From 33a15bbdabe313b78725236f86d6e78c3ffb4137 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 18 Apr 2019 14:46:32 +0200 Subject: [PATCH 1/2] rfc galaxy - add new fields for ransomware galaxy --- misp-galaxy-format/raw.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index 7aab67c..0ec2a71 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md @@ -162,7 +162,7 @@ Example use of the country, motive fields in the threat-actor galaxy: } ~~~~ -encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-filenames is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-refs is represented as an array containing one or more strings ans **SHALL** be present. +encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method and price **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-filenames is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-refs is represented as an array containing one or more strings ans **SHALL** be present. payment-method is represented as a string and **SHALL** be present. price is represented as a string and **SHALL** be present. Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy: 
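Review bot: The two sentences appended at the end of the changed line, "payment-method is represented as a string and **SHALL** be present" and "price is represented as a string and **SHALL** be present", contradict the opening clause of the same line, which says these fields **MAY** be used in the ransomware galaxy; the pre-existing fields carry the same inconsistency, but since the whole line is rewritten here it is the right moment to state the intended rule, e.g. "payment-method, if present, is represented as a string" or "**SHALL** be present when the field is used", so that a validator knows whether a ransomware entry without a price is non-conforming.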
From d14e0567168e6a5789e10a632a02e7e151cf37df Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 18 Apr 2019 14:50:54 +0200 Subject: [PATCH 2/2] rfc galaxy - improve and merge attempt --- misp-galaxy-format/raw.md | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md index 0ec2a71..8f745e4 100644 --- a/misp-galaxy-format/raw.md +++ b/misp-galaxy-format/raw.md @@ -104,7 +104,7 @@ Related contains a list of JSON key value pairs which describe the related value ## meta -Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence wherever applicable. +Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price wherever applicable. refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present. 
@@ -162,7 +162,7 @@ Example use of the country, motive fields in the threat-actor galaxy: } ~~~~ -encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method and price **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-filenames is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-refs is represented as an array containing one or more strings ans **SHALL** be present. payment-method is represented as a string and **SHALL** be present. price is represented as a string and **SHALL** be present. +encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-filenames is represented as an array containing one or more strings ans **SHALL** be present. ransomnotes-refs is represented as an array containing one or more strings ans **SHALL** be present. payment-method is represented as a string and **SHALL** be present. price is represented as a string and **SHALL** be present. Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy: 
@@ -186,6 +186,31 @@ Example use of the encryption, extensions, ransomnotes fields in the ransomware } ~~~~ +Example use of the payment-method, price fields in the ransomware galaxy: +~~~~ +{ + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "meta": { + "date": "March 2017", + "encryption": "AES-128", + "extensions": [ + ".enc" + ], + "payment-method": "Bitcoin", + "price": "0.1", + "ransomnotes": [ + "Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites." + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html" + ] + }, + "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b", + "value": "CryptoMeister Ransomware" +} +~~~~ + + source-uuid, target-uuid **SHALL** be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) [@!RFC4122] of the value reference. source-uuid and target-uuid **MUST** be preserved. Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:
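Review bot: In the @@ -104 hunk, payment-method and price are appended after attribution-confidence, which separates them from the ransomware keys the list already groups together (encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs); placing them directly after ransomnotes-refs keeps the ransomware keys in one run and matches the order used in the description at line 162.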
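Review bot: In the @@ -162 hunk the only change is dropping "and" from the enumeration ("payment-method and price" becomes "payment-method, price"), yet the three typos "ans **SHALL** be present" on the same line are carried over a second time; since the line is being replaced anyway, they should read "and **SHALL** be present".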
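Review bot: In the @@ -186 hunk the example sets "price": "0.1" with no unit, so a reader must infer from "payment-method": "Bitcoin" that the figure is in BTC; because price is defined as a free-form string, either state in the prose that price is expressed in the unit of payment-method or carry the unit in the value (e.g. "0.1 BTC") so the field stays interpretable when payment-method is absent. The new block also starts directly after the previous closing ~~~~ fence with no separating blank line but ends with two added blank lines before "source-uuid"; one blank line on each side would match the surrounding examples.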