{ "authors": [ "Various" ], "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", "type": "ransomware", "version": 1, "name": "Ransomware", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "values": [ { "description": "AES(256); .enc; ", "value": ".CryptoHasYou." }, { "description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ", "value": "777" }, { "description": "7ev3n-HONE$T; .R4A .R5A; ", "value": "7ev3n" }, { "description": "AES; .7h9r; ", "value": "7h9r" }, { "description": "AES (256); .8lock8; ", "value": "8lock8" }, { "description": ".bin; ", "value": "Alfa Ransomware" }, { "description": "AES(128); random; random(x5); ", "value": "Alma Ransomware" }, { "description": "AlphaLocker; AES(256); .encrypt; ", "value": "Alpha Ransomware" }, { "description": ".amba; ", "value": "AMBA" }, { "description": ".adk; ", "value": "Angry Duck" }, { "description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ", "value": "Apocalypse" }, { "description": ".encrypted .locked; ", "value": "ApocalypseVM" }, { "description": ".locky; ", "value": "AutoLocky" }, { "description": "", "value": "BadBlock" }, { "description": ".adr; ", "value": "BaksoCrypt" }, { "description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ", "value": "Bandarchor" }, { "description": "BaCrypt; .bart.zip .bart .perl; ", "value": "Bart" }, { "description": ".clf; ", "value": "BitCryptor" }, { "description": "Base64 + String Replacement; .bitstak; ", "value": "BitStak" }, { "description": "SilentShade; AES (256); .Silent; ", "value": "BlackShades Crypter" }, { "description": "AES (256); .blocatto; ", "value": "Blocatto" }, { "description": "Salam!; ", "value": "Booyah" }, { "description": "AES(256); .lock; ", "value": "Brazilian" }, { "description": "AES; ", "value": "BrLock" }, { "description": "", "value": "Browlock" }, { "description": "GOST; ; ", "value": "Bucbi" }, { "description": "(.*).encoded.([A-Z0-9]{9}); ", "value": "BuyUnlockCode" }, { "description": ".cry; ", "value": "Central Security Treatment Organization" }, { "description": "AES; .cerber .cerber2 .cerber3; ", "value": "Cerber" }, { "description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ", "value": "Chimera" }, { "description": ".clf; ", "value": "CoinVault" }, { "description": "AES(256); .coverton .enigma .czvxce; ", "value": "Coverton" }, { "description": ".{CRYPTENDBLACKDC}; ", "value": "Cryaki" }, { "description": "", "value": "Crybola" }, { "description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ", "value": "CryFile" }, { "description": "Cry, CSTO; .cry; ", "value": "CryLocker" }, { "description": "AES(256); ", "value": "CrypMIC" }, { "description": ".ENCRYPTED; ", "value": "Crypren" }, { "description": "AES; .crypt38; ", "value": "Crypt38" }, { "description": "Hidden Tear; AES(256); ", "value": "Cryptear" }, { "description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ", "value": "CryptFIle2" }, { "description": ".crinf; ", "value": "CryptInfinite" }, { "description": "AES and RSA; ", "value": "CryptoBit" }, { "description": "", "value": "CryptoDefense" }, { "description": "Ranscam; ", "value": "CryptoFinancial" }, { "description": "AES (256), RSA (1024); .frtrss; ", "value": "CryptoFortress" }, { "description": ".clf; ", "value": "CryptoGraphic Locker" }, { "description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ", "value": "CryptoHost" }, { "description": "AES-256; .crjoker; ", "value": "CryptoJoker" }, { "description": ".encrypted .ENC; ", "value": "CryptoLocker" }, { "description": "[A-F0-9]{8}_luck; ", "value": "CryptoLuck / YafunnLocker" }, { "description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ", "value": "CryptoMix" }, { "description": "AES; .crptrgr; ", "value": "CryptoRoger" }, { "description": "AES; .locked; ", "value": "CryptoShocker" }, { "description": ".CryptoTorLocker2015!; ", "value": "CryptoTorLocker2015" }, { "description": "no filename change; ", "value": "CryptoWall 1" }, { "description": "no filename change; ", "value": "CryptoWall 2" }, { "description": "no filename change; ", "value": "CryptoWall 3" }, { "description": "., e.g., 27p9k967z.x1nep; ", "value": "CryptoWall 4" }, { "description": "CryptProjectXXX; .crypt; ", "value": "CryptXXX" }, { "description": "CryptProjectXXX; .crypt; ", "value": "CryptXXX 2.0" }, { "description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ", "value": "CryptXXX 3.0" }, { "description": ".cryp1; ", "value": "CryptXXX 3.1" }, { "description": "", "value": "CTB-Faker" }, { "description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ", "value": "CTB-Locker" }, { "description": "AES(256); ", "value": "CTB-Locker WEB" }, { "description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ", "value": "CuteRansomware" }, { "description": "", "value": "Deadly for a Good Purpose" }, { "description": ".html; ", "value": "DeCrypt Protect" }, { "description": "AES-256; .ded; ", "value": "DEDCryptor" }, { "description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ", "value": "DetoxCrypto" }, { "description": "", "value": "DirtyDecrypt" }, { "description": "AES(256) in ECB mode, Version 2-4 also RSA; ", "value": "DMALocker" }, { "description": "AES(256); ", "value": "DMALocker 3.0" }, { "description": "AES(256); .domino; ", "value": "Domino" }, { "description": "Cryptear; AES(256); .locked; ", "value": "EDA2 / HiddenTear" }, { "description": "EduCrypter; .isis .locked; ", "value": "EduCrypt" }, { "description": "Los Pollos Hermanos; .ha3; ", "value": "El-Polocker" }, { "description": "Trojan.Encoder.6491; ", "value": "Encoder.xxxx" }, { "description": "AES (128); .enigma .1txt; ", "value": "Enigma" }, { "description": ".exotic; ", "value": "Exotic" }, { "description": "", "value": "Fairware" }, { "description": ".locked; ", "value": "Fakben" }, { "description": "Variants: Comrade Circle; AES(128); .fantom; ", "value": "Fantom" }, { "description": "", "value": "Fonco" }, { "description": "", "value": "FSociety" }, { "description": "", "value": "Fury" }, { "description": "AES (256); .Z81928819; ", "value": "GhostCrypt" }, { "description": "Purge; Blowfish; .purge; ", "value": "Globe v1" }, { "description": "Purge; Blowfish; .. e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ", "value": "Globe v2" }, { "description": "Purge; RC4; .globe or random; ", "value": "Globe v3" }, { "description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; .locked, e.g., bill.!ID!8MMnF!ID!.locked; ", "value": "GNL Locker" }, { "description": ".crypt; !___[EMAILADDRESS]_.crypt; ", "value": "Gomasom" }, { "description": "", "value": "Goopic" }, { "description": "", "value": "Gopher" }, { "description": ".html; ", "value": "Harasom" }, { "description": "Mamba; Custom (net shares), XTS-AES (disk); ", "value": "HDDCryptor" }, { "description": ".herbst; ", "value": "Herbst" }, { "description": "AES(256); .cry ; ", "value": "Hi Buddy!" }, { "description": "removes extensions; ", "value": "Hitler" }, { "description": "AES; (encrypted); ", "value": "HolyCrypt" }, { "description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ", "value": "Hucky" }, { "description": "hydracrypt_ID_[\\w]{8}; ", "value": "HydraCrypt" }, { "description": ".crime; ", "value": "iLock" }, { "description": ".crime; ", "value": "iLockLight" }, { "description": "<6 random characters>; ", "value": "International Police Association" }, { "description": "!ENC; ", "value": "JagerDecryptor" }, { "description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ", "value": "Jeiphoos" }, { "description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ", "value": "Jigsaw" }, { "description": "TripleDES; .locked .css; ", "value": "Job Crypter" }, { "description": "AES; .encrypted; ", "value": "KeRanger" }, { "description": "keybtc@inbox_com ; ", "value": "KeyBTC" }, { "description": "", "value": "KEYHolder" }, { "description": ".rip; ", "value": "Killer Locker" }, { "description": "AES; .kimcilware .locked; ", "value": "KimcilWare" }, { "description": "AES(256); .암호화됨; ", "value": "Korean" }, { "description": ".kostya; ", "value": "Kostya" }, { "description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ", "value": "Kozy.Jozy" }, { "description": ".kratos; ", "value": "KratosCrypt" }, { "description": "AES(256); ", "value": "KryptoLocker" }, { "description": ".LeChiffre; ", "value": "LeChiffre" }, { "description": "Linux.Encoder.{0,3}; ", "value": "Linux.Encoder" }, { "description": "", "value": "Locker" }, { "description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ", "value": "Locky" }, { "description": ".lock93; ", "value": "Lock93" }, { "description": ".crime; ", "value": "Lortok" }, { "description": "oor.; ", "value": "LowLevel04" }, { "description": "", "value": "Mabouia" }, { "description": "AES(256); .magic; ", "value": "Magic" }, { "description": "AES(256), RSA (2048); [a-z]{4,6}; ", "value": "MaktubLocker" }, { "description": "Crypt888; AES; Lock.; ", "value": "MIRCOP" }, { "description": "AES(256); .fucked, .fuck; ", "value": "MireWare" }, { "description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ", "value": "Mischa" }, { "description": "Booyah; AES(256); .locked; ", "value": "MM Locker" }, { "description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ", "value": "Mobef" }, { "description": "", "value": "n1n1n1" }, { "description": "", "value": "Nagini" }, { "description": "AES (256), RSA; ", "value": "NanoLocker" }, { "description": "XOR(255) 7zip; .crypted; ", "value": "Nemucod" }, { "description": "", "value": "NoobCrypt" }, { "description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ", "value": "ODCODC" }, { "description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ", "value": "Offline ransomware" }, { "description": "GPCode; .LOL! .OMG!; ", "value": "OMG! Ransomware" }, { "description": "", "value": "Onyx" }, { "description": ".EXE; ", "value": "Operation Global III" }, { "description": ".padcrypt; ", "value": "PadCrypt" }, { "description": "XOR; ", "value": "PClock" }, { "description": "Goldeneye; Modified Salsa20; ", "value": "Petya" }, { "description": "AES(256); .locked; .locked; ", "value": "Philadelphia" }, { "description": ".id-[victim_id]-maestro@pizzacrypts.info; ", "value": "PizzaCrypts" }, { "description": "AES(256); .locked; ", "value": "PokemonGO" }, { "description": "AES(256); .filock; ", "value": "Popcorn Time" }, { "description": "AES(256); ", "value": "Polyglot" }, { "description": "PoshCoder; AES(128); .locky; ", "value": "PowerWare" }, { "description": "AES, but throws key away, destroys the files; ", "value": "PowerWorm" }, { "description": "", "value": "PRISM" }, { "description": ".crypt; ", "value": "R980" }, { "description": "RAA; .locked; ", "value": "RAA encryptor" }, { "description": "AES(256); .RDM .RRK .RAD .RADAMANT; ", "value": "Radamant" }, { "description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\\w]{4,12}; ", "value": "Rakhni" }, { "description": "locked-.[a-zA-Z]{4}; ", "value": "Rannoh" }, { "description": "", "value": "Ransom32" }, { "description": "Asymmetric 1024 ; ", "value": "RansomLock" }, { "description": ".vscrypt .infected .bloc .korrektor; ", "value": "Rector" }, { "description": "AES(256); .rekt; ", "value": "RektLocker" }, { "description": ".remind .crashed; ", "value": "RemindMe" }, { "description": "Curve25519 + ChaCha; .rokku; ", "value": "Rokku" }, { "description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ", "value": "Samas-Samsam" }, { "description": "AES(256) + RSA(2096); .sanction; ", "value": "Sanction" }, { "description": "Sarah_G@ausi.com___; ", "value": "Satana" }, { "description": "", "value": "Scraper" }, { "description": "AES; ", "value": "Serpico" }, { "description": "Atom; .locked; ", "value": "Shark" }, { "description": ".shino; ", "value": "ShinoLocker" }, { "description": "KinCrypt; ", "value": "Shujin" }, { "description": "AES; .~; ", "value": "Simple_Encoder" }, { "description": "AES(256); .locked; ", "value": "SkidLocker / Pompous" }, { "description": ".encrypted; ", "value": "Smrss32" }, { "description": "AES(256); .RSNSlocked .RSplited; ", "value": "SNSLocker" }, { "description": ".sport; ", "value": "Sport" }, { "description": "AES(256); .locked; ", "value": "Stampado" }, { "description": "AES(256); .locked; ", "value": "Strictor" }, { "description": "AES(256); .surprise .tzu; ", "value": "Surprise" }, { "description": "", "value": "Survey" }, { "description": "", "value": "SynoLocker" }, { "description": ".szf; ", "value": "SZFLocker" }, { "description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ", "value": "TeleCrypt" }, { "description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ", "value": "TeslaCrypt 0.x - 2.2.0" }, { "description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ", "value": "TeslaCrypt 3.0+" }, { "description": "AES(256) + ECHD + SHA1; ", "value": "TeslaCrypt 4.1A" }, { "description": "", "value": "TeslaCrypt 4.2" }, { "description": "", "value": "Threat Finder" }, { "description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ", "value": "TorrentLocker" }, { "description": "", "value": "TowerWeb" }, { "description": ".toxcrypt; ", "value": "Toxcrypt" }, { "description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ", "value": "Troldesh" }, { "description": "AES(256); .enc; ", "value": "TrueCrypter" }, { "description": "AES(256); .locked; ", "value": "Turkish Ransom" }, { "description": "AES; umbrecrypt_ID_[VICTIMID]; ", "value": "UmbreCrypt" }, { "description": "AES; .H3LL .0x0 .1999; ", "value": "Ungluk" }, { "description": ".CRRRT .CCCRRRPPP; ", "value": "Unlock92" }, { "description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ", "value": "VaultCrypt" }, { "description": "", "value": "VenisRansomware" }, { "description": "AES(256); .Venusf .Venusp; ", "value": "VenusLocker" }, { "description": ".exe; ", "value": "Virlock" }, { "description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ", "value": "Virus-Encoder" }, { "description": ".wflx; ", "value": "WildFire Locker" }, { "description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ", "value": "Xorist" }, { "description": ".xrtn; ", "value": "XRTN " }, { "description": "Zcryptor; .zcrypt; ", "value": "Zcrypt" }, { "description": ".crypto; ", "value": "Zimbra" }, { "description": "VaultCrypt CrypVault; RSA; .vault; ", "value": "Zlader / Russian" }, { "description": "GNL Locker; .zyklon; ", "value": "Zyklon" }, { "description": "AES; ", "value": "Erebus" } ], "source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml" }