ".GG" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016", "value": "GG Ransomware", "uuid": "f62eb881-c6b5-470c-907d-072485cd5860" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html" ], "ransomnotes": [ "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU", "ПАРОЛЬ.txt" ], "encryption": "AES-128", "extensions": [ ".Project34" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Project34 Ransomware", "uuid": "4af0d2bd-46da-44da-b17e-987f86957c1d" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html", "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png" ], "encryption": "AES-128", "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "PetrWrap Ransomware", "uuid": "e11da570-e38d-4290-8a2c-8a31ae832ffb" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html", "https://twitter.com/malwrhunterteam/status/841747002438361089" ], "ransomnotes": [ "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg" ], "encryption": "AES-128", "extensions": [ ".grt" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear", "value": "Karmen Ransomware", "uuid": "da7de60e-0725-498d-9a35-303ddb5bf60a" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg", "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.", "# !!!HELP_FILE!!! #.txt" ], "encryption": "AES-256 + RSA-1024", "extensions": [ ".REVENGE" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant", "value": "Revenge Ransomware", "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e" }, { "meta": { "synonyms": [ "Fake CTB-Locker" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html", "https://twitter.com/JakubKroustek/status/842034887397908480" ], "ransomnotes": [ "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg", "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.", "Beni Oku.txt" ], "encryption": "AES", "extensions": [ ".encrypted" ], "date": "March 2017" }, "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Turkish FileEncryptor Ransomware", "uuid": "a291ac4c-7851-480f-b317-e977a616ac9d" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", "https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/", "http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html", "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges", "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/", "https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png", "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER", "RANSOM_NOTE.txt" ], "encryption": "AES+RSA", "extensions": [ ".kirked", ".Kirked" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero", "value": "Kirk Ransomware & Spock Decryptor", "uuid": "6e442a2e-97db-4a7b-b4a1-9abb4a7472d8" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html", "https://twitter.com/demonslay335?lang=en", "https://twitter.com/malwrhunterteam/status/842781575410597894" ], "ransomnotes": [ "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg", "ZINO_NOTE.TXT" ], "encryption": "AES", "extensions": [ ".ZINO" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "ZinoCrypt Ransomware", "uuid": "719c8ba7-598e-4511-a851-34e651e301fa" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html", "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84", "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc", "https://twitter.com/malwrhunterteam/status/839467168760725508" ], "ransomnotes": [ "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png", "HOW_TO_FIX_!.txt" ], "encryption": "AES", "extensions": [ ".crptxxx" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass", "value": "Crptxxx Ransomware", "uuid": "786ca8b3-6915-4846-8f0f-9865fbc295f5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html", "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/", "https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png", "motd.txt" ], "extensions": [ ".enc" ], "date": "March 2017" }, "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "MOTD Ransomware", "uuid": "5d1a3631-165c-4091-ba55-ac8da62efadf" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html", "https://twitter.com/PolarToffee/status/843527738774507522" ], "ransomnotes": [ "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg", "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg" ], "encryption": "AES", "extensions": [ ".devil" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoDevil Ransomware", "uuid": "f3ead274-6c98-4532-b922-03d5ce4e7cfc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html", "https://twitter.com/struppigel/status/837565766073475072" ], "ransomnotes": [ "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png" ], "encryption": "AES-256+RSA", "extensions": [ ".locked" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "value": "FabSysCrypto Ransomware", "uuid": "e4d36930-2e00-4583-b5f5-d8f83736d3ce" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png" ], "encryption": "AES+RSA", "extensions": [ "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Lock2017 Ransomware", "uuid": "cf47a853-bc1d-42ae-8542-8a7433f6c9c2" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html" ], "encryption": "AES", "extensions": [ ".Horas-Bah" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "RedAnts Ransomware", "uuid": "dd3601f1-df0a-4e67-8a20-82e7ba0ed13c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "ConsoleApplication1 Ransomware", "uuid": "4c3788d6-30a9-4cad-af33-81f9ce3a0d4f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html", "https://twitter.com/malwrhunterteam/status/836995570384453632" ], "encryption": "AES", "extensions": [ ".kr3" ], "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "KRider Ransomware", "uuid": "f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg", "value": "CYR-Locker Ransomware (FAKE)", "uuid": "44f6d489-f376-4416-9ba4-e153472f75fc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html" ], "ransomnotes": [ "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***", "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "DotRansomware", "uuid": "0570e09d-10b9-448c-87fd-c1c4063e6592" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png", "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png", "ReadMe-[3_random_chars].html" ], "encryption": "AES", "extensions": [ ".locked-[3_random_chars]" ], "date": "February 2017" }, "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Unlock26 Ransomware", "uuid": "37b9a28d-8554-4233-b130-efad4be97bc0" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html", "https://twitter.com/JakubKroustek/status/834821166116327425" ], "ransomnotes": [ "READ_ME_TO_DECRYPT.txt" ], "encryption": "AES", "extensions": [ ".EnCrYpTeD" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware", "value": "PicklesRansomware", "uuid": "87171865-9fc9-42a9-9bd4-a453f556f20c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html", "https://twitter.com/JAMESWT_MHT/status/834783231476166657" ], "ransomnotes": [ "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety." ], "encryption": "ChaCha20 and Poly1305", "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware", "value": "Vanguard Ransomware", "uuid": "6a6eed70-3f90-420b-9e4a-5cce9428dc06" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html", "https://twitter.com/Jan0fficial/status/834706668466405377" ], "ransomnotes": [ "ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** " ], "encryption": "ChaCha20 and Poly1305", "extensions": [ ".d4nk" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "PyL33T Ransomware", "uuid": "305cb1fb-d43e-4477-8edc-90b34aaf227f" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/", "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg", "What happen to my files.txt" ], "encryption": "AES-128", "extensions": [ ".trumplockerf", ".TheTrumpLockerf", ".TheTrumpLockerfp" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg", "value": "TrumpLocker Ransomware", "uuid": "63bd845c-94f6-49dc-8f0c-22e6f67820f7" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html", "https://decrypter.emsisoft.com/damage", "https://twitter.com/demonslay335/status/835664067843014656" ], "ransomnotes": [ "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" ], "encryption": "AES-128 OR Combination of SHA-1 and Blowfish", "extensions": [ ".damage" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi", "value": "Damage Ransomware", "uuid": "fbcb6a4f-1d31-4e31-bef5-e162e35649de" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html", "https://twitter.com/malwrhunterteam/status/833636006721122304" ], "ransomnotes": [ "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id" ], "encryption": "AES-128", "extensions": [ "your files get marked with: “youarefucked”" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "value": "XYZWare Ransomware", "uuid": "f0652feb-a104-44e8-91c7-b0435253352b" }, { "meta": { "refs": [ "https://www.enigmasoftware.com/youarefuckedransomware-removal/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png" ], "encryption": "AES-128", "extensions": [ "your files get marked with: “youarefucked”" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "YouAreFucked Ransomware", "uuid": "912af0ef-2d78-4a90-a884-41f3c37c723b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png", "How decrypt files.hta" ], "encryption": "AES", "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", "value": "CryptConsole 2.0 Ransomware", "uuid": "7343da8f-fe18-46c9-8cda-5b04fb48e97d" }, { "meta": { "synonyms": [ "BarRaxCrypt Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", "https://twitter.com/demonslay335/status/835668540367777792" ], "encryption": "AES", "extensions": [ ".barRex", ".BarRax" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "value": "BarRax Ransomware", "uuid": "c0ee166e-273f-4940-859c-ba6f8666247c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg" ], "encryption": "AES", "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoLocker by NTK Ransomware", "uuid": "51bcbbc6-d8e0-4d2b-b5ce-79f26d669567" }, { "meta": { "synonyms": [ "CzechoSlovak Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html" ], "ransomnotes": [ "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)", "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg" ], "encryption": "AES-256+RSA", "extensions": [ ".ENCR" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "UserFilesLocker Ransomware", "uuid": "c9e29151-7eda-4192-9c34-f9a81b2ef743" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017_03_01_archive.html", "https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html" ], "encryption": "AES-256+RSA", "extensions": [ ".A9v9Ahu4-000" ], "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!", "value": "AvastVirusinfo Ransomware", "uuid": "78649172-cf5b-4e8a-950b-a967ff700acf" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png" ], "encryption": "AES", "date": "February 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "SuchSecurity Ransomware", "uuid": "22481dfd-8284-4071-a76f-c9a4a5f43f00" }, { "meta": { "synonyms": [ "VHDLocker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png" ], "encryption": "AES-256", "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "PleaseRead Ransomware", "uuid": "9de7a1f2-cc21-40cf-b44e-c67f0262fbce" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html", "https://twitter.com/MarceloRivero/status/832302976744173570", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg", "INSTRUCCIONES.txt" ], "extensions": [ "[KASISKI]" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Kasiski Ransomware", "uuid": "59b537dc-3764-42fc-a416-92d2950aaff1" }, { "meta": { "synonyms": [ "Locky Impersonator Ransomware" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/", "https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/" ], "ransomnotes": [ "Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Fake Locky Ransomware", "uuid": "26a34763-a70c-4877-b99f-ae39decd2107" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html", "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/" ], "ransomnotes": [ "# RESTORING FILES #.txt", "# RESTORING FILES #.html", "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png" ], "encryption": "AES(256)/ROT-13", "extensions": [ ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMix family.", "value": "CryptoShield 1.0 Ransomware", "uuid": "1f915f16-2e2f-4681-a1e8-e146a0a4fcdf" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/", "https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/", "https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png", "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png", "DECRYPT_INFORMATION.html", "UNIQUE_ID_DO_NOT_REMOVE" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"", "value": "Hermes Ransomware", "uuid": "b7102922-8aad-4b29-8518-6d87c3ba45bb" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg" ], "encryption": "AES", "extensions": [ ".hasp" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "LoveLock Ransomware or Love2Lock Ransomware", "uuid": "0785bdda-7cd8-4529-b28e-787367c50298" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg" ], "encryption": "AES", "extensions": [ ".wcry" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Wcry Ransomware", "uuid": "0983bdda-c637-4ad9-a56f-615b2b052740" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html", "https://twitter.com/bleepincomputer/status/816053140147597312?lang=en" ], "ransomnotes": [ "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png", "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg" ], "encryption": "AES", "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "DUMB Ransomware", "uuid": "27feba66-e9c7-4414-a560-1e5b7da74d08" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017_02_01_archive.html", "https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html" ], "encryption": "AES", "extensions": [ ".b0C", ".b0C.x" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "X-Files", "uuid": "c24f48ca-060b-4164-aafe-df7b3f43f40e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg" ], "encryption": "AES-256", "extensions": [ ".aes" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.", "value": "Polski Ransomware", "uuid": "b50265ac-ee45-4f5a-aca1-fabe3157fc14" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html", "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/", "https://twitter.com/_ddoxer/status/827555507741274113" ], "ransomnotes": [ "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png", "README.txt" ], "encryption": "AES-256", "extensions": [ ".yourransom" ], "date": "February 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)", "value": "YourRansom Ransomware", "uuid": "908b914b-6744-4e16-b014-121cf2106b5f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html", "https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png" ], "encryption": "AES-256", "date": "February 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service", "value": "Ranion RaasRansomware", "uuid": "b4de724f-add4-4095-aa5a-e4d039322b59" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html" ], "ransomnotes": [ "How to recover my files.txt", "README.png", "README.html", "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg" ], "encryption": "AES-256", "extensions": [ ".potato" ], "date": "January 2017" }, "description": "Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.", "value": "Potato Ransomware", "uuid": "378cb77c-bb89-4d32-bef9-1b132343f3fe" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html" ], "ransomnotes": [ "!!!.txt", "1.bmp", "1.jpg", "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg", "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884" ], "encryption": "RC4", "extensions": [ ".-opentoyou@india.com" ], "date": "December 2016/January 2017" }, "description": "This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)", "uuid": "e290fa29-6fc1-4fb5-ac98-44350e508bc1" }, { "meta": { "refs": [ "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html", "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html", "https://twitter.com/jiriatvirlab/status/825411602535088129" ], "ransomnotes": [ "YOUR FILES ARE ENCRYPTED!!!.txt", "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png", "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool." ], "encryption": "AES", "extensions": [ ".encrypted" ], "date": "January 2017" }, "description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", "value": "RansomPlus", "uuid": "c039a50b-f5f9-4ad0-8b66-e1d8cc86717b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html", "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/", "https://twitter.com/PolarToffee/status/824705553201057794" ], "ransomnotes": [ "How decrypt files.hta", "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key" ], "encryption": "AES", "extensions": [ ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ", ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters" ], "date": "January 2017" }, "description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files", "value": "CryptConsole", "uuid": "42508fd8-3c2d-44b2-9b74-33c5d82b297d" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310", "https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html" ], "extensions": [ ".zxz" ], "date": "January 2017" }, "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A", "value": "ZXZ Ramsomware", "uuid": "e4932d1c-2f97-474d-957e-c7df87f9591e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html" ], "encryption": "AES+RSA", "extensions": [ ".vxlock" ], "date": "January 2017" }, "description": "Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc", "value": "VxLock Ransomware", "uuid": "14deb95c-7af3-4fb1-b2c1-71087e1bb156" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/funfact.html", "http://www.enigmasoftware.com/funfactransomware-removal/" ], "ransomnotes": [ "note.iti", "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----" ], "encryption": "AES+RSA", "date": "January 2017" }, "description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.", "value": "FunFact Ransomware", "uuid": "2bfac605-a2c5-4742-92a2-279a08a4c575" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html", "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html" ], "ransomnotes": [ "encrypted_readme.txt", "__encrypted_readme.txt", "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png", "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" ], "encryption": "AES+RSA", "extensions": [ ".<7_random_letters>" ], "date": "January 2017" }, "description": "First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", "value": "ZekwaCrypt Ransomware", "uuid": "89d5a541-ef9a-4b18-ac04-2e1384031a2d" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom", "https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/", "https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga" ], "ransomnotes": [ "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png", "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png", "!Recovery_[3_random_chars].html" ], "encryption": "AES", "extensions": [ ".sage" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker", "value": "Sage 2.0 Ransomware", "uuid": "9174eef3-65f7-4ab5-9b55-b323b36fb962" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html", "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/", "https://twitter.com/BleepinComputer/status/822653335681593345" ], "ransomnotes": [ "Warning警告.html", "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg" ], "encryption": "AES", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", "value": "CloudSword Ransomware", "uuid": "a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4" }, { "meta": { "synonyms": [ "Fake" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg", "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg" ], "encryption": "AES", "extensions": [ ".killedXXX" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!", "value": "DN", "uuid": "327eb8b4-5793-42f0-96c0-7f651a0debdc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/garryweber.html" ], "ransomnotes": [ "HOW_OPEN_FILES.html", "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg" ], "encryption": "AES", "extensions": [ ".id-_garryweber@protonmail.ch" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc..", "value": "GarryWeber Ransomware", "uuid": "b6e6da33-bf23-4586-81cf-dcfe10e13a81" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html", "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "https://twitter.com/Xylit0l/status/821757718885236740" ], "ransomnotes": [ "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png", "HELP_DECRYPT_FILES.html" ], "encryption": "AES-256 + RSA-2048", "extensions": [ ".stn" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS", "value": "Satan Ransomware", "uuid": "61d8bba8-7b22-493f-b023-97ffe7f17caf" }, { "meta": { "synonyms": [ "HavocCrypt Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg" ], "encryption": "AES", "extensions": [ ".HavocCrypt" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..", "value": "Havoc", "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html", "http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/" ], "ransomnotes": [ "IMPORTANTE_LEER.html", "RECUPERAR_ARCHIVOS.html", "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.", "value": "CryptoSweetTooth Ransomware", "uuid": "ca831782-fcbf-4984-b04e-d79b14e48a71" }, { "meta": { "synonyms": [ "RansomTroll Ransomware", "Käändsõna Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html", "https://twitter.com/BleepinComputer/status/819927858437099520" ], "ransomnotes": [ "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png", "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'" ], "encryption": "AES", "extensions": [ ".kencf" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts", "value": "Kaandsona Ransomware", "uuid": "aed61a0a-dc48-43ac-9c33-27e5a286899e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html", "http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/" ], "ransomnotes": [ "READ_IT.hTmL", "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif" ], "encryption": "AES-256", "extensions": [ ".lambda_l0cked" ], "date": "January 2017" }, "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware", "value": "LambdaLocker Ransomware", "uuid": "0d1b35e9-c87a-4972-8c27-a11c13e351d7" }, { "meta": { "synonyms": [ "HakunaMatataRansomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html", "https://id-ransomware.blogspot.co.il/2016_03_01_archive.html" ], "ransomnotes": [ "Recovers files yako.html", "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png" ], "encryption": "AES", "extensions": [ ".HakunaMatata" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "NMoreia 2.0 Ransomware", "uuid": "0645cae2-bda9-4d68-8bc3-c3c1eb9d1801" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html", "https://decrypter.emsisoft.com/marlboro", "https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png", "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png", "_HELP_Recover_Files_.html" ], "encryption": "XOR", "extensions": [ ".oops" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)", "value": "Marlboro Ransomware", "uuid": "4ae98da3-c667-4c6e-b0fb-5b52c667637c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html", "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware", "http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png", "[Infection-ID].HTML" ], "encryption": "AES+RSA", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png", "value": "Spora Ransomware", "uuid": "46601172-d938-47af-8cf5-c5a796ab68ab" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html" ], "encryption": "AES+RSA", "extensions": [ ".crypto" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.", "value": "CryptoKill Ransomware", "uuid": "7ae2f594-8a72-4ba8-a37a-32457d1d3fe8" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png" ], "extensions": [ "AES+RSA" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "All_Your_Documents Ransomware", "uuid": "62120e20-21f6-474b-9dc1-fc871d25c798" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html", "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/", "https://twitter.com/malwrhunterteam/status/830116190873849856" ], "ransomnotes": [ "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg", "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg" ], "encryption": "AES", "extensions": [ ".velikasrbija" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.", "value": "SerbRansom 2017 Ransomware", "uuid": "fb1e99cb-73fa-4961-a052-c90b3f383542" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html", "https://twitter.com/malwrhunterteam/status/829768819031805953", "https://twitter.com/malwrhunterteam/status/838700700586684416" ], "ransomnotes": [ "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg" ], "encryption": "AES", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.", "value": "Fadesoft Ransomware", "uuid": "ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html", "https://www.ozbargain.com.au/node/228888?page=3", "https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png" ], "encryption": "AES-256 + RSA-2048", "extensions": [ ".encypted" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "HugeMe Ransomware", "uuid": "681ad7cc-fda0-40dc-83b3-91fdfdec81e1" }, { "meta": { "synonyms": [ "DynA CryptoLocker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html", "https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" ], "encryption": "AES-256 + RSA-2048", "extensions": [ ".crypt" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "DynA-Crypt Ransomware", "uuid": "9979ae53-98f7-49a2-aa1e-276973c2b44f" }, { "meta": { "synonyms": [ "Serpent Danish Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html" ], "ransomnotes": [ "==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================" ], "encryption": "AES-256 + RSA-2048", "extensions": [ ".crypt" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Serpent 2017 Ransomware", "uuid": "3b472aac-085b-409e-89f1-e8c766f7c401" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg", "README.HTML" ], "encryption": "ROT-23", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Erebus 2017 Ransomware", "uuid": "c21e637c-6611-47e1-a191-571409b6669a" }, { "meta": { "synonyms": [ "Ransomuhahawhere" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png" ], "extensions": [ ".locked" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Cyber Drill Exercise ", "uuid": "dcb183d1-11b5-464c-893a-21e132cb7b51" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html", "https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg" ], "extensions": [ ".cancer" ], "date": "February 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.", "value": "Cancer Ransomware FAKE", "uuid": "ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html", "https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.", "value": "UpdateHost Ransomware", "uuid": "ed5b30b0-2949-410a-bc4c-3d90de93d033" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg" ], "encryption": "AES", "extensions": [ ".v8dp" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.", "value": "Nemesis Ransomware", "uuid": "b5942085-c9f2-4d1a-aadf-1061ad38fb1d" }, { "meta": { "synonyms": [ "File0Locked KZ Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html", "http://www.enigmasoftware.com/evilransomware-removal/", "http://usproins.com/evil-ransomware-is-lurking/", "https://twitter.com/jiriatvirlab/status/818443491713884161", "https://twitter.com/PolarToffee/status/826508611878793219" ], "ransomnotes": [ "HOW_TO_DECRYPT_YOUR_FILES.TXT", "HOW_TO_DECRYPT_YOUR_FILES.HTML", "https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png", "https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png" ], "encryption": "AES", "extensions": [ ".file0locked", ".evillock" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript", "value": "Evil Ransomware", "uuid": "57933295-4a0e-4f6a-b06b-36807ff150cd" }, { "meta": { "synonyms": [ "Ocelot Locker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html", "https://twitter.com/malwrhunterteam/status/817648547231371264" ], "ransomnotes": [ "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg", "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.", "value": "Ocelot Ransomware (FAKE RANSOMWARE)", "uuid": "054b9fbd-72fa-464f-a683-a69ab3936d69" }, { "meta": { "synonyms": [ "Blablabla Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html", "https://twitter.com/malwrhunterteam/status/817079028725190656" ], "ransomnotes": [ "INFOK1.txt", "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png", "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg" ], "encryption": "AES", "date": "January 2017" }, "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "value": "SkyName Ransomware", "uuid": "00b8ff33-1504-49a4-a025-b761738eed68" }, { "meta": { "synonyms": [ "Depsex Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/", "https://twitter.com/BleepinComputer/status/817069320937345024" ], "ransomnotes": [ "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png", "READ_ME.txt" ], "encryption": "AES", "extensions": [ ".locked-by-mafia" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear", "value": "MafiaWare Ransomware", "uuid": "e5a60429-ae5d-46f4-a731-da9e2fcf8b92" }, { "meta": { "synonyms": [ "Purge Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html", "https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/", "https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/", "https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html", "https://decrypter.emsisoft.com/globe3" ], "ransomnotes": [ "How To Recover Encrypted Files.hta", "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png", "https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png" ], "encryption": "AES-256+RSA or RC4", "extensions": [ ".badnews", ".globe", ".[random].bit", ".[random].encrypted", ".[random].raid10", ".[random].globe", ".[mia.kokers@aol.com]", ".unlockv@india.com", ".rescuers@india.com.3392cYAn548QZeUf.lock", ".locked", ".decrypt2017", ".hnumkhotep" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.", "value": "Globe3 Ransomware", "uuid": "fe16edbe-3050-4276-bac3-c7ff5fd4174a" }, { "meta": { "synonyms": [ "FireCrypt Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg" ], "encryption": "AES-256", "extensions": [ ".firecrypt" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg", "value": "BleedGreen Ransomware", "uuid": "fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/btcamant.html" ], "ransomnotes": [ "BTC_DECRYPT_FILES.txt", "BTC_DECRYPT_FILES.html", "https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png" ], "encryption": "AES", "extensions": [ ".BTC" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)", "value": "BTCamant Ransomware", "uuid": "a5826bd3-b457-4aa9-a2e7-f0044ad9992f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png" ], "encryption": "AES", "extensions": [ "_x3m", "_r9oj", "_locked" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.", "value": "X3M Ransomware", "uuid": "192bc3e8-ace8-4229-aa88-37034a11ef5b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html", "https://twitter.com/BleepinComputer/status/816112218815266816" ], "ransomnotes": [ "DecryptFile.txt", "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png", "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png" ], "encryption": "AES", "extensions": [ ".LOCKED" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "GOG Ransomware", "uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html", "https://twitter.com/BleepinComputer/status/815392891338194945" ], "ransomnotes": [ "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg" ], "encryption": "AES", "extensions": [ ".edgel" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.", "value": "EdgeLocker", "uuid": "ecfa106d-0aff-4f7e-a259-f00eb14fc245" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html", "https://twitter.com/JaromirHorejsi/status/815557601312329728" ], "ransomnotes": [ "MESSAGE.txt", "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear", "value": "Red Alert", "uuid": "f762860a-5e7a-43bf-bef4-06bd27e0b023" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "First", "uuid": "ed26fcf3-47fb-45cc-b5f9-de18f6491934" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html", "https://twitter.com/JakubKroustek/status/825790584971472902" ], "ransomnotes": [ "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg", "Xhelp.jpg" ], "encryption": "Twofish", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.", "value": "XCrypt Ransomware", "uuid": "fd5bb71f-80dc-4a6d-ba8e-ed74999700d3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html", "https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png" ], "ransomnotes": [ "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png" ], "encryption": "Twofish", "extensions": [ ".7zipper" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "7Zipper Ransomware", "uuid": "d8ec9e54-a4a4-451e-9f29-e7503174c16e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html", "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware", "https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip", "https://twitter.com/GrujaRS/status/826153382557712385" ], "ransomnotes": [ "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png" ], "encryption": "AES", "extensions": [ ".lock", ".locked" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 170$ or EUR in Bitcoins.", "value": "Zyka Ransomware", "uuid": "7b7c8124-c679-4201-b5a5-5e66e6d52b70" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html", "http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c" ], "ransomnotes": [ "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif" ], "encryption": "AES-256 (fake)", "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.", "value": "SureRansom Ransomeware (Fake)", "uuid": "a9365b55-acd8-4b70-adac-c86d121b80b3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/", "https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/", "http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012", "https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg", "https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png" ], "ransomnotes": [ "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg", "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad" ], "encryption": "AES-256", "extensions": [ ".se" ], "date": "January 2017" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.", "value": "Netflix Ransomware", "uuid": "1317351f-ec8f-4c76-afab-334e1384d3d3" }, { "meta": { "synonyms": [ "Merry X-Mas", "MRCR" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html", "https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/", "http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/", "https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/", "https://decrypter.emsisoft.com/mrcr" ], "ransomnotes": [ "YOUR_FILES_ARE_DEAD.HTA", "MERRY_I_LOVE_YOU_BRUCE.HTA", "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png", "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png" ], "encryption": "AES-256", "extensions": [ ".MRCR1", ".PEGS1", ".RARE1", ".RMCM1", ".MERRY" ], "date": " December 2016" }, "description": "It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.", "value": "Merry Christmas", "uuid": "72cbed4e-b26a-46a1-82be-3d0154fdd2e5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html" ], "encryption": "AES", "extensions": [ ".seoire" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.", "value": "Seoirse Ransomware", "uuid": "bdf807c2-74ec-4802-9907-a89b1d910296" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html", "https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/", "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/", "http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/", "http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware", "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", "https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png" ], "encryption": "AES-256+RSA", "date": "November/December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.", "value": "KillDisk Ransomware", "uuid": "8e067af6-d1f7-478a-8a8e-5154d2685bd1" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif", "unlock-everybody.txt" ], "encryption": "AES", "extensions": [ ".deria" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.", "value": "DeriaLock Ransomware", "uuid": "c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html", "https://twitter.com/demonslay335/status/813064189719805952" ], "ransomnotes": [ "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png", "More.html" ], "encryption": "AES", "extensions": [ ".bript" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "BadEncript Ransomware", "uuid": "43bfbb2a-9416-44da-81ef-03d6d3a3923f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg" ], "encryption": "AES", "extensions": [ ".adam" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.", "value": "AdamLocker Ransomware", "uuid": "5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html", "https://twitter.com/PolarToffee/status/812331918633172992" ], "ransomnotes": [ "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg" ], "encryption": "AES", "extensions": [ ".alphabet" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.", "value": "Alphabet Ransomware", "uuid": "dd356ed3-42b8-4587-ae53-95f933517612" }, { "meta": { "synonyms": [ "KokoLocker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html", "http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg" ], "encryption": "AES", "extensions": [ ".kokolocker" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru", "value": "KoKoKrypt Ransomware", "uuid": "d672fe4f-4561-488e-bca6-20385b53d77f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html" ], "ransomnotes": [ "YOU_HAVE_BEEN_HACKED.txt", "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png" ], "encryption": "AES-256+RSA", "extensions": [ ".l33tAF" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. The name of the creator is staffttt, he also created Fake CryptoLocker", "value": "L33TAF Locker Ransomware", "uuid": "791a6720-d589-4cf7-b164-08b35b453ac7" }, { "meta": { "synonyms": [ "PClock SysGop Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png" ], "encryption": "AES-256+RSA", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "PClock4 Ransomware", "uuid": "b78be3f4-e39b-41cc-adc0-5824f246959b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html", "https://twitter.com/BleepinComputer/status/812131324979007492" ], "ransomnotes": [ "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg" ], "encryption": "AES-256+RSA", "extensions": [ ".locked" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses VBS-script to send a voice message as the first few lines of the note.", "value": "Guster Ransomware", "uuid": "ffa7ac2f-b216-4fac-80be-e859a0e0251f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg" ], "encryption": "AES", "extensions": [ ".madebyadam" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png", "value": "Roga", "uuid": "cd1eb48e-070b-418e-8d83-4644a388f8ae" }, { "meta": { "synonyms": [ "Fake CryptoLocker" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif" ], "encryption": "AES-128+RSA", "extensions": [ ".cryptolocker" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.", "value": "CryptoLocker3 Ransomware", "uuid": "4094b021-6654-49d5-9b80-a3666a1c1e44" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html", "http://www.archersecuritygroup.com/what-is-ransomware/", "https://twitter.com/demonslay335/status/812002960083394560", "https://twitter.com/malwrhunterteam/status/811613888705859586" ], "ransomnotes": [ "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg" ], "encryption": "AES", "extensions": [ ".crypted" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.", "value": "ProposalCrypt Ransomware", "uuid": "4cf270e7-e4df-49d5-979b-c13d8ce117cc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/", "https://twitter.com/struppigel/status/811587154983981056" ], "ransomnotes": [ "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg" ], "encryption": "AES", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.", "value": "Manifestus Ransomware ", "uuid": "e62ba8f5-e7ce-44ab-ac33-713ace192de3" }, { "meta": { "synonyms": [ "IDRANSOMv3", "Manifestus" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html", "https://twitter.com/demonslay335/status/811343914712100872", "https://twitter.com/BleepinComputer/status/811264254481494016", "https://twitter.com/struppigel/status/811587154983981056" ], "ransomnotes": [ "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif" ], "encryption": "AES", "extensions": [ ".fucked" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name", "value": "EnkripsiPC Ransomware", "uuid": "52caade6-ba7b-474e-b173-63f4332aa808" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png", "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg" ], "encryption": "AES", "extensions": [ ".braincrypt" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. So far the victims are from Belarus and Germany.", "value": "BrainCrypt Ransomware", "uuid": "ade6ec5e-e082-43cb-9b82-ff8c0f4d7e56" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html", "https://twitter.com/struppigel/status/810766686005719040" ], "ransomnotes": [ "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png", "RESTORE_YOUR_FILES.txt" ], "encryption": "AES", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.", "value": "MSN CryptoLocker Ransomware", "uuid": "7de27419-9874-4c3f-b75f-429a507ed7c5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html", "https://twitter.com/drProct0r/status/810500976415281154" ], "ransomnotes": [ "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg" ], "encryption": "RSA-2048", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS", "value": "CryptoBlock Ransomware ", "uuid": "7b0df78e-8f00-468f-a6ef-3e1bda2a344c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html" ], "ransomnotes": [ "!!! READ THIS -IMPORTANT !!!.txt", "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png" ], "encryption": "AES-256 (ECB) + RSA-2048", "extensions": [ ".aes256" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "AES-NI Ransomware ", "uuid": "69c9b45f-f226-485f-9033-fcb796c315cf" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html", "https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png" ], "encryption": "AES-256", "extensions": [ ".encrypted" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user's desktop", "value": "Koolova Ransomware", "uuid": "ff6b8fc4-cfe0-45c1-9814-3261e39b4c9a" }, { "meta": { "synonyms": [ "Globe Imposter", "GlobeImposter" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/", "https://twitter.com/fwosar/status/812421183245287424", "https://decrypter.emsisoft.com/globeimposter", "https://twitter.com/malwrhunterteam/status/809795402421641216" ], "ransomnotes": [ "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg", "HOW_OPEN_FILES.hta" ], "encryption": "AES", "extensions": [ ".crypt" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.", "value": "Fake Globe Ransomware", "uuid": "e03873ef-9e3d-4d07-85d8-e22a55f60c19" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png" ], "encryption": "RSA", "extensions": [ ".v8" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", "value": "V8Locker Ransomware", "uuid": "45862a62-4cb3-4101-84db-8e338d17e283" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg" ], "encryption": "RSA", "extensions": [ ".ENC" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.", "value": "Cryptorium (Fake Ransomware)", "uuid": "96bd63e5-99bd-490c-a23a-e0092337f6e6" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg" ], "encryption": "XOR", "extensions": [ ".antihacker2017" ], "date": "December 2016" }, "description": "It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).", "value": "Antihacker2017 Ransomware", "uuid": "efd64e86-611a-4e10-91c7-e741cf0c58d9" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html", "https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/", "https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg", "value": "CIA Special Agent 767 Ransomware (FAKE!!!)", "uuid": "e479e32e-c884-4ea0-97d3-3c3356135719" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.", "value": "LoveServer Ransomware ", "uuid": "d1698a73-8be8-4c10-8114-8cfa1c399eb1" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png", "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png", "_HELP_YOUR_FILES.html" ], "encryption": "AES", "extensions": [ ".kraken", "[base64].kraken" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.", "value": "Kraken Ransomware", "uuid": "51737c36-11a0-4c25-bd87-a990bd479aaf" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg" ], "encryption": "AES", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.", "value": "Antix Ransomware", "uuid": "8a7e0615-b9bd-41ab-89f1-62d041350e99" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html", "https://twitter.com/BleepinComputer/status/808316635094380544" ], "ransomnotes": [ "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg", "!!!!!ATENÇÃO!!!!!.html" ], "encryption": "AES-256", "extensions": [ ".sexy" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear", "value": "PayDay Ransomware ", "uuid": "70324b69-6076-4d00-884e-7f9d5537a65a" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html" ], "encryption": "AES-256", "extensions": [ ".encrypted" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.", "value": "Slimhem Ransomware", "uuid": "76b14980-e53c-4209-925e-3ab024210734" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html" ], "ransomnotes": [ "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg" ], "encryption": "AES-256", "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!", "value": "M4N1F3STO Ransomware (FAKE!!!!!)", "uuid": "94a3be6b-3a83-40fb-85b2-555239260235" }, { "meta": { "synonyms": [ "DaleLocker Ransomware" ], "encryption": "AES+RSA-512", "extensions": [ ".DALE" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE", "value": "Dale Ransomware", "uuid": "abe6cbe4-9031-46da-9e1c-89d9babe6449" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html", "https://twitter.com/struppigel/status/807161652663742465" ], "ransomnotes": [ "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png" ], "encryption": "AES-256", "extensions": [ ".locked (added before the ending, not to the ending, for example: file.locked.doc" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire", "value": "UltraLocker Ransomware", "uuid": "3a66610b-5197-4af9-b662-d873afc81b2e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html", "https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png" ], "encryption": "AES-256 and RSA-2048", "extensions": [ ".pre_alpha" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", "value": "AES_KEY_GEN_ASSIST Ransomware", "uuid": "d755510f-d775-420c-83a0-b0fe9e483256" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg", "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif" ], "encryption": "AES-256 and RSA-2048", "extensions": [ ".locky" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Code Virus Ransomware ", "uuid": "a23d7c45-7200-4074-9acf-8789600fa145" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png" ], "encryption": "Blowfish", "extensions": [ "_morf56@meta.ua_" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "FLKR Ransomware", "uuid": "1cdc34ce-43b7-4df1-ae8f-ae0acbe5e4ad" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png", "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg", "restore_your_files.html", "restore_your_files.txt" ], "encryption": "AES-256", "extensions": [ ".kok", ".filock" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png", "value": "PopCorn Time Ransomware", "uuid": "c1b3477b-cd7f-4726-8744-a2c44275dffd" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg" ], "encryption": "AES-256", "extensions": [ ".hacked" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.", "value": "HackedLocker Ransomware", "uuid": "c2624d8e-da7b-4d94-b06f-363131ddb6ac" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html", "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/", "https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg", "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg" ], "encryption": "AES(CBC)", "extensions": [ "." ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", "value": "GoldenEye Ransomware", "uuid": "ac7affb8-971d-4c05-84f0-172b61d007d7" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html", "https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/", "https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png" ], "encryption": "AES", "extensions": [ ".sage" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", "value": "Sage Ransomware", "uuid": "3e5a475f-7467-49ab-917a-4d1f590ad9b4" }, { "meta": { "synonyms": [ "VO_ Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png" ], "encryption": "AES and RSA-1024", "extensions": [ ".VO_" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.", "value": "SQ_ Ransomware", "uuid": "5024f328-2595-4dbd-9007-218147e55d5f" }, { "meta": { "synonyms": [ "Malta Ransomware" ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html", "https://twitter.com/rommeljoven17/status/804251901529231360", "https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", "[5 numbers]-MATRIX-README.RTF", "!ReadMe_To_Decrypt_Files!.rtf", "#Decrypt_Files_ReadMe#.rtf", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/ransom-note.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/background.jpg", "https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg", "WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", "https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg", "https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg" ], "encryption": "AES and RSA", "extensions": [ ".MATRIX", ".[Files4463@tuta.io]", ".[RestorFile@tutanota.com]" ], "date": "December 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", "value": "Matrix", "uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Satan666 Ransomware", "uuid": "03d92e7b-95ae-4c5b-8b58-daa2fd98f7a1" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html", "https://twitter.com/BleepinComputer/status/804810315456200704" ], "ransomnotes": [ "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG", "Important!.txt" ], "encryption": "AES-256", "extensions": [ ".R.i.P" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", "value": "RIP (Phoenix) Ransomware", "uuid": "5705df4a-42b0-4579-ad9f-8bfa42bae471" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html", "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/", "https://twitter.com/struppigel/status/807169774098796544" ], "ransomnotes": [ "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg", "RESTORE_CORUPTED_FILES.HTML" ], "encryption": "AES-256", "extensions": [ ".novalid" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe", "value": "Locked-In Ransomware or NoValid Ransomware", "uuid": "777f0b78-e778-435f-b4d5-e40f0b7f54c3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html" ], "encryption": "AES", "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Chartwig Ransomware", "uuid": "37fff5f8-8e66-43d3-a075-3619b6f2163d" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg" ], "encryption": "Rename > Ren + Locker", "extensions": [ ".crypter" ], "date": "November 2016" }, "description": "It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]", "value": "RenLocker Ransomware (FAKE)", "uuid": "957850f7-081a-4191-9e5e-cf9ff27584ac" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html", "https://twitter.com/BleepinComputer/status/801486420368093184" ], "ransomnotes": [ "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png" ], "encryption": "AES", "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Thanksgiving Ransomware", "uuid": "459ea908-e39e-4274-8866-362281e24911" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html", "https://twitter.com/jiriatvirlab/status/801910919739674624" ], "ransomnotes": [ "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif" ], "encryption": "RSA", "extensions": [ ".hannah" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CockBlocker Ransomware", "uuid": "3a40c5ae-b117-45cd-b674-a7750e3f3082" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html", "https://twitter.com/siri_urz/status/801815087082274816" ], "ransomnotes": [ "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png" ], "encryption": "AES-256", "extensions": [ ".encrypted" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire", "value": "Lomix Ransomware", "uuid": "e721b7c5-df07-4e26-b375-fc09a4911451" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html", "https://decrypter.emsisoft.com/ozozalocker", "https://twitter.com/malwrhunterteam/status/801503401867673603" ], "ransomnotes": [ "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG", "HOW TO DECRYPT YOU FILES.txt" ], "encryption": "AES", "extensions": [ ".locked", ".Locked" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png", "value": "OzozaLocker Ransomware", "uuid": "d20b0d12-1a56-4339-b02b-eb3803dc3e6e" }, { "meta": { "synonyms": [ "m0on Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html", "https://www.bleepingcomputer.com/virus-removal/threat/ransomware/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg" ], "encryption": "AES", "extensions": [ ".mo0n" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Crypute Ransomware", "uuid": "5539c8e7-2058-4757-b9e3-71ff7d41db31" }, { "meta": { "synonyms": [ "Fake Maktub Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html", "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG", "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" ], "encryption": "AES-256 + RSA", "extensions": [ ".maktub" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "NMoreira Ransomware", "uuid": "9490641f-6a51-419c-b3dc-c6fa2bab4ab3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html", "https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph", "https://rol.im/VindowsUnlocker.zip", "https://twitter.com/JakubKroustek/status/800729944112427008", "https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png" ], "encryption": "AES", "extensions": [ ".vindows" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.", "value": "VindowsLocker Ransomware", "uuid": "b58e1265-2855-4c8a-ac34-bb1504086084" }, { "meta": { "refs": [ "http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg", "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" ], "encryption": "AES", "extensions": [ ".ENCRYPTED" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", "value": "Donald Trump 2 Ransomware", "uuid": "96c10791-258f-4b2b-a2cc-b5abddbdb285" }, { "meta": { "synonyms": [ "Voldemort Ransomware" ], "refs": [ "http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg" ], "encryption": "RSA", "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux", "value": "Nagini Ransomware", "uuid": "46a35af7-9d05-4de4-a955-41ccf3d3b83b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html", "https://twitter.com/JakubKroustek/status/799388289337671680" ], "ransomnotes": [ "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg" ], "encryption": "AES", "extensions": [ ".l0cked", ".L0cker" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "ShellLocker Ransomware", "uuid": "a8ea7a67-c019-4c6c-8061-8614c47f153e" }, { "meta": { "synonyms": [ "ChipLocker Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html", "http://malware-traffic-analysis.net/2016/11/17/index.html", "https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG", "CHIP_FILES.txt" ], "encryption": "AES + RSA-512", "extensions": [ ".CHIP", ".DALE" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Chip Ransomware", "uuid": "7487fd37-d4ba-4c85-b6f8-8d4d7d5b74d7" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", "https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/" ], "ransomnotes": [ "README.txt", "README.jpg", "Info.hta" ], "encryption": "AES + RSA-512", "extensions": [ ".dharma", ".wallet", ".zzzzz" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant", "value": "Dharma Ransomware", "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html", "https://twitter.com/malwrhunterteam/status/798268218364358656" ], "ransomnotes": [ "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" ], "encryption": "AES", "extensions": [ ".angelamerkel" ], "date": "November 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Angela Merkel Ransomware", "uuid": "a9bb4ae1-b4da-49bb-aeeb-3596cb883860" }, { "meta": { "synonyms": [ "YafunnLocker" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", "https://twitter.com/malwareforme/status/798258032115322880" ], "ransomnotes": [ "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." ], "encryption": "AES-256 + RSA-2048", "extensions": [ "._luck" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoLuck Ransomware", "uuid": "615b682d-4746-464d-8091-8869d0e6ea2c" }, { "meta": { "synonyms": [ "Nemesis", "X3M" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html", "https://decrypter.emsisoft.com/crypton", "https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/", "https://twitter.com/JakubKroustek/status/829353444632825856" ], "ransomnotes": [ "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png" ], "encryption": "AES-256 + RSA + SHA-256", "extensions": [ "_crypt", ".id-_locked", ".id-_locked_by_krec", ".id-_locked_by_perfect", ".id-_x3m", ".id-_r9oj", ".id-_garryweber@protonmail.ch", ".id-_steaveiwalker@india.com_", ".id-_julia.crown@india.com_", ".id-_tom.cruz@india.com_", ".id-_CarlosBoltehero@india.com_", ".id-_maria.lopez1@india.com_" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Crypton Ransomware", "uuid": "117693d2-1551-486e-93e5-981945eecabd" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html", "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png", "# DECRYPT MY FILES #.html", "# DECRYPT MY FILES #.txt" ], "encryption": "AES", "extensions": [ ".karma" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp", "value": "Karma Ransomware", "uuid": "51596eaa-6df7-4aa3-8df4-cec3aeffb1b5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png" ], "encryption": "AES", "extensions": [ ".locked" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "WickedLocker HT Ransomware", "uuid": "878c06be-95d7-4a0d-9dba-178ffc1d3e5e" }, { "meta": { "synonyms": [ "PClock SuppTeam Ransomware", "WinPlock", "CryptoLocker clone" ], "refs": [ "https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/", "https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html", "http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/", "https://decrypter.emsisoft.com/" ], "ransomnotes": [ "Your files are locked !.txt", "Your files are locked !!.txt", "Your files are locked !!!.txt", "Your files are locked !!!!.txt", "%AppData%\\WinCL\\winclwp.jpg" ], "encryption": "AES or XOR", "extensions": [ ".locked" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat", "value": "PClock3 Ransomware", "uuid": "6c38f175-b32a-40ef-8cad-33c2c8840d51" }, { "meta": { "synonyms": [ "Kolobocheg Ransomware" ], "refs": [ "https://www.ransomware.wiki/tag/kolobo/", "https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html", "https://forum.drweb.com/index.php?showtopic=315142" ], "ransomnotes": [ "https://www.ransomware.wiki/tag/kolobo/" ], "encryption": "XOR and RSA", "extensions": [ ".kolobocheg@aol.com_" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Kolobo Ransomware", "uuid": "f32f0bec-961b-4c01-9cc1-9cf409efd598" }, { "meta": { "synonyms": [ "Paysafecard Generator 2016" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html", "https://twitter.com/JakubKroustek/status/796083768155078656" ], "ransomnotes": [ "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png" ], "encryption": "AES-256", "extensions": [ ".cry_" ], "date": "November 2016" }, "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "PaySafeGen (German) Ransomware", "uuid": "379d5258-6f11-4c41-a685-c2ff555c0cb9" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html", "http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked", "https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif" ], "encryption": "AES", "extensions": [ ".Xcri" ], "date": "November 2016" }, "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.", "value": "Telecrypt Ransomware", "uuid": "2f362760-925b-4948-aae5-dd0d2fc21002" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/", "https://twitter.com/struppigel/status/795630452128227333" ], "ransomnotes": [ "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png" ], "encryption": "AES", "extensions": [ ".cerber" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CerberTear Ransomware", "uuid": "28808e63-e71f-4aaa-b203-9310745f87b6" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html" ], "encryption": "RSA-4096", "extensions": [ ".dll" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety", "value": "FuckSociety Ransomware", "uuid": "81c476c3-3190-440d-be4a-ea875e9415aa" }, { "meta": { "synonyms": [ "Serpent Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html", "https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/", "https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers" ], "ransomnotes": [ "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html", "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt" ], "encryption": "AES-256", "extensions": [ ".dng", ".serpent" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048", "value": "PayDOS Ransomware", "uuid": "4818a48a-dfc2-4f35-a76d-e4fb462d6c94" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/", "https://twitter.com/struppigel/status/794077145349967872" ], "encryption": "AES", "extensions": [ ".dng" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "zScreenLocker Ransomware", "uuid": "47834caa-2226-4a3a-a228-210a64c281b9" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html", "https://twitter.com/struppigel/status/794444032286060544", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg" ], "encryption": "AES", "extensions": [ ".rnsmwr" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Gremit Ransomware", "uuid": "47512afc-ecf2-4766-8487-8f3bc8dddbf3" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG" ], "encryption": "AES", "extensions": [ ".hollycrypt" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Hollycrypt Ransomware", "uuid": "b77298c1-3f84-4ffb-a81b-36eab5c10881" }, { "meta": { "synonyms": [ "BTC Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG" ], "encryption": "AES", "extensions": [ ".BTC" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "BTCLocker Ransomware", "uuid": "3f461284-85a1-441c-b07d-8b547be43ca2" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/" ], "ransomnotes": [ "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png", "filename.Instructions_Data_Recovery.txt" ], "encryption": "AES", "extensions": [ ".crypted_file" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda", "value": "Kangaroo Ransomware", "uuid": "5ab1449f-7e7d-47e7-924a-8662bc2df805" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png" ], "encryption": "AES-256", "extensions": [ ".dCrypt" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "DummyEncrypter Ransomware", "uuid": "6bf055c6-acb2-4459-92b0-70d61616ab62" }, { "meta": { "synonyms": [ "SFX Monster Ransomware" ], "refs": [ "http://virusinfo.info/showthread.php?t=201710", "https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html" ], "ransomnotes": [ "YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS" ], "encryption": "AES-256", "extensions": [ ".dCrypt" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Encryptss77 Ransomware", "uuid": "317cab8a-31a1-4a82-876a-94edc7afffba" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png" ], "encryption": "AES-256", "extensions": [ ".ace" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "WinRarer Ransomware", "uuid": "7ee22340-ed89-4e22-b085-257bde4c0fc5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html" ], "ransomnotes": [ "YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID ***** Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily." ], "encryption": "AES-256", "extensions": [ ".blackblock" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Russian Globe Ransomware", "uuid": "30771cde-2543-4c13-b722-ff940f235b0f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html" ], "ransomnotes": [ "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG" ], "encryption": "AES-256", "extensions": [ ".zn2016" ], "date": "November 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "ZeroCrypt Ransomware", "uuid": "e999ca18-61cb-4419-a2fa-ab8af6ebe8dc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html" ], "ransomnotes": [ "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!" ], "encryption": "RSA", "extensions": [ ".c400", ".c300" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "RotorCrypt(RotoCrypt, Tar) Ransomware", "uuid": "63991ed9-98dc-4f24-a0a6-ff58e489c263" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html" ], "ransomnotes": [ "FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path)." ], "encryption": "AES-256 + RSA-2048", "extensions": [ "ISHTAR-. (prefix)" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.", "value": "Ishtar Ransomware", "uuid": "30cad868-b2f1-4551-8f76-d17695c67d52" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html", "https://twitter.com/struppigel/status/791943837874651136" ], "ransomnotes": [ "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020", "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg", "CreatesReadThisFileImportant.txt" ], "extensions": [ ".hcked" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "MasterBuster Ransomware", "uuid": "07f859cd-9c36-4dae-a6fc-fa4e4aa36176" }, { "meta": { "synonyms": [ "Jack.Pot Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html", "https://twitter.com/struppigel/status/791639214152617985", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg" ], "extensions": [ ".coin" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "JackPot Ransomware", "uuid": "04f1772a-053e-4f6e-a9af-3f83ab312633" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html", "https://twitter.com/struppigel/status/791557636164558848", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" ], "ransomnotes": [ "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.", "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg" ], "extensions": [ ".Encryption:" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware", "value": "ONYX Ransomeware", "uuid": "927a4150-9380-4310-9f68-cb06d8debcf2" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html", "https://twitter.com/struppigel/status/791576159960072192", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG" ], "encryption": "AES", "extensions": [ ".inf643" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "IFN643 Ransomware", "uuid": "ddeab8b3-5df2-414e-9c6b-06b309e1fcf4" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/", "https://twitter.com/PolarToffee/status/792796055020642304" ], "ransomnotes": [ "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg", "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg", "ransomed.hTmL" ], "encryption": "AES", "extensions": [ ".Alcatraz" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Alcatraz Locker Ransomware", "uuid": "2ad63264-8f52-4ab4-ad26-ca8c3bcc066e" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html", "https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/" ], "ransomnotes": [ "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.", "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png" ], "encryption": "AES", "extensions": [ ".encrypted" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Esmeralda Ransomware", "uuid": "ff5a04bb-d412-4cb3-9780-8d3488b7c268" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg" ], "encryption": "AES", "extensions": [ ".encrypted" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "EncrypTile Ransomware", "uuid": "56e49b84-a250-4aaf-9f65-412616709652" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ], "ransomnotes": [ "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png" ], "encryption": "AES", "extensions": [ ".encrypted" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG", "value": "Fileice Ransomware Survey Ransomware", "uuid": "ca5d0e52-d0e4-4aa9-872a-0669433c0dcc" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html", "https://twitter.com/struppigel/status/791554654664552448", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" ], "ransomnotes": [ "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg", "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg" ], "encryption": "AES-256", "extensions": [ ".encrypted" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "CryptoWire Ransomeware", "uuid": "4e6e45c2-8e13-49ad-8b27-e5aeb767294a" }, { "meta": { "synonyms": [ "Hungarian Locky Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html", "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe", "https://twitter.com/struppigel/status/846241982347427840" ], "ransomnotes": [ "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png", "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!", "_Adatok_visszaallitasahoz_utasitasok.txt", "_locky_recover_instructions.txt" ], "encryption": "AES-128+RSA", "extensions": [ ".locky", "[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky", "value": "Hucky Ransomware", "uuid": "74f91a93-4f1e-4603-a6f5-aaa40d2dd311" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html", "https://twitter.com/PolarToffee/status/811940037638111232" ], "ransomnotes": [ "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team", "YOUR FILES ARE ENCRYPTED!.txt" ], "encryption": "AES", "extensions": [ ".wnx" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Winnix Cryptor Ransomware", "uuid": "e30e663d-d8c8-44f2-8da7-03b1a9c52376" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html", "https://twitter.com/demonslay335/status/790334746488365057" ], "ransomnotes": [ "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg", "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!" ], "encryption": "AES-512", "extensions": [ ".adk" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC", "value": "AngryDuck Ransomware", "uuid": "2813a5c7-530b-492f-8d77-fe7b1ed96a65" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html", "https://twitter.com/malwrhunterteam/status/789882488365678592" ], "ransomnotes": [ "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg", "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg" ], "encryption": "AES-512", "extensions": [ ".lock93" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Lock93 Ransomware", "uuid": "2912426d-2a26-4091-a87f-032a6d3d28c1" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html", "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG", "!!!!!readme!!!!!.htm" ], "encryption": "AES-512", "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "ASN1 Encoder Ransomware", "uuid": "dd99cc50-91f7-4375-906a-7d09c76ee9f7" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html", "https://www.youtube.com/watch?v=Xe30kV4ip8w" ], "ransomnotes": [ "All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price." ], "encryption": "AES", "extensions": [ ".hacked" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif", "value": "Click Me Ransomware", "uuid": "97bdadda-e874-46e6-8672-11dbfe3958c4" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" ], "encryption": "AES-256 + RSA-2048", "extensions": [ ".hacked" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "AiraCrop Ransomware", "uuid": "e7a5c384-a93c-4ed4-8411-ca1e52396256" }, { "meta": { "synonyms": [ "SHC Ransomware", "SHCLocker", "SyNcryption" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker", "https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php", "https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots" ], "ransomnotes": [ "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg" ], "encryption": "AES-256 + RSA-2048", "extensions": [ "#LOCK#" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping", "value": "JapanLocker Ransomware", "uuid": "d579e5b6-c6fd-43d9-9213-7591cd324f94" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html", "http://nyxbone.com/malware/Anubis.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg", "Decryption Instructions.txt" ], "encryption": "AES(256)", "extensions": [ ".coded" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2", "value": "Anubis Ransomware", "uuid": "a6215279-37d8-47f7-9b1b-efae4178c738" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html" ], "ransomnotes": [ "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com" ], "encryption": "AES-256", "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "XTPLocker 5.0 Ransomware", "uuid": "eef4bf49-5b1d-463a-aef9-538c5dc2f71f" }, { "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware", "https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg", "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg", "https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg" ], "encryption": "AES-128", "extensions": [ ".exotic", "random.exotic" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables", "value": "Exotic Ransomware", "uuid": "eb22cb8d-763d-4cac-af35-46dc4f85317b" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg" ], "encryption": "AES-128", "extensions": [ ".dll" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED", "value": "APT Ransomware v.2", "uuid": "6ec0f43c-6b73-4f5e-bee7-a231572eb994" }, { "meta": { "synonyms": [ "WS Go Ransonware", "Trojan.Encoder.6491" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2" ], "ransomnotes": [ "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png" ], "encryption": "AES-256", "extensions": [ ".enc" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Windows_Security Ransonware", "uuid": "a57a8bc3-8c33-43e8-b237-25edcd5f532a" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html" ], "ransomnotes": [ "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg" ], "encryption": "AES", "extensions": [ ".NCRYPT", ".ncrypt" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "NCrypt Ransomware", "uuid": "d590865e-f3ae-4381-9d82-3f540f9818cb" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html", "https://twitter.com/Antelox/status/785849412635521024", "http://pastebin.com/HuK99Xmj" ], "ransomnotes": [ "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg" ], "encryption": "AES-2048", "extensions": [ ".venis" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com", "value": "Venis Ransomware", "uuid": "b9cfe6f3-5970-4283-baf4-252e0491b91c" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html" ], "ransomnotes": [ "We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\\Documents and Settings\\Администратор\\Рабочийстол\\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\\DOCUME~1\\9335~1\\LOCALS~1\\Temp\\E_N_I_G_M_A.RSA - The path to the key file in TMP directory" ], "encryption": "AES-128", "extensions": [ ".1txt" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Enigma 2 Ransomware", "uuid": "507506a3-3745-47fd-8d31-ef122317c0c2" }, { "meta": { "synonyms": [ "Deadly for a Good Purpose Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html", "https://twitter.com/malwrhunterteam/status/785533373007728640" ], "ransomnotes": [ "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg" ], "encryption": "AES-256", "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...", "value": "Deadly Ransomware", "uuid": "a25e39b0-b601-403c-bba8-2f595e221269" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html" ], "ransomnotes": [ "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg", "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG", "https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg" ], "encryption": "AES-256", "extensions": [ ".comrade" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Comrade Circle Ransomware", "uuid": "db23145a-e15b-4cf7-9d2c-ffa9928750d5" }, { "meta": { "synonyms": [ "Purge Ransomware" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html", "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221" ], "ransomnotes": [ "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg" ], "encryption": "AES-256 or Blowfish", "extensions": [ ".raid10", ".[random].raid10", ".blt", ".globe", ".[random].blt", ".encrypted", ".[random].globe", ".[random].encrypted", ".mia.kokers@aol.com", ".[mia.kokers@aol.com]", ".lovewindows", ".openforyou@india.com", ".." ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Globe2 Ransomware", "uuid": "5541471c-8d15-4aec-9996-e24b59c3e3d6" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html", "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/" ], "ransomnotes": [ "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg", "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg" ], "encryption": "AES-256", "extensions": [ ".k0stya" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Kostya Ransomware", "uuid": "7d6f02d2-a626-40f6-81c3-14e3a9a2aea5" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.htm" ], "ransomnotes": [ "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png" ], "encryption": "AES-256 CBC", "extensions": [ ".comrade" ], "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", "value": "Fs0ciety Locker Ransomware", "uuid": "ed3a4f8a-49de-40c3-9acb-da1b78f89c4f" }, { "meta": { "refs": [ "https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html" ], "ransomnotes": [ "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png" ], "encryption": "AES", "extensions": [ ".ecrypt" ], "date": "September 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet", "value": "Erebus Ransomware", "uuid": "6a77c96b-1814-427f-83ca-fe7e0e40b1c0" }, { "meta": { "synonyms": [ "WannaCrypt", "WannaCry", "WanaCrypt0r", "WCrypt", "WCRY" ], "refs": [ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168" ], "date": "May 2017" }, "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.", "value": "WannaCry", "uuid": "d62ab8d5-4ba1-4c45-8a63-13fdb099b33c" }, { "value": ".CryptoHasYou.", "description": "Ransomware", "meta": { "extensions": [ ".enc" ], "encryption": "AES(256)", "ransomnotes": [ "YOUR_FILES_ARE_LOCKED.txt" ], "refs": [ "http://www.nyxbone.com/malware/CryptoHasYou.html" ] }, "uuid": "a0ce5d94-a22a-40db-a09f-a796d0bb4006" }, { "value": "777", "description": "Ransomware", "meta": { "synonyms": [ "Sevleg" ], "extensions": [ ".777", "._[timestamp]_$[email]$.777", "e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777" ], "encryption": "XOR", "ransomnotes": [ "read_this_file.txt" ], "refs": [ "https://decrypter.emsisoft.com/777" ] }, "uuid": "cd9e9eaa-0895-4d55-964a-b53eacdfd36a" }, { "value": "7ev3n", "description": "Ransomware", "meta": { "synonyms": [ "7ev3n-HONE$T" ], "extensions": [ ".R4A", ".R5A" ], "ransomnotes": [ "FILES_BACK.txt" ], "refs": [ "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n", "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be", "http://www.nyxbone.com/malware/7ev3n-HONE$T.html" ] }, "uuid": "664701d6-7948-4e80-a333-1d1938103ba1" }, { "value": "8lock8", "description": "Ransomware Based on HiddenTear", "meta": { "extensions": [ ".8lock8" ], "encryption": "AES-256", "ransomnotes": [ "READ_IT.txt" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/" ] }, "uuid": "b70b6537-cf00-4bd1-a4e9-ae5ff2eb7504" }, { "value": "AiraCrop", "description": "Ransomware related to TeamXRat", "meta": { "extensions": [ "._AiraCropEncrypted" ], "ransomnotes": [ "How to decrypt your files.txt" ], "refs": [ "https://twitter.com/PolarToffee/status/796079699478900736" ] }, "uuid": "77919c1f-4ef8-41cd-a635-2d3118ade1f3" }, { "value": "Al-Namrood", "description": "Ransomware", "meta": { "extensions": [ ".unavailable", ".disappeared" ], "ransomnotes": [ "Read_Me.Txt" ], "refs": [ "https://decrypter.emsisoft.com/al-namrood" ] }, "uuid": "0040dca4-bf2e-43cb-89ae-ab1b50f1183d" }, { "value": "ALFA Ransomware", "description": "Ransomware Made by creators of Cerber", "meta": { "extensions": [ ".bin" ], "ransomnotes": [ "README HOW TO DECRYPT YOUR FILES.HTML" ], "refs": [ "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/" ] }, "uuid": "888abc95-9e01-4cbc-a6e5-058eb9314f51" }, { "value": "Alma Ransomware", "description": "Ransomware", "meta": { "extensions": [ "random", "random(x5)" ], "encryption": "AES-128", "ransomnotes": [ "Unlock_files_randomx5.html" ], "refs": [ "https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283", "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter", "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/" ] }, "uuid": "76a08868-345f-4566-a403-5f5e575dfee5" }, { "value": "Alpha Ransomware", "description": "Ransomware", "meta": { "synonyms": [ "AlphaLocker" ], "extensions": [ ".encrypt" ], "encryption": "AES-256", "ransomnotes": [ "Read Me (How Decrypt) !!!!.txt" ], "refs": [ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/", "https://twitter.com/malwarebread/status/804714048499621888" ] }, "uuid": "a27fff00-995a-4598-ba00-05921bf20e80" }, { "value": "AMBA", "description": "Ransomware Websites only amba@riseup.net", "meta": { "extensions": [ ".amba" ], "ransomnotes": [ "ПРОЧТИ_МЕНЯ.txt", "READ_ME.txt" ], "refs": [ "https://twitter.com/benkow_/status/747813034006020096" ] }, "uuid": "8dd289d8-71bc-42b0-aafd-540dafa93343" }, { "value": "AngleWare", "description": "Ransomware", "meta": { "extensions": [ ".AngleWare" ], "ransomnotes": [ "READ_ME.txt" ], "refs": [ "https://twitter.com/BleepinComputer/status/844531418474708993" ] }, "uuid": "e06526ac-0083-44ab-8787-dd7278746bb6" }, { "value": "Anony", "description": "Ransomware Based on HiddenTear", "meta": { "synonyms": [ "ngocanh" ], "refs": [ "https://twitter.com/struppigel/status/842047409446387714" ] }, "uuid": "5b94100d-83bb-4e30-be7a-6015c00356e0" }, { "value": "Apocalypse", "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru", "meta": { "synonyms": [ "Fabiansomeware" ], "extensions": [ ".encrypted", ".SecureCrypted", ".FuckYourData", ".unavailable", ".bleepYourFiles", ".Where_my_files.txt", "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]", "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" ], "ransomnotes": [ "*.How_To_Decrypt.txt", "*.Contact_Here_To_Recover_Your_Files.txt", "*.Where_my_files.txt", "*.Read_Me.Txt", "*md5*.txt" ], "refs": [ "https://decrypter.emsisoft.com/apocalypse", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ] }, "uuid": "e38b8876-5780-4574-9adf-304e9d659bdb" }, { "value": "ApocalypseVM", "description": "Ransomware Apocalypse ransomware version which uses VMprotect", "meta": { "extensions": [ ".encrypted", ".locked" ], "ransomnotes": [ "*.How_To_Get_Back.txt" ], "refs": [ "http://decrypter.emsisoft.com/download/apocalypsevm" ] }, "uuid": "5bc9c3a5-a35f-43aa-a999-fc7cd0685994" }, { "value": "AutoLocky", "description": "Ransomware", "meta": { "extensions": [ ".locky" ], "ransomnotes": [ "info.txt", "info.html" ], "refs": [ "https://decrypter.emsisoft.com/autolocky" ] }, "uuid": "803fa9e2-8803-409a-b455-3a886c23fae4" }, { "value": "Aw3s0m3Sc0t7", "description": "Ransomware", "meta": { "extensions": [ ".enc" ], "refs": [ "https://twitter.com/struppigel/status/828902907668000770" ] }, "uuid": "dced0fe8-224e-47ef-92ed-5ab6c0536daa" }, { "value": "BadBlock", "description": "Ransomware", "meta": { "ransomnotes": [ "Help Decrypt.html" ], "refs": [ "https://decrypter.emsisoft.com/badblock", "http://www.nyxbone.com/malware/BadBlock.html", "http://www.nyxbone.com/images/articulos/malware/badblock/5.png" ] }, "uuid": "f1a30552-21c1-46be-8b5f-64bd62b03d35" }, { "value": "BaksoCrypt", "description": "Ransomware Based on my-Little-Ransomware", "meta": { "extensions": [ ".adr" ], "refs": [ "https://twitter.com/JakubKroustek/status/760482299007922176", "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/" ] }, "uuid": "b21997a1-212f-4bbe-a6b7-3c703cbf113e" }, { "value": "Bandarchor", "description": "Ransomware Files might be partially encrypted", "meta": { "synonyms": [ "Rakhni" ], "extensions": [ ".id-1235240425_help@decryptservice.info", ".id-[ID]_[EMAIL_ADDRESS]" ], "encryption": "AES-256", "ransomnotes": [ "HOW TO DECRYPT.txt" ], "refs": [ "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/", "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/" ] }, "uuid": "af50d07e-3fc5-4014-9ac5-f5466cf042bc" }, { "value": "Bart", "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex", "meta": { "synonyms": [ "BaCrypt" ], "extensions": [ ".bart.zip", ".bart", ".perl" ], "ransomnotes": [ "recover.txt", "recover.bmp" ], "refs": [ "http://now.avg.com/barts-shenanigans-are-no-match-for-avg/", "http://phishme.com/rockloader-downloading-new-ransomware-bart/", "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky" ] }, "uuid": "3cf2c880-e0b5-4311-9c4e-6293f2a566e7" }, { "value": "BitCryptor", "description": "Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.", "meta": { "extensions": [ ".clf" ], "refs": [ "https://noransom.kaspersky.com/" ] }, "uuid": "b5e9a802-cd17-4cd6-b83d-f36cce009808" }, { "value": "BitStak", "description": "Ransomware", "meta": { "extensions": [ ".bitstak" ], "encryption": "Base64 + String Replacement", "refs": [ "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip" ] }, "uuid": "33e398fa-2586-415e-9b18-6ea2ea36ff74" }, { "value": "BlackShades Crypter", "description": "Ransomware", "meta": { "synonyms": [ "SilentShade" ], "extensions": [ ".Silent" ], "encryption": "AES-256", "ransomnotes": [ "Hacked_Read_me_to_decrypt_files.html", "YourID.txt" ], "refs": [ "http://nyxbone.com/malware/BlackShades.html" ] }, "uuid": "bf065217-e13a-4f6d-a5b2-ba0750b5c312" }, { "value": "Blocatto", "description": "Ransomware Based on HiddenTear", "meta": { "extensions": [ ".blocatto" ], "encryption": "AES-256", "refs": [ "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/" ] }, "uuid": "a3e1cfec-aacd-4d84-aa7d-99ed6c17f26d" }, { "value": "Booyah", "description": "Ransomware EXE was replaced to neutralize threat", "meta": { "synonyms": [ "Salami" ] }, "uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3" }, { "value": "Brazilian", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".lock" ], "encryption": "AES-256", "ransomnotes": [ "MENSAGEM.txt" ], "refs": [ "http://www.nyxbone.com/malware/brazilianRansom.html", "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png" ] }, "uuid": "f9cf4f0d-3efc-4d6d-baf2-7dcb96db1279" }, { "value": "Brazilian Globe", "description": "Ransomware", "meta": { "extensions": [ ".id-%ID%_garryweber@protonmail.ch" ], "ransomnotes": [ "HOW_OPEN_FILES.html" ], "refs": [ "https://twitter.com/JakubKroustek/status/821831437884211201" ] }, "uuid": "d2bc5ec4-1dd1-408a-a6f6-621986657dff" }, { "value": "BrLock", "description": "Ransomware", "meta": { "encryption": "AES", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" ] }, "uuid": "889d2296-40d2-49f6-be49-cbdfbcde2246" }, { "value": "Browlock", "description": "Ransomware no local encryption, browser only", "uuid": "9769be50-8e0b-4f52-b7f6-98aeac0aaac4" }, { "value": "BTCWare Related to / new version of CryptXXX", "description": "Ransomware", "meta": { "extensions": [ ".btcware" ], "ransomnotes": [ "#_HOW_TO_FIX_!.hta" ], "refs": [ "https://twitter.com/malwrhunterteam/status/845199679340011520" ] }, "uuid": "8d60dec9-d43f-4d52-904f-40fb67e57ef7" }, { "value": "Bucbi", "description": "Ransomware no file name change, no extension", "meta": { "encryption": "GOST", "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/" ] }, "uuid": "3510ce65-80e6-4f80-8cde-bb5ad8a271c6" }, { "value": "BuyUnlockCode", "description": "Ransomware Does not delete Shadow Copies", "meta": { "extensions": [ "(.*).encoded.([A-Z0-9]{9})" ], "ransomnotes": [ "BUYUNLOCKCODE.txt" ] }, "uuid": "289624c4-1d50-4178-9371-aebd95f423f9" }, { "value": "Central Security Treatment Organization", "description": "Ransomware", "meta": { "extensions": [ ".cry" ], "ransomnotes": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/" ] }, "uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40" }, { "value": "Cerber", "description": "Ransomware", "meta": { "extensions": [ ".cerber", ".cerber2", ".cerber3" ], "synonyms": [ "CRBR ENCRYPTOR" ], "encryption": "AES", "ransomnotes": [ "# DECRYPT MY FILES #.html", "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.vbs", "# README.hta", "_{RAND}_README.jpg", "_{RAND}_README.hta", "_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg", "_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta", "_HELP_HELP_HELP_%random%.jpg", "_HELP_HELP_HELP_%random%.hta", "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta", "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg" ], "refs": [ "https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410", "https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/" ] }, "uuid": "190edf95-9cd9-4e4a-a228-b716d52a751b" }, { "value": "Chimera", "description": "Ransomware", "meta": { "extensions": [ ".crypt", "4 random characters, e.g., .PzZs, .MKJL" ], "ransomnotes": [ "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT", ".gif" ], "refs": [ "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/", "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/" ] }, "uuid": "27b036f0-afa3-4984-95b3-47fa344b1aa7" }, { "value": "Clock", "description": "Ransomware Does not encrypt anything", "meta": { "refs": [ "https://twitter.com/JakubKroustek/status/794956809866018816" ] }, "uuid": "af3b3bbb-b54d-49d0-8e58-e9c56762a96b" }, { "value": "CoinVault", "description": "Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!", "meta": { "extensions": [ ".clf" ], "ransomnotes": [ "wallpaper.jpg" ], "refs": [ "https://noransom.kaspersky.com/" ] }, "uuid": "15941fb1-08f0-4276-a61f-e2a306d6c6b5" }, { "value": "Coverton", "description": "Ransomware", "meta": { "extensions": [ ".coverton", ".enigma", ".czvxce" ], "encryption": "AES-256", "ransomnotes": [ "!!!-WARNING-!!!.html", "!!!-WARNING-!!!.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/" ] }, "uuid": "36450e8c-ff66-4ecf-9c0f-fbfb27a72d63" }, { "value": "Cryaki", "description": "Ransomware", "meta": { "extensions": [ ".{CRYPTENDBLACKDC}" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] }, "uuid": "2c11d679-1fb1-4bd7-9516-9c6f402f3c25" }, { "value": "Crybola", "description": "Ransomware", "meta": { "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] }, "uuid": "93dcd241-f2d6-40f3-aee3-351420046a77" }, { "value": "CryFile", "description": "Ransomware", "meta": { "extensions": [ ".criptiko", ".criptoko", ".criptokod", ".cripttt", ".aga" ], "encryption": "Moves bytes", "refs": [ "SHTODELATVAM.txt", "Instructionaga.txt" ], "ransomnotes": [ "http://virusinfo.info/showthread.php?t=185396" ] }, "uuid": "0d46e21d-8f1c-4355-8205-185fb7e041a7" }, { "value": "CryLocker", "description": "Ransomware Identifies victim locations w/Google Maps API", "meta": { "synonyms": [ "Cry", "CSTO", "Central Security Treatment Organization" ], "extensions": [ ".cry" ], "ransomnotes": [ "!Recovery_[random_chars].html", "!Recovery_[random_chars].txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/" ] }, "uuid": "629f6986-2c1f-4d0a-b805-e4ef3e2ce634" }, { "value": "CrypMIC", "description": "Ransomware CryptXXX clone/spinoff", "meta": { "encryption": "AES-256", "ransomnotes": [ "README.TXT", "README.HTML", "README.BMP" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/" ] }, "uuid": "82cb7a40-0a78-4414-9afd-028d6b3082ea" }, { "value": "Crypren", "description": "Ransomware", "meta": { "extensions": [ ".ENCRYPTED" ], "ransomnotes": [ "READ_THIS_TO_DECRYPT.html" ], "refs": [ "https://github.com/pekeinfo/DecryptCrypren", "http://www.nyxbone.com/malware/Crypren.html", "http://www.nyxbone.com/images/articulos/malware/crypren/0.png" ] }, "uuid": "a9f05b4e-6b03-4211-a2bd-6b4432eb3388" }, { "value": "Crypt38", "description": "Ransomware", "meta": { "extensions": [ ".crypt38" ], "encryption": "AES", "refs": [ "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip", "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption" ] }, "uuid": "12a96f43-8a8c-410e-aaa3-ba6735276555" }, { "value": "Crypter", "description": "Ransomware Does not actually encrypt the files, but simply renames them", "meta": { "refs": [ "https://twitter.com/jiriatvirlab/status/802554159564062722" ] }, "uuid": "37edc8d7-c939-4a33-9ed5-dafbbc1e5b1e" }, { "value": "CryptFIle2", "description": "Ransomware", "meta": { "extensions": [ ".scl", "id[_ID]email_xerx@usa.com.scl" ], "encryption": "RSA", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" ] }, "uuid": "5b0dd136-6428-48c8-b2a6-8e926a82dfac" }, { "value": "CryptInfinite", "description": "Ransomware", "meta": { "extensions": [ ".crinf" ], "refs": [ "https://decrypter.emsisoft.com/" ] }, "uuid": "2b0d60c3-6560-49ac-baf0-5f642e8a77de" }, { "value": "CryptoBit", "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.", "meta": { "encryption": "AES + RSA", "ransomnotes": [ "OKSOWATHAPPENDTOYOURFILES.TXT" ], "refs": [ "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/", "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml" ] }, "uuid": "1903ed75-05f7-4019-b0b7-7a8f23f22194" }, { "value": "CryptoDefense", "description": "Ransomware no extension change", "meta": { "ransomnotes": [ "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL" ], "refs": [ "https://decrypter.emsisoft.com/" ] }, "uuid": "ad9eeff2-91b4-440a-ae74-ab84d3e2075e" }, { "value": "CryptoFinancial", "description": "Ransomware", "meta": { "synonyms": [ "Ranscam" ], "refs": [ "http://blog.talosintel.com/2016/07/ranscam.html", "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/" ] }, "uuid": "383d7ebb-9b08-4874-b5d7-dc02b499c38f" }, { "value": "CryptoFortress", "description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB", "meta": { "extensions": [ ".frtrss" ], "encryption": "AES-256 + RSA-1024", "ransomnotes": [ "READ IF YOU WANT YOUR FILES BACK.html" ] }, "uuid": "26c8b446-305c-4057-83bc-85b09630281e" }, { "value": "CryptoGraphic Locker", "description": "Ransomware Has a GUI. Subvariants: CoinVault BitCryptor", "meta": { "extensions": [ ".clf" ], "ransomnotes": [ "wallpaper.jpg" ] }, "uuid": "58534bc4-eb96-44f4-bdad-2cc5cfea8c6f" }, { "value": "CryptoHost", "description": "Ransomware RAR's victim's files has a GUI", "meta": { "synonyms": [ "Manamecrypt", "Telograph", "ROI Locker" ], "encryption": "AES-256 (RAR implementation)", "refs": [ "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" ] }, "uuid": "dba2cf74-16a9-4ed8-8536-6542fda95999" }, { "value": "CryptoJoker", "description": "Ransomware", "meta": { "extensions": [ ".crjoker" ], "encryption": "AES-256", "ransomnotes": [ "README!!!.txt", "GetYouFiles.txt", "crjoker.html" ] }, "uuid": "2fb307a2-8752-4521-8973-75b68703030d" }, { "value": "CryptoLocker", "description": "Ransomware no longer relevant", "meta": { "extensions": [ ".encrypted", ".ENC" ], "refs": [ "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html", "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/" ] }, "uuid": "b35b1ca2-f99c-4495-97a5-b8f30225cb90" }, { "value": "CryptoLocker 1.0.0", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/839747940122001408" ] }, "uuid": "8d5e3b1f-e333-4eed-8dec-d74f19d6bcbb" }, { "value": "CryptoLocker 5.1", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/782890104947867649" ] }, "uuid": "e1412d2a-2a94-4c83-aed0-9e09523514a4" }, { "value": "CryptoMix", "description": "Ransomware", "meta": { "synonyms": [ "Zeta" ], "extensions": [ ".code", ".scl", ".rmd", ".lesli", ".rdmk", ".CRYPTOSHIELD", ".CRYPTOSHIEL", ".id_(ID_MACHINE)_email_xoomx@dr.com_.code", ".id_*_email_zeta@dr.com", ".id_(ID_MACHINE)_email_anx@dr.com_.scl", ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli", "*filename*.email[*email*]_id[*id*].rdmk", ".EMPTY", ".0000", ".XZZX", ".TEST", ".WORK", ".SYSTEM", ".MOLE66" ], "ransomnotes": [ "HELP_YOUR_FILES.html (CryptXXX)", "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", "INSTRUCTION RESTORE FILE.TXT", "# HELP_DECRYPT_YOUR_FILES #.TXT", "_HELP_INSTRUCTION.TXT", "C:\\ProgramData\\[random].exe", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number", "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!" ], "refs": [ "http://www.nyxbone.com/malware/CryptoMix.html", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", "https://twitter.com/JakubKroustek/status/804009831518572544", "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/" ] }, "uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a" }, { "value": "CryptoRansomeware", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/817672617658347521" ] }, "uuid": "de53f392-8794-43d1-a38b-c0b90c20a3fb" }, { "value": "CryptoRoger", "description": "Ransomware", "meta": { "extensions": [ ".crptrgr" ], "encryption": "AES", "ransomnotes": [ "!Where_are_my_files!.html" ], "refs": [ "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/" ] }, "uuid": "b6fe71ba-b0f4-4cc4-b84c-d3d80a37eada" }, { "value": "CryptoShadow", "description": "Ransomware", "meta": { "extensions": [ ".doomed" ], "ransomnotes": [ "LEER_INMEDIATAMENTE.txt" ], "refs": [ "https://twitter.com/struppigel/status/821992610164277248" ] }, "uuid": "b11563ce-cced-4c8b-a3a1-0c4ff76aa0ef" }, { "value": "CryptoShocker", "description": "Ransomware", "meta": { "extensions": [ ".locked" ], "encryption": "AES", "ransomnotes": [ "ATTENTION.url" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/" ] }, "uuid": "545b4b25-763a-4a5c-8dda-12142c00422c" }, { "value": "CryptoTorLocker2015", "description": "Ransomware", "meta": { "extensions": [ ".CryptoTorLocker2015!" ], "ransomnotes": [ "HOW TO DECRYPT FILES.txt", "%Temp%\\.bmp" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/" ] }, "uuid": "06ec3640-4b93-4e79-a8ec-e24b3d349dd5" }, { "value": "CryptoTrooper", "description": "Ransomware", "meta": { "encryption": "AES", "refs": [ "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml" ] }, "uuid": "13fdf55f-46f7-4635-96b8-b4806c78a80c" }, { "value": "CryptoWall 1", "description": "Ransomware", "meta": { "ransomnotes": [ "DECRYPT_INSTRUCTION.HTM", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.URL", "INSTALL_TOR.URL" ] }, "uuid": "5559fbc1-52c6-469c-be97-8f8344765577" }, { "value": "CryptoWall 2", "description": "Ransomware", "meta": { "ransomnotes": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", "HELP_DECRYPT.HTML" ] }, "uuid": "f2780d22-4410-4a2f-a1c3-f43807ed1f19" }, { "value": "CryptoWall 3", "description": "Ransomware", "meta": { "ransomnotes": [ "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL", "HELP_DECRYPT.HTML" ], "refs": [ "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/", "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/" ] }, "uuid": "9d35fe47-5f8c-494c-a74f-23a7ac7f44be" }, { "value": "CryptoWall 4", "description": "Ransomware", "meta": { "extensions": [ "., e.g. ,27p9k967z.x1nep" ], "ransomnotes": [ "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG" ] }, "uuid": "f7c04ce6-dd30-4a94-acd4-9a3125bcb12e" }, { "value": "CryptXXX", "description": "Ransomware Comes with Bedep", "meta": { "synonyms": [ "CryptProjectXXX" ], "extensions": [ ".crypt" ], "ransomnotes": [ "de_crypt_readme.bmp, .txt, .html" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547", "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information" ] }, "uuid": "255aac37-e4d2-4eeb-b8de-143f9c2321bd" }, { "value": "CryptXXX 2.0", "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.", "meta": { "synonyms": [ "CryptProjectXXX" ], "extensions": [ ".crypt" ], "ransomnotes": [ ".txt, .html, .bmp" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547", "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool", "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" ] }, "uuid": "e272d0b5-cdfc-422a-bb78-9214475daec5" }, { "value": "CryptXXX 3.0", "description": "Ransomware Comes with Bedep", "meta": { "synonyms": [ "UltraDeCrypter", "UltraCrypter" ], "extensions": [ ".crypt", ".cryp1", ".crypz", ".cryptz", "random" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547", "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/", "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" ] }, "uuid": "60a50fe5-53ea-43f0-8a17-e7134f5fc371" }, { "value": "CryptXXX 3.1", "description": "Ransomware StilerX credential stealing", "meta": { "extensions": [ ".cryp1" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547", "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100" ] }, "uuid": "3f5a76ea-6b83-443e-b26f-b2b2d02d90e0" }, { "value": "CryPy", "description": "Ransomware", "meta": { "extensions": [ ".cry" ], "encryption": "AES", "ransomnotes": [ "README_FOR_DECRYPT.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/" ] }, "uuid": "0b0f5f33-1871-461d-8e7e-b5e0ebc82311" }, { "value": "CTB-Faker", "description": "Ransomware", "meta": { "synonyms": [ "Citroni" ], "extensions": [ ".ctbl", ".([a-z]{6,7})" ], "encryption": "RSA-2048", "ransomnotes": [ "AllFilesAreLocked .bmp", "DecryptAllFiles .txt", ".html" ] }, "uuid": "6212bf8f-07db-490a-8cef-ac42042076c1" }, { "value": "CTB-Locker WEB", "description": "Ransomware websites only", "meta": { "refs": [ "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/", "https://github.com/eyecatchup/Critroni-php" ] }, "uuid": "555b2c6f-0848-4ac1-9443-e4c20814459a" }, { "value": "CuteRansomware", "description": "Ransomware Based on my-Little-Ransomware", "meta": { "synonyms": [ "my-Little-Ransomware" ], "extensions": [ ".已加密", ".encrypted" ], "encryption": "AES-128", "ransomnotes": [ "你的檔案被我們加密啦!!!.txt", "Your files encrypted by our friends !!! txt" ], "refs": [ "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool", "https://github.com/aaaddress1/my-Little-Ransomware" ] }, "uuid": "1a369bbf-6f03-454c-b507-15abe2a8bbb4" }, { "value": "Cyber SpLiTTer Vbs", "description": "Ransomware Based on HiddenTear", "meta": { "synonyms": [ "CyberSplitter" ], "refs": [ "https://twitter.com/struppigel/status/778871886616862720", "https://twitter.com/struppigel/status/806758133720698881" ] }, "uuid": "587589df-ee42-43f4-9480-c65d6e1d7e0f" }, { "value": "Death Bitches", "description": "Ransomware", "meta": { "extensions": [ ".locked" ], "ransomnotes": [ "READ_IT.txt" ], "refs": [ "https://twitter.com/JaromirHorejsi/status/815555258478981121" ] }, "uuid": "0f074c07-613d-43cb-bd5f-37c747d39fe2" }, { "value": "DeCrypt Protect", "description": "Ransomware", "meta": { "extensions": [ ".html" ], "refs": [ "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/" ] }, "uuid": "c80c78ae-fc05-44cf-8b47-4d50c103ca70" }, { "value": "DEDCryptor", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".ded" ], "encryption": "AES-256", "refs": [ "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/", "http://www.nyxbone.com/malware/DEDCryptor.html" ] }, "uuid": "496b6c3c-771a-46cd-8e41-ce7c4168ae20" }, { "value": "Demo", "description": "Ransomware only encrypts .jpg files", "meta": { "extensions": [ ".encrypted" ], "ransomnotes": [ "HELP_YOUR_FILES.txt" ], "refs": [ "https://twitter.com/struppigel/status/798573300779745281" ] }, "uuid": "b314d86f-92bb-4be3-b32a-19d6f8eb55d4" }, { "value": "DetoxCrypto", "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte", "meta": { "encryption": "AES", "refs": [ "http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/" ] }, "uuid": "be094d75-eba8-4ff3-91f1-f8cde687e5ed" }, { "value": "Digisom", "description": "Ransomware", "meta": { "ransomnotes": [ "Digisom Readme0.txt (0 to 9)" ], "refs": [ "https://twitter.com/PolarToffee/status/829727052316160000" ] }, "uuid": "c5b2a0bc-352f-481f-8c35-d378754793c0" }, { "value": "DirtyDecrypt", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/demonslay335/status/752586334527709184" ] }, "uuid": "5ad8a530-3ab9-48b1-9a75-e1e97b3f77ec" }, { "value": "DMALocker", "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0", "meta": { "encryption": "AES-256 in ECB mode, Version 2-4 also RSA", "ransomnotes": [ "cryptinfo.txt", "decrypting.txt", "start.txt" ], "refs": [ "https://decrypter.emsisoft.com/", "https://github.com/hasherezade/dma_unlocker", "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" ] }, "uuid": "407ebc7c-5b05-488f-862f-b2bf6c562372" }, { "value": "DMALocker 3.0", "description": "Ransomware", "meta": { "encryption": "AES-256 + XPTLOCK5.0", "refs": [ "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/" ] }, "uuid": "ba39be57-c138-48d5-b46b-d996ff899ffa" }, { "value": "DNRansomware", "description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT", "meta": { "extensions": [ ".fucked" ], "refs": [ "https://twitter.com/BleepinComputer/status/822500056511213568" ] }, "uuid": "45cae006-5d14-4c95-bb5b-dcf5555d7c78" }, { "value": "Domino", "description": "Ransomware Based on Hidden Tear", "meta": { "extensions": [ ".domino" ], "encryption": "AES-256", "ransomnotes": [ "README_TO_RECURE_YOUR_FILES.txt" ], "refs": [ "http://www.nyxbone.com/malware/Domino.html", "http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/" ] }, "uuid": "7cb20800-2033-49a4-bdf8-a7da5a24f7f1" }, { "value": "DoNotChange", "description": "Ransomware", "meta": { "extensions": [ ".id-7ES642406.cry", ".Do_not_change_the_filename" ], "encryption": "AES-128", "ransomnotes": [ "HOW TO DECODE FILES!!!.txt", "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt" ], "refs": [ "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/" ] }, "uuid": "2e6f4fa6-5fdf-4d69-b764-063d88ba1dd0" }, { "value": "DummyLocker", "description": "Ransomware", "meta": { "extensions": [ ".dCrypt" ], "refs": [ "https://twitter.com/struppigel/status/794108322932785158" ] }, "uuid": "55446b3a-fdc7-4c75-918a-2d9fb5cdf3ff" }, { "value": "DXXD", "description": "Ransomware", "meta": { "extensions": [ ".dxxd" ], "ransomnotes": [ "ReadMe.TxT" ], "refs": [ "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/", "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/" ] }, "uuid": "57108b9e-5af8-4797-9924-e424cb5e9903" }, { "value": "HiddenTear", "description": "Ransomware Open sourced C#", "meta": { "synonyms": [ "Cryptear", "EDA2" ], "extensions": [ ".locked" ], "encryption": "AES-256", "refs": [ "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html" ] }, "uuid": "254f4f67-d850-4dc5-8ddb-2e955ddea287" }, { "value": "EduCrypt", "description": "Ransomware Based on Hidden Tear", "meta": { "synonyms": [ "EduCrypter" ], "extensions": [ ".isis", ".locked" ], "ransomnotes": [ "README.txt" ], "refs": [ "http://www.filedropper.com/decrypter_1", "https://twitter.com/JakubKroustek/status/747031171347910656" ] }, "uuid": "826a341a-c329-4e1e-bc9f-5d44c8317557" }, { "value": "EiTest", "description": "Ransomware", "meta": { "extensions": [ ".crypted" ], "refs": [ "https://twitter.com/BroadAnalysis/status/845688819533930497", "https://twitter.com/malwrhunterteam/status/845652520202616832" ] }, "uuid": "0a24ea0d-3f8a-428a-8b77-ef5281c1ee05" }, { "value": "El-Polocker", "description": "Ransomware Has a GUI", "meta": { "synonyms": [ "Los Pollos Hermanos" ], "extensions": [ ".ha3" ], "ransomnotes": [ "qwer.html", "qwer2.html", "locked.bmp" ] }, "uuid": "63d9cb32-a1b9-46c3-818a-df16d8b9e46a" }, { "value": "Encoder.xxxx", "description": "Ransomware Coded in GO", "meta": { "synonyms": [ "Trojan.Encoder.6491" ], "ransomnotes": [ "Instructions.html" ], "refs": [ "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/", "http://vms.drweb.ru/virus/?_is=1&i=8747343" ] }, "uuid": "f855609e-b7ab-41e8-aafa-62016f8f4e1a" }, { "value": "encryptoJJS", "description": "Ransomware", "meta": { "extensions": [ ".enc" ], "ransomnotes": [ "How to recover.enc" ] }, "uuid": "3e5deef2-bace-40bc-beb1-5d9009233667" }, { "value": "Enigma", "description": "Ransomware", "meta": { "extensions": [ ".enigma", ".1txt" ], "encryption": "AES-128", "ransomnotes": [ "enigma.hta", "enigma_encr.txt", "enigma_info.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/" ] }, "uuid": "1b24d240-df72-4388-946b-efa07a9447bb" }, { "value": "Enjey", "description": "Ransomware Based on RemindMe", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/839022018230112256" ] }, "uuid": "198891fb-26a4-455a-9719-4130bedba103" }, { "value": "Fairware", "description": "Ransomware Target Linux O.S.", "meta": { "refs": [ "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/" ] }, "uuid": "6771b42f-1d95-4b2e-bbb5-9ab703bbaa9d" }, { "value": "Fakben", "description": "Ransomware Based on Hidden Tear", "meta": { "extensions": [ ".locked" ], "ransomnotes": [ "READ ME FOR DECRYPT.txt" ], "refs": [ "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code" ] }, "uuid": "c308346a-2746-4900-8149-464a09086b55" }, { "value": "FakeCryptoLocker", "description": "Ransomware", "meta": { "extensions": [ ".cryptolocker" ], "refs": [ "https://twitter.com/PolarToffee/status/812312402779836416" ] }, "uuid": "abddc01f-7d76-47d4-985d-ea6d16acccb1" }, { "value": "Fantom", "description": "Ransomware Based on EDA2", "meta": { "synonyms": [ "Comrad Circle" ], "extensions": [ ".fantom", ".comrade" ], "encryption": "AES-128", "ransomnotes": [ "DECRYPT_YOUR_FILES.HTML", "RESTORE-FILES![id]" ], "refs": [ "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/" ] }, "uuid": "35be87a5-b498-4693-8b8d-8b17864ac088" }, { "value": "FenixLocker", "description": "Ransomware", "meta": { "extensions": [ ".FenixIloveyou!!" ], "ransomnotes": [ "Help to decrypt.txt" ], "refs": [ "https://decrypter.emsisoft.com/fenixlocker", "https://twitter.com/fwosar/status/777197255057084416" ] }, "uuid": "f9f54046-ed5d-4353-8b81-d92b51f596b4" }, { "value": "FILE FROZR", "description": "Ransomware RaaS", "meta": { "refs": [ "https://twitter.com/rommeljoven17/status/846973265650335744" ] }, "uuid": "2a50f476-7355-4d58-b0ce-4235b2546c90" }, { "value": "FileLocker", "description": "Ransomware", "meta": { "extensions": [ ".ENCR" ], "refs": [ "https://twitter.com/jiriatvirlab/status/836616468775251968" ] }, "uuid": "b92bc550-7edb-4f8f-96fc-cf47d437df32" }, { "value": "FireCrypt", "description": "Ransomware", "meta": { "extensions": [ ".firecrypt" ], "encryption": "AES-256", "ransomnotes": [ "[random_chars]-READ_ME.html" ], "refs": [ "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ] }, "uuid": "721ba430-fd28-454c-8512-24339ef2235f" }, { "value": "Flyper", "description": "Ransomware Based on EDA2 / HiddenTear", "meta": { "extensions": [ ".locked" ], "refs": [ "https://twitter.com/malwrhunterteam/status/773771485643149312" ] }, "uuid": "1a110f7e-8820-4a9a-86c0-db4056f0b911" }, { "value": "Fonco", "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents", "meta": { "ransomnotes": [ "help-file-decrypt.enc", "/pronk.txt" ] }, "uuid": "3d75cb84-2f14-408d-95bd-f1316bf854e6" }, { "value": "FortuneCookie ", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/struppigel/status/842302481774321664" ] }, "uuid": "2db3aafb-b219-4b52-8dfe-ce41416ebeab" }, { "value": "Free-Freedom", "description": "Ransomware Unlock code is: adam or adamdude9", "meta": { "synonyms": [ "Roga" ], "extensions": [ ".madebyadam" ], "refs": [ "https://twitter.com/BleepinComputer/status/812135608374226944" ] }, "uuid": "175ebcc0-d74f-49b2-9226-c660ca1fe2e8" }, { "value": "FSociety", "description": "Ransomware Based on EDA2 and RemindMe", "meta": { "extensions": [ ".fs0ciety", ".dll" ], "ransomnotes": [ "fs0ciety.html", "DECRYPT_YOUR_FILES.HTML" ], "refs": [ "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/", "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/", "https://twitter.com/siri_urz/status/795969998707720193" ] }, "uuid": "d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f" }, { "value": "Fury", "description": "Ransomware", "meta": { "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] }, "uuid": "291997b1-72b6-43ea-9365-b4d55eddca71" }, { "value": "GhostCrypt", "description": "Ransomware Based on Hidden Tear", "meta": { "extensions": [ ".Z81928819" ], "encryption": "AES-256", "refs": [ "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip", "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/" ] }, "uuid": "3b681f76-b0e4-4ba7-a113-5dd87d6ee53b" }, { "value": "Gingerbread", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/ni_fi_70/status/796353782699425792" ] }, "uuid": "c6419971-47f8-4c80-a685-77292ff30fa7" }, { "value": "Globe v1", "description": "Ransomware", "meta": { "synonyms": [ "Purge" ], "extensions": [ ".purge" ], "encryption": "Blowfish", "ransomnotes": [ "How to restore files.hta" ], "refs": [ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/" ] }, "uuid": "b247b6e5-f51b-4bb5-8f5a-1628843abe99" }, { "value": "GNL Locker", "description": "Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker", "meta": { "extensions": [ ".locked", ".locked, e.g., bill.!ID!8MMnF!ID!.locked" ], "encryption": "AES-256", "ransomnotes": [ "UNLOCK_FILES_INSTRUCTIONS.html and .txt" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/" ] }, "uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba" }, { "value": "Gomasom", "description": "Ransomware", "meta": { "extensions": [ ".crypt", "!___[EMAILADDRESS]_.crypt" ], "refs": [ "https://decrypter.emsisoft.com/" ] }, "uuid": "70b85861-f419-4ad5-9aa6-254db292e043" }, { "value": "Goopic", "description": "Ransomware", "meta": { "ransomnotes": [ "Your files have been crypted.html" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" ] }, "uuid": "3229a370-7a09-4b93-ad89-9555a847b1dd" }, { "value": "Gopher", "description": "Ransomware OS X ransomware (PoC)", "uuid": "ec461b8a-5390-4304-9d2a-a20c7ed6a9db" }, { "value": "Hacked", "description": "Ransomware Jigsaw Ransomware variant", "meta": { "extensions": [ ".versiegelt", ".encrypted", ".payrmts", ".locked", ".Locked" ], "refs": [ "https://twitter.com/demonslay335/status/806878803507101696" ] }, "uuid": "7f2df0cd-5962-4687-90a2-a49eab2b12bc" }, { "value": "HappyDayzz", "description": "Ransomware", "meta": { "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4", "refs": [ "https://twitter.com/malwrhunterteam/status/847114064224497666" ] }, "uuid": "e71c76f3-8274-4ec5-ac11-ac8b8286d069" }, { "value": "Harasom", "description": "Ransomware", "meta": { "extensions": [ ".html" ], "refs": [ "https://decrypter.emsisoft.com/" ] }, "uuid": "5cadd11c-002a-4062-bafd-aadb7d740f59" }, { "value": "HDDCryptor", "description": "Ransomware Uses https://diskcryptor.net for full disk encryption", "meta": { "synonyms": [ "Mamba" ], "encryption": "Custom (net shares), XTS-AES (disk)", "refs": [ "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho", "blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" ] }, "uuid": "95be4cd8-1d98-484f-a328-a5917a05e3c8" }, { "value": "Heimdall", "description": "Ransomware File marker: \"Heimdall---\"", "meta": { "encryption": "AES-128-CBC", "refs": [ "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/" ] }, "uuid": "c6d6ddf0-2afa-4cca-8982-ba2a7c0441ae" }, { "value": "Help_dcfile", "description": "Ransomware", "meta": { "extensions": [ ".XXX" ], "ransomnotes": [ "help_dcfile.txt" ] }, "uuid": "2fdc6daa-6b6b-41b9-9a25-1030101478c3" }, { "value": "Herbst", "description": "Ransomware", "meta": { "extensions": [ ".herbst" ], "encryption": "AES-256", "refs": [ "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" ] }, "uuid": "6489895b-0213-4564-9cfc-777df58d84c9" }, { "value": "Hi Buddy!", "description": "Ransomware Based on HiddenTear", "meta": { "extensions": [ ".cry" ], "encryption": "AES-256", "refs": [ "http://www.nyxbone.com/malware/hibuddy.html" ] }, "uuid": "a0d6563d-1e98-4e49-9151-39fbeb09ef76" }, { "value": "Hitler", "description": "Ransomware Deletes files", "meta": { "extensions": [ "removes extensions" ], "refs": [ "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/", "https://twitter.com/jiriatvirlab/status/825310545800740864" ] }, "uuid": "8807752b-bd26-45a7-ba34-c8ddd8e5781d" }, { "value": "HolyCrypt", "description": "Ransomware", "meta": { "extensions": [ "(encrypted)" ], "encryption": "AES", "refs": [ "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/" ] }, "uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c" }, { "value": "HTCryptor", "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear", "meta": { "refs": [ "https://twitter.com/BleepinComputer/status/803288396814839808" ] }, "uuid": "728aecfc-9b99-478f-a0a3-8c0fb6896353" }, { "value": "HydraCrypt", "description": "Ransomware CrypBoss Family", "meta": { "extensions": [ "hydracrypt_ID_[\\w]{8}" ], "ransomnotes": [ "README_DECRYPT_HYRDA_ID_[ID number].txt" ], "refs": [ "https://decrypter.emsisoft.com/", "http://www.malware-traffic-analysis.net/2016/02/03/index2.html" ] }, "uuid": "335c3ab6-8f2c-458c-92a3-2f3a09a6064c" }, { "value": "iLock", "description": "Ransomware", "meta": { "extensions": [ ".crime" ], "refs": [ "https://twitter.com/BleepinComputer/status/817085367144873985" ] }, "uuid": "68e90fa4-ea66-4159-b454-5f48fdae3d89" }, { "value": "iLockLight", "description": "Ransomware", "meta": { "extensions": [ ".crime" ] }, "uuid": "cb374ee8-76c0-4db8-9026-a57a51d9a0a1" }, { "value": "International Police Association", "description": "Ransomware CryptoTorLocker2015 variant", "meta": { "extensions": [ "<6 random characters>" ], "ransomnotes": [ "%Temp%\\.bmp" ], "refs": [ "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe" ] }, "uuid": "a66fbb1e-ba59-48c1-aac8-8678b4a98dc1" }, { "value": "iRansom", "description": "Ransomware", "meta": { "extensions": [ ".Locked" ], "refs": [ "https://twitter.com/demonslay335/status/796134264744083460" ] }, "uuid": "4514ecd4-850d-446f-82cb-0668d2c94ffa" }, { "value": "JagerDecryptor", "description": "Ransomware Prepends filenames", "meta": { "extensions": [ "!ENC" ], "ransomnotes": [ "Important_Read_Me.html" ], "refs": [ "https://twitter.com/JakubKroustek/status/757873976047697920" ] }, "uuid": "25a086aa-e25c-4190-a848-69d9f46fd8ab" }, { "value": "Jeiphoos", "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.", "meta": { "synonyms": [ "Encryptor RaaS", "Sarento" ], "encryption": "RC6 (files), RSA 2048 (RC6 key)", "ransomnotes": [ "readme_liesmich_encryptor_raas.txt" ], "refs": [ "http://www.nyxbone.com/malware/RaaS.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/" ] }, "uuid": "50014fe7-5efd-4639-82ef-30d36f4d2918" }, { "value": "Jhon Woddy", "description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH", "meta": { "extensions": [ ".killedXXX" ], "refs": [ "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip", "https://twitter.com/BleepinComputer/status/822509105487245317" ] }, "uuid": "fedd7285-d4bd-4411-985e-087954cee96d" }, { "value": "Jigsaw", "description": "Ransomware Has a GUI", "meta": { "synonyms": [ "CryptoHitMan" ], "extensions": [ ".btc", ".kkk", ".fun", ".gws", ".porno", ".payransom", ".payms", ".paymst", ".AFD", ".paybtcs", ".epic", ".xyz", ".encrypted", ".hush", ".paytounlock", ".uk-dealer@sigaint.org", ".gefickt", ".nemo-hacks.at.sigaint.org", ".LolSec" ], "encryption": "AES-256", "refs": [ "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/", "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/", "https://twitter.com/demonslay335/status/795819556166139905" ] }, "uuid": "1e3384ae-4b48-4c96-b7c2-bc1cc1eda203" }, { "value": "Job Crypter", "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", "meta": { "extensions": [ ".locked", ".css" ], "encryption": "TripleDES", "ransomnotes": [ "Comment débloquer mes fichiers.txt", "Readme.txt" ], "refs": [ "http://www.nyxbone.com/malware/jobcrypter.html", "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html", "https://twitter.com/malwrhunterteam/status/828914052973858816" ] }, "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a" }, { "value": "JohnyCryptor", "description": "Ransomware", "uuid": "5af5be3e-549f-4485-8c2e-1459d4e5c7d7" }, { "value": "KawaiiLocker", "description": "Ransomware", "meta": { "ransomnotes": [ "How Decrypt Files.txt" ], "refs": [ "https://safezone.cc/resources/kawaii-decryptor.195/" ] }, "uuid": "b6d0ea4d-4e55-4b42-9d60-485d605d6c49" }, { "value": "KeRanger", "description": "Ransomware OS X Ransomware", "meta": { "extensions": [ ".encrypted" ], "encryption": "AES", "refs": [ "http://news.drweb.com/show/?i=9877&lng=en&c=5", "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/" ] }, "uuid": "63292b32-9867-4fb2-9e59-d4983d4fd5d1" }, { "value": "KeyBTC", "description": "Ransomware", "meta": { "extensions": [ "keybtc@inbox_com" ], "ransomnotes": [ "DECRYPT_YOUR_FILES.txt", "READ.txt", "readme.txt" ], "refs": [ "https://decrypter.emsisoft.com/" ] }, "uuid": "3964e617-dde5-4c95-b4a0-e7c19c6e7d7f" }, { "value": "KEYHolder", "description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address", "meta": { "ransomnotes": [ "how_decrypt.gif", "how_decrypt.html" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml" ] }, "uuid": "66eda328-9408-4e98-ad27-572fd6b2acd8" }, { "value": "KillerLocker", "description": "Ransomware Possibly Portuguese dev", "meta": { "extensions": [ ".rip" ], "refs": [ "https://twitter.com/malwrhunterteam/status/782232299840634881" ] }, "uuid": "ea8e7350-f243-4ef7-bc31-4648df8a4d96" }, { "value": "KimcilWare", "description": "Ransomware websites only", "meta": { "extensions": [ ".kimcilware", ".locked" ], "encryption": "AES", "refs": [ "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it", "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/" ] }, "uuid": "950e2514-8a7e-4fdb-a3ad-5679f6342e5d" }, { "value": "Korean", "description": "Ransomware Based on HiddenTear", "meta": { "extensions": [ ".암호화됨" ], "encryption": "AES-256", "ransomnotes": [ "ReadMe.txt" ], "refs": [ "http://www.nyxbone.com/malware/koreanRansom.html" ] }, "uuid": "4febffe0-3837-41d7-b95f-e26d126275e4" }, { "value": "Kozy.Jozy", "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com", "meta": { "synonyms": [ "QC" ], "extensions": [ ".31392E30362E32303136_[ID-KEY]_LSBJ1", ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" ], "encryption": "RSA-2048", "ransomnotes": [ "w.jpg" ], "refs": [ "http://www.nyxbone.com/malware/KozyJozy.html", "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/" ] }, "uuid": "47b5d261-11bd-4c7b-91f9-e5651578026a" }, { "value": "KratosCrypt", "description": "Ransomware kratosdimetrici@gmail.com", "meta": { "extensions": [ ".kratos" ], "ransomnotes": [ "README_ALL.html" ], "refs": [ "https://twitter.com/demonslay335/status/746090483722686465" ] }, "uuid": "cc819741-830b-4859-bb7c-ccedf3356acd" }, { "value": "KryptoLocker", "description": "Ransomware Based on HiddenTear", "meta": { "encryption": "AES-256", "ransomnotes": [ "KryptoLocker_README.txt" ] }, "uuid": "e68d4f37-704a-4f8e-9718-b12039fbe424" }, { "value": "LanRan", "description": "Ransomware Variant of open-source MyLittleRansomware", "meta": { "ransomnotes": [ "@__help__@" ], "refs": [ "https://twitter.com/struppigel/status/847689644854595584" ] }, "uuid": "9e152871-fb16-475d-bf3b-f3b870d0237a" }, { "value": "LeChiffre", "description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker", "meta": { "extensions": [ ".LeChiffre" ], "ransomnotes": [ "How to decrypt LeChiffre files.html" ], "refs": [ "https://decrypter.emsisoft.com/lechiffre", "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/" ] }, "uuid": "ea1ba874-07e6-4a6d-82f0-e4ce4210e34e" }, { "value": "Lick", "description": "Ransomware Variant of Kirk", "meta": { "extensions": [ ".Licked" ], "ransomnotes": [ "RANSOM_NOTE.txt" ], "refs": [ "https://twitter.com/JakubKroustek/status/842404866614038529" ] }, "uuid": "f2e76070-0cea-4c9c-8d6b-1d847e777575" }, { "value": "Linux.Encoder", "description": "Ransomware Linux Ransomware", "meta": { "synonyms": [ "Linux.Encoder.{0,3}" ], "refs": [ "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/" ] }, "uuid": "b4992483-a693-4e73-b39e-0f45c9f645b5" }, { "value": "LK Encryption", "description": "Ransomware Based on HiddenTear", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/845183290873044994" ] }, "uuid": "af52badb-3211-42b0-a1ac-e4d35d5829d7" }, { "value": "LLTP Locker", "description": "Ransomware Targeting Spanish speaking victims", "meta": { "extensions": [ ".ENCRYPTED_BY_LLTP", ".ENCRYPTED_BY_LLTPp" ], "encryption": "AES-256", "ransomnotes": [ "LEAME.txt" ], "refs": [ "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/" ] }, "uuid": "0cec6928-80c7-4085-ba47-cdc52177dfd3" }, { "value": "Locker", "description": "Ransomware has GUI", "meta": { "refs": [ "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545" ] }, "uuid": "abc7883c-244a-44ac-9c86-559dafa4eb63" }, { "value": "LockLock", "description": "Ransomware", "meta": { "extensions": [ ".locklock" ], "encryption": "AES-256", "ransomnotes": [ "READ_ME.TXT" ], "refs": [ "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/" ] }, "uuid": "7850bf92-394b-443b-8830-12f9ddbb50dc" }, { "value": "Locky", "description": "Ransomware Affiliations with Dridex and Necurs botnets", "meta": { "extensions": [ ".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir", ".zzzzz", ".osiris", "([A-F0-9]{32}).locky", "([A-F0-9]{32}).zepto", "([A-F0-9]{32}).odin", "([A-F0-9]{32}).shit", "([A-F0-9]{32}).thor", "([A-F0-9]{32}).aesir", "([A-F0-9]{32}).zzzzz", "([A-F0-9]{32}).osiris", ".lukitus" ], "encryption": "AES-128", "ransomnotes": [ "_Locky_recover_instructions.txt", "_Locky_recover_instructions.bmp", "_HELP_instructions.txt", "_HELP_instructions.bmp", "_HOWDO_text.html", "_WHAT_is.html", "_INSTRUCTION.html", "DesktopOSIRIS.(bmp|htm)", "OSIRIS-[0-9]{4}.htm", "lukitus.htm", "lukitus.bmp." ], "refs": [ "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/", "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/" ] }, "uuid": "8d51a22e-3485-4480-af96-8ed0305a7aa6" }, { "value": "Lortok", "description": "Ransomware", "meta": { "extensions": [ ".crime" ] }, "uuid": "bc23872a-7cd3-4a66-9d25-6b4e6f90cc4e" }, { "value": "LowLevel04", "description": "Ransomware Prepends filenames", "meta": { "extensions": [ "oor." ] }, "uuid": "d4fb0463-6cd1-45ac-a7d2-6eea8be39590" }, { "value": "M4N1F3STO", "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga", "meta": { "refs": [ "https://twitter.com/jiriatvirlab/status/808015275367002113" ] }, "uuid": "f5d19af8-1c85-408b-818e-db50208d62b1" }, { "value": "Mabouia", "description": "Ransomware OS X ransomware (PoC)", "uuid": "f9214319-6ad4-4c4e-bc6d-fb710f61da48" }, { "value": "MacAndChess", "description": "Ransomware Based on HiddenTear", "uuid": "fae8bf6e-47d1-4449-a1c6-761a4970fc38" }, { "value": "Magic", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".magic" ], "encryption": "AES-256", "ransomnotes": [ "DECRYPT_ReadMe1.TXT", "DECRYPT_ReadMe.TXT" ] }, "uuid": "31fa83fc-8247-4347-940a-e463acd66bac" }, { "value": "MaktubLocker", "description": "Ransomware", "meta": { "extensions": [ "[a-z]{4,6}" ], "encryption": "AES-256 + RSA-2048", "ransomnotes": [ "_DECRYPT_INFO_[extension pattern].html" ], "refs": [ "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" ] }, "uuid": "ef6ceb04-243e-4783-b476-8e8e9f06e8a7" }, { "value": "MarsJoke", "description": "Ransomware", "meta": { "extensions": [ ".a19", ".ap19" ], "ransomnotes": [ "!!! Readme For Decrypt !!!.txt", "ReadMeFilesDecrypt!!!.txt" ], "refs": [ "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/", "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker" ] }, "uuid": "933bd53f-5ccf-4262-a70c-c01a6f05af3e" }, { "value": "Meister", "description": "Ransomware Targeting French victims", "meta": { "refs": [ "https://twitter.com/siri_urz/status/840913419024945152" ] }, "uuid": "ce5a82ef-d2a3-405c-ac08-3dca71057eb5" }, { "value": "Meteoritan", "description": "Ransomware", "meta": { "ransomnotes": [ "where_are_your_files.txt", "readme_your_files_have_been_encrypted.txt" ], "refs": [ "https://twitter.com/malwrhunterteam/status/844614889620561924" ] }, "uuid": "34f292d9-cb68-4bcf-a3db-a717362aca77" }, { "value": "MIRCOP", "description": "Ransomware Prepends files Demands 48.48 BTC", "meta": { "synonyms": [ "Crypt888" ], "extensions": [ "Lock." ], "encryption": "AES", "refs": [ "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/", "https://www.avast.com/ransomware-decryption-tools#!", "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/", "http://www.nyxbone.com/malware/Mircop.html" ] }, "uuid": "7dd326a5-1168-4309-98b1-f2146d9cf8c7" }, { "value": "MireWare", "description": "Ransomware Based on HiddenTear", "meta": { "extensions": [ ".fucked", ".fuck" ], "encryption": "AES-256", "ransomnotes": [ "READ_IT.txt" ] }, "uuid": "9f01ded7-99f6-4863-b3a3-9d32aabf96c3" }, { "value": "Mischa", "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe", "meta": { "synonyms": [ "\"Petya's little brother\"" ], "extensions": [ ".([a-zA-Z0-9]{4})" ], "ransomnotes": [ "YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT " ], "refs": [ "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/" ] }, "uuid": "a029df89-2bb1-409d-878b-a67572217a65" }, { "value": "MM Locker", "description": "Ransomware Based on EDA2", "meta": { "synonyms": [ "Booyah" ], "extensions": [ ".locked" ], "encryption": "AES-256", "ransomnotes": [ "READ_IT.txt" ], "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" ] }, "uuid": "b95aa3fb-9f32-450e-8058-67d94f196913" }, { "value": "Mobef", "description": "Ransomware", "meta": { "synonyms": [ "Yakes", "CryptoBit" ], "extensions": [ ".KEYZ", ".KEYH0LES" ], "ransomnotes": [ "4-14-2016-INFECTION.TXT", "IMPORTANT.README" ], "refs": [ "http://nyxbone.com/malware/Mobef.html", "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/", "http://nyxbone.com/images/articulos/malware/mobef/0.png" ] }, "uuid": "681f212a-af1b-4e40-a718-81b0dc46dc52" }, { "value": "Monument", "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/844826339186135040" ] }, "uuid": "2702fb96-8118-4519-bd75-23eed40f25e9" }, { "value": "N-Splitter", "description": "Ransomware Russian Koolova Variant", "meta": { "extensions": [ ".кибер разветвитель" ], "refs": [ "https://twitter.com/JakubKroustek/status/815961663644008448", "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q" ] }, "uuid": "8ec55495-fb31-49c7-a720-40250b5e085f" }, { "value": "n1n1n1", "description": "Ransomware Filemaker: \"333333333333\"", "meta": { "ransomnotes": [ "decrypt explanations.html" ], "refs": [ "https://twitter.com/demonslay335/status/790608484303712256", "https://twitter.com/demonslay335/status/831891344897482754" ] }, "uuid": "a439b37b-e123-4b1d-9400-94aca70b223a" }, { "value": "NanoLocker", "description": "Ransomware no extension change, has a GUI", "meta": { "encryption": "AES-256 + RSA", "ransomnotes": [ "ATTENTION.RTF" ], "refs": [ "http://github.com/Cyberclues/nanolocker-decryptor" ] }, "uuid": "03a91686-c607-49a8-a4e2-2054833c0013" }, { "value": "Nemucod", "description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes", "meta": { "extensions": [ ".crypted" ], "encryption": "XOR(255) + 7zip", "ransomnotes": [ "Decrypted.txt" ], "refs": [ "https://decrypter.emsisoft.com/nemucod", "https://github.com/Antelox/NemucodFR", "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/", "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/" ] }, "uuid": "f1ee9ae8-b798-4e6f-8f98-874395d0fa18" }, { "value": "Netix", "description": "Ransomware", "meta": { "synonyms": [ "RANSOM_NETIX.A" ], "extensions": [ "AES-256" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/" ] }, "uuid": "5d3ec71e-9e0f-498a-aa33-0433799e80b4" }, { "value": "Nhtnwcuf", "description": "Ransomware Does not encrypt the files / Files are destroyed", "meta": { "ransomnotes": [ "!_RECOVERY_HELP_!.txt", "HELP_ME_PLEASE.txt" ], "refs": [ "https://twitter.com/demonslay335/status/839221457360195589" ] }, "uuid": "1d8e8ca3-da2a-494c-9db3-5b1b6277c363" }, { "value": "NMoreira", "description": "Ransomware", "meta": { "synonyms": [ "XRatTeam", "XPan" ], "extensions": [ ".maktub", ".__AiraCropEncrypted!" ], "encryption": "mix of RSA and AES-256", "ransomnotes": [ "Recupere seus arquivos. Leia-me!.txt" ], "refs": [ "https://decrypter.emsisoft.com/nmoreira", "https://twitter.com/fwosar/status/803682662481174528" ] }, "uuid": "51f00a39-f4b9-4ed2-ba0d-258c6bf3f71a" }, { "value": "NoobCrypt", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/JakubKroustek/status/757267550346641408", "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/" ] }, "uuid": "aeb76911-ed45-4bf2-9a60-e023386e02a4" }, { "value": "Nuke", "description": "Ransomware", "meta": { "extensions": [ ".nuclear55" ], "encryption": "AES", "ransomnotes": [ "!!_RECOVERY_instructions_!!.html", "!!_RECOVERY_instructions_!!.txt" ] }, "uuid": "e0bcb7d2-6032-43a0-b490-c07430d8a598" }, { "value": "Nullbyte", "description": "Ransomware", "meta": { "extensions": [ "_nullbyte" ], "refs": [ "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip", "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/" ] }, "uuid": "460b700b-5d03-43f9-99e7-916ff180a036" }, { "value": "ODCODC", "description": "Ransomware", "meta": { "extensions": [ ".odcodc", "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc" ], "encryption": "XOR", "ransomnotes": [ "HOW_TO_RESTORE_FILES.txt" ], "refs": [ "http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip", "http://www.nyxbone.com/malware/odcodc.html", "https://twitter.com/PolarToffee/status/813762510302183424", "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png" ] }, "uuid": "f90724e4-c148-4479-ae1a-109498b4688f" }, { "value": "Offline ransomware", "description": "Ransomware email addresses overlap with .777 addresses", "meta": { "synonyms": [ "Vipasana", "Cryakl" ], "extensions": [ ".cbf", "email-[params].cbf" ], "ransomnotes": [ "desk.bmp", "desk.jpg" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547", "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html" ] }, "uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39" }, { "value": "OMG! Ransomware", "description": "Ransomware", "meta": { "synonyms": [ "GPCode" ], "extensions": [ ".LOL!", ".OMG!" ], "ransomnotes": [ "how to get data.txt" ] }, "uuid": "7914f9c9-3257-464c-b918-3754c4d018af" }, { "value": "Operation Global III", "description": "Ransomware Is a file infector (virus)", "meta": { "extensions": [ ".EXE" ], "refs": [ "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/" ] }, "uuid": "e5800883-c663-4eb0-b05e-6034df5bc6e0" }, { "value": "Owl", "description": "Ransomware", "meta": { "synonyms": [ "CryptoWire" ], "extensions": [ "dummy_file.encrypted", "dummy_file.encrypted.[extension]" ], "ransomnotes": [ "log.txt" ], "refs": [ "https://twitter.com/JakubKroustek/status/842342996775448576" ] }, "uuid": "4bb11db7-17a0-4536-b817-419ae6299004" }, { "value": "PadCrypt", "description": "Ransomware has a live support chat", "meta": { "extensions": [ ".padcrypt" ], "ransomnotes": [ "IMPORTANT READ ME.txt", "File Decrypt Help.html" ], "refs": [ "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", "https://twitter.com/malwrhunterteam/status/798141978810732544" ] }, "uuid": "57c5df76-e72f-41b9-be29-89395f83a77c" }, { "value": "Padlock Screenlocker", "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R", "meta": { "refs": [ "https://twitter.com/BleepinComputer/status/811635075158839296" ] }, "uuid": "8f41c9ce-9bd4-4bbd-96d7-c965d1621be7" }, { "value": "Patcher", "description": "Ransomware Targeting macOS users", "meta": { "extensions": [ ".crypt" ], "ransomnotes": [ "README!.txt" ], "refs": [ "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/", "https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/" ] }, "uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba" }, { "value": "Petya", "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe", "meta": { "synonyms": [ "Goldeneye" ], "encryption": "Modified Salsa20", "ransomnotes": [ "YOUR_FILES_ARE_ENCRYPTED.TXT" ], "refs": [ "http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator", "https://www.youtube.com/watch?v=mSqxFjZq_z4", "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/", "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/" ] }, "uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a" }, { "value": "Philadelphia", "description": "Ransomware Coded by \"The_Rainmaker\"", "meta": { "extensions": [ ".locked", ".locked" ], "encryption": "AES-256", "refs": [ "https://decrypter.emsisoft.com/philadelphia", "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" ] }, "uuid": "6fd25982-9cf8-4379-a126-433c91aaadf2" }, { "value": "PizzaCrypts", "description": "Ransomware", "meta": { "extensions": [ ".id-[victim_id]-maestro@pizzacrypts.info" ], "refs": [ "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip" ] }, "uuid": "2482122b-1df6-488e-8867-215b165a4f66" }, { "value": "PokemonGO", "description": "Ransomware Based on Hidden Tear", "meta": { "extensions": [ ".locked" ], "encryption": "AES-256", "refs": [ "http://www.nyxbone.com/malware/pokemonGO.html", "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/" ] }, "uuid": "8b151275-d4c4-438a-9d06-92da2835586d" }, { "value": "Polyglot", "description": "Ransomware Immitates CTB-Locker", "meta": { "encryption": "AES-256", "refs": [ "https://support.kaspersky.com/8547", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" ] }, "uuid": "b22cafb4-ccef-4935-82f4-631a6e539b8e" }, { "value": "PowerWare", "description": "Ransomware Open-sourced PowerShell", "meta": { "synonyms": [ "PoshCoder" ], "extensions": [ ".locky" ], "encryption": "AES-128", "refs": [ "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py", "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip", "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/", "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/" ] }, "uuid": "9fa93bb7-2997-4864-aa0e-0e667990dec8" }, { "value": "PowerWorm", "description": "Ransomware no decryption possible, throws key away, destroys the files", "meta": { "encryption": "AES", "ransomnotes": [ "DECRYPT_INSTRUCTION.html" ] }, "uuid": "b54d59d7-b604-4b01-8002-5a2930732ca6" }, { "value": "Princess Locker", "description": "Ransomware", "meta": { "extensions": [ "[a-z]{4,6},[0-9]" ], "ransomnotes": [ "!_HOW_TO_RESTORE_[extension].TXT", "!_HOW_TO_RESTORE_[extension].html", "!_HOW_TO_RESTORE_*id*.txt", ".*id*", "@_USE_TO_FIX_JJnY.txt" ], "refs": [ "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/" ] }, "uuid": "7c8ff7e5-2cad-48e8-92e8-4c8226933cbc" }, { "value": "PRISM", "description": "Ransomware", "meta": { "refs": [ "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/" ] }, "uuid": "c0ebfb75-254d-4d85-9d02-a7af8e655068" }, { "value": "Ps2exe", "description": "Ransomware", "meta": { "refs": [ "https://twitter.com/jiriatvirlab/status/803297700175286273" ] }, "uuid": "1da6653c-8657-4cdc-9eaf-0df9d2ebbf10" }, { "value": "R", "description": "Ransomware", "meta": { "ransomnotes": [ "Ransomware.txt" ], "refs": [ "https://twitter.com/malwrhunterteam/status/846705481741733892" ] }, "uuid": "f7cd8956-2825-4104-94b1-e9589ab1089a" }, { "value": "R980", "description": "Ransomware", "meta": { "extensions": [ ".crypt" ], "ransomnotes": [ "DECRYPTION INSTRUCTIONS.txt", "rtext.txt" ], "refs": [ "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" ] }, "uuid": "6a7ebb0a-78bc-4fdc-92ae-1b02976b5499" }, { "value": "RAA encryptor", "description": "Ransomware Possible affiliation with Pony", "meta": { "synonyms": [ "RAA" ], "extensions": [ ".locked" ], "ransomnotes": [ "!!!README!!![id].rtf" ], "refs": [ "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/", "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/" ] }, "uuid": "b6d4faa1-6d76-42ff-8a18-238eb70cff06" }, { "value": "Rabion", "description": "Ransomware RaaS Copy of Ranion RaaS", "meta": { "refs": [ "https://twitter.com/CryptoInsane/status/846181140025282561" ] }, "uuid": "4a95257a-6646-492f-93eb-d15dff7ce1eb" }, { "value": "Radamant", "description": "Ransomware", "meta": { "extensions": [ ".RDM", ".RRK", ".RAD", ".RADAMANT" ], "encryption": "AES-256", "ransomnotes": [ "YOUR_FILES.url" ], "refs": [ "https://decrypter.emsisoft.com/radamant", "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/", "http://www.nyxbone.com/malware/radamant.html" ] }, "uuid": "674c3bf6-2e16-427d-ab0f-b91676a460cd" }, { "value": "Rakhni", "description": "Ransomware Files might be partially encrypted", "meta": { "synonyms": [ "Agent.iih", "Aura", "Autoit", "Pletor", "Rotor", "Lamer", "Isda", "Cryptokluchen", "Bandarchor" ], "extensions": [ ".locked", ".kraken", ".darkness", ".nochance", ".oshit", ".oplata@qq_com", ".relock@qq_com", ".crypto", ".helpdecrypt@ukr.net", ".pizda@qq_com", ".dyatel@qq_com", "_ryp", ".nalog@qq_com", ".chifrator@qq_com", ".gruzin@qq_com", ".troyancoder@qq_com", ".encrypted", ".cry", ".AES256", ".enc", ".hb15", ".coderksu@gmail_com_id[0-9]{2,3}", ".crypt@india.com.[\\w]{4,12}" ], "ransomnotes": [ "\\fud.bmp", "\\paycrypt.bmp", "\\strongcrypt.bmp", "\\maxcrypt.bmp", "%APPDATA%\\Roaming\\.bmp" ], "refs": [ "https://support.kaspersky.com/us/viruses/disinfection/10556" ] }, "uuid": "c85a41a8-a0a1-4963-894f-84bb980e6e86" }, { "value": "Ramsomeer", "description": "Ransomware Based on the DUMB ransomware", "uuid": "5b81ea66-9a44-43d8-bceb-22e5b0582f8d" }, { "value": "Rannoh", "description": "Ransomware", "meta": { "extensions": [ "locked-.[a-zA-Z]{4}" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] }, "uuid": "d45f089b-efc7-45f8-a681-845374349d83" }, { "value": "RanRan", "description": "Ransomware", "meta": { "extensions": [ ".zXz" ], "ransomnotes": [ "VictemKey_0_5", "VictemKey_5_30", "VictemKey_30_100", "VictemKey_100_300", "VictemKey_300_700", "VictemKey_700_2000", "VictemKey_2000_3000", "VictemKey_3000", "zXz.html" ], "refs": [ "https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/", "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/" ] }, "uuid": "e01a0cfa-2c8c-4e08-963a-4fa1e8cc6a34" }, { "value": "Ransoc", "description": "Ransomware Doesn't encrypt user files", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles", "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/" ] }, "uuid": "f0fcbac5-6216-4c3c-adcb-3aa06ab23340" }, { "value": "Ransom32", "description": "Ransomware no extension change, Javascript Ransomware", "uuid": "d74e2fa6-6b8d-49ed-80f9-07b274eecef8" }, { "value": "RansomLock", "description": "Ransomware Locks the desktop", "meta": { "encryption": "Asymmetric 1024 ", "refs": [ "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2" ] }, "uuid": "24f98123-192c-4e31-b2ee-4c77afbdc3be" }, { "value": "RarVault", "description": "Ransomware", "meta": { "ransomnotes": [ "RarVault.htm" ] }, "uuid": "c8ee96a3-ac22-40c7-8ed2-df67aeaca08d" }, { "value": "Razy", "description": "Ransomware", "meta": { "extensions": [ ".razy", ".fear" ], "encryption": "AES-128", "refs": [ "http://www.nyxbone.com/malware/Razy(German).html", "http://nyxbone.com/malware/Razy.html" ] }, "uuid": "f2a38c7b-054e-49ab-aa0e-67a7aac71837" }, { "value": "Rector", "description": "Ransomware", "meta": { "extensions": [ ".vscrypt", ".infected", ".bloc", ".korrektor" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/4264" ] }, "uuid": "08f519f4-df8f-4baf-b7ac-c7a0c66f7e74" }, { "value": "RektLocker", "description": "Ransomware", "meta": { "extensions": [ ".rekt" ], "encryption": "AES-256", "ransomnotes": [ "Readme.txt" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/4264" ] }, "uuid": "5448f038-0558-45c7-bda7-76950f82846a" }, { "value": "RemindMe", "description": "Ransomware", "meta": { "extensions": [ ".remind", ".crashed" ], "ransomnotes": [ "decypt_your_files.html " ], "refs": [ "http://www.nyxbone.com/malware/RemindMe.html", "http://i.imgur.com/gV6i5SN.jpg" ] }, "uuid": "0120015c-7d37-469c-a966-7a0d42166e67" }, { "value": "Rokku", "description": "Ransomware possibly related with Chimera", "meta": { "extensions": [ ".rokku" ], "encryption": "Curve25519 + ChaCha", "ransomnotes": [ "README_HOW_TO_UNLOCK.TXT", "README_HOW_TO_UNLOCK.HTML" ], "refs": [ "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/" ] }, "uuid": "61184aea-e87b-467d-b36e-cfc75ccb242f" }, { "value": "RoshaLock", "description": "Ransomware Stores your files in a password protected RAR file", "meta": { "refs": [ "https://twitter.com/siri_urz/status/842452104279134209" ] }, "uuid": "e88a7509-9c79-42c1-8b0c-5e63af8e25b5" }, { "value": "Runsomewere", "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background", "meta": { "refs": [ "https://twitter.com/struppigel/status/801812325657440256" ] }, "uuid": "266b366b-2b4f-41af-a30f-eab1c63c9976" }, { "value": "RussianRoulette", "description": "Ransomware Variant of the Philadelphia ransomware", "meta": { "refs": [ "https://twitter.com/struppigel/status/823925410392080385" ] }, "uuid": "1149197c-89e7-4a8f-98aa-40ac0a9c0914" }, { "value": "SADStory", "description": "Ransomware Variant of CryPy", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/845356853039190016" ] }, "uuid": "6d81cee2-6c99-41fb-8b54-6581422d85dc" }, { "value": "Sage 2.2", "description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.", "meta": { "extensions": [ ".sage" ], "refs": [ "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate", "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/" ] }, "uuid": "eacf3aee-ffb1-425a-862f-874e444a218d" }, { "value": "Samas-Samsam", "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena", "meta": { "synonyms": [ "samsam.exe", "MIKOPONI.exe", "RikiRafael.exe", "showmehowto.exe" ], "extensions": [ ".encryptedAES", ".encryptedRSA", ".encedRSA", ".justbtcwillhelpyou", ".btcbtcbtc", ".btc-help-you", ".only-we_can-help_you", ".iwanthelpuuu", ".notfoundrans", ".encmywork", ".VforVendetta", ".theworldisyours", ".Whereisyourfiles", ".helpmeencedfiles", ".powerfulldecrypt", ".noproblemwedecfiles", ".weareyourfriends", ".otherinformation", ".letmetrydecfiles", ".encryptedyourfiles", ".weencedufiles", ".iaufkakfhsaraf", ".cifgksaffsfyghd" ], "encryption": "AES(256) + RSA(2096)", "ransomnotes": [ "HELP_DECRYPT_YOUR_FILES.html", "###-READ-FOR-HELLPP.html", "000-PLEASE-READ-WE-HELP.html", "CHECK-IT-HELP-FILES.html", "WHERE-YOUR-FILES.html", "HELP-ME-ENCED-FILES.html", "WE-MUST-DEC-FILES.html", "000-No-PROBLEM-WE-DEC-FILES.html", "TRY-READ-ME-TO-DEC.html", "000-IF-YOU-WANT-DEC-FILES.html", "LET-ME-TRY-DEC-FILES.html", "001-READ-FOR-DECRYPT-FILES.html", "READ-READ-READ.html", "IF_WANT_FILES_BACK_PLS_READ.html", "READ_READ_DEC_FILES.html" ], "refs": [ "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip", "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf" ] }, "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d" }, { "value": "Sanction", "description": "Ransomware Based on HiddenTear, but heavily modified keygen", "meta": { "extensions": [ ".sanction" ], "encryption": "AES-256 + RSA-2096", "ransomnotes": [ "DECRYPT_YOUR_FILES.HTML" ] }, "uuid": "e7b69fbe-26ba-49df-aa62-a64525f89343" }, { "value": "Sanctions", "description": "Ransomware", "meta": { "extensions": [ ".wallet" ], "encryption": "AES-256 + RSA-2048", "ransomnotes": [ "RESTORE_ALL_DATA.html" ], "refs": [ "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/" ] }, "uuid": "7b517c02-9f93-44c7-b957-10346803c43c" }, { "value": "Sardoninir", "description": "Ransomware", "meta": { "extensions": [ ".enc" ], "refs": [ "https://twitter.com/BleepinComputer/status/835955409953357825" ] }, "uuid": "6e49ecfa-1c25-4841-ae60-3b1c3c9c7710" }, { "value": "Satana", "description": "Ransomware", "meta": { "extensions": [ "Sarah_G@ausi.com___" ], "ransomnotes": [ "!satana!.txt" ], "refs": [ "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/", "https://blog.kaspersky.com/satana-ransomware/12558/" ] }, "uuid": "a127a59e-9e4c-4c2b-b833-cabd076c3016" }, { "value": "Scraper", "description": "Ransomware", "meta": { "refs": [ "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/" ] }, "uuid": "c0c685b8-a59d-4922-add9-e572d5fd48cd" }, { "value": "Serpico", "description": "Ransomware DetoxCrypto Variant", "meta": { "encryption": "AES", "refs": [ "http://www.nyxbone.com/malware/Serpico.html" ] }, "uuid": "bd4bfbab-c21d-4971-b70c-b180bcf40630" }, { "value": "Shark", "description": "Ransomware", "meta": { "synonyms": [ "Atom" ], "extensions": [ ".locked" ], "encryption": "AES-256", "ransomnotes": [ "Readme.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/", "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/" ] }, "uuid": "503c9910-902f-4bae-8c33-ea29db8bdd7f" }, { "value": "ShinoLocker", "description": "Ransomware", "meta": { "extensions": [ ".shino" ], "refs": [ "https://twitter.com/JakubKroustek/status/760560147131408384", "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/" ] }, "uuid": "bc029327-ee34-4eba-8933-bd85f2a1e9d1" }, { "value": "Shujin", "description": "Ransomware", "meta": { "synonyms": [ "KinCrypt" ], "ransomnotes": [ "文件解密帮助.txt" ], "refs": [ "http://www.nyxbone.com/malware/chineseRansom.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" ] }, "uuid": "b9963d52-a391-4e9c-92e7-d2a147d5451f" }, { "value": "Simple_Encoder", "description": "Ransomware", "meta": { "extensions": [ ".~" ], "encryption": "AES", "ransomnotes": [ "_RECOVER_INSTRUCTIONS.ini" ], "refs": [ "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/" ] }, "uuid": "2709b2ff-a2be-49a9-b268-2576170a5dff" }, { "value": "SkidLocker", "description": "Ransomware Based on EDA2", "meta": { "synonyms": [ "Pompous" ], "extensions": [ ".locked" ], "encryption": "AES-256", "ransomnotes": [ "READ_IT.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/", "http://www.nyxbone.com/malware/SkidLocker.html" ] }, "uuid": "44b6b99e-b1d9-4605-95c2-55c14c7c25be" }, { "value": "Smash!", "description": "Ransomware", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/" ] }, "uuid": "27283e74-abc6-4d8a-bcb6-a60804b8e264" }, { "value": "Smrss32", "description": "Ransomware", "meta": { "extensions": [ ".encrypted" ], "ransomnotes": [ "_HOW_TO_Decrypt.bmp" ] }, "uuid": "cd21bb2a-0c6a-463b-8c0e-16da251f69ae" }, { "value": "SNSLocker", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".RSNSlocked", ".RSplited" ], "encryption": "AES-256", "ransomnotes": [ "READ_Me.txt" ], "refs": [ "http://nyxbone.com/malware/SNSLocker.html", "http://nyxbone.com/images/articulos/malware/snslocker/16.png" ] }, "uuid": "82658f48-6a62-4dee-bd87-382e76b84c3d" }, { "value": "Sport", "description": "Ransomware", "meta": { "extensions": [ ".sport" ] }, "uuid": "9526efea-8853-42f2-89be-a04ee1ca4c7d" }, { "value": "Stampado", "description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key", "meta": { "extensions": [ ".locked" ], "encryption": "AES-256", "ransomnotes": [ "Random message includes bitcoin wallet address with instructions" ], "refs": [ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", "http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/", "https://decrypter.emsisoft.com/stampado", "https://cdn.streamable.com/video/mp4/kfh3.mp4", "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/" ] }, "uuid": "6b8729b0-7ffc-4d07-98de-e5210928b274" }, { "value": "Strictor", "description": "Ransomware Based on EDA2, shows Guy Fawkes mask", "meta": { "extensions": [ ".locked" ], "encryption": "AES-256", "refs": [ "http://www.nyxbone.com/malware/Strictor.html" ] }, "uuid": "d75bdd85-032a-46b7-a339-257fd5656c11" }, { "value": "Surprise", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".surprise", ".tzu" ], "encryption": "AES-256", "ransomnotes": [ "DECRYPTION_HOWTO.Notepad" ] }, "uuid": "6848b77c-92c8-40ec-90ac-9c14b9f17272" }, { "value": "Survey", "description": "Ransomware Still in development, shows FileIce survey", "meta": { "ransomnotes": [ "ThxForYurTyme.txt" ], "refs": [ "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ] }, "uuid": "11725992-3634-4715-ae17-b6f5ed13b877" }, { "value": "SynoLocker", "description": "Ransomware Exploited Synology NAS firmware directly over WAN", "uuid": "27740d5f-30cf-4c5c-812c-15c0918ce9f0" }, { "value": "SZFLocker", "description": "Ransomware", "meta": { "extensions": [ ".szf" ], "refs": [ "http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/" ] }, "uuid": "a7845bbe-d7e6-4c7b-a9b8-dccbd93bc4b2" }, { "value": "TeamXrat", "description": "Ransomware", "meta": { "extensions": [ ".___xratteamLucked" ], "encryption": "AES-256", "ransomnotes": [ "Como descriptografar os seus arquivos.txt" ], "refs": [ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ] }, "uuid": "65a31863-4f59-4c66-bc2d-31e8fb68bbe8" }, { "value": "TeslaCrypt 0.x - 2.2.0", "description": "Ransomware Factorization", "meta": { "synonyms": [ "AlphaCrypt" ], "extensions": [ ".vvv", ".ecc", ".exx", ".ezz", ".abc", ".aaa", ".zzz", ".xyz" ], "ransomnotes": [ "HELP_TO_SAVE_FILES.txt", "Howto_RESTORE_FILES.html" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.talosintel.com/teslacrypt_tool/" ] }, "uuid": "af92c71e-935e-4486-b4e7-319bf16d622e" }, { "value": "TeslaCrypt 3.0+", "description": "Ransomware 4.0+ has no extension", "meta": { "extensions": [ ".micro", ".xxx", ".ttt", ".mp3" ], "encryption": "AES-256 + ECHD + SHA1", "refs": [ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/" ] }, "uuid": "bd19dfff-7c8d-4c94-967e-f8ffc19e7dd9" }, { "value": "TeslaCrypt 4.1A", "description": "Ransomware", "meta": { "encryption": "AES-256 + ECHD + SHA1", "ransomnotes": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", "_how_recover+.txt", "_how_recover+.html", "help_recover_instructions+.html", "help_recover_instructions+.txt", "help_recover_instructions+.BMP", "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt", "HELP_TO_SAVE_FILES.txt", "HELP_TO_SAVE_FILES.bmp" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain" ] }, "uuid": "ab6b8f56-cf2d-4733-8f9c-df3d52c05e66" }, { "value": "TeslaCrypt 4.2", "description": "Ransomware", "meta": { "ransomnotes": [ "RECOVER<5_chars>.html", "RECOVER<5_chars>.png", "RECOVER<5_chars>.txt", "_how_recover+.txt", "_how_recover+.html", "help_recover_instructions+.BMP", "help_recover_instructions+.html", "help_recover_instructions+.txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt", "HELP_TO_SAVE_FILES.txt", "HELP_TO_SAVE_FILES.bmp" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/" ] }, "uuid": "eed65c12-b179-4002-a11b-7a2e2df5f0c8" }, { "value": "Threat Finder", "description": "Ransomware Files cannot be decrypted Has a GUI", "meta": { "ransomnotes": [ "HELP_DECRYPT.HTML" ] }, "uuid": "c0bce92a-63b8-4538-93dc-0911ae46596d" }, { "value": "TorrentLocker", "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted", "meta": { "synonyms": [ "Crypt0L0cker", "CryptoFortress", "Teerac" ], "extensions": [ ".Encrypted", ".enc" ], "encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt", "ransomnotes": [ "HOW_TO_RESTORE_FILES.html", "DECRYPT_INSTRUCTIONS.html", "DESIFROVANI_POKYNY.html", "INSTRUCCIONES_DESCIFRADO.html", "ISTRUZIONI_DECRITTAZIONE.html", "ENTSCHLUSSELN_HINWEISE.html", "ONTSLEUTELINGS_INSTRUCTIES.html", "INSTRUCTIONS_DE_DECRYPTAGE.html", "SIFRE_COZME_TALIMATI.html", "wie_zum_Wiederherstellen_von_Dateien.txt" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", "https://twitter.com/PolarToffee/status/804008236600934403", "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html" ] }, "uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9" }, { "value": "TowerWeb", "description": "Ransomware", "meta": { "ransomnotes": [ "Payment_Instructions.jpg" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/" ] }, "uuid": "4d470cf8-09b6-4d0e-8e5a-2f618e48c560" }, { "value": "Toxcrypt", "description": "Ransomware", "meta": { "extensions": [ ".toxcrypt" ], "ransomnotes": [ "tox.html" ] }, "uuid": "08fc7534-fe85-488b-92b0-630c0d91ecbe" }, { "value": "Trojan", "description": "Ransomware", "meta": { "synonyms": [ "BrainCrypt" ], "extensions": [ ".braincrypt" ], "ransomnotes": [ "!!! HOW TO DECRYPT FILES !!!.txt" ], "refs": [ "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip", "https://twitter.com/PolarToffee/status/811249250285842432" ] }, "uuid": "97673387-75ae-4da4-9a5f-38773f2492e7" }, { "value": "Troldesh orShade, XTBL", "description": "Ransomware May download additional malware after encryption", "meta": { "extensions": [ ".breaking_bad", ".better_call_saul", ".xtbl", ".da_vinci_code", ".windows10", ".no_more_ransom" ], "encryption": "AES-256", "ransomnotes": [ "README.txt", "nomoreransom_note_original.txt" ], "refs": [ "https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf", "http://www.nyxbone.com/malware/Troldesh.html", "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/" ] }, "uuid": "6c3dd006-3501-4ebc-ab86-b06e4d555194" }, { "value": "TrueCrypter", "description": "Ransomware", "meta": { "extensions": [ ".enc" ], "encryption": "AES-256", "refs": [ "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/" ] }, "uuid": "c46bfed8-7010-432a-8108-138f6d067000" }, { "value": "Turkish", "description": "Ransomware", "meta": { "extensions": [ ".sifreli" ], "refs": [ "https://twitter.com/struppigel/status/821991600637313024" ] }, "uuid": "132c39fc-1364-4210-aef9-48f73afc1108" }, { "value": "Turkish Ransom", "description": "Ransomware", "meta": { "extensions": [ ".locked" ], "encryption": "AES-256", "ransomnotes": [ "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html" ], "refs": [ "http://www.nyxbone.com/malware/turkishRansom.html" ] }, "uuid": "174dd201-0b0b-4a76-95c7-71f8141684d0" }, { "value": "UmbreCrypt", "description": "Ransomware CrypBoss Family", "meta": { "extensions": [ "umbrecrypt_ID_[VICTIMID]" ], "encryption": "AES", "ransomnotes": [ "README_DECRYPT_UMBRE_ID_[victim_id].jpg", "README_DECRYPT_UMBRE_ID_[victim_id].txt", "default32643264.bmp", "default432643264.jpg" ], "refs": [ "http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware" ] }, "uuid": "028b3489-51da-45d7-8bd0-62044e9ea49f" }, { "value": "UnblockUPC", "description": "Ransomware", "meta": { "ransomnotes": [ "Files encrypted.txt" ], "refs": [ "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/" ] }, "uuid": "5a9f9ebe-f4c8-4985-8890-743f59d658fd" }, { "value": "Ungluk", "description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key", "meta": { "extensions": [ ".H3LL", ".0x0", ".1999" ], "encryption": "AES", "ransomnotes": [ "READTHISNOW!!!.txt", "Hellothere.txt", "YOUGOTHACKED.TXT" ] }, "uuid": "bb8c6b80-91cb-4c01-b001-7b9e73228420" }, { "value": "Unlock92 ", "description": "Ransomware", "meta": { "extensions": [ ".CRRRT", ".CCCRRRPPP" ], "ransomnotes": [ "READ_ME_!.txt" ], "refs": [ "https://twitter.com/malwrhunterteam/status/839038399944224768" ] }, "uuid": "dfe760e5-f878-492d-91d0-05fa45a2849d" }, { "value": "VapeLauncher", "description": "Ransomware CryptoWire variant", "meta": { "refs": [ "https://twitter.com/struppigel/status/839771195830648833" ] }, "uuid": "7799247c-4e6a-4c20-b0b3-d8e6a8ab6783" }, { "value": "VaultCrypt", "description": "Ransomware", "meta": { "synonyms": [ "CrypVault", "Zlader" ], "extensions": [ ".vault", ".xort", ".trun" ], "encryption": "uses gpg.exe", "ransomnotes": [ "VAULT.txt", "xort.txt", "trun.txt", ".hta | VAULT.hta" ], "refs": [ "http://www.nyxbone.com/malware/russianRansom.html" ] }, "uuid": "63a82b7f-9a71-47a8-9a79-14acc6595da5" }, { "value": "VBRANSOM 7", "description": "Ransomware", "meta": { "extensions": [ ".VBRANSOM" ], "refs": [ "https://twitter.com/BleepinComputer/status/817851339078336513" ] }, "uuid": "44a56cd0-8cd8-486f-972d-4b1b416e9077" }, { "value": "VenusLocker", "description": "Ransomware Based on EDA2", "meta": { "extensions": [ ".Venusf", ".Venusp" ], "encryption": "AES-256", "ransomnotes": [ "ReadMe.txt" ], "refs": [ "https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social", "http://www.nyxbone.com/malware/venusLocker.html" ] }, "uuid": "7340c6d6-a16e-4a01-8bb4-8ad3edc64d28" }, { "value": "Virlock", "description": "Ransomware Polymorphism / Self-replication", "meta": { "extensions": [ ".exe" ], "refs": [ "http://www.nyxbone.com/malware/Virlock.html", "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/" ] }, "uuid": "5c736959-6c58-4bf2-b084-7197b42e500a" }, { "value": "Virus-Encoder", "description": "Ransomware", "meta": { "synonyms": [ "CrySiS" ], "extensions": [ ".CrySiS", ".xtbl", ".crypt", ".DHARMA", ".id-########.decryptformoney@india.com.xtbl", ".[email_address].DHARMA" ], "encryption": "AES-256", "ransomnotes": [ "How to decrypt your data.txt" ], "refs": [ "http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/", "http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip", "http://www.nyxbone.com/malware/virus-encoder.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/" ] }, "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215" }, { "value": "WildFire Locker", "description": "Ransomware Zyklon variant", "meta": { "synonyms": [ "Hades Locker" ], "extensions": [ ".wflx" ], "ransomnotes": [ "HOW_TO_UNLOCK_FILES_README_().txt" ], "refs": [ "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" ] }, "uuid": "31945e7b-a734-4333-9ea2-e52051ca015a" }, { "value": "Xorist", "description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length", "meta": { "extensions": [ ".EnCiPhErEd", ".73i87A", ".p5tkjw", ".PoAr2w", ".fileiscryptedhard", ".encoderpass", ".zc3791", ".antihacker2017" ], "encryption": "XOR or TEA", "ransomnotes": [ "HOW TO DECRYPT FILES.TXT" ], "refs": [ "https://support.kaspersky.com/viruses/disinfection/2911", "https://decrypter.emsisoft.com/xorist" ] }, "uuid": "0a15a920-9876-4985-9d3d-bb0794722258" }, { "value": "XRTN ", "description": "Ransomware VaultCrypt family", "meta": { "extensions": [ ".xrtn" ] }, "uuid": "22ff9f8c-f658-46cc-a404-1a54e1b74569" }, { "value": "You Have Been Hacked!!!", "description": "Ransomware Attempt to steal passwords", "meta": { "extensions": [ ".Locked" ], "refs": [ "https://twitter.com/malwrhunterteam/status/808280549802418181" ] }, "uuid": "0810ea3e-1cd6-4ea3-a416-5895fb685c5b" }, { "value": "Zcrypt", "description": "Ransomware", "meta": { "synonyms": [ "Zcryptor" ], "extensions": [ ".zcrypt" ], "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/" ] }, "uuid": "7eed5e96-0219-4355-9a9c-44643272894c" }, { "value": "Zimbra", "description": "Ransomware mpritsken@priest.com", "meta": { "extensions": [ ".crypto" ], "ransomnotes": [ "how.txt" ], "refs": [ "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/" ] }, "uuid": "07346620-a0b4-48d5-9158-5048741f5078" }, { "value": "Zlader", "description": "Ransomware VaultCrypt family", "meta": { "synonyms": [ "Russian", "VaultCrypt", "CrypVault" ], "extensions": [ ".vault" ], "encryption": "RSA", "refs": [ "http://www.nyxbone.com/malware/russianRansom.html" ] }, "uuid": "2195387d-ad9c-47e6-8f14-a49388b26eab" }, { "value": "Zorro", "description": "Ransomware", "meta": { "extensions": [ ".zorro" ], "ransomnotes": [ "Take_Seriously (Your saving grace).txt" ], "refs": [ "https://twitter.com/BleepinComputer/status/844538370323812353" ] }, "uuid": "b2bd25e1-d41c-42f2-8971-ecceceb6ba08" }, { "value": "Zyklon", "description": "Ransomware Hidden Tear family, GNL Locker variant", "meta": { "synonyms": [ "GNL Locker" ], "extensions": [ ".zyklon" ] }, "uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab" }, { "value": "vxLock", "description": "Ransomware", "meta": { "extensions": [ ".vxLock" ] }, "uuid": "37950a1c-0035-49e0-9278-e878df0a10f3" }, { "value": "Jaff", "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed \"Jaff\". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", "meta": { "extensions": [ ".jaff" ], "encryption": "AES", "ransomnotes": [ "WallpapeR.bmp", "ReadMe.bmp", "ReadMe.html", "ReadMe.txt" ], "refs": [ "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html", "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/" ] }, "uuid": "8e3d44d0-6768-4b54-88b0-2e004a7f2297" }, { "value": "Uiwix Ransomware", "description": "Using EternalBlue SMB Exploit To Infect Victims", "meta": { "extensions": [ "._[10_digit_victim_id].UIWIX" ], "encryption": "may be a mixture of AES and RC4.", "ransomnotes": [ "DECODE_FILES.txt" ], "refs": [ "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/" ] }, "uuid": "369d6fda-0284-44aa-9e74-f6651416fec4" }, { "value": "SOREBRECT", "description": "Fileless, Code-injecting Ransomware", "meta": { "extensions": [ ".pr0tect" ], "ransomnotes": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/" ] }, "uuid": "34cedaf0-b1f0-4b5d-b7bd-2eadfc630ea7" }, { "value": "Cyron", "description": "claims it detected \"Children Pornsites\" in your browser history", "meta": { "extensions": [ ".CYRON" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg" ], "refs": [ "https://twitter.com/struppigel/status/899524853426008064" ] }, "uuid": "f597d388-886e-46d6-a5cc-26deeb4674f2" }, { "value": "Kappa", "description": "Made with OXAR builder; decryptable", "meta": { "extensions": [ ".OXR" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg" ], "refs": [ "https://twitter.com/struppigel/status/899528477824700416" ] }, "uuid": "3330e226-b71a-4ee4-8612-2b06b58368fc" }, { "value": "Trojan Dz", "description": "CyberSplitter variant", "meta": { "extensions": [ ".Isis" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg" ], "refs": [ "https://twitter.com/struppigel/status/899537940539478016" ] }, "uuid": "1fe6c23b-863e-49e4-9439-aa9e999aa2e1" }, { "value": "Xolzsec", "description": "ransomware written by self proclaimed script kiddies that should really be considered trollware", "meta": { "extensions": [ ".xolzsec" ], "refs": [ "https://twitter.com/struppigel/status/899916577252028416" ] }, "uuid": "f2930308-2e4d-4af5-b119-746be0fe7f2c" }, { "value": "FlatChestWare", "description": "HiddenTear variant; decryptable", "meta": { "extensions": [ ".flat" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg" ], "refs": [ "https://twitter.com/struppigel/status/900238572409823232" ] }, "uuid": "d29341fd-f48e-4caa-8a28-b17853b779d1" }, { "value": "SynAck", "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/" ], "synonyms": [ "Syn Ack" ], "ransomnotes": [ "RESTORE_INFO-[id].txt" ] }, "uuid": "04585cd8-54ae-420f-9191-8ddb9b88a80c" }, { "value": "SyncCrypt", "description": "A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" ], "extensions": [ ".kk" ], "ransomnotes": [ "readme.html", "readme.png" ] }, "uuid": "83d10b83-9038-4dd6-b305-f14c21478588" }, { "value": "Bad Rabbit", "description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.", "meta": { "refs": [ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html" ], "synonyms": [ "BadRabbit", "Bad-Rabbit" ] }, "uuid": "e8af6388-6575-4812-94a8-9df1567294c5" }, { "value": "Halloware", "description": "A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/" ], "extensions": [ "(Lucifer) [prepend]" ] }, "uuid": "b366627d-dbc0-45ba-90bc-5f5694f45e35" }, { "value": "StorageCrypt", "description": "Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. User's have also reported that each share on their NAS device contains a Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the beast. From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/" ], "extensions": [ ".locked" ], "ransomnotes": [ "_READ_ME_FOR_DECRYPT.txt", "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:" ] }, "uuid": "0b920d03-971f-413c-8057-60d187192140" }, { "value": "HC7", "description": "A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.\nOriginally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor.\nUnfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" ], "extensions": [ ".GOTYA" ], "ransomnotes": [ "RECOVERY.txt", "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK" ] }, "uuid": "9325e097-9fea-490c-9b89-c2d40c166101" }, { "value": "HC6", "description": "Predecessor of HC7", "meta": { "refs": [ "https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw", "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" ], "extensions": [ ".fucku" ] }, "uuid": "909fde65-e015-40a9-9012-8d3ef62bba53" }, { "value": "qkG", "description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/" ] }, "uuid": "1f3eab7f-da0a-4e0b-8a9f-cda2f146c819" }, { "value": "Scarab", "description": "The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year.\nWritten in Delphi, the first version was simplistic and was recognizable via the \".scarab\" extension it appended after the names of encrypted files.\nMalwarebytes researcher Marcelo Rivera spotted a second version in July that used the \".scorpio\" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension.\nThe current version of Scarab encrypts files but does not change original file names as previous versions. This Scarab version appends each file's name with the \".[suupport@protonmail.com].scarab\" extension.\nScarab also deletes shadow volume copies and drops a ransom note named \"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT\" on users' computers, which it opens immediately.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", "https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/", "https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware", "https://twitter.com/malwrhunterteam/status/933643147766321152", "https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/" ], "extensions": [ ".scarab", ".scorpio", ".[suupport@protonmail.com].scarab" ], "ransomnotes": [ "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" ] }, "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4" }, { "value": "File Spider", "description": "A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam start with subjects like\"Potrazivanje dugovanja\", which translates to \"Debt Collection\" and whose message, according to Google Translate, appear to be in Serbian.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/" ], "extensions": [ ".spider" ], "ransomnotes": [ "HOW TO DECRYPT FILES.url", "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section." ] }, "uuid": "3e75ce6b-b6de-4e5a-9501-8f9f847c819c" }, { "value": "FileCoder", "description": "A barely functional piece of macOS ransomware, written in Swift.", "meta": { "date": "Febuary 2017", "refs": [ "https://objective-see.com/blog/blog_0x25.html#FileCoder" ], "synonyms": [ "FindZip", "Patcher" ] }, "uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2" }, { "value": "MacRansom", "description": "A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.", "meta": { "date": "June 2017", "refs": [ "https://objective-see.com/blog/blog_0x25.html" ] }, "uuid": "7574c7f1-5075-4230-aca9-d6c0956f1fac" }, { "value": "GandCrab", "description": "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld. ", "meta": { "date": "January 2018", "refs": [ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/", "https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/" ], "ransomnotes": [ "GDCB-DECRYPT.txt", "CRAB-Decrypt.txt", "https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg", "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can't download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. Download and install qTOX on your PC.\n3. Open it, click \"New Profile\" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "ENCRYPTED BY GANDCRAB 3\n\nDEAR [user_name],\n\nYOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR\n\nFor further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.", " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! " ], "extensions": [ ".Crab", ".CRAB" ] }, "uuid": "5920464b-e093-4fa0-a275-438dffef228f" }, { "value": "ShurL0ckr", "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.", "meta": { "refs": [ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" ], "date": "Febuary 2018" }, "uuid": "cc7f6da3-fafd-444f-b7e9-f0e650fb4d4f" }, { "value": "Cryakl", "description": "ransomware", "meta": { "refs": [ "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/", "https://www.technologynews.tech/cryakl-ransomware-virus", "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/" ], "date": "January 2018", "extensions": [ ".fairytail" ] }, "uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a" }, { "value": "Thanatos", "description": "first ransomware seen to ask for payment to be made in Bitcoin Cash (BCH)", "meta": { "refs": [ "https://mobile.twitter.com/EclecticIQ/status/968478323889332226", "https://www.eclecticiq.com/resources/thanatos--ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report" ], "extensions": [ ".THANATOS" ] }, "uuid": "361d7a90-2fde-4fc7-91ed-fdce26eb790f" }, { "value": "RSAUtil", "description": "RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.", "uuid": "f80b0a42-21ef-11e8-8ac7-0317408794e2", "meta": { "refs": [ "https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks", "https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/", "http://id-ransomware.blogspot.lu/2017/04/rsautil-ransomware.html", "http://id-ransomware.blogspot.lu/2017/04/" ], "ransomnotes": [ "How_return_files.txt", "Image.jpg", "Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.", "WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.", "Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com", "Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com", "ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.", "https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg", "https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg", "Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again." ], "synonyms": [ "Vagger", "DONTSLIP" ] } }, { "value": "Qwerty Ransomware", "description": "A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/qwerty-ransomware-utilizes-gnupg-to-encrypt-a-victims-files/" ], "ransomnotes": [ "Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!", "README_DECRYPT.txt" ] }, "uuid": "15c370c0-2799-11e8-a959-57cdcd57e3bf" }, { "value": "Zenis Ransomware", "description": "A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not encrypts your files, but also purposely deletes your backups.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/" ], "ransomnotes": [ "Zenis-Instructions.html", "*** All your files has been encrypted ***\n\nI am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.\n\nIf you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.\n\nMy instructions are simple and clear. Then follow these steps:\n\n1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.\n\n2. I decrypt your file for free and send for you.\n\n3. If you confirm the correctness of the files, verify that the files are correct via email\n\n4. Then receive the price of decrypting files\n\n5. After you have deposited, please send me the payment details\n\n6. After i confirm deposit, i send you the \"Zenis Decryptor\" along with \"Private Key\" to recovery all your files.\n\nNow you can finish the game. You won the game. congratulations.\n\n\nPlease submit your request to both emails:\n\nTheZenis@Tutanota.com\n\nTheZenis@MailFence.com\n\nIf you did not receive an email after six hours, submit your request to the following emails:\n\nTheZenis@Protonmail.com\n\nTheZenis@Mail2Tor.com (On the TOR network)\n\n\nWarning: 3rd party and public programs, It may cause irreversible damage to your files. And your files will be lost forever." ] }, "uuid": "cbe3ee70-2d11-11e8-84bb-9b3c525a48d9" }, { "value": "Flotera Ransomware", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/" ] }, "uuid": "aab356ac-396c-11e8-90c8-631229f19d7a" }, { "value": "Black Ruby", "description": "A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/" ], "extensions": [ ".BlackRuby" ], "ransomnotes": [ "HOW-TO-DECRYPT-FILES.txt", " ____ __ __ ____ __\n / __ ) / /____ _ _____ / /__ / __ \\ __ __ / /_ __ __\n / __ |/ // __ `// ___// //_/ / /_/ // / / // __ \\ / / / /\n / /_/ // // /_/ // /__ / ,< / _, _// /_/ // /_/ // /_/ /\n /_____//_/ \\__,_/ \\___//_/|_| /_/ |_| \\__,_//_.___/ \\__, /\n /____/\n\n===================== Identification Key =====================\n\n[id]\n\n===================== Identification Key =====================\n\n[Can not access your files?]\n\nCongratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.\nOur hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.\n\nThis time, we are guest with a new souvenir called \"Black Ruby\". A ruby ​​in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.\n\nSo let's talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.\nIt does not matter if you're a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it's important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.\n\nThe breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.\nWe are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone. We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility. you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.\n\nDo not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.\n\n ========================================================================================================================\n\n [HOW TO DECRYPT FILES]\n\n 1. Copy \"Identification Key\".\n 2. Send this key with two encrypted files (less than 5 MB) for trust us to email address \"TheBlackRuby@Protonmail.com\".\n 3. We decrypt your two files and send them to your email.\n 4. After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is \"19S7k3zHphKiYr85T25FnqdxizHcgmjoj1\".\n 5. You get \"Black Ruby Decryptor\" Along with the private key of your system.\n 6. Everything returns to the normal and your files will bereleased.\n\n========================================================================================================================\n\n[What is encryption?]\n\nEncryption is a reversible modification of information for security reasons but providing full access to it for authorised users.\n To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an \"Personal Identification Key\". But not only it. It is required also to have the special decryption software\n(in your case “Black Ruby Decryptor” software) for safe and complete decryption of all your files and data.\n\n[Everything is clear for me but what should I do?]\n\n The first step is reading these instructions to the end. Your files have been encrypted with the “Black Ruby Ransomware” software; the instructions (“HOW-TO-DECRYPT-FILES.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Black Ruby Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.\n\n[Have you got advice?]\n\n[*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***]\nThe most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. \nFinally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Black Ruby Ransomware” software may be fatal for your files.\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." ] }, "uuid": "abf3001c-396c-11e8-8da6-ef501eef12e1" }, { "value": "WhiteRose", "description": "A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/" ], "extensions": [ ".WHITEROSE", "_ENCRYPTED_BY.WHITEROSE" ], "ransomnotes": [ "HOW-TO-RECOVERY-FILES.TXT", "[Rose ASCII art]\n\n[WhiteRose written in ASCII art]\n\nThe singing of the sparrows, the breezes of the northern mountains and smell of the earth that was raining in the morning filled the entire garden space. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day.\n\nBehind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish and my right, trees full of spring white blooms.\n\n I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend.\n\nI have neither a pet, nor a friend or an enemy; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices in this big garden are an old laptop for do projects and an iPhone for check out the news feeds for malware analytics on Twitter without likes posts.\n\nBelieve me, my only assets are the white roses of this garden. I think of days and write at night: the story, poem, code, exploit or the accumulation of the number of white roses sold and I say to myself that the wealth is having different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses.\n\nToday, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the worth of unity, intimacy, joy and love and is the decision to release white roses and to give gifts to all peoples of the world.\n\nI do not think about selling white roses again. This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.\n\nI hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.\n\nThank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\n[Recovery Instructions]\n\n I. Download qTox on your computer from [https://tox.chat/download.html]\nII. Create new profile then enter our ID in search contacts\n Our Tox ID: \"6F548F217897AA4140FB4C514C8187F2FFDBA3CAFC83795DEE2FBCA369E689006B7CED4A18E9\". III. Wait for us to accept your request.\nIV. Copy '[PersonalKey]' in \"HOW-TO-RECOVERY-FILES.TXT\" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat.\n IV.I. Only if you did not receive a reply after 24 hours from us, send your message to our secure tor email address \"TheWhiteRose@Torbox3uiot6wchz.onion\".\n IV.II. For perform \"Step IV.I\" and enter the TOR network, you must download tor and register in \"http://torbox3uiot6wchz.onion\" Mail Service)\nV. We decrypt your two files and we will send you.\nVI. After ensuring the integrity of the files, We will send you payment info.\nVII. Now after payment, you get \"WhiteRose Decryptor\" Along with the private key of your system.\nVIII.Everything returns to the normal and your files will be released.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\nWhat is encryption?\n\n In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. in your case “WhiteRose Decryptor” software for safe and complete decryption of all your files and data.\n\nAny other way?\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support." ] }, "uuid": "abc80362-396c-11e8-bc5c-8bca89c0f797" }, { "value": "PUBG Ransomware", "description": "In what could only be a joke, a new ransomware has been discovered called \"PUBG Ransomware\" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds. Discovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/" ], "extensions": [ ".PUBG" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/ransomware/p/pubg-ransomware/pubg-ransomware.jpg" ] }, "uuid": "2239b3ca-3c9b-11e8-873e-53608d51ee71" }, { "value": "LockCrypt", "description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/" ] }, "uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340" }, { "value": "Magniber Ransomware", "description": "Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/", "https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/" ], "extensions": [ ".ihsdj", ".kgpvwnr" ], "ransomnotes": [ "READ_ME_FOR_DECRYPT_[id].txt", " ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.\n\n 2. In the \"Tor Browser\" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via \"Tor Browser\" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using \"Tor Browser\":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!" ] }, "uuid": "a0c1790a-3ee7-11e8-9774-93351d675a9e" }, { "value": "Vurten", "meta": { "refs": [ "https://twitter.com/siri_urz/status/981191281195044867" ], "extensions": [ ".improved" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg", "UNCRYPT.README" ] }, "uuid": "7666e948-3f09-11e8-b0b2-af79c067d856" }, { "value": "Reveton ransomware", "description": "A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/", "https://en.wikipedia.org/wiki/Ransomware#Reveton", "https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/" ] }, "uuid": "1912ec68-4145-11e8-ac06-9b6643035a71" }, { "value": "Fusob", "description": "Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob.\nLike a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well.\nIn order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.\nWhen Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively.\nFusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Ransomware#Fusob" ] }, "uuid": "c921d9ac-4145-11e8-965b-df5002d4cad8" }, { "value": "OXAR", "meta": { "refs": [ "https://twitter.com/demonslay335/status/981270787905720320" ], "ransomnotes": [ "https://pastebin.com/xkRaRytW", "What Happened to My Computer?\nYour important files are encrypted.\nMany of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.\n\nCan I Recover My Files?\nSure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.\nBut if you want to decrypt all your files, you need to pay.\n\nHow Do I Pay?\nPayment is accepted in Bitcoin only.\nPlease check the current price of Bitcoin and buy some bitcoins.\nAnd send the correct amount to the address specified in this window.\n\nWe strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!\nOnce the payment is sent, send us an e-mail to the specified address specifying your \"Client ID\", you will be sent your decryption key in return.\nHow to buy Bitcoins?\n\nStep 1 : Create a portfolio on the Blockchain website at the address : https://blockchain.info/fr/wallet/#/signup\nStep 2 : Sign in to your account you just created and purchase the amount shown : https://blockchain.info/wallet/#/buy-sell\n Step 3 : Send the amount to the indicated Bitcoin address, once this is done send us an email with your \"Client ID\" you can retreive this in the file \"instruction.txt\" or \"Whats Appens With My File.s.txt\" in order to ask us the key of decryption of your data.\n\nContact us at : spaghetih@protonmail.com\nSend 20$ to Bitcoin at 1MFA4PEuDoe2UCKgabrwm8P4KztASKtiuv if you want decrypt your files !\nYour Client ID is : [id]" ], "extensions": [ ".FUCK" ] }, "uuid": "b0ce2b90-4171-11e8-af82-0f4431fd2726" }, { "value": "BansomQare Manna Ransomware", "uuid": "b95a76d8-4171-11e8-b9b3-1bf62ec3265e" }, { "value": "Haxerboi Ransomware", "uuid": "60e79876-4178-11e8-8c04-63662c94ba03" }, { "value": "SkyFile", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/982229994364547073" ] }, "uuid": "b4654c94-417a-11e8-8c2c-5b5748496f92" }, { "value": "MC Ransomware", "description": "Supposed joke ransomware, decrypt when running an exectable with the string \"Minecraft\"", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/" ] }, "uuid": "443c55c6-43d1-11e8-9072-6fdcf89aa4e6" }, { "value": "CSGO Ransomware", "description": "Supposed joke ransomware, decrypt when running an exectable with the string \"csgo\"", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/" ] }, "uuid": "449e18b0-43d1-11e8-847e-0fed641732a1" }, { "value": "XiaoBa ransomware", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/", "https://twitter.com/malwrhunterteam/status/923847744137154560", "https://twitter.com/struppigel/status/926748937477939200", "https://twitter.com/demonslay335/status/968552114787151873" ], "extensions": [ ".Encrypted[BaYuCheng@yeah.net].XiaBa", ".XiaoBa1", ".XiaoBa2", ".XiaoBa3", ".XiaoBa4", ".XiaoBa5", ".XiaoBa6", ".XiaoBa7", ".XiaoBa8", ".XiaoBa9", ".XiaoBa10", ".XiaoBa11", ".XiaoBa12", ".XiaoBa13", ".XiaoBa14", ".XiaoBa15", ".XiaoBa16", ".XiaoBa17", ".XiaoBa18", ".XiaoBa19", ".XiaoBa20", ".XiaoBa21", ".XiaoBa22", ".XiaoBa23", ".XiaoBa24", ".XiaoBa25", ".XiaoBa26", ".XiaoBa27", ".XiaoBa28", ".XiaoBa29", ".XiaoBa30", ".XiaoBa31", ".XiaoBa32", ".XiaoBa33", ".XiaoBa34" ], "ransomnotes": [ "https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg", "https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg", "_@XiaoBa@_.bmp", "_@Explanation@_.hta", "_XiaoBa_Info_.hta", "_XiaoBa_Info_.bmp" ] }, "uuid": "ef094aa6-4465-11e8-81ce-739cce28650b" }, { "meta": { "date": "April 2018", "encryption": "AES+RSA", "refs": [ "https://sensorstechforum.com/nmcrypt-files-ransomware-virus-remove-restore-data/", "https://www.enigmasoftware.com/nmcryptansomware-removal/" ], "extensions": [ ".NMCRYPT" ], "ransomnotes": [ "Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser...", "https://sensorstechforum.com/wp-content/uploads/2018/04/stf-NMCRYPT-ransomware-virus-ransom-note-tor-onion-network-page-768x827.png" ] }, "description": "The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.", "value": "NMCRYPT Ransomware", "uuid": "bd71be69-fb8c-4b1f-9d96-993ab23d5f2b" }, { "value": "Iron", "description": "It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.\nWe know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design)\nDMA Locker (Iron Unlocker, decryption tool)\nSatan (exclusion list)", "meta": { "refs": [ "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html" ], "ransomnotes": [ "!HELP_YOUR_FILES.HTML", "We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…" ] }, "uuid": "ba64d47c-46cd-11e8-87df-ff6252b4ea76" }, { "value": "Tron ransomware", "meta": { "refs": [ "https://twitter.com/malwrhunterteam/status/985152346773696512" ], "extensions": [ ".tron" ], "ransomnotes": [ "https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg" ] }, "uuid": "94290f1c-46ff-11e8-b9c6-ef8852c58952" }, { "value": "Unnamed ramsomware 1", "description": "A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/" ], "extensions": [ "sequre@tuta.io_[hex]" ], "ransomnotes": [ "HOW DECRIPT FILES.hta", "https://www.bleepstatic.com/images/news/ransomware/c/compiled-ransomware/ransom-note.jpg" ] }, "uuid": "c1788ac0-4fa0-11e8-b0fd-63f5a2914926" } ], "source": "Various", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "name": "Ransomware", "version": 20, "type": "ransomware", "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar" }