+
+Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.¶
+refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.¶
+date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.¶
+colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.¶
+complexity, effectiveness, impact, possibleissues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possibleissues is represented as a string and SHOULD be present.¶
+Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:¶
+
{
"meta": {
"refs": [
@@ -545,9 +1415,11 @@
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
-
-
country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.
-
Example use of the country, motive fields in the threat-actor galaxy:
+
¶
+
+country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.¶
+Example use of the country, motive fields in the threat-actor galaxy:¶
+
{
"meta": {
"country": "CN",
@@ -567,11 +1439,13 @@
"description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
}
-
-
encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price MAY be used to give further information in ransomware galaxy. encryption is represented as a string and SHALL be present. extensions is represented as an array containing one or more strings and SHALL be present. ransomnotes is represented as an array containing one or more strings ans SHALL be present. ransomnotes-filenames is represented as an array containing one or more strings ans SHALL be present. ransomnotes-refs is represented as an array containing one or more strings ans SHALL be present. payment-method is represented as a string and SHALL be present. price is represented as a string and SHALL be present.
-
Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:
+
¶
+
+encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price MAY be used to give further information in ransomware galaxy. encryption is represented as a string and SHALL be present. extensions is represented as an array containing one or more strings and SHALL be present. ransomnotes is represented as an array containing one or more strings ans SHALL be present. ransomnotes-filenames is represented as an array containing one or more strings ans SHALL be present. ransomnotes-refs is represented as an array containing one or more strings ans SHALL be present. payment-method is represented as a string and SHALL be present. price is represented as a string and SHALL be present.¶
+Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:¶
+
{
- "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
+ "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
"meta": {
"ransomnotes-filenames": [
"RyukReadMe.txt"
@@ -587,8 +1461,10 @@
"uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
"value": "Ryuk ransomware"
}
-
-
Example use of the payment-method, price fields in the ransomware galaxy:
+
¶
+
+Example use of the payment-method, price fields in the ransomware galaxy:¶
+
{
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
"meta": {
@@ -609,9 +1485,11 @@
"uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
"value": "CryptoMeister Ransomware"
}
-
-
source-uuid, target-uuid SHALL be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) [RFC4122] of the value reference. source-uuid and target-uuid MUST be preserved.
-
Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:
+
¶
+
+source-uuid, target-uuid SHALL be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) [RFC4122] of the value reference. source-uuid and target-uuid MUST be preserved.¶
+Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attack-relationship galaxy:¶
+
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
@@ -620,9 +1498,11 @@
"uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
"value": "menuPass (G0045) uses EvilGrab (S0152)"
}
-
-
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category MAY be used to report information gathered from CFR's (Council on Foreign Relations) [CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and SHALL be present. cfr-suspected-state-sponsor is represented as a string and SHALL be present. cfr-type-of-incident is represented as a string or an array and SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".
-
Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:
+
¶
+
+cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category MAY be used to report information gathered from CFR's (Council on Foreign Relations) [CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and SHALL be present. cfr-suspected-state-sponsor is represented as a string and SHALL be present. cfr-type-of-incident is represented as a string or an array and SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-type-of-incident includes "Espionage", "Denial of service", "Sabotage". cfr-target-category is represented as an array containing one or more strings ans SHALL be present. RECOMMENDED but not exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".¶
+Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:¶
+
{
"meta": {
"country": "CN",
@@ -644,22 +1524,34 @@
"value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
},
-
-
attribution-confidence MAY be used to indicate the confidence about an attribution given by country or cfr-suspected-state-sponsor. attribution-confidence is represented on a scale from 0 to 100, where 50 means "no information", the values under 50 mean "probably not, almost certainly not to impossibility", the values above 50 means "from probable, almost certain to certainty" and SHALL be present if country or cfr-suspected-state-sponsor are present.
+
¶
+
+attribution-confidence MAY be used to indicate the confidence about an attribution given by country or cfr-suspected-state-sponsor. attribution-confidence is represented on a scale from 0 to 100, where 50 means "no information", the values under 50 mean "probably not, almost certainly not to impossibility", the values above 50 means "from probable, almost certain to certainty" and SHALL be present if country or cfr-suspected-state-sponsor are present.¶
+
Impossibility no information Certainty
+
|
+-------------------+------------------>
0 50 100
-
-
-
The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters.
-
+
¶
+
+
+2.5.2.9. comment +
+comment is a contextual comment field.¶
+comment is represented by a JSON string. comment MAY be present.¶
+
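Review bot: the new 2.5.2.9 comment subsection is inserted after the sentence "The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy formats", so it now sits between the sentence announcing the schema and the schema itself; move it up with the other meta-field subsections, before that sentence, and say whether comment lives inside meta or at cluster level. The attribution-confidence scale is not a readable figure as added: the three labels sit on one line with no alignment to the "0 50 100" ticks and the "|" marker, so put it in fixed-width artwork with each label above its tick. Grammar in the same paragraph: "the values above 50 mean", and the ranges read better as "from probably not, through almost certainly not, to impossible" and "from probable, through almost certain, to certainty". The heading line "comment +" ends with a stray " +" unless the source format requires it as a line-break marker.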