Hide Navigation Hide TOC

Edit

Ransomware

Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar

Authors

Authors and/or Contributors
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
http://pastebin.com/raw/GHgpWjar
MISP Project
https://id-ransomware.blogspot.com/2016/07/ransomware-list.html

Nhtnwcuf Ransomware (Fake)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 81b4e3ac-aa83-4616-9899-8e19ee3bb78b which can be used as unique global reference for Nhtnwcuf Ransomware (Fake) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['RANDOM 3 LETTERS ARE ADDED']
payment-method	Bitcoin
price	1(300$)
ransomnotes-refs	['https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif']

CryptoJacky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID a8187609-329a-4de0-bda7-7823314e7db9 which can be used as unique global reference for CryptoJacky Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html - webarchive
• https://twitter.com/jiriatvirlab/status/838779371750031360 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['RANDOM 3 LETTERS ARE ADDED']
payment-method	Bitcoin
price	250 €
ransomnotes-refs	['https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png']

Kaenlupuf Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID b97f07c4-136a-488a-9fa0-35ab45fbfe36 which can be used as unique global reference for Kaenlupuf Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg']

EnjeyCrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e98e6b50-00fd-484e-a5c1-4b2363579447 which can be used as unique global reference for EnjeyCrypter Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/ - webarchive
• https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-256
extensions	['example:.encrypted.contact_here_me@india.com.enjey']
payment-method	Bitcoin
ransomnotes-refs	['https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png']

Dangerous Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78 which can be used as unique global reference for Dangerous Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
ransomnotes	['DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com']

Vortex Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vortex Ransomware.

Known Synonyms
Ŧl๏tєгค гคภร๏๓ฬคгє

Internal MISP references

UUID 04a5889d-b97d-4653-8a0f-d2df85f93430 which can be used as unique global reference for Vortex Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html - webarchive
• https://twitter.com/struppigel/status/839778905091424260 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
extensions	['.aes']
payment-method	Dollars
price	199
ransomnotes	['Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =']

GC47 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 2069c483-4701-4a3b-bd51-3850c7aa59d2 which can be used as unique global reference for GC47 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.fuck_you']
payment-method	Bitcoin
price	0,0361312 (50$)
ransomnotes-refs	['https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg']

RozaLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RozaLocker Ransomware.

Known Synonyms
Roza

Internal MISP references

UUID f158ea74-c8ba-4e5a-b07f-52bd8fe30888 which can be used as unique global reference for RozaLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html - webarchive
• https://twitter.com/jiriatvirlab/status/840863070733885440 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.enc', '.ENC']
payment-method	Bitcoin
price	10000 Rubles (135€)
ransomnotes	["OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"]

CryptoMeister Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4c76c845-c5eb-472c-93a1-4178f86c319b which can be used as unique global reference for CryptoMeister Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.enc']
payment-method	Bitcoin
price	0.1
ransomnotes	['Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the "Buy Bitcoins" section and then buy Bitcoin Step 4: Go to the "Send" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear \'Check\' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites.']

GG Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016

Internal MISP references

UUID f62eb881-c6b5-470c-907d-072485cd5860 which can be used as unique global reference for GG Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.GG']

Project34 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4af0d2bd-46da-44da-b17e-987f86957c1d which can be used as unique global reference for Project34 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.Project34']
payment-method	MoneyPak
price	300$
ransomnotes	['(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU']
ransomnotes-filenames	['ПАРОЛЬ.txt']

PetrWrap Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e11da570-e38d-4290-8a2c-8a31ae832ffb which can be used as unique global reference for PetrWrap Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ - webarchive
• https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/ - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
payment-method	Bitcoin
price	300$
ransomnotes-refs	['https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png']

Karmen Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear

Internal MISP references

UUID da7de60e-0725-498d-9a35-303ddb5bf60a which can be used as unique global reference for Karmen Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ - webarchive
• https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/841747002438361089 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-128
extensions	['.grt']
payment-method	Bitcoin
price	1.2683
ransomnotes-refs	['https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg']

Revenge Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant

Internal MISP references

UUID 987d36d5-6ba8-484d-9e0b-7324cc886b0e which can be used as unique global reference for Revenge Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/ - webarchive
• https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES-256 + RSA-1024
extensions	['.REVENGE']
ransomnotes	['===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.']
ransomnotes-filenames	['# !!!HELP_FILE!!! #.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg']

Turkish FileEncryptor Ransomware

his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turkish FileEncryptor Ransomware.

Known Synonyms
Fake CTB-Locker

Internal MISP references

UUID a291ac4c-7851-480f-b317-e977a616ac9d which can be used as unique global reference for Turkish FileEncryptor Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html - webarchive
• https://twitter.com/JakubKroustek/status/842034887397908480 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.encrypted']
payment-method	Bitcoin
price	150$
ransomnotes	['FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the "My Documents" folder for more information in the file "Beni Oku.txt". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.']
ransomnotes-filenames	['Beni Oku.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg']

Kirk Ransomware & Spock Decryptor

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kirk Ransomware & Spock Decryptor.

Known Synonyms
Kirk & Spock Decryptor

Internal MISP references

UUID 6e442a2e-97db-4a7b-b4a1-9abb4a7472d8 which can be used as unique global reference for Kirk Ransomware & Spock Decryptor in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ - webarchive
• https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/ - webarchive
• http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html - webarchive
• http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges - webarchive
• https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/ - webarchive
• https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/ - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES+RSA
extensions	['.kirked', '.Kirked']
payment-method	Monero
price	1100 roupies (14€)
ransomnotes	['!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don\'t work. This may have broken some software, including games, office suites etc. Here\'s a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension \'.kirked\n\', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named \'pwd\' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n"Logic, motherfucker." ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you\'re still unsure, google\' bitcoin exchange\'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called \'Spock\'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don\'t fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER']
ransomnotes-filenames	['RANSOM_NOTE.txt']
ransomnotes-refs	['https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png']

ZinoCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 719c8ba7-598e-4511-a851-34e651e301fa which can be used as unique global reference for ZinoCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html - webarchive
• https://twitter.com/demonslay335?lang=en - webarchive
• https://twitter.com/malwrhunterteam/status/842781575410597894 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.ZINO']
payment-method	Bitcoin
ransomnotes-filenames	['ZINO_NOTE.TXT']
ransomnotes-refs	['https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg']

Crptxxx Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass

Internal MISP references

UUID 786ca8b3-6915-4846-8f0f-9865fbc295f5 which can be used as unique global reference for Crptxxx Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84 - webarchive
• http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc - webarchive
• https://twitter.com/malwrhunterteam/status/839467168760725508 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.crptxxx']
ransomnotes-filenames	['HOW_TO_FIX_!.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png']

MOTD Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 5d1a3631-165c-4091-ba55-ac8da62efadf which can be used as unique global reference for MOTD Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/ - webarchive
• https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/ - webarchive

Associated metadata

Metadata key	Value
date	March 2017
extensions	['.enc']
payment-method	Bitcoin
price	2
ransomnotes-filenames	['motd.txt']
ransomnotes-refs	['https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png']

CryptoDevil Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID f3ead274-6c98-4532-b922-03d5ce4e7cfc which can be used as unique global reference for CryptoDevil Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html - webarchive
• https://twitter.com/PolarToffee/status/843527738774507522 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.devil']
payment-method	Dollars
price	20 - 100
ransomnotes-refs	['https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg', 'https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg']

FabSysCrypto Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Internal MISP references

UUID e4d36930-2e00-4583-b5f5-d8f83736d3ce which can be used as unique global reference for FabSysCrypto Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html - webarchive
• https://twitter.com/struppigel/status/837565766073475072 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-256+RSA
extensions	['.locked']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png']

Lock2017 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID cf47a853-bc1d-42ae-8542-8a7433f6c9c2 which can be used as unique global reference for Lock2017 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES+RSA
extensions	['[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is']
ransomnotes-refs	['https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png']

RedAnts Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID dd3601f1-df0a-4e67-8a20-82e7ba0ed13c which can be used as unique global reference for RedAnts Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.Horas-Bah']
payment-method	Bitcoin
price	0.5

ConsoleApplication1 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4c3788d6-30a9-4cad-af33-81f9ce3a0d4f which can be used as unique global reference for ConsoleApplication1 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	0.5

KRider Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7 which can be used as unique global reference for KRider Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/836995570384453632 - webarchive

Associated metadata

Metadata key	Value
date	March 2017
encryption	AES
extensions	['.kr3']
payment-method	no ransom

CYR-Locker Ransomware (FAKE)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

Internal MISP references

UUID 44f6d489-f376-4416-9ba4-e153472f75fc which can be used as unique global reference for CYR-Locker Ransomware (FAKE) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
payment-method	Bitcoin
price	0.5 (300$)

DotRansomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 0570e09d-10b9-448c-87fd-c1c4063e6592 which can be used as unique global reference for DotRansomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	0.1
ransomnotes	["DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR
ransomnotes-refs	['https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png']

Unlock26 Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 37b9a28d-8554-4233-b130-efad4be97bc0 which can be used as unique global reference for Unlock26 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.locked-[3_random_chars]']
payment-method	Bitcoin
price	0.01 - 0.06
ransomnotes-filenames	['ReadMe-[3_random_chars].html']
ransomnotes-refs	['https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png', 'https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png']

PicklesRansomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PicklesRansomware.

Known Synonyms
Pickles

Internal MISP references

UUID 87171865-9fc9-42a9-9bd4-a453f556f20c which can be used as unique global reference for PicklesRansomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html - webarchive
• https://twitter.com/JakubKroustek/status/834821166116327425 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.EnCrYpTeD']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['READ_ME_TO_DECRYPT.txt']

Vanguard Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware

Internal MISP references

UUID 6a6eed70-3f90-420b-9e4a-5cce9428dc06 which can be used as unique global reference for Vanguard Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html - webarchive
• https://twitter.com/JAMESWT_MHT/status/834783231476166657 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	ChaCha20 and Poly1305
payment-method	Bitcoin
price	1
ransomnotes	['NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety.']

PyL33T Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 305cb1fb-d43e-4477-8edc-90b34aaf227f which can be used as unique global reference for PyL33T Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html - webarchive
• https://twitter.com/Jan0fficial/status/834706668466405377 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	ChaCha20 and Poly1305
extensions	['.d4nk']
ransomnotes	['ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** ']

TrumpLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg

Internal MISP references

UUID 63bd845c-94f6-49dc-8f0c-22e6f67820f7 which can be used as unique global reference for TrumpLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/ - webarchive
• https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-128
extensions	['.trumplockerf', '.TheTrumpLockerf', '.TheTrumpLockerfp']
payment-method	Bitcoin
price	1(50 - 165$)
ransomnotes-filenames	['What happen to my files.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg']

Damage Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi

Internal MISP references

UUID fbcb6a4f-1d31-4e31-bef5-e162e35649de which can be used as unique global reference for Damage Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html - webarchive
• https://decrypter.emsisoft.com/damage - webarchive
• https://twitter.com/demonslay335/status/835664067843014656 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-128 OR Combination of SHA-1 and Blowfish
extensions	['.damage']
ransomnotes	['TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com']

XYZWare Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Internal MISP references

UUID f0652feb-a104-44e8-91c7-b0435253352b which can be used as unique global reference for XYZWare Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/833636006721122304 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-128
extensions	['your files get marked with: “youarefucked”']
payment-method	Bitcoin
price	0.1 - 0.2
ransomnotes	["All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"]

YouAreFucked Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YouAreFucked Ransomware.

Known Synonyms
FortuneCrypt

Internal MISP references

UUID 912af0ef-2d78-4a90-a884-41f3c37c723b which can be used as unique global reference for YouAreFucked Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.enigmasoftware.com/youarefuckedransomware-removal/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-128
extensions	['your files get marked with: “youarefucked”']
payment-method	Bitcoin
price	0.1 (250$)
ransomnotes-refs	['https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png']

CryptConsole 2.0 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 7343da8f-fe18-46c9-8cda-5b04fb48e97d which can be used as unique global reference for CryptConsole 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
payment-method	Bitcoin
price	0.5 - 0.7
ransomnotes-filenames	['How decrypt files.hta']
ransomnotes-refs	['https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png']

BarRax Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BarRax Ransomware.

Known Synonyms
BarRaxCrypt Ransomware

Internal MISP references

UUID c0ee166e-273f-4940-859c-ba6f8666247c which can be used as unique global reference for BarRax Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html - webarchive
• https://twitter.com/demonslay335/status/835668540367777792 - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.barRex', '.BarRax']
payment-method	Bitcoin
price	0.5

CryptoLocker by NTK Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 51bcbbc6-d8e0-4d2b-b5ce-79f26d669567 which can be used as unique global reference for CryptoLocker by NTK Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
ransomnotes-refs	['https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg']

UserFilesLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UserFilesLocker Ransomware.

Known Synonyms
CzechoSlovak Ransomware

Internal MISP references

UUID c9e29151-7eda-4192-9c34-f9a81b2ef743 which can be used as unique global reference for UserFilesLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-256+RSA
extensions	['.ENCR']
payment-method	Bitcoin
price	0.8 - 2
ransomnotes	['All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)']
ransomnotes-refs	['https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg']

AvastVirusinfo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!

Internal MISP references

UUID 78649172-cf5b-4e8a-950b-a967ff700acf which can be used as unique global reference for AvastVirusinfo Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017_03_01_archive.html - webarchive
• https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-256+RSA
extensions	['.A9v9Ahu4-000']
payment-method	Bitcoin
price	6

SuchSecurity Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SuchSecurity Ransomware.

Known Synonyms
Such Security

Internal MISP references

UUID 22481dfd-8284-4071-a76f-c9a4a5f43f00 which can be used as unique global reference for SuchSecurity Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
ransomnotes-refs	['https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png']

PleaseRead Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PleaseRead Ransomware.

Known Synonyms
VHDLocker Ransomware

Internal MISP references

UUID 9de7a1f2-cc21-40cf-b44e-c67f0262fbce which can be used as unique global reference for PleaseRead Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-256
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png']

Kasiski Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 59b537dc-3764-42fc-a416-92d2950aaff1 which can be used as unique global reference for Kasiski Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html - webarchive
• https://twitter.com/MarceloRivero/status/832302976744173570 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
extensions	['[KASISKI]']
payment-method	Dollars
price	500
ransomnotes-filenames	['INSTRUCCIONES.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg']

Fake Locky Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fake Locky Ransomware.

Known Synonyms
Locky Impersonator Ransomware

Internal MISP references

UUID 26a34763-a70c-4877-b99f-ae39decd2107 which can be used as unique global reference for Fake Locky Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/ - webarchive
• https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html - webarchive
• https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	1
ransomnotes	['Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys']

CryptoShield 1.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMix family.

Internal MISP references

UUID 1f915f16-2e2f-4681-a1e8-e146a0a4fcdf which can be used as unique global reference for CryptoShield 1.0 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES(256)/ROT-13
extensions	['.CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)']
payment-method	Email
ransomnotes-filenames	['# RESTORING FILES #.txt', '# RESTORING FILES #.html']
ransomnotes-refs	['https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png']

Hermes Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: "HERMES"

Internal MISP references

UUID b7102922-8aad-4b29-8518-6d87c3ba45bb which can be used as unique global reference for Hermes Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/ - webarchive
• https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/ - webarchive
• https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.locked']
payment-method	Email - Bitcoin
ransomnotes	['UNIQUE_ID_DO_NOT_REMOVE']
ransomnotes-filenames	['DECRYPT_INFORMATION.html']
ransomnotes-refs	['https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png', 'https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png']

Related clusters

To see the related clusters, click here.

LoveLock Ransomware or Love2Lock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoveLock Ransomware or Love2Lock Ransomware.

Known Synonyms
Love2Lock
LoveLock

Internal MISP references

UUID 0785bdda-7cd8-4529-b28e-787367c50298 which can be used as unique global reference for LoveLock Ransomware or Love2Lock Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.hasp']
ransomnotes-refs	['https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg']

Wcry Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 0983bdda-c637-4ad9-a56f-615b2b052740 which can be used as unique global reference for Wcry Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.wcry']
payment-method	Bitcoin
price	0.1
ransomnotes-refs	['https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg']

DUMB Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 27feba66-e9c7-4414-a560-1e5b7da74d08 which can be used as unique global reference for DUMB Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html - webarchive
• https://twitter.com/bleepincomputer/status/816053140147597312?lang=en - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
payment-method	Bitcoin
price	0,3169
ransomnotes-refs	['https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png', 'https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg']

X-Files

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID c24f48ca-060b-4164-aafe-df7b3f43f40e which can be used as unique global reference for X-Files in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017_02_01_archive.html - webarchive
• https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES
extensions	['.b0C', '.b0C.x']
payment-method	Bitcoin
price	0,2

Polski Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.

Internal MISP references

UUID b50265ac-ee45-4f5a-aca1-fabe3157fc14 which can be used as unique global reference for Polski Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	February 2017
encryption	AES-256
extensions	['.aes']
payment-method	Dollars
price	249
ransomnotes-refs	['https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg']

YourRansom Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)

Internal MISP references

UUID 908b914b-6744-4e16-b014-121cf2106b5f which can be used as unique global reference for YourRansom Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/ - webarchive
• https://twitter.com/_ddoxer/status/827555507741274113 - webarchive

Associated metadata

Metadata key	Value
date	February 2016
encryption	AES-256
extensions	['.yourransom']
payment-method	Email
ransomnotes-filenames	['README.txt']
ransomnotes-refs	['https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png']

Ranion RaasRansomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service

Internal MISP references

UUID b4de724f-add4-4095-aa5a-e4d039322b59 which can be used as unique global reference for Ranion RaasRansomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html - webarchive
• https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/ - webarchive

Associated metadata

Metadata key	Value
date	February 2016
encryption	AES-256
payment-method	Bitcoin
price	0.6 - 0.95
ransomnotes-refs	['https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png']

Potato Ransomware

Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.

Internal MISP references

UUID 378cb77c-bb89-4d32-bef9-1b132343f3fe which can be used as unique global reference for Potato Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256
extensions	['.potato']
payment-method	Email
ransomnotes-filenames	['How to recover my files.txt', 'README.png', 'README.html']
ransomnotes-refs	['https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg']

of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)

This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID e290fa29-6fc1-4fb5-ac98-44350e508bc1 which can be used as unique global reference for of Ransomware: OpenToYou (Formerly known as OpenToDecrypt) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016/January 2017
encryption	RC4
extensions	['.-opentoyou@india.com']
payment-method	Email
ransomnotes	['Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884']
ransomnotes-filenames	['!!!.txt', '1.bmp', '1.jpg']
ransomnotes-refs	['https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg']

RansomPlus

Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID c039a50b-f5f9-4ad0-8b66-e1d8cc86717b which can be used as unique global reference for RansomPlus in MISP communities and other software using the MISP galaxy

External references

• http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html - webarchive
• https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html - webarchive
• https://twitter.com/jiriatvirlab/status/825411602535088129 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.encrypted']
payment-method	Bitcoin
price	0.25
ransomnotes	['YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool.']
ransomnotes-filenames	['YOUR FILES ARE ENCRYPTED!!!.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png']

CryptConsole

This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files

Internal MISP references

UUID 42508fd8-3c2d-44b2-9b74-33c5d82b297d which can be used as unique global reference for CryptConsole in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/ - webarchive
• https://twitter.com/PolarToffee/status/824705553201057794 - webarchive
• https://twitter.com/demonslay335/status/1004351990493741057 - webarchive
• https://twitter.com/demonslay335/status/1004803373747572736 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ', '.decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters']
payment-method	Bitcoin
price	0.2
ransomnotes	["Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"]
ransomnotes-filenames	['How decrypt files.hta']

ZXZ Ramsomware

Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A

Internal MISP references

UUID e4932d1c-2f97-474d-957e-c7df87f9591e which can be used as unique global reference for ZXZ Ramsomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310 - webarchive
• https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
extensions	['.zxz']
payment-method	Email

VxLock Ransomware

Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc

Internal MISP references

UUID 14deb95c-7af3-4fb1-b2c1-71087e1bb156 which can be used as unique global reference for VxLock Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES+RSA
extensions	['.vxlock']

FunFact Ransomware

Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.

Internal MISP references

UUID 2bfac605-a2c5-4742-92a2-279a08a4c575 which can be used as unique global reference for FunFact Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/funfact.html - webarchive
• http://www.enigmasoftware.com/funfactransomware-removal/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES+RSA
payment-method	Bitcoin
price	0,65806
ransomnotes	['Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061\nBTC Address: 1AQrj\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******\n-----END PGP PUBLIC KEY BLOCK-----']
ransomnotes-filenames	['note.iti']

ZekwaCrypt Ransomware

First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID 89d5a541-ef9a-4b18-ac04-2e1384031a2d which can be used as unique global reference for ZekwaCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html - webarchive
• http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES+RSA
extensions	['.<7_random_letters>']
payment-method	Email
ransomnotes	['WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com']
ransomnotes-filenames	['encrypted_readme.txt', '__encrypted_readme.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png']

Sage 2.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker

Internal MISP references

UUID 9174eef3-65f7-4ab5-9b55-b323b36fb962 which can be used as unique global reference for Sage 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html - webarchive
• https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/ - webarchive
• http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom - webarchive
• https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/ - webarchive
• https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.sage']
payment-method	Bitcoin
price	2,15555 (2000$)
ransomnotes-filenames	['!Recovery_[3_random_chars].html']
ransomnotes-refs	['https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png', 'https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png']

CloudSword Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Internal MISP references

UUID a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4 which can be used as unique global reference for CloudSword Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html - webarchive
• http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/ - webarchive
• https://twitter.com/BleepinComputer/status/822653335681593345 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
payment-method	Bitcoin
ransomnotes-filenames	['Warning警告.html']
ransomnotes-refs	['https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg']

DN

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DN.

Known Synonyms
Fake

Internal MISP references

UUID 327eb8b4-5793-42f0-96c0-7f651a0debdc which can be used as unique global reference for DN in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.killedXXX']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg', 'https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg']

GarryWeber Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, etc..

Internal MISP references

UUID b6e6da33-bf23-4586-81cf-dcfe10e13a81 which can be used as unique global reference for GarryWeber Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/garryweber.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.id-_garryweber@protonmail.ch']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HOW_OPEN_FILES.html']
ransomnotes-refs	['https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg']

Satan Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS

Internal MISP references

UUID 61d8bba8-7b22-493f-b023-97ffe7f17caf which can be used as unique global reference for Satan Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html - webarchive
• https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/ - webarchive
• https://twitter.com/Xylit0l/status/821757718885236740 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256 + RSA-2048
extensions	['.stn']
payment-method	Bitcoin
price	0.1 - your choice
ransomnotes-filenames	['HELP_DECRYPT_FILES.html']
ransomnotes-refs	['https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png']

Related clusters

To see the related clusters, click here.

Havoc

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Havoc.

Known Synonyms
HavocCrypt Ransomware

Internal MISP references

UUID c6bef9c8-becb-4bee-bd97-c1c655133396 which can be used as unique global reference for Havoc in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.HavocCrypt']
payment-method	Bitcoin
price	150 $
ransomnotes-refs	['https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg']

CryptoSweetTooth Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.

Internal MISP references

UUID ca831782-fcbf-4984-b04e-d79b14e48a71 which can be used as unique global reference for CryptoSweetTooth Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html - webarchive
• http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['IMPORTANTE_LEER.html', 'RECUPERAR_ARCHIVOS.html']
ransomnotes-refs	['https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg']

Kaandsona Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaandsona Ransomware.

Known Synonyms
Käändsõna Ransomware
RansomTroll Ransomware

Internal MISP references

UUID aed61a0a-dc48-43ac-9c33-27e5a286899e which can be used as unique global reference for Kaandsona Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html - webarchive
• https://twitter.com/BleepinComputer/status/819927858437099520 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.kencf']
payment-method	Bitcoin
price	1
ransomnotes	["You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"]
ransomnotes-refs	['https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png']

LambdaLocker Ransomware

It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware

Internal MISP references

UUID 0d1b35e9-c87a-4972-8c27-a11c13e351d7 which can be used as unique global reference for LambdaLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html - webarchive
• http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256
extensions	['.lambda_l0cked']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes-filenames	['READ_IT.hTmL']
ransomnotes-refs	['https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif']

NMoreia 2.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NMoreia 2.0 Ransomware.

Known Synonyms
HakunaMatataRansomware

Internal MISP references

UUID 0645cae2-bda9-4d68-8bc3-c3c1eb9d1801 which can be used as unique global reference for NMoreia 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html - webarchive
• https://id-ransomware.blogspot.co.il/2016_03_01_archive.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.HakunaMatata']
payment-method	Website (onion)
ransomnotes-filenames	['Recovers files yako.html']
ransomnotes-refs	['https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png']

Marlboro Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)

Internal MISP references

UUID 4ae98da3-c667-4c6e-b0fb-5b52c667637c which can be used as unique global reference for Marlboro Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/marlboro.html - webarchive
• https://decrypter.emsisoft.com/marlboro - webarchive
• https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	XOR
extensions	['.oops']
payment-method	Bitcoin
price	0.2
ransomnotes-filenames	['HELP_Recover_Files.html']
ransomnotes-refs	['https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png', 'https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png']

Spora Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

Internal MISP references

UUID 46601172-d938-47af-8cf5-c5a796ab68ab which can be used as unique global reference for Spora Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html - webarchive
• https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware - webarchive
• http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES+RSA
payment-method	Bitcoin
price	79$
ransomnotes-filenames	['[Infection-ID].HTML']
ransomnotes-refs	['https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png']

CryptoKill Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.

Internal MISP references

UUID 7ae2f594-8a72-4ba8-a37a-32457d1d3fe8 which can be used as unique global reference for CryptoKill Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES+RSA
extensions	['.crypto']
payment-method	Bitcoin

All_Your_Documents Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 62120e20-21f6-474b-9dc1-fc871d25c798 which can be used as unique global reference for All_Your_Documents Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
extensions	['AES+RSA']
payment-method	Bitcoin
price	0.35
ransomnotes-refs	['https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png']

SerbRansom 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.

Internal MISP references

UUID fb1e99cb-73fa-4961-a052-c90b3f383542 which can be used as unique global reference for SerbRansom 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html - webarchive
• https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/ - webarchive
• https://twitter.com/malwrhunterteam/status/830116190873849856 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.velikasrbija']
payment-method	Bitcoin
price	500$
ransomnotes-refs	['https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg', 'https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg']

Fadesoft Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.

Internal MISP references

UUID ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37 which can be used as unique global reference for Fadesoft Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/829768819031805953 - webarchive
• https://twitter.com/malwrhunterteam/status/838700700586684416 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
payment-method	Bitcoin
price	0.33
ransomnotes-refs	['https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg']

HugeMe Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 681ad7cc-fda0-40dc-83b3-91fdfdec81e1 which can be used as unique global reference for HugeMe Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html - webarchive
• https://www.ozbargain.com.au/node/228888?page=3 - webarchive
• https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256 + RSA-2048
extensions	['.encypted']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png']

DynA-Crypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynA-Crypt Ransomware.

Known Synonyms
DynA CryptoLocker Ransomware

Internal MISP references

UUID 9979ae53-98f7-49a2-aa1e-276973c2b44f which can be used as unique global reference for DynA-Crypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256 + RSA-2048
extensions	['.crypt']
payment-method	Bitcoin
price	50$
ransomnotes-refs	['https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg']

Serpent 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Serpent 2017 Ransomware.

Known Synonyms
Serpent Danish Ransomware

Internal MISP references

UUID 3b472aac-085b-409e-89f1-e8c766f7c401 which can be used as unique global reference for Serpent 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256 + RSA-2048
extensions	['.crypt']
payment-method	Bitcoin
price	0.75 (787.09$) - 2.25 (2366.55$ after 7 days)
ransomnotes	["==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"]

Erebus 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID c21e637c-6611-47e1-a191-571409b6669a which can be used as unique global reference for Erebus 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	ROT-23
payment-method	Bitcoin
price	0.085
ransomnotes-filenames	['README.HTML']
ransomnotes-refs	['https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg']

Cyber Drill Exercise

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber Drill Exercise .

Known Synonyms
Ransomuhahawhere

Internal MISP references

UUID dcb183d1-11b5-464c-893a-21e132cb7b51 which can be used as unique global reference for Cyber Drill Exercise in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
extensions	['.locked']
payment-method	Bitcoin
price	0.085
ransomnotes-refs	['https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png']

Cancer Ransomware FAKE

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.

Internal MISP references

UUID ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f which can be used as unique global reference for Cancer Ransomware FAKE in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/ - webarchive

Associated metadata

Metadata key	Value
date	February 2017
extensions	['.cancer']
payment-method	no ransom
ransomnotes-refs	['https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg']

UpdateHost Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.

Internal MISP references

UUID ed5b30b0-2949-410a-bc4c-3d90de93d033 which can be used as unique global reference for UpdateHost Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html - webarchive
• https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.locked']
payment-method	Email - Bitcoin
ransomnotes-refs	['https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png']

Nemesis Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.

Internal MISP references

UUID b5942085-c9f2-4d1a-aadf-1061ad38fb1d which can be used as unique global reference for Nemesis Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.v8dp']
payment-method	Bitcoin
price	10
ransomnotes-refs	['https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg']

Evil Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evil Ransomware.

Known Synonyms
File0Locked KZ Ransomware

Internal MISP references

UUID 57933295-4a0e-4f6a-b06b-36807ff150cd which can be used as unique global reference for Evil Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html - webarchive
• http://www.enigmasoftware.com/evilransomware-removal/ - webarchive
• http://usproins.com/evil-ransomware-is-lurking/ - webarchive
• https://twitter.com/jiriatvirlab/status/818443491713884161 - webarchive
• https://twitter.com/PolarToffee/status/826508611878793219 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.file0locked', '.evillock']
payment-method	Email
ransomnotes-filenames	['HOW_TO_DECRYPT_YOUR_FILES.TXT', 'HOW_TO_DECRYPT_YOUR_FILES.HTML']
ransomnotes-refs	['https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png', 'https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png']

Ocelot Ransomware (FAKE RANSOMWARE)

It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ocelot Ransomware (FAKE RANSOMWARE).

Known Synonyms
Ocelot Locker Ransomware

Internal MISP references

UUID 054b9fbd-72fa-464f-a683-a69ab3936d69 which can be used as unique global reference for Ocelot Ransomware (FAKE RANSOMWARE) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/817648547231371264 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
payment-method	Bitcoin
price	0.03
ransomnotes-refs	['https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg', 'https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg']

SkyName Ransomware

It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SkyName Ransomware.

Known Synonyms
Blablabla Ransomware

Internal MISP references

UUID 00b8ff33-1504-49a4-a025-b761738eed68 which can be used as unique global reference for SkyName Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/817079028725190656 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
payment-method	Bitcoin
price	1000 CZK
ransomnotes-filenames	['INFOK1.txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png', 'https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg']

MafiaWare Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MafiaWare Ransomware.

Known Synonyms
Depsex Ransomware

Internal MISP references

UUID e5a60429-ae5d-46f4-a731-da9e2fcf8b92 which can be used as unique global reference for MafiaWare Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/ - webarchive
• https://twitter.com/BleepinComputer/status/817069320937345024 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.locked-by-mafia']
payment-method	Bitcoin
price	155$
ransomnotes-filenames	['READ_ME.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png']

Globe3 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Globe3 Ransomware.

Known Synonyms
Purge Ransomware

Internal MISP references

UUID fe16edbe-3050-4276-bac3-c7ff5fd4174a which can be used as unique global reference for Globe3 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/ - webarchive
• https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html - webarchive
• https://decrypter.emsisoft.com/globe3 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256+RSA or RC4
extensions	['.badnews', '.globe', '.[random].bit', '.[random].encrypted', '.[random].raid10', '.[random].globe', '.[mia.kokers@aol.com]', '.unlockv@india.com', '.rescuers@india.com.3392cYAn548QZeUf.lock', '.locked', '.decrypt2017', '.hnumkhotep']
payment-method	Bitcoin
price	3
ransomnotes-filenames	['How To Recover Encrypted Files.hta']
ransomnotes-refs	['https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png', 'https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png']

Related clusters

To see the related clusters, click here.

BleedGreen Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BleedGreen Ransomware.

Known Synonyms
FireCrypt Ransomware

Internal MISP references

UUID fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08 which can be used as unique global reference for BleedGreen Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256
extensions	['.firecrypt']
payment-method	Bitcoin
price	500$
ransomnotes-refs	['https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg']

BTCamant Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)

Internal MISP references

UUID a5826bd3-b457-4aa9-a2e7-f0044ad9992f which can be used as unique global reference for BTCamant Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/btcamant.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.BTC']
payment-method	Email
ransomnotes-filenames	['BTC_DECRYPT_FILES.txt', 'BTC_DECRYPT_FILES.html']
ransomnotes-refs	['https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png']

X3M Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.

Internal MISP references

UUID 192bc3e8-ace8-4229-aa88-37034a11ef5b which can be used as unique global reference for X3M Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['_x3m', '_r9oj', '_locked']
payment-method	Bitcoin
price	700$
ransomnotes-refs	['https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png']

GOG Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID c3ef2acd-cc5d-4240-80e7-47e85b46db96 which can be used as unique global reference for GOG Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html - webarchive
• https://twitter.com/BleepinComputer/status/816112218815266816 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.LOCKED']
payment-method	Bitcoin - WebSite (onion)
ransomnotes-filenames	['DecryptFile.txt']
ransomnotes-refs	['https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png', 'https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png']

RegretLocker

RegretLocker is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for VHD files, mount them using Windows Virtual Storage API, and then encrypt all the files it finds inside of those VHD files.

Internal MISP references

UUID 9479d372-605e-408e-a2a3-ea971ad4ad78 which can be used as unique global reference for RegretLocker in MISP communities and other software using the MISP galaxy

External references

• http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ - webarchive

Associated metadata

Metadata key	Value
date	November 2020
encryption	AES
extensions	['.mouse']

EdgeLocker

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.

Internal MISP references

UUID ecfa106d-0aff-4f7e-a259-f00eb14fc245 which can be used as unique global reference for EdgeLocker in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html - webarchive
• https://twitter.com/BleepinComputer/status/815392891338194945 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.edgel']
payment-method	Bitcoin
price	0.1
ransomnotes-refs	['https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg']

Red Alert

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear

Internal MISP references

UUID f762860a-5e7a-43bf-bef4-06bd27e0b023 which can be used as unique global reference for Red Alert in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html - webarchive
• https://twitter.com/JaromirHorejsi/status/815557601312329728 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.locked']
payment-method	Website
ransomnotes-filenames	['MESSAGE.txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg']

Related clusters

To see the related clusters, click here.

First

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID ed26fcf3-47fb-45cc-b5f9-de18f6491934 which can be used as unique global reference for First in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	1.5
ransomnotes-refs	['https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg']

XCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XCrypt Ransomware.

Known Synonyms
XCrypt

Internal MISP references

UUID fd5bb71f-80dc-4a6d-ba8e-ed74999700d3 which can be used as unique global reference for XCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html - webarchive
• https://twitter.com/JakubKroustek/status/825790584971472902 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	Twofish
payment-method	Email
ransomnotes-filenames	['Xhelp.jpg']
ransomnotes-refs	['https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg']

7Zipper Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID d8ec9e54-a4a4-451e-9f29-e7503174c16e which can be used as unique global reference for 7Zipper Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html - webarchive
• https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	Twofish
extensions	['.7zipper']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png']

Zyka Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 170$ or EUR in Bitcoins.

Internal MISP references

UUID 7b7c8124-c679-4201-b5a5-5e66e6d52b70 which can be used as unique global reference for Zyka Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html - webarchive
• https://www.pcrisk.com/removal-guides/10899-zyka-ransomware - webarchive
• https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip - webarchive
• https://twitter.com/GrujaRS/status/826153382557712385 - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES
extensions	['.lock', '.locked']
payment-method	Bitcoin
price	170€/$
ransomnotes-refs	['https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png']

SureRansom Ransomeware (Fake)

It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.

Internal MISP references

UUID a9365b55-acd8-4b70-adac-c86d121b80b3 which can be used as unique global reference for SureRansom Ransomeware (Fake) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html - webarchive
• http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256 (fake)
payment-method	Bitcoin
price	50£
ransomnotes-refs	['https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif']

Netflix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.

Internal MISP references

UUID 1317351f-ec8f-4c76-afab-334e1384d3d3 which can be used as unique global reference for Netflix Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/ - webarchive
• http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012 - webarchive
• https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg - webarchive
• https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png - webarchive

Associated metadata

Metadata key	Value
date	January 2017
encryption	AES-256
extensions	['.se']
payment-method	Bitcoin
price	0.18 (100$)
ransomnotes-refs	['https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg', 'https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad']

Merry Christmas

It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Merry Christmas.

Known Synonyms
MRCR
Merry X-Mas

Internal MISP references

UUID 72cbed4e-b26a-46a1-82be-3d0154fdd2e5 which can be used as unique global reference for Merry Christmas in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/ - webarchive
• http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/ - webarchive
• https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/ - webarchive
• https://decrypter.emsisoft.com/mrcr - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.MRCR1', '.PEGS1', '.RARE1', '.RMCM1', '.MERRY']
payment-method	Email
ransomnotes-filenames	['YOUR_FILES_ARE_DEAD.HTA', 'MERRY_I_LOVE_YOU_BRUCE.HTA']
ransomnotes-refs	['https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png', 'https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png']

Seoirse Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.

Internal MISP references

UUID bdf807c2-74ec-4802-9907-a89b1d910296 which can be used as unique global reference for Seoirse Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.seoire']
payment-method	Bitcoin
price	0.5

KillDisk Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.

Internal MISP references

UUID 8e067af6-d1f7-478a-8a8e-5154d2685bd1 which can be used as unique global reference for KillDisk Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/ - webarchive
• https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/ - webarchive
• http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/ - webarchive
• http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware - webarchive
• http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ - webarchive
• https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/ - webarchive

Associated metadata

Metadata key	Value
date	November/December 2016
encryption	AES-256+RSA
payment-method	Bitcoin
price	222 (200 000$)
ransomnotes-refs	['https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png']

DeriaLock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.

Internal MISP references

UUID c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3 which can be used as unique global reference for DeriaLock Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.deria']
payment-method	Bitcoin
price	20 - 30$
ransomnotes-filenames	['unlock-everybody.txt']
ransomnotes-refs	['https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif']

BadEncript Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 43bfbb2a-9416-44da-81ef-03d6d3a3923f which can be used as unique global reference for BadEncript Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html - webarchive
• https://twitter.com/demonslay335/status/813064189719805952 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.bript']
payment-method	Email - Bitcoin
ransomnotes-filenames	['More.html']
ransomnotes-refs	['https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png']

AdamLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.

Internal MISP references

UUID 5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc which can be used as unique global reference for AdamLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.adam']
payment-method	Website
ransomnotes-refs	['https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg']

Alphabet Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.

Internal MISP references

UUID dd356ed3-42b8-4587-ae53-95f933517612 which can be used as unique global reference for Alphabet Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html - webarchive
• https://twitter.com/PolarToffee/status/812331918633172992 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.alphabet']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg']

Related clusters

To see the related clusters, click here.

KoKoKrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KoKoKrypt Ransomware.

Known Synonyms
KokoLocker Ransomware

Internal MISP references

UUID d672fe4f-4561-488e-bca6-20385b53d77f which can be used as unique global reference for KoKoKrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html - webarchive
• http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.kokolocker']
payment-method	Bitcoin
price	0.1
ransomnotes-refs	['https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg']

L33TAF Locker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. The name of the creator is staffttt, he also created Fake CryptoLocker

Internal MISP references

UUID 791a6720-d589-4cf7-b164-08b35b453ac7 which can be used as unique global reference for L33TAF Locker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256+RSA
extensions	['.l33tAF']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['YOU_HAVE_BEEN_HACKED.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png']

PClock4 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PClock4 Ransomware.

Known Synonyms
PClock SysGop Ransomware

Internal MISP references

UUID b78be3f4-e39b-41cc-adc0-5824f246959b which can be used as unique global reference for PClock4 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256+RSA
payment-method	Bitcoin
price	0.6 - 1.6
ransomnotes-refs	['https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png']

Guster Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses VBS-script to send a voice message as the first few lines of the note.

Internal MISP references

UUID ffa7ac2f-b216-4fac-80be-e859a0e0251f which can be used as unique global reference for Guster Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html - webarchive
• https://twitter.com/BleepinComputer/status/812131324979007492 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256+RSA
extensions	['.locked']
payment-method	Bitcoin
price	0.4
ransomnotes-refs	['https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg']

Roga

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png

Internal MISP references

UUID cd1eb48e-070b-418e-8d83-4644a388f8ae which can be used as unique global reference for Roga in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.madebyadam']
payment-method	Website (gift card)
ransomnotes-refs	['https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg']

Related clusters

To see the related clusters, click here.

CryptoLocker3 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoLocker3 Ransomware.

Known Synonyms
Fake CryptoLocker

Internal MISP references

UUID 4094b021-6654-49d5-9b80-a3666a1c1e44 which can be used as unique global reference for CryptoLocker3 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-128+RSA
extensions	['.cryptolocker']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif']

ProposalCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.

Internal MISP references

UUID 4cf270e7-e4df-49d5-979b-c13d8ce117cc which can be used as unique global reference for ProposalCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html - webarchive
• http://www.archersecuritygroup.com/what-is-ransomware/ - webarchive
• https://twitter.com/demonslay335/status/812002960083394560 - webarchive
• https://twitter.com/malwrhunterteam/status/811613888705859586 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.crypted']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg']

Manifestus Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.

Internal MISP references

UUID e62ba8f5-e7ce-44ab-ac33-713ace192de3 which can be used as unique global reference for Manifestus Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/ - webarchive
• https://twitter.com/struppigel/status/811587154983981056 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
payment-method	Bitcoin
price	0.2 (160$)
ransomnotes-refs	['https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg']

EnkripsiPC Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EnkripsiPC Ransomware.

Known Synonyms
IDRANSOMv3
Manifestus

Internal MISP references

UUID 52caade6-ba7b-474e-b173-63f4332aa808 which can be used as unique global reference for EnkripsiPC Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html - webarchive
• https://twitter.com/demonslay335/status/811343914712100872 - webarchive
• https://twitter.com/BleepinComputer/status/811264254481494016 - webarchive
• https://twitter.com/struppigel/status/811587154983981056 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.fucked']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif']

Related clusters

To see the related clusters, click here.

BrainCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. So far the victims are from Belarus and Germany.

Internal MISP references

UUID ade6ec5e-e082-43cb-9b82-ff8c0f4d7e56 which can be used as unique global reference for BrainCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.braincrypt']
payment-method	Email
ransomnotes-refs	['https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png', 'https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg']

MSN CryptoLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.

Internal MISP references

UUID 7de27419-9874-4c3f-b75f-429a507ed7c5 which can be used as unique global reference for MSN CryptoLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html - webarchive
• https://twitter.com/struppigel/status/810766686005719040 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
payment-method	Bitcoin
price	0.2
ransomnotes-filenames	['RESTORE_YOUR_FILES.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png']

CryptoBlock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS

Internal MISP references

UUID 7b0df78e-8f00-468f-a6ef-3e1bda2a344c which can be used as unique global reference for CryptoBlock Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html - webarchive
• https://twitter.com/drProct0r/status/810500976415281154 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	RSA-2048
payment-method	Bitcoin
price	0.3
ransomnotes-refs	['https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg']

AES-NI Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 69c9b45f-f226-485f-9033-fcb796c315cf which can be used as unique global reference for AES-NI Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256 (ECB) + RSA-2048
extensions	['.aes256']
payment-method	Email
ransomnotes-filenames	['!!! READ THIS -IMPORTANT !!!.txt']
ransomnotes-refs	['https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png']

Koolova Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user's desktop

Internal MISP references

UUID ff6b8fc4-cfe0-45c1-9814-3261e39b4c9a which can be used as unique global reference for Koolova Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.encrypted']
payment-method	Game
ransomnotes-refs	['https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png']

Fake Globe Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fake Globe Ransomware.

Known Synonyms
Globe Imposter
GlobeImposter

Internal MISP references

UUID e03873ef-9e3d-4d07-85d8-e22a55f60c19 which can be used as unique global reference for Fake Globe Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/ - webarchive
• https://twitter.com/fwosar/status/812421183245287424 - webarchive
• https://decrypter.emsisoft.com/globeimposter - webarchive
• https://twitter.com/malwrhunterteam/status/809795402421641216 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive
• https://twitter.com/GrujaRS/status/1004661259906768896 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.crypt', '.emilysupp']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HOW_OPEN_FILES.hta']
ransomnotes-refs	['https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg']

Related clusters

To see the related clusters, click here.

V8Locker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Internal MISP references

UUID 45862a62-4cb3-4101-84db-8e338d17e283 which can be used as unique global reference for V8Locker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	RSA
extensions	['.v8']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png']

Cryptorium (Fake Ransomware)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.

Internal MISP references

UUID 96bd63e5-99bd-490c-a23a-e0092337f6e6 which can be used as unique global reference for Cryptorium (Fake Ransomware) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	RSA
extensions	['.ENC']
payment-method	Website
ransomnotes-refs	['https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg']

Antihacker2017 Ransomware

It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).

Internal MISP references

UUID efd64e86-611a-4e10-91c7-e741cf0c58d9 which can be used as unique global reference for Antihacker2017 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	XOR
extensions	['.antihacker2017']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg']

CIA Special Agent 767 Ransomware (FAKE!!!)

It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg

Internal MISP references

UUID e479e32e-c884-4ea0-97d3-3c3356135719 which can be used as unique global reference for CIA Special Agent 767 Ransomware (FAKE!!!) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html - webarchive
• https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/ - webarchive
• https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
payment-method	Dollars
price	100 - 250 - 500
ransomnotes-refs	['https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png']

LoveServer Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.

Internal MISP references

UUID d1698a73-8be8-4c10-8114-8cfa1c399eb1 which can be used as unique global reference for LoveServer Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png']

Kraken Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.

Internal MISP references

UUID 51737c36-11a0-4c25-bd87-a990bd479aaf which can be used as unique global reference for Kraken Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.kraken', '[base64].kraken']
payment-method	Bitcoin
price	2
ransomnotes-filenames	['_HELP_YOUR_FILES.html']
ransomnotes-refs	['https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png', 'https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png']

Antix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.

Internal MISP references

UUID 8a7e0615-b9bd-41ab-89f1-62d041350e99 which can be used as unique global reference for Antix Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
payment-method	Bitcoin
price	0.25
ransomnotes-refs	['https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg']

PayDay Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear

Internal MISP references

UUID 70324b69-6076-4d00-884e-7f9d5537a65a which can be used as unique global reference for PayDay Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html - webarchive
• https://twitter.com/BleepinComputer/status/808316635094380544 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.sexy']
payment-method	Bitcoin
price	950 bresilian real ($)
ransomnotes-filenames	['!!!!!ATENÇÃO!!!!!.html']
ransomnotes-refs	['https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg']

Slimhem Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.

Internal MISP references

UUID 76b14980-e53c-4209-925e-3ab024210734 which can be used as unique global reference for Slimhem Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.encrypted']
payment-method	no ransom

M4N1F3STO Ransomware (FAKE!!!!!)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!

Internal MISP references

UUID 94a3be6b-3a83-40fb-85b2-555239260235 which can be used as unique global reference for M4N1F3STO Ransomware (FAKE!!!!!) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
payment-method	Bitcoin
price	0.3
ransomnotes	["I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins"]
ransomnotes-refs	['https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg']

Dale Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dale Ransomware.

Known Synonyms
DaleLocker Ransomware

Internal MISP references

UUID abe6cbe4-9031-46da-9e1c-89d9babe6449 which can be used as unique global reference for Dale Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES+RSA-512
extensions	['.DALE']
payment-method	Email

UltraLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire

Internal MISP references

UUID 3a66610b-5197-4af9-b662-d873afc81b2e which can be used as unique global reference for UltraLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html - webarchive
• https://twitter.com/struppigel/status/807161652663742465 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.locked (added before the ending, not to the ending, for example: file.locked.doc']
payment-method	Bitcoin
price	1000 $
ransomnotes-refs	['https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png']

AES_KEY_GEN_ASSIST Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Internal MISP references

UUID d755510f-d775-420c-83a0-b0fe9e483256 which can be used as unique global reference for AES_KEY_GEN_ASSIST Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html - webarchive
• https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256 and RSA-2048
extensions	['.pre_alpha']
payment-method	Email
ransomnotes-refs	['https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png']

Code Virus Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID a23d7c45-7200-4074-9acf-8789600fa145 which can be used as unique global reference for Code Virus Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256 and RSA-2048
extensions	['.locky']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes-refs	['https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg', 'https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif']

FLKR Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 1cdc34ce-43b7-4df1-ae8f-ae0acbe5e4ad which can be used as unique global reference for FLKR Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	Blowfish
extensions	['morf56@meta.ua']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png']

PopCorn Time Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png

Internal MISP references

UUID c1b3477b-cd7f-4726-8744-a2c44275dffd which can be used as unique global reference for PopCorn Time Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.kok', '.filock']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes-filenames	['restore_your_files.html', 'restore_your_files.txt']
ransomnotes-refs	['https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png', 'https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg']

HackedLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.

Internal MISP references

UUID c2624d8e-da7b-4d94-b06f-363131ddb6ac which can be used as unique global reference for HackedLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES-256
extensions	['.hacked']
payment-method	Bitcoin
price	0.33 - 0.5
ransomnotes-refs	['https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg']

GoldenEye Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Internal MISP references

UUID ac7affb8-971d-4c05-84f0-172b61d007d7 which can be used as unique global reference for GoldenEye Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/ - webarchive
• https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES(CBC)
extensions	['.']
payment-method	Bitcoin
price	1.33 - 1.34
ransomnotes-refs	['https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg', 'https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg']

Related clusters

To see the related clusters, click here.

Sage Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Internal MISP references

UUID 3e5a475f-7467-49ab-917a-4d1f590ad9b4 which can be used as unique global reference for Sage Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/ - webarchive
• https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/ - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES
extensions	['.sage']
payment-method	Bitcoin
price	0.74 (545 $)
ransomnotes-refs	['https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png']

SQ_ Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SQ_ Ransomware.

Known Synonyms
VO_ Ransomware

Internal MISP references

UUID 5024f328-2595-4dbd-9007-218147e55d5f which can be used as unique global reference for SQ_ Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES and RSA-1024
extensions	['.VO_']
payment-method	Bitcoin
price	4(1040 $)
ransomnotes-refs	['https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png']

Matrix

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Matrix.

Known Synonyms
Malta Ransomware
Matrix Ransomware

Internal MISP references

UUID 42ee85b9-45f8-47a3-9bab-b695ac271544 which can be used as unique global reference for Matrix in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/ - webarchive
• https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html - webarchive
• https://twitter.com/rommeljoven17/status/804251901529231360 - webarchive
• https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive
• https://twitter.com/demonslay335/status/1034212374805278720 - webarchive
• https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://twitter.com/demonslay335/status/1049314118409306112 - webarchive
• https://twitter.com/demonslay335/status/1050118985210048512 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/ - webarchive
• https://twitter.com/demonslay335/status/1039907030570598400 - webarchive

Associated metadata

Metadata key	Value
date	December 2016
encryption	AES and RSA
extensions	['.MATRIX', '.[Files4463@tuta.io]', '.[RestorFile@tutanota.com]', '[KOK8@protonmail.com].-.KOK8', '.FOX', '.EMAN50', '.GMAN', '.NOBAD', '.ITLOCK']
payment-method	Email
ransomnotes	["WHAT HAPPENED WITH YOUR FILES?\nYour documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.\nMore information about the RSA and AES can be found here:\nhttp://en.wikipedia.org/wiki/RSA_(cryptosystem)\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\nIt mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!\nIf yоu wаnt tо rеstоrе yоur filеs, plеаsе writе us tо thе е-mаils:\nFiles4463@tuta.io\nFiles4463@protonmail.ch\nFiles4463@gmail.com\nIn subjеct linе оf your mеssаgе writе yоur pеrsоnаl ID:\n4292D68970C047D9\nWе rесоmmеnd yоu tо sеnd yоur mеssаgе ОN ЕАСH оf ОUR 3 ЕМАILS, duе tо thе fасt thаt thе mеssаgе mау nоt rеаch thеir intеndеd rеcipiеnt fоr а vаriеtу оf rеаsоns!\nPlеаsе, writе us in Еnglish оr usе prоfеssiоnаl trаnslаtоr!\nIf yоu wаnt tо rеstоrе yоur filеs, yоu hаvе tо pаy fоr dесrуptiоn in Bitсоins. Thе pricе dереnds оn hоw fаst уоu writе tо us.\nYour message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.\nTо cоnfirm thаt wе cаn dесryрt yоur filеs yоu cаn sеnd us up tо 3 filеs fоr frее dесrурtiоn. Plеаsе nоte thаt filеs fоr frее dесrурtiоn must NОT cоntаin аnу vаluаblе infоrmаtiоn аnd thеir tоtаl sizе must bе lеss thаn 5Mb.\nYоu hаvе tо rеspоnd аs sооn аs pоssiblе tо еnsurе thе rеstоrаtiоn оf yоur filеs, bеcаusе wе wоnt kееp yоur dеcrуptiоn kеys аt оur sеrvеr mоre thаn оne wееk in intеrеst оf оur sеcuritу.\nNоtе thаt аll thе аttеmpts оf dесryptiоn by yоursеlf оr using third pаrty tооls will rеsult оnly in irrеvосаble lоss оf yоur dаtа.\n\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 6 hours, рlеаsе сhеck SРАМ fоldеr!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 12 hours, рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе!\nIf yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours (еvеn if уоu hаvе prеviоuslу rесеivеd аnswеr frоm us), рlеаsе trу tо sеnd уоur mеssаgе with аnоthеr еmаil sеrviсе tо еасh оf оur 3 еmаils!\nАnd dоn't fоrgеt tо chеck SPАМ fоldеr!", "HOW TO RECOVER YOUR FILES INSTRUCTION\nATENTION!!!\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \nby our automatic software. It became possible because of bad server security.\nATENTION!!!\nPlease don't worry, we can help you to RESTORE your server to original\nstate and decrypt all your files quickly and safely!\n\nINFORMATION!!!\nFiles are not broken!!!\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\n Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\n Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\n\nHOW TO RECOVER FILES???\nPlease write us to the e-mail (write on English or use professional translator):\nPabFox@protonmail.com \nFoxHelp@cock.li\nFoxHelp@tutanota.com\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\n\nIn subject line write your personal ID:\n[id]\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \n\nOUR ADVICE!!!\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\n\nWe will definitely reach an agreement ;) !!!"]
ransomnotes-filenames	['[5 numbers]-MATRIX-README.RTF', '!ReadMe_To_Decrypt_Files!.rtf', '#Decrypt_Files_ReadMe#.rtf', '#KOK8_README#.rtf', '#FOX_README#.rtf', '!README_GMAN!.rtf', '#README_EMAN50#.rtf', '#NOBAD_README#.rtf', '!ITLOCK_README!.rtf']
ransomnotes-refs	['https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png', 'https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/ransom-note.jpg', 'https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/1/background.jpg', 'https://www.bleepstatic.com/images/news/ransomware/m/matrix/4-7-2018/2/wallpaper.jpg', 'https://pbs.twimg.com/media/DZ4VCRpWsAYtckw.jpg', 'https://pbs.twimg.com/media/DZ4V8uXWsAI0r1v.jpg', 'https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg']

Satan666 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 03d92e7b-95ae-4c5b-8b58-daa2fd98f7a1 which can be used as unique global reference for Satan666 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.locked']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png']

RIP (Phoenix) Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RIP (Phoenix) Ransomware.

Known Synonyms
Phoenix
RIP

Internal MISP references

UUID 5705df4a-42b0-4579-ad9f-8bfa42bae471 which can be used as unique global reference for RIP (Phoenix) Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html - webarchive
• https://twitter.com/BleepinComputer/status/804810315456200704 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.R.i.P']
payment-method	Bitcoin
price	0.2
ransomnotes-filenames	['Important!.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG']

Locked-In Ransomware or NoValid Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Locked-In Ransomware or NoValid Ransomware.

Known Synonyms
Locked-In Ransomware
NoValid Ransomware

Internal MISP references

UUID 777f0b78-e778-435f-b4d5-e40f0b7f54c3 which can be used as unique global reference for Locked-In Ransomware or NoValid Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/ - webarchive
• https://twitter.com/struppigel/status/807169774098796544 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.novalid']
payment-method	Bitcoin - Link WebSite
ransomnotes-filenames	['RESTORE_CORUPTED_FILES.HTML']
ransomnotes-refs	['https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg']

Chartwig Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 37fff5f8-8e66-43d3-a075-3619b6f2163d which can be used as unique global reference for Chartwig Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES

RenLocker Ransomware (FAKE)

It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]

Internal MISP references

UUID 957850f7-081a-4191-9e5e-cf9ff27584ac which can be used as unique global reference for RenLocker Ransomware (FAKE) in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	Rename > Ren + Locker
extensions	['.crypter']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg']

Thanksgiving Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 459ea908-e39e-4274-8866-362281e24911 which can be used as unique global reference for Thanksgiving Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html - webarchive
• https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html - webarchive
• https://twitter.com/BleepinComputer/status/801486420368093184 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
payment-method	Email
ransomnotes-refs	['https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png']

CockBlocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 3a40c5ae-b117-45cd-b674-a7750e3f3082 which can be used as unique global reference for CockBlocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html - webarchive
• https://twitter.com/jiriatvirlab/status/801910919739674624 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	RSA
extensions	['.hannah']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif']

Lomix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire

Internal MISP references

UUID e721b7c5-df07-4e26-b375-fc09a4911451 which can be used as unique global reference for Lomix Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html - webarchive
• https://twitter.com/siri_urz/status/801815087082274816 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.encrypted']
payment-method	Bitcoin
price	0.68096697 (500$)
ransomnotes-refs	['https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png']

OzozaLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png

Internal MISP references

UUID d20b0d12-1a56-4339-b02b-eb3803dc3e6e which can be used as unique global reference for OzozaLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html - webarchive
• https://decrypter.emsisoft.com/ozozalocker - webarchive
• https://twitter.com/malwrhunterteam/status/801503401867673603 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.locked', '.Locked']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HOW TO DECRYPT YOU FILES.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG']

Crypute Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crypute Ransomware.

Known Synonyms
m0on Ransomware

Internal MISP references

UUID 5539c8e7-2058-4757-b9e3-71ff7d41db31 which can be used as unique global reference for Crypute Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html - webarchive
• https://www.bleepingcomputer.com/virus-removal/threat/ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.mo0n']
payment-method	WebSite link
ransomnotes-refs	['https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg']

NMoreira Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NMoreira Ransomware.

Known Synonyms
Fake Maktub Ransomware

Internal MISP references

UUID 9490641f-6a51-419c-b3dc-c6fa2bab4ab3 which can be used as unique global reference for NMoreira Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html - webarchive
• https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256 + RSA
extensions	['.maktub']
payment-method	Bitcoin
price	0,5 - 1,5
ransomnotes-refs	['https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG', 'https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG']

VindowsLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.

Internal MISP references

UUID b58e1265-2855-4c8a-ac34-bb1504086084 which can be used as unique global reference for VindowsLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html - webarchive
• https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph - webarchive
• https://rol.im/VindowsUnlocker.zip - webarchive
• https://twitter.com/JakubKroustek/status/800729944112427008 - webarchive
• https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.vindows']
payment-method	Call Number
price	349.99$
ransomnotes-refs	['https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png']

Donald Trump 2 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

Internal MISP references

UUID 96c10791-258f-4b2b-a2cc-b5abddbdb285 which can be used as unique global reference for Donald Trump 2 Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.ENCRYPTED']
payment-method	no ransom
ransomnotes-refs	['https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg', 'https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/']

Nagini Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\Temp\voldemort.horcrux

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nagini Ransomware.

Known Synonyms
Voldemort Ransomware

Internal MISP references

UUID 46a35af7-9d05-4de4-a955-41ccf3d3b83b which can be used as unique global reference for Nagini Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	RSA
payment-method	CreditCard
ransomnotes-refs	['https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg']

ShellLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID a8ea7a67-c019-4c6c-8061-8614c47f153e which can be used as unique global reference for ShellLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html - webarchive
• https://twitter.com/JakubKroustek/status/799388289337671680 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.l0cked', '.L0cker']
payment-method	Bitcoin
price	100$
ransomnotes-refs	['https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg']

Chip Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chip Ransomware.

Known Synonyms
ChipLocker Ransomware

Internal MISP references

UUID 7487fd37-d4ba-4c85-b6f8-8d4d7d5b74d7 which can be used as unique global reference for Chip Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html - webarchive
• http://malware-traffic-analysis.net/2016/11/17/index.html - webarchive
• https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES + RSA-512
extensions	['.CHIP', '.DALE']
payment-method	Tor WebSite
ransomnotes-filenames	['CHIP_FILES.txt']
ransomnotes-refs	['https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG']

Dharma Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant

Internal MISP references

UUID 2b365b2c-4a9a-4b66-804d-3b2d2814fe7b which can be used as unique global reference for Dharma Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://twitter.com/demonslay335/status/1049313390097813504 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/ - webarchive
• https://twitter.com/JakubKroustek/status/1038680437508501504 - webarchive
• https://twitter.com/demonslay335/status/1059521042383814657 - webarchive
• https://twitter.com/demonslay335/status/1059940414147489792 - webarchive
• https://twitter.com/JakubKroustek/status/1060825783197933568 - webarchive
• https://twitter.com/JakubKroustek/status/1064061275863425025 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive
• https://www.youtube.com/watch?v=qjoYtwLx2TI - webarchive
• https://twitter.com/GrujaRS/status/1072139616910757888 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES + RSA-512
extensions	['.dharma', '.wallet', '.zzzzz', '.cmb', '.id-BCBEF350.[paymentbtc@firemail.cc].cmb', '.bip', '.id-BCBEF350.[Beamsell@qq.com].bip', '.boost', '.[Darknes@420blaze.it].waifu', '.brrr', '.adobe', '.tron', '.AUDIT', '.cccmn', '.fire', '.myjob', '.[cyberwars@qq.com].war', '.risk', '.RISK', '.bkpx', '.[newsantaclaus@aol.com].santa']
payment-method	Bitcoin - Email
ransomnotes	['all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc', "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", 'all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com']
ransomnotes-filenames	['README.txt', 'README.jpg', 'Info.hta', 'FILES ENCRYPTED.txt', 'INFO.hta']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/d/dharma/cmb/hta-ransom-note.jpg', 'https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg', 'https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg', 'https://pbs.twimg.com/media/DrWqLWzXgAc4SlG.jpg', 'https://pbs.twimg.com/media/DuEBIMBW0AANnGW.jpg']

Angela Merkel Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID a9bb4ae1-b4da-49bb-aeeb-3596cb883860 which can be used as unique global reference for Angela Merkel Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/798268218364358656 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.angelamerkel']
payment-method	Bitcoin
price	1200€
ransomnotes-refs	['https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg']

CryptoLuck Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoLuck Ransomware.

Known Synonyms
YafunnLocker

Internal MISP references

UUID 615b682d-4746-464d-8091-8869d0e6ea2c which can be used as unique global reference for CryptoLuck Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html - webarchive
• http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/ - webarchive
• https://twitter.com/malwareforme/status/798258032115322880 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256 + RSA-2048
extensions	['._luck']
payment-method	Bitcoin
price	0.7 - 2.1
ransomnotes	['%AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt.']
ransomnotes-refs	['https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG', 'https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG']

Crypton Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crypton Ransomware.

Known Synonyms
Nemesis
X3M

Internal MISP references

UUID 117693d2-1551-486e-93e5-981945eecabd which can be used as unique global reference for Crypton Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html - webarchive
• https://decrypter.emsisoft.com/crypton - webarchive
• https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/ - webarchive
• https://twitter.com/JakubKroustek/status/829353444632825856 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256 + RSA + SHA-256
extensions	['crypt', '.id-_locked', '.id-_locked_by_krec', '.id-_locked_by_perfect', '.id-_x3m', '.id-_r9oj', '.id-_garryweber@protonmail.ch', '.id-_steaveiwalker@india.com', '.id-julia.crown@india.com', '.id-tom.cruz@india.com', '.id-CarlosBoltehero@india.com', '.id-maria.lopez1@india.com']
payment-method	Bitcoin
price	0.2 - 2
ransomnotes-refs	['https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png']

Karma Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp

Internal MISP references

UUID 51596eaa-6df7-4aa3-8df4-cec3aeffb1b5 which can be used as unique global reference for Karma Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.karma']
links	['http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['# DECRYPT MY FILES #.html', '# DECRYPT MY FILES #.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png']

WickedLocker HT Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 878c06be-95d7-4a0d-9dba-178ffc1d3e5e which can be used as unique global reference for WickedLocker HT Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png']

PClock3 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PClock3 Ransomware.

Known Synonyms
CryptoLocker clone
PClock SuppTeam Ransomware
WinPlock

Internal MISP references

UUID 6c38f175-b32a-40ef-8cad-33c2c8840d51 which can be used as unique global reference for PClock3 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/ - webarchive
• https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html - webarchive
• http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/ - webarchive
• https://decrypter.emsisoft.com/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES or XOR
extensions	['.locked']
payment-method	Bitcoin
price	0.55 - 0.65
ransomnotes-filenames	['Your files are locked !.txt', 'Your files are locked !!.txt', 'Your files are locked !!!.txt', 'Your files are locked !!!!.txt', '%AppData%\WinCL\winclwp.jpg']

Kolobo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kolobo Ransomware.

Known Synonyms
Kolobocheg Ransomware

Internal MISP references

UUID f32f0bec-961b-4c01-9cc1-9cf409efd598 which can be used as unique global reference for Kolobo Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.ransomware.wiki/tag/kolobo/ - webarchive
• https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html - webarchive
• https://forum.drweb.com/index.php?showtopic=315142 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	XOR and RSA
extensions	['.kolobocheg@aol.com_']
payment-method	Email
ransomnotes-refs	['https://www.ransomware.wiki/tag/kolobo/']

PaySafeGen (German) Ransomware

This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PaySafeGen (German) Ransomware.

Known Synonyms
PaySafeCard
PaySafeGen
Paysafecard Generator 2016

Internal MISP references

UUID 379d5258-6f11-4c41-a685-c2ff555c0cb9 which can be used as unique global reference for PaySafeGen (German) Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html - webarchive
• https://twitter.com/JakubKroustek/status/796083768155078656 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.cry_']
payment-method	PaySafeCard
price	100€
ransomnotes-refs	['https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png']

Telecrypt Ransomware

This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.

Internal MISP references

UUID 2f362760-925b-4948-aae5-dd0d2fc21002 which can be used as unique global reference for Telecrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html - webarchive
• http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked - webarchive
• https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ - webarchive
• https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.Xcri']
payment-method	Qhvi-wallet / Yandex-wallet
price	5000 rubles
ransomnotes-refs	['https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif']

CerberTear Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 28808e63-e71f-4aaa-b203-9310745f87b6 which can be used as unique global reference for CerberTear Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html - webarchive
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/ - webarchive
• https://twitter.com/struppigel/status/795630452128227333 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.cerber']
payment-method	Bitcoin
price	0.4
ransomnotes-refs	['https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png']

FuckSociety Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK "https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html" "_blank" RemindMe > FuckSociety

Internal MISP references

UUID 81c476c3-3190-440d-be4a-ea875e9415aa which can be used as unique global reference for FuckSociety Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	RSA-4096
extensions	['.dll']
payment-method	Bitcoin

PayDOS Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PayDOS Ransomware.

Known Synonyms
Serpent Ransomware

Internal MISP references

UUID 4818a48a-dfc2-4f35-a76d-e4fb462d6c94 which can be used as unique global reference for PayDOS Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html - webarchive
• https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.dng', '.serpent']
payment-method	Bitcoin
price	0.33
ransomnotes-filenames	['HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html', 'HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt']

zScreenLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 47834caa-2226-4a3a-a228-210a64c281b9 which can be used as unique global reference for zScreenLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html - webarchive
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/ - webarchive
• https://twitter.com/struppigel/status/794077145349967872 - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.dng']

Gremit Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 47512afc-ecf2-4766-8487-8f3bc8dddbf3 which can be used as unique global reference for Gremit Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html - webarchive
• https://twitter.com/struppigel/status/794444032286060544 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.rnsmwr']
payment-method	Bitcoin
price	0.03
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg']

Hollycrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID b77298c1-3f84-4ffb-a81b-36eab5c10881 which can be used as unique global reference for Hollycrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.hollycrypt']
payment-method	Bitcoin Email
ransomnotes-refs	['https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG']

BTCLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BTCLocker Ransomware.

Known Synonyms
BTC Ransomware

Internal MISP references

UUID 3f461284-85a1-441c-b07d-8b547be43ca2 which can be used as unique global reference for BTCLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.BTC']
payment-method	Email
ransomnotes-refs	['https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG']

Kangaroo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda

Internal MISP references

UUID 5ab1449f-7e7d-47e7-924a-8662bc2df805 which can be used as unique global reference for Kangaroo Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/ - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES
extensions	['.crypted_file']
payment-method	Bitcoin
price	2
ransomnotes-filenames	['filename.Instructions_Data_Recovery.txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png']

DummyEncrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 6bf055c6-acb2-4459-92b0-70d61616ab62 which can be used as unique global reference for DummyEncrypter Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.dCrypt']
payment-method	Email
ransomnotes-refs	['https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png']

Encryptss77 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Encryptss77 Ransomware.

Known Synonyms
SFX Monster Ransomware

Internal MISP references

UUID 317cab8a-31a1-4a82-876a-94edc7afffba which can be used as unique global reference for Encryptss77 Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://virusinfo.info/showthread.php?t=201710 - webarchive
• https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.dCrypt']
payment-method	Email
ransomnotes	['YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS']

WinRarer Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 7ee22340-ed89-4e22-b085-257bde4c0fc5 which can be used as unique global reference for WinRarer Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.ace']
payment-method	Website (onion)
ransomnotes-refs	['https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png']

Russian Globe Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 30771cde-2543-4c13-b722-ff940f235b0f which can be used as unique global reference for Russian Globe Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.blackblock']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes	["YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID * Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily."]

ZeroCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e999ca18-61cb-4419-a2fa-ab8af6ebe8dc which can be used as unique global reference for ZeroCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	November 2016
encryption	AES-256
extensions	['.zn2016']
payment-method	Bitcoin
price	10 (7300 $)
ransomnotes-refs	['https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG']

RotorCrypt(RotoCrypt, Tar) Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RotorCrypt(RotoCrypt, Tar) Ransomware.

Known Synonyms
RotoCrypt
RotorCrypt
Tar Ransomware

Internal MISP references

UUID 63991ed9-98dc-4f24-a0a6-ff58e489c263 which can be used as unique global reference for RotorCrypt(RotoCrypt, Tar) Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://twitter.com/demonslay335/status/1050117756094476289 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	RSA
extensions	['.c400', '.c300', '!@!@!@contact mail___boroznsalyuda@gmail.com___!@!@.psd', '!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR', '!@#$%^&-()+.1C']
payment-method	Bitcoin
price	7 (2000 - 5000 $)
ransomnotes	['Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!', 'Для связи с нами используйте почту\ninkognitoman@tutamail.com\ninkognitoman@firemail.cc']
ransomnotes-filenames	['INFO.txt']

Ishtar Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 30cad868-b2f1-4551-8f76-d17695c67d52 which can be used as unique global reference for Ishtar Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256 + RSA-2048
extensions	['ISHTAR-. (prefix)']
payment-method	Email - rubles
price	15 000
ransomnotes	['FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path).']

MasterBuster Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 07f859cd-9c36-4dae-a6fc-fa4e4aa36176 which can be used as unique global reference for MasterBuster Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html - webarchive
• https://twitter.com/struppigel/status/791943837874651136 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
extensions	['.hcked']
payment-method	rupies
price	3500 - 5000 - 10 000
ransomnotes	['IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020']
ransomnotes-filenames	['CreatesReadThisFileImportant.txt']
ransomnotes-refs	['https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg']

JackPot Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JackPot Ransomware.

Known Synonyms
Jack.Pot Ransomware

Internal MISP references

UUID 04f1772a-053e-4f6e-a9af-3f83ab312633 which can be used as unique global reference for JackPot Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html - webarchive
• https://twitter.com/struppigel/status/791639214152617985 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
extensions	['.coin']
payment-method	Bitcoin
price	3
ransomnotes-refs	['https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg']

ONYX Ransomeware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware

Internal MISP references

UUID 927a4150-9380-4310-9f68-cb06d8debcf2 which can be used as unique global reference for ONYX Ransomeware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html - webarchive
• https://twitter.com/struppigel/status/791557636164558848 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
extensions	['.Encryption:']
payment-method	Bitcoin
price	100 $
ransomnotes	['All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.']
ransomnotes-refs	['https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg']

IFN643 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID ddeab8b3-5df2-414e-9c6b-06b309e1fcf4 which can be used as unique global reference for IFN643 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html - webarchive
• https://twitter.com/struppigel/status/791576159960072192 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.inf643']
payment-method	Bitcoin
price	1000 $
ransomnotes-refs	['https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG']

Alcatraz Locker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 2ad63264-8f52-4ab4-ad26-ca8c3bcc066e which can be used as unique global reference for Alcatraz Locker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/ - webarchive
• https://twitter.com/PolarToffee/status/792796055020642304 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.Alcatraz']
payment-method	Email
ransomnotes-filenames	['ransomed.hTmL']
ransomnotes-refs	['https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg', 'https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg']

Esmeralda Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID ff5a04bb-d412-4cb3-9780-8d3488b7c268 which can be used as unique global reference for Esmeralda Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html - webarchive
• https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.encrypted']
payment-method	Email
ransomnotes	['Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.']
ransomnotes-refs	['https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png']

EncrypTile Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 56e49b84-a250-4aaf-9f65-412616709652 which can be used as unique global reference for EncrypTile Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.encrypted']
payment-method	Bitcoin
price	0.053773
ransomnotes-refs	['https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg']

Fileice Ransomware Survey Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG

Internal MISP references

UUID ca5d0e52-d0e4-4aa9-872a-0669433c0dcc which can be used as unique global reference for Fileice Ransomware Survey Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html - webarchive
• https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.encrypted']
payment-method	Game
ransomnotes-refs	['https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png']

CryptoWire Ransomeware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4e6e45c2-8e13-49ad-8b27-e5aeb767294a which can be used as unique global reference for CryptoWire Ransomeware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html - webarchive
• https://twitter.com/struppigel/status/791554654664552448 - webarchive
• https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
extensions	['.encrypted']
payment-method	Bitcoin
price	0.29499335
ransomnotes-refs	['https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg', 'https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg']

Hucky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hucky Ransomware.

Known Synonyms
Hungarian Locky Ransomware

Internal MISP references

UUID 74f91a93-4f1e-4603-a6f5-aaa40d2dd311 which can be used as unique global reference for Hucky Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html - webarchive
• https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe - webarchive
• https://twitter.com/struppigel/status/846241982347427840 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-128+RSA
extensions	['.locky', '[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky']
payment-method	Email
ransomnotes	['!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!']
ransomnotes-filenames	['_Adatok_visszaallitasahoz_utasitasok.txt', '_locky_recover_instructions.txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png']

Winnix Cryptor Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e30e663d-d8c8-44f2-8da7-03b1a9c52376 which can be used as unique global reference for Winnix Cryptor Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html - webarchive
• https://twitter.com/PolarToffee/status/811940037638111232 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.wnx']
payment-method	Bitcoin
price	2 - 4
ransomnotes	["Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team"]
ransomnotes-filenames	['YOUR FILES ARE ENCRYPTED!.txt']

AngryDuck Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC

Internal MISP references

UUID 2813a5c7-530b-492f-8d77-fe7b1ed96a65 which can be used as unique global reference for AngryDuck Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html - webarchive
• https://twitter.com/demonslay335/status/790334746488365057 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-512
extensions	['.adk']
payment-method	Bitcoin
price	10 (7300 $)
ransomnotes	["ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!"]
ransomnotes-refs	['https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg']

Lock93 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 2912426d-2a26-4091-a87f-032a6d3d28c1 which can be used as unique global reference for Lock93 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/789882488365678592 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-512
extensions	['.lock93']
payment-method	Email
price	1000 rubles
ransomnotes-refs	['https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg', 'https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg']

ASN1 Encoder Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID dd99cc50-91f7-4375-906a-7d09c76ee9f7 which can be used as unique global reference for ASN1 Encoder Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html - webarchive
• https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-512
payment-method	Bitcoin
price	0.25 - 0.5
ransomnotes-filenames	['!!!!!readme!!!!!.htm']
ransomnotes-refs	['https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG']

Click Me Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif

Internal MISP references

UUID 97bdadda-e874-46e6-8672-11dbfe3958c4 which can be used as unique global reference for Click Me Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html - webarchive
• https://www.youtube.com/watch?v=Xe30kV4ip8w - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.hacked']
payment-method	Email Bitcoin
ransomnotes	["All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price."]

AiraCrop Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e7a5c384-a93c-4ed4-8411-ca1e52396256 which can be used as unique global reference for AiraCrop Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256 + RSA-2048
extensions	['.hacked']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG']

JapanLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JapanLocker Ransomware.

Known Synonyms
SHC Ransomware
SHCLocker
SyNcryption

Internal MISP references

UUID d579e5b6-c6fd-43d9-9213-7591cd324f94 which can be used as unique global reference for JapanLocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html - webarchive
• https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker - webarchive
• https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php - webarchive
• https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256 + RSA-2048
extensions	['#LOCK#']
payment-method	Email
ransomnotes-refs	['https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg']

Anubis Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2

Internal MISP references

UUID a6215279-37d8-47f7-9b1b-efae4178c738 which can be used as unique global reference for Anubis Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html - webarchive
• http://nyxbone.com/malware/Anubis.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES(256)
extensions	['.coded']
payment-method	Bitcoin
price	1 - 2.5 - 3
ransomnotes-filenames	['Decryption Instructions.txt']
ransomnotes-refs	['https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg']

XTPLocker 5.0 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID eef4bf49-5b1d-463a-aef9-538c5dc2f71f which can be used as unique global reference for XTPLocker 5.0 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
payment-method	Bitcoin
price	2
ransomnotes	['Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com']

Exotic Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables

Internal MISP references

UUID eb22cb8d-763d-4cac-af35-46dc4f85317b which can be used as unique global reference for Exotic Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/ - webarchive
• https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware - webarchive
• https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-128
extensions	['.exotic', 'random.exotic']
payment-method	Bitcoin
price	50 $
ransomnotes-refs	['https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg', 'https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg', 'https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg']

APT Ransomware v.2

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED

Internal MISP references

UUID 6ec0f43c-6b73-4f5e-bee7-a231572eb994 which can be used as unique global reference for APT Ransomware v.2 in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-128
extensions	['.dll']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg']

Windows_Security Ransonware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Windows_Security Ransonware.

Known Synonyms
Trojan.Encoder.6491
WS Go Ransonware

Internal MISP references

UUID a57a8bc3-8c33-43e8-b237-25edcd5f532a which can be used as unique global reference for Windows_Security Ransonware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html - webarchive
• https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
extensions	['.enc']
payment-method	Bitcoin
price	0.0523
ransomnotes-refs	['https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png']

Related clusters

To see the related clusters, click here.

NCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID d590865e-f3ae-4381-9d82-3f540f9818cb which can be used as unique global reference for NCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES
extensions	['.NCRYPT', '.ncrypt']
payment-method	Bitcoin
price	0.2
ransomnotes-refs	['https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg']

Venis Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com

Internal MISP references

UUID b9cfe6f3-5970-4283-baf4-252e0491b91c which can be used as unique global reference for Venis Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html - webarchive
• https://twitter.com/Antelox/status/785849412635521024 - webarchive
• http://pastebin.com/HuK99Xmj - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-2048
extensions	['.venis']
payment-method	Email
ransomnotes-refs	['https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg']

Enigma 2 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 507506a3-3745-47fd-8d31-ef122317c0c2 which can be used as unique global reference for Enigma 2 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-128
extensions	['.1txt']
payment-method	Bitcoin
price	200 $
ransomnotes	['We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\Documents and Settings\Администратор\Рабочийстол\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\DOCUME~1\9335~1\LOCALS~1\Temp\E_N_I_G_M_A.RSA - The path to the key file in TMP directory']

Deadly Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Deadly Ransomware.

Known Synonyms
Deadly for a Good Purpose Ransomware

Internal MISP references

UUID a25e39b0-b601-403c-bba8-2f595e221269 which can be used as unique global reference for Deadly Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html - webarchive
• https://twitter.com/malwrhunterteam/status/785533373007728640 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
payment-method	Bitcoin
price	500$
ransomnotes-refs	['https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg']

Comrade Circle Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID db23145a-e15b-4cf7-9d2c-ffa9928750d5 which can be used as unique global reference for Comrade Circle Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
extensions	['.comrade']
payment-method	Bitcoin
price	~2
ransomnotes-refs	['https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg', 'https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG', 'https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg']

Globe2 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Globe2 Ransomware.

Known Synonyms
Purge Ransomware

Internal MISP references

UUID 5541471c-8d15-4aec-9996-e24b59c3e3d6 which can be used as unique global reference for Globe2 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html - webarchive
• https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221 - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256 or Blowfish
extensions	['.raid10', '.[random].raid10', '.blt', '.globe', '.[random].blt', '.encrypted', '.[random].globe', '.[random].encrypted', '.mia.kokers@aol.com', '.[mia.kokers@aol.com]', '.lovewindows', '.openforyou@india.com', '..']
payment-method	Bitcoin
price	0.8 - 1
ransomnotes-refs	['https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg']

Related clusters

To see the related clusters, click here.

Kostya Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 7d6f02d2-a626-40f6-81c3-14e3a9a2aea5 which can be used as unique global reference for Kostya Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html - webarchive
• http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/ - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256
extensions	['.k0stya']
payment-method	PaySafe
price	300 CZK - 2000 CZK after 12 hours
ransomnotes-refs	['https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg', 'https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg']

Fs0ciety Locker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID ed3a4f8a-49de-40c3-9acb-da1b78f89c4f which can be used as unique global reference for Fs0ciety Locker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	October 2016
encryption	AES-256 CBC
extensions	['.comrade']
payment-method	Bitcoin
price	1.5
ransomnotes-refs	['https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png']

Erebus Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet

Internal MISP references

UUID 6a77c96b-1814-427f-83ca-fe7e0e40b1c0 which can be used as unique global reference for Erebus Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	September 2016
encryption	AES
extensions	['.ecrypt']
payment-method	Tor WebSite
ransomnotes-refs	['https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png']

WannaCry

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WannaCry.

Known Synonyms
WCRY
WCrypt
WanaCrypt0r
WannaCry
WannaCrypt

Internal MISP references

UUID d62ab8d5-4ba1-4c45-8a63-13fdb099b33c which can be used as unique global reference for WannaCry in MISP communities and other software using the MISP galaxy

External references

• https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 - webarchive

Associated metadata

Metadata key	Value
date	May 2017
payment-method	Bitcoin
price	0.1781 (300$ - $600)

Related clusters

To see the related clusters, click here.

.CryptoHasYou.

Ransomware

Internal MISP references

UUID a0ce5d94-a22a-40db-a09f-a796d0bb4006 which can be used as unique global reference for .CryptoHasYou. in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/CryptoHasYou.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES(256)
extensions	['.enc']
payment-method	Email
ransomnotes-filenames	['YOUR_FILES_ARE_LOCKED.txt']

777

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 777.

Known Synonyms
Sevleg

Internal MISP references

UUID cd9e9eaa-0895-4d55-964a-b53eacdfd36a which can be used as unique global reference for 777 in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/777 - webarchive

Associated metadata

Metadata key	Value
encryption	XOR
extensions	['.777', '.[timestamp]$[email]$.777', 'e.g. .14-05-2016-11-59-36$ninja.gaiver@aol.com$.777']
payment-method	Bitcoin
price	0.1 (37$)
ransomnotes-filenames	['read_this_file.txt']

7ev3n

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 7ev3n.

Known Synonyms
7ev3n-HONE$T

Internal MISP references

UUID 664701d6-7948-4e80-a333-1d1938103ba1 which can be used as unique global reference for 7ev3n in MISP communities and other software using the MISP galaxy

External references

• https://github.com/hasherezade/malware_analysis/tree/master/7ev3n - webarchive
• https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be - webarchive
• http://www.nyxbone.com/malware/7ev3n-HONE$T.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.R4A', '.R5A']
payment-method	Bitcoin
price	13 (4980$)
ransomnotes-filenames	['FILES_BACK.txt']

Related clusters

To see the related clusters, click here.

8lock8

Ransomware Based on HiddenTear

Internal MISP references

UUID b70b6537-cf00-4bd1-a4e9-ae5ff2eb7504 which can be used as unique global reference for 8lock8 in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.8lock8']
ransomnotes-filenames	['READ_IT.txt']

AiraCrop

Ransomware related to TeamXRat

Internal MISP references

UUID 77919c1f-4ef8-41cd-a635-2d3118ade1f3 which can be used as unique global reference for AiraCrop in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/PolarToffee/status/796079699478900736 - webarchive

Associated metadata

Metadata key	Value
extensions	['._AiraCropEncrypted']
payment-method	WebSite (onion) - Email
ransomnotes-filenames	['How to decrypt your files.txt']

Al-Namrood

Ransomware

Internal MISP references

UUID 0040dca4-bf2e-43cb-89ae-ab1b50f1183d which can be used as unique global reference for Al-Namrood in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/al-namrood - webarchive

Associated metadata

Metadata key	Value
extensions	['.unavailable', '.disappeared']
payment-method	Email
ransomnotes-filenames	['Read_Me.Txt']

ALFA Ransomware

Ransomware Made by creators of Cerber

Internal MISP references

UUID 888abc95-9e01-4cbc-a6e5-058eb9314f51 which can be used as unique global reference for ALFA Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/ - webarchive
• https://news.softpedia.com/news/cerber-devs-create-new-ransomware-called-alfa-506165.shtml - webarchive

Associated metadata

Metadata key	Value
extensions	['.bin']
payment-method	Bitcoin
price	1 (650$)
ransomnotes-filenames	['README HOW TO DECRYPT YOUR FILES.HTML']

Alma Ransomware

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alma Ransomware.

Known Synonyms
Alma Locker

Internal MISP references

UUID 76a08868-345f-4566-a403-5f5e575dfee5 which can be used as unique global reference for Alma Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283 - webarchive
• https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter - webarchive
• http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['random', 'random(x5)']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['Unlock_files_randomx5.html']

Alpha Ransomware

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alpha Ransomware.

Known Synonyms
AlphaLocker

Internal MISP references

UUID a27fff00-995a-4598-ba00-05921bf20e80 which can be used as unique global reference for Alpha Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip - webarchive
• https://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-accepts-itunes-gift-cards-as-payment/ - webarchive
• https://twitter.com/malwarebread/status/804714048499621888 - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.encrypt']
payment-method	Itunes Gift Cards
price	400$
ransomnotes-filenames	['Read Me (How Decrypt) !!!!.txt']

Related clusters

To see the related clusters, click here.

AMBA

Ransomware Websites only amba@riseup.net

Internal MISP references

UUID 8dd289d8-71bc-42b0-aafd-540dafa93343 which can be used as unique global reference for AMBA in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/benkow_/status/747813034006020096 - webarchive
• https://www.enigmasoftware.com/ambaransomware-removal/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.amba']
payment-method	Bitcoin
price	Depending on the victim’s situation
ransomnotes-filenames	['ПРОЧТИ_МЕНЯ.txt', 'READ_ME.txt']

AngleWare

Ransomware

Internal MISP references

UUID e06526ac-0083-44ab-8787-dd7278746bb6 which can be used as unique global reference for AngleWare in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/844531418474708993 - webarchive

Associated metadata

Metadata key	Value
extensions	['.AngleWare']
payment-method	Bitcoin
price	3
ransomnotes-filenames	['READ_ME.txt']

Anony

Ransomware Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anony.

Known Synonyms
ngocanh

Internal MISP references

UUID 5b94100d-83bb-4e30-be7a-6015c00356e0 which can be used as unique global reference for Anony in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/842047409446387714 - webarchive

Associated metadata

Metadata key	Value
payment-method	Write a FaceBook message

Apocalypse

Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Apocalypse.

Known Synonyms
Fabiansomeware

Internal MISP references

UUID e38b8876-5780-4574-9adf-304e9d659bdb which can be used as unique global reference for Apocalypse in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/apocalypse - webarchive
• http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted', '.SecureCrypted', '.FuckYourData', '.unavailable', '.bleepYourFiles', '.Where_my_files.txt', '[filename].ID-8characters+countrycode[cryptservice@inbox.ru].[random7characters]', 'filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}']
payment-method	Email - WebSite (onion)
ransomnotes-filenames	['.How_To_Decrypt.txt', '.Contact_Here_To_Recover_Your_Files.txt', '.Where_my_files.txt', '.Read_Me.Txt', 'md5.txt']

Related clusters

To see the related clusters, click here.

ApocalypseVM

Ransomware Apocalypse ransomware version which uses VMprotect

Internal MISP references

UUID 5bc9c3a5-a35f-43aa-a999-fc7cd0685994 which can be used as unique global reference for ApocalypseVM in MISP communities and other software using the MISP galaxy

External references

• http://decrypter.emsisoft.com/download/apocalypsevm - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted', '.locked']
payment-method	Email - WebSite (onion)
ransomnotes-filenames	['*.How_To_Get_Back.txt']

AutoLocky

Ransomware

Internal MISP references

UUID 803fa9e2-8803-409a-b455-3a886c23fae4 which can be used as unique global reference for AutoLocky in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/autolocky - webarchive

Associated metadata

Metadata key	Value
extensions	['.locky']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes-filenames	['info.txt', 'info.html']

Aw3s0m3Sc0t7

Ransomware

Internal MISP references

UUID dced0fe8-224e-47ef-92ed-5ab6c0536daa which can be used as unique global reference for Aw3s0m3Sc0t7 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/828902907668000770 - webarchive

Associated metadata

Metadata key	Value
extensions	['.enc']

BadBlock

Ransomware

Internal MISP references

UUID f1a30552-21c1-46be-8b5f-64bd62b03d35 which can be used as unique global reference for BadBlock in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/badblock - webarchive
• http://www.nyxbone.com/malware/BadBlock.html - webarchive
• http://www.nyxbone.com/images/articulos/malware/badblock/5.png - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	2 (888,4$)
ransomnotes-filenames	['Help Decrypt.html']

BaksoCrypt

Ransomware Based on my-Little-Ransomware

Internal MISP references

UUID b21997a1-212f-4bbe-a6b7-3c703cbf113e which can be used as unique global reference for BaksoCrypt in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/760482299007922176 - webarchive
• https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.adr']

Bandarchor

Ransomware Files might be partially encrypted

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bandarchor.

Known Synonyms
Rakhni

Internal MISP references

UUID af50d07e-3fc5-4014-9ac5-f5466cf042bc which can be used as unique global reference for Bandarchor in MISP communities and other software using the MISP galaxy

External references

• https://reaqta.com/2016/03/bandarchor-ransomware-still-active/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.id-1235240425_help@decryptservice.info', '.id-[ID]_[EMAIL_ADDRESS]']
payment-method	Email - Telegram
ransomnotes-filenames	['HOW TO DECRYPT.txt']

Related clusters

To see the related clusters, click here.

Bart

Ransomware Possible affiliations with RockLoader, Locky and Dridex

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bart.

Known Synonyms
BaCrypt

Internal MISP references

UUID 3cf2c880-e0b5-4311-9c4e-6293f2a566e7 which can be used as unique global reference for Bart in MISP communities and other software using the MISP galaxy

External references

• http://now.avg.com/barts-shenanigans-are-no-match-for-avg/ - webarchive
• http://phishme.com/rockloader-downloading-new-ransomware-bart/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky - webarchive

Associated metadata

Metadata key	Value
extensions	['.bart.zip', '.bart', '.perl']
payment-method	Bitcoin
price	3
ransomnotes-filenames	['recover.txt', 'recover.bmp']

Related clusters

To see the related clusters, click here.

BitCryptor

Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.

Internal MISP references

UUID b5e9a802-cd17-4cd6-b83d-f36cce009808 which can be used as unique global reference for BitCryptor in MISP communities and other software using the MISP galaxy

External references

• https://noransom.kaspersky.com/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.clf']
payment-method	Bitcoin
price	1

BitStak

Ransomware

Internal MISP references

UUID 33e398fa-2586-415e-9b18-6ea2ea36ff74 which can be used as unique global reference for BitStak in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip - webarchive
• https://id-ransomware.blogspot.com/2016/07/ransomware-007867.html - webarchive

Associated metadata

Metadata key	Value
encryption	Base64 + String Replacement
extensions	['.bitstak']
payment-method	Bitcoin
price	0.07867 (40€)

BlackShades Crypter

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackShades Crypter.

Known Synonyms
BlackShades
SilentShade

Internal MISP references

UUID bf065217-e13a-4f6d-a5b2-ba0750b5c312 which can be used as unique global reference for BlackShades Crypter in MISP communities and other software using the MISP galaxy

External references

• http://nyxbone.com/malware/BlackShades.html - webarchive
• https://id-ransomware.blogspot.com/2016/06/silentshade-ransomware-blackshades.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.Silent']
payment-method	Bitcoin
price	0.07 (30$)
ransomnotes-filenames	['Hacked_Read_me_to_decrypt_files.html', 'YourID.txt']

Blocatto

Ransomware Based on HiddenTear

Internal MISP references

UUID a3e1cfec-aacd-4d84-aa7d-99ed6c17f26d which can be used as unique global reference for Blocatto in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.blocatto']
payment-method	Bitcoin
price	5 - 10

Booyah

Ransomware EXE was replaced to neutralize threat

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Booyah.

Known Synonyms
Salami

Internal MISP references

UUID eee75995-321f-477f-8b57-eee4eedf4ba3 which can be used as unique global reference for Booyah in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

Brazilian

Ransomware Based on EDA2

Internal MISP references

UUID f9cf4f0d-3efc-4d6d-baf2-7dcb96db1279 which can be used as unique global reference for Brazilian in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/brazilianRansom.html - webarchive
• http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.lock']
payment-method	Reais
price	2000 (543$)
ransomnotes-filenames	['MENSAGEM.txt']

Brazilian Globe

Ransomware

Internal MISP references

UUID d2bc5ec4-1dd1-408a-a6f6-621986657dff which can be used as unique global reference for Brazilian Globe in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/821831437884211201 - webarchive

Associated metadata

Metadata key	Value
extensions	['.id-%ID%_garryweber@protonmail.ch']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HOW_OPEN_FILES.html']

BrLock

Ransomware

Internal MISP references

UUID 889d2296-40d2-49f6-be49-cbdfbcde2246 which can be used as unique global reference for BrLock in MISP communities and other software using the MISP galaxy

External references

• https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered - webarchive

Associated metadata

Metadata key	Value
encryption	AES
payment-method	Phone Number
price	1000 Rubles (15$)

Browlock

Ransomware no local encryption, browser only

Internal MISP references

UUID 9769be50-8e0b-4f52-b7f6-98aeac0aaac4 which can be used as unique global reference for Browlock in MISP communities and other software using the MISP galaxy

BTCWare Related to / new version of CryptXXX

Ransomware

Internal MISP references

UUID 8d60dec9-d43f-4d52-904f-40fb67e57ef7 which can be used as unique global reference for BTCWare Related to / new version of CryptXXX in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/845199679340011520 - webarchive

Associated metadata

Metadata key	Value
extensions	['.btcware']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['#HOW_TO_FIX!.hta']

Bucbi

Ransomware no file name change, no extension

Internal MISP references

UUID 3510ce65-80e6-4f80-8cde-bb5ad8a271c6 which can be used as unique global reference for Bucbi in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/bucbi-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	GOST
payment-method	Bitcoin
price	5

BuyUnlockCode

Ransomware Does not delete Shadow Copies

Internal MISP references

UUID 289624c4-1d50-4178-9371-aebd95f423f9 which can be used as unique global reference for BuyUnlockCode in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/05/buyunlockcode-ransomware-rsa-1024.html - webarchive

Associated metadata

Metadata key	Value
extensions	['(.*).encoded.([A-Z0-9]{9})']
ransomnotes-filenames	['BUYUNLOCKCODE.txt']

Central Security Treatment Organization

Ransomware

Internal MISP references

UUID 8ff729d9-aee5-4b85-a59d-3f57e105be40 which can be used as unique global reference for Central Security Treatment Organization in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/ - webarchive
• https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.cry']
payment-method	Bitcoin
price	Variable / 0.3 - 1.2 / Double after 4 days and 4 hours
ransomnotes-filenames	['!Recovery_[random_chars].html', '!Recovery_[random_chars].txt']

Related clusters

To see the related clusters, click here.

Cerber

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cerber.

Known Synonyms
CRBR ENCRYPTOR

Internal MISP references

UUID 190edf95-9cd9-4e4a-a228-b716d52a751b which can be used as unique global reference for Cerber in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ - webarchive
• https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410 - webarchive
• https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.cerber', '.cerber2', '.cerber3']
payment-method	Bitcoin
price	1.24 / 2.48 after 7 days
ransomnotes-filenames	['# DECRYPT MY FILES #.html', '# DECRYPT MY FILES #.txt', '# DECRYPT MY FILES #.vbs', '# README.hta', '{RAND}_README.jpg', 'README.hta', '_HELP_DECRYPT[A-Z0-9]{4-8}.jpg', '_HELP_DECRYPT[A-Z0-9]{4-8}.hta', '_HELP_HELP_HELP%random%.jpg', 'HELP_HELP_HELP%random%.hta', 'HOW_TO_DECRYPT[A-Z0-9]{4-8}.hta', '_HOW_TO_DECRYPT[A-Z0-9]{4-8}_.jpg']

Related clusters

To see the related clusters, click here.

Chimera

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chimera.

Known Synonyms
Pashka
Quimera Crypter

Internal MISP references

UUID 27b036f0-afa3-4984-95b3-47fa344b1aa7 which can be used as unique global reference for Chimera in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/ - webarchive
• https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.crypt', '4 random characters, e.g., .PzZs, .MKJL']
payment-method	Bitcoin
price	0.939
ransomnotes-filenames	['YOUR_FILES_ARE_ENCRYPTED.HTML', 'YOUR_FILES_ARE_ENCRYPTED.TXT', '.gif']

Clock

Ransomware Does not encrypt anything

Internal MISP references

UUID af3b3bbb-b54d-49d0-8e58-e9c56762a96b which can be used as unique global reference for Clock in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/794956809866018816 - webarchive

Associated metadata

Metadata key	Value
payment-method	Paypal
price	20$

CoinVault

Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!

Internal MISP references

UUID 15941fb1-08f0-4276-a61f-e2a306d6c6b5 which can be used as unique global reference for CoinVault in MISP communities and other software using the MISP galaxy

External references

• https://noransom.kaspersky.com/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.clf']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['wallpaper.jpg']

Coverton

Ransomware

Internal MISP references

UUID 36450e8c-ff66-4ecf-9c0f-fbfb27a72d63 which can be used as unique global reference for Coverton in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/ - webarchive
• https://id-ransomware.blogspot.com/2016/04/coverton-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.coverton', '.enigma', '.czvxce']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['!!!-WARNING-!!!.html', '!!!-WARNING-!!!.txt']

Cryaki

Ransomware

Internal MISP references

UUID 2c11d679-1fb1-4bd7-9516-9c6f402f3c25 which can be used as unique global reference for Cryaki in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive

Associated metadata

Metadata key	Value
extensions	['.{CRYPTENDBLACKDC}']

Crybola

Ransomware

Internal MISP references

UUID 93dcd241-f2d6-40f3-aee3-351420046a77 which can be used as unique global reference for Crybola in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive

Associated metadata

Metadata key	Value

CryFile

Ransomware

Internal MISP references

UUID 0d46e21d-8f1c-4355-8205-185fb7e041a7 which can be used as unique global reference for CryFile in MISP communities and other software using the MISP galaxy

External references

• SHTODELATVAM.txt
• Instructionaga.txt
• https://id-ransomware.blogspot.com/2016/06/cryfile-ransomware-100.html - webarchive

Associated metadata

Metadata key	Value
encryption	Moves bytes
extensions	['.criptiko', '.criptoko', '.criptokod', '.cripttt', '.aga']
payment-method	Email
price	100$
ransomnotes-refs	['http://virusinfo.info/showthread.php?t=185396']

CryLocker

Ransomware Identifies victim locations w/Google Maps API

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryLocker.

Known Synonyms
CSTO
Central Security Treatment Organization
Cry

Internal MISP references

UUID 629f6986-2c1f-4d0a-b805-e4ef3e2ce634 which can be used as unique global reference for CryLocker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/ - webarchive
• https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.cry']
payment-method	Bitcoin
price	Variable / 0.3 - 1.2 / Double after 4 days and 4 hours
ransomnotes-filenames	['!Recovery_[random_chars].html', '!Recovery_[random_chars].txt']

Related clusters

To see the related clusters, click here.

CrypMIC

Ransomware CryptXXX clone/spinoff

Internal MISP references

UUID 82cb7a40-0a78-4414-9afd-028d6b3082ea which can be used as unique global reference for CrypMIC in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/ - webarchive
• https://id-ransomware.blogspot.com/2016/07/crypmic-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
payment-method	Bitcoin
price	Variable / 0.3 - 1.2 / Double after 4 days and 4 hours
ransomnotes-filenames	['README.TXT', 'README.HTML', 'README.BMP']

Crypren

Ransomware

Internal MISP references

UUID a9f05b4e-6b03-4211-a2bd-6b4432eb3388 which can be used as unique global reference for Crypren in MISP communities and other software using the MISP galaxy

External references

• https://github.com/pekeinfo/DecryptCrypren - webarchive
• http://www.nyxbone.com/malware/Crypren.html - webarchive
• http://www.nyxbone.com/images/articulos/malware/crypren/0.png - webarchive

Associated metadata

Metadata key	Value
extensions	['.ENCRYPTED']
payment-method	Bitcoin
price	0.1 (45$)
ransomnotes-filenames	['READ_THIS_TO_DECRYPT.html']

Crypt38

Ransomware

Internal MISP references

UUID 12a96f43-8a8c-410e-aaa3-ba6735276555 which can be used as unique global reference for Crypt38 in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip - webarchive
• https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption - webarchive
• https://id-ransomware.blogspot.com/2016/06/regist-crypt38-ransomware-aes-1000-15.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.crypt38']
payment-method	Rubles
price	1000 (15$)

Crypter

Ransomware Does not actually encrypt the files, but simply renames them

Internal MISP references

UUID 37edc8d7-c939-4a33-9ed5-dafbbc1e5b1e which can be used as unique global reference for Crypter in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/jiriatvirlab/status/802554159564062722 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1

CryptFIle2

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptFIle2.

Known Synonyms
Lesli

Internal MISP references

UUID 5b0dd136-6428-48c8-b2a6-8e926a82dfac which can be used as unique global reference for CryptFIle2 in MISP communities and other software using the MISP galaxy

External references

• https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered - webarchive
• https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html - webarchive

Associated metadata

Metadata key	Value
encryption	RSA
extensions	['.scl', 'id[_ID]email_xerx@usa.com.scl']
payment-method	Bitcoin
price	0.5 - 1.5

CryptInfinite

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptInfinite.

Known Synonyms
DecryptorMax

Internal MISP references

UUID 2b0d60c3-6560-49ac-baf0-5f642e8a77de which can be used as unique global reference for CryptInfinite in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crinf']
payment-method	Bitcoin
price	0.5 - 1.5

CryptoBit

Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.

Internal MISP references

UUID 1903ed75-05f7-4019-b0b7-7a8f23f22194 which can be used as unique global reference for CryptoBit in MISP communities and other software using the MISP galaxy

External references

• http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/ - webarchive
• http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptobit-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES + RSA
payment-method	Bitcoin
price	1 - 2
ransomnotes-filenames	['OKSOWATHAPPENDTOYOURFILES.TXT']

Related clusters

To see the related clusters, click here.

CryptoDefense

Ransomware no extension change

Internal MISP references

UUID ad9eeff2-91b4-440a-ae74-ab84d3e2075e which can be used as unique global reference for CryptoDefense in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptodefense-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	RSA
payment-method	Bitcoin
price	0.9 (500$) - 1.9 (1000$) after 4 days
ransomnotes-filenames	['HOW_DECRYPT.TXT', 'HOW_DECRYPT.HTML', 'HOW_DECRYPT.URL']

CryptoFinancial

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoFinancial.

Known Synonyms
Ranscam

Internal MISP references

UUID 383d7ebb-9b08-4874-b5d7-dc02b499c38f which can be used as unique global reference for CryptoFinancial in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintel.com/2016/07/ranscam.html - webarchive
• https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/ - webarchive
• https://id-ransomware.blogspot.com/search?q=CryptoFinancial - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.2

Related clusters

To see the related clusters, click here.

CryptoFortress

Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB

Internal MISP references

UUID 26c8b446-305c-4057-83bc-85b09630281e which can be used as unique global reference for CryptoFortress in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/05/cryptofortress-ransomware-aes-256-1.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + RSA-1024
extensions	['.frtrss']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['READ IF YOU WANT YOUR FILES BACK.html']

Related clusters

To see the related clusters, click here.

CryptoGraphic Locker

Ransomware Has a GUI. Subvariants: CoinVault BitCryptor

Internal MISP references

UUID 58534bc4-eb96-44f4-bdad-2cc5cfea8c6f which can be used as unique global reference for CryptoGraphic Locker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
extensions	['.clf']
ransomnotes-filenames	['wallpaper.jpg']

CryptoHost

Ransomware RAR's victim's files has a GUI

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoHost.

Known Synonyms
Manamecrypt
ROI Locker
Telograph

Internal MISP references

UUID dba2cf74-16a9-4ed8-8536-6542fda95999 which can be used as unique global reference for CryptoHost in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/ - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptohost-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 (RAR implementation)
payment-method	Bitcoin
price	0.33

Related clusters

To see the related clusters, click here.

CryptoJoker

Ransomware

Internal MISP references

UUID 2fb307a2-8752-4521-8973-75b68703030d which can be used as unique global reference for CryptoJoker in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2017/07/cryptojoker-2017-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.crjoker']
payment-method	Bitcoin
price	100€
ransomnotes-filenames	['README!!!.txt', 'GetYouFiles.txt', 'crjoker.html']

Related clusters

To see the related clusters, click here.

CryptoLocker

Ransomware no longer relevant

Internal MISP references

UUID b35b1ca2-f99c-4495-97a5-b8f30225cb90 which can be used as unique global reference for CryptoLocker in MISP communities and other software using the MISP galaxy

External references

• https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html - webarchive
• https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted', '.ENC']

Related clusters

To see the related clusters, click here.

CryptoLocker 1.0.0

Ransomware

Internal MISP references

UUID 8d5e3b1f-e333-4eed-8dec-d74f19d6bcbb which can be used as unique global reference for CryptoLocker 1.0.0 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/839747940122001408 - webarchive

Associated metadata

Metadata key	Value
payment-method	Email

CryptoLocker 5.1

Ransomware

Internal MISP references

UUID e1412d2a-2a94-4c83-aed0-9e09523514a4 which can be used as unique global reference for CryptoLocker 5.1 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/782890104947867649 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	250€

CryptoMix

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix.

Known Synonyms
Zeta

Internal MISP references

UUID c76110ea-15f1-4adf-a28d-c707374dbb3a which can be used as unique global reference for CryptoMix in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/CryptoMix.html - webarchive
• https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ - webarchive
• https://twitter.com/JakubKroustek/status/804009831518572544 - webarchive
• https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/ - webarchive
• https://twitter.com/demonslay335/status/1072227523755470848 - webarchive
• https://www.coveware.com/blog/cryptomix-ransomware-exploits-cancer-crowdfunding - webarchive
• https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.code', '.scl', '.rmd', '.lesli', '.rdmk', '.CRYPTOSHIELD', '.CRYPTOSHIEL', '.id_(ID_MACHINE)email_xoomx@dr.com.code', '.id_email_zeta@dr.com', '.id(ID_MACHINE)email_anx@dr.com.scl', '.email[supl0@post.com]id[\[[a-z0-9]{16}\]].lesli', 'filename.email[email]_id[id*].rdmk', '.EMPTY', '.0000', '.XZZX', '.TEST', '.WORK', '.SYSTEM', '.MOLE66', '.BACKUP', '[16 uppercase hex].SYS']
payment-method	Bitcoin
price	5
ransomnotes	['HELP_YOUR_FILES.html (CryptXXX)', 'HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number', 'Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number', '!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nbackuppc@tuta.io\n\nbackuppc@protonmail.com\n\nbackuppc1@protonmail.com\n\nb4ckuppc1@yandex.com\n\nb4ckuppc2@yandex.com\n\nbackuppc1@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[id] number', 'Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nleab@tuta.io\n\nitprocessor@protonmail.com\n\npcambulance1@protonmail.com\n\nleablossom@yandex.com\n\nblossomlea@yandex.com\n\nleablossom@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\n\nDECRYPT-ID-[redacted lowercase GUID] number']
ransomnotes-filenames	['INSTRUCTION RESTORE FILE.TXT', '# HELP_DECRYPT_YOUR_FILES #.TXT', '_HELP_INSTRUCTION.TXT', 'C:\ProgramData\[random].exe']
ransomnotes-refs	['https://pbs.twimg.com/media/DuFQ4FdWoAMy7Hg.jpg']

Related clusters

To see the related clusters, click here.

CryptoRansomeware

Ransomware

Internal MISP references

UUID de53f392-8794-43d1-a38b-c0b90c20a3fb which can be used as unique global reference for CryptoRansomeware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/817672617658347521 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	Some Bitcoins

Related clusters

To see the related clusters, click here.

CryptoRoger

Ransomware

Internal MISP references

UUID b6fe71ba-b0f4-4cc4-b84c-d3d80a37eada which can be used as unique global reference for CryptoRoger in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/cryptoroger-aes-256-0.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.crptrgr']
payment-method	Bitcoin
price	0.5 (360$)
ransomnotes-filenames	['!Where_are_my_files!.html']

CryptoShadow

Ransomware

Internal MISP references

UUID b11563ce-cced-4c8b-a3a1-0c4ff76aa0ef which can be used as unique global reference for CryptoShadow in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/821992610164277248 - webarchive

Associated metadata

Metadata key	Value
extensions	['.doomed']
ransomnotes-filenames	['LEER_INMEDIATAMENTE.txt']

CryptoShocker

Ransomware

Internal MISP references

UUID 545b4b25-763a-4a5c-8dda-12142c00422c which can be used as unique global reference for CryptoShocker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/cryptoshocker-ransomware-aes-200.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.locked']
payment-method	Bitcoin
price	200$
ransomnotes-filenames	['ATTENTION.url']

CryptoTorLocker2015

Ransomware

Internal MISP references

UUID 06ec3640-4b93-4e79-a8ec-e24b3d349dd5 which can be used as unique global reference for CryptoTorLocker2015 in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/ - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptotorlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.CryptoTorLocker2015!']
payment-method	Bitcoin
price	0.5 (100$)
ransomnotes-filenames	['HOW TO DECRYPT FILES.txt', '%Temp%\.bmp']

CryptoTrooper

Ransomware

Internal MISP references

UUID 13fdf55f-46f7-4635-96b8-b4806c78a80c which can be used as unique global reference for CryptoTrooper in MISP communities and other software using the MISP galaxy

External references

• http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml - webarchive

Associated metadata

Metadata key	Value
encryption	AES

CryptoWall 1

Ransomware, Infection by Phishing

Internal MISP references

UUID 5559fbc1-52c6-469c-be97-8f8344765577 which can be used as unique global reference for CryptoWall 1 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
encryption	RSA
payment-method	Bitcoin
price	1.09 (500$)
ransomnotes-filenames	['DECRYPT_INSTRUCTION.HTM', 'DECRYPT_INSTRUCTION.TXT', 'DECRYPT_INSTRUCTION.URL', 'INSTALL_TOR.URL']

CryptoWall 2

Ransomware

Internal MISP references

UUID f2780d22-4410-4a2f-a1c3-f43807ed1f19 which can be used as unique global reference for CryptoWall 2 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1.09 (500$)
ransomnotes-filenames	['HELP_DECRYPT.TXT', 'HELP_DECRYPT.PNG', 'HELP_DECRYPT.URL', 'HELP_DECRYPT.HTML']

CryptoWall 3

Ransomware

Internal MISP references

UUID 9d35fe47-5f8c-494c-a74f-23a7ac7f44be which can be used as unique global reference for CryptoWall 3 in MISP communities and other software using the MISP galaxy

External references

• https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/ - webarchive
• https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1.09 (500$)
ransomnotes-filenames	['HELP_DECRYPT.TXT', 'HELP_DECRYPT.PNG', 'HELP_DECRYPT.URL', 'HELP_DECRYPT.HTML']

CryptoWall 4

Ransomware

Internal MISP references

UUID f7c04ce6-dd30-4a94-acd4-9a3125bcb12e which can be used as unique global reference for CryptoWall 4 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
extensions	['., e.g. ,27p9k967z.x1nep']
payment-method	Bitcoin
price	1.09 (500$)
ransomnotes-filenames	['HELP_YOUR_FILES.HTML', 'HELP_YOUR_FILES.PNG']

CryptXXX

Ransomware Comes with Bedep

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptXXX.

Known Synonyms
CryptProjectXXX

Internal MISP references

UUID 255aac37-e4d2-4eeb-b8de-143f9c2321bd which can be used as unique global reference for CryptXXX in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive
• http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt']
payment-method	Bitcoin
price	1.2 (500$) - 2.4
ransomnotes-filenames	['de_crypt_readme.bmp', 'de_crypt_readme.txt', 'de_crypt_readme.html', '[victim_id].html', '[victim_id].bmp', '!Recovery_[victim_id].bmp', '!Recovery_[victim_id].html', '!Recovery_[victim_id].txt']

Related clusters

To see the related clusters, click here.

CryptXXX 2.0

Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptXXX 2.0.

Known Synonyms
CryptProjectXXX

Internal MISP references

UUID e272d0b5-cdfc-422a-bb78-9214475daec5 which can be used as unique global reference for CryptXXX 2.0 in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool - webarchive
• http://blogs.cisco.com/security/cryptxxx-technical-deep-dive - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt']
payment-method	Bitcoin
price	1.2 (500$) - 2.4
ransomnotes-filenames	['.txt', '.html', '.bmp']

Related clusters

To see the related clusters, click here.

CryptXXX 3.0

Ransomware Comes with Bedep

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptXXX 3.0.

Known Synonyms
UltraCrypter
UltraDeCrypter

Internal MISP references

UUID 60a50fe5-53ea-43f0-8a17-e7134f5fc371 which can be used as unique global reference for CryptXXX 3.0 in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive
• http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/ - webarchive
• http://blogs.cisco.com/security/cryptxxx-technical-deep-dive - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt', '.cryp1', '.crypz', '.cryptz', 'random']
payment-method	Bitcoin
price	1.2 (500$) - 2.4

CryptXXX 3.1

Ransomware StilerX credential stealing

Internal MISP references

UUID 3f5a76ea-6b83-443e-b26f-b2b2d02d90e0 which can be used as unique global reference for CryptXXX 3.1 in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100 - webarchive
• https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.cryp1']
payment-method	Bitcoin
price	1.2 (500$) - 2.4

CryPy

Ransomware

Internal MISP references

UUID 0b0f5f33-1871-461d-8e7e-b5e0ebc82311 which can be used as unique global reference for CryPy in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/ - webarchive
• https://id-ransomware.blogspot.com/2016/09/crypy-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.cry']
payment-method	Email
ransomnotes-filenames	['README_FOR_DECRYPT.txt']

CTB-Faker

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CTB-Faker.

Known Synonyms
Citroni

Internal MISP references

UUID 6212bf8f-07db-490a-8cef-ac42042076c1 which can be used as unique global reference for CTB-Faker in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/07/ctb-faker-ransomware-008.html - webarchive

Associated metadata

Metadata key	Value
encryption	RSA-2048
extensions	['.ctbl', '.([a-z]{6,7})']
payment-method	Bitcoin
price	0.08686 (50$)
ransomnotes-filenames	['AllFilesAreLocked .bmp', 'DecryptAllFiles .txt', '.html']

CTB-Locker WEB

Ransomware websites only

Internal MISP references

UUID 555b2c6f-0848-4ac1-9443-e4c20814459a which can be used as unique global reference for CTB-Locker WEB in MISP communities and other software using the MISP galaxy

External references

• https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/ - webarchive
• https://github.com/eyecatchup/Critroni-php - webarchive
• https://id-ransomware.blogspot.com/2016/06/ctb-locker-for-websites-04.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.4 - 0.8

CuteRansomware

Ransomware Based on my-Little-Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CuteRansomware.

Known Synonyms
my-Little-Ransomware

Internal MISP references

UUID 1a369bbf-6f03-454c-b507-15abe2a8bbb4 which can be used as unique global reference for CuteRansomware in MISP communities and other software using the MISP galaxy

External references

• https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool - webarchive
• https://github.com/aaaddress1/my-Little-Ransomware - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.已加密', '.encrypted']
payment-method	Bitcoin
price	1
ransomnotes	['Your files encrypted by our friends !!! txt']
ransomnotes-filenames	['你的檔案被我們加密啦!!!.txt']

Cyber SpLiTTer Vbs

Ransomware Based on HiddenTear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber SpLiTTer Vbs.

Known Synonyms
CyberSplitter

Internal MISP references

UUID 587589df-ee42-43f4-9480-c65d6e1d7e0f which can be used as unique global reference for Cyber SpLiTTer Vbs in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/778871886616862720 - webarchive
• https://twitter.com/struppigel/status/806758133720698881 - webarchive
• https://id-ransomware.blogspot.com/2016/09/cyber-splitter-vbs-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1

Related clusters

To see the related clusters, click here.

Death Bitches

Ransomware

Internal MISP references

UUID 0f074c07-613d-43cb-bd5f-37c747d39fe2 which can be used as unique global reference for Death Bitches in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JaromirHorejsi/status/815555258478981121 - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Bitcoin
price	1.5
ransomnotes-filenames	['READ_IT.txt']

DeCrypt Protect

Ransomware

Internal MISP references

UUID c80c78ae-fc05-44cf-8b47-4d50c103ca70 which can be used as unique global reference for DeCrypt Protect in MISP communities and other software using the MISP galaxy

External references

• http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.html']

DEDCryptor

Ransomware Based on EDA2

Internal MISP references

UUID 496b6c3c-771a-46cd-8e41-ce7c4168ae20 which can be used as unique global reference for DEDCryptor in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/ - webarchive
• http://www.nyxbone.com/malware/DEDCryptor.html - webarchive
• https://id-ransomware.blogspot.com/2016/06/dedcryptor-ransomware-aes-256rsa-2.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.ded']
payment-method	Bitcoin
price	2

Demo

Ransomware only encrypts .jpg files

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Demo.

Known Synonyms
CryptoDemo

Internal MISP references

UUID b314d86f-92bb-4be3-b32a-19d6f8eb55d4 which can be used as unique global reference for Demo in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/798573300779745281 - webarchive
• https://id-ransomware.blogspot.com/2017/10/cryptodemo-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['HELP_YOUR_FILES.txt']

DetoxCrypto

Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte

Internal MISP references

UUID be094d75-eba8-4ff3-91f1-f8cde687e5ed which can be used as unique global reference for DetoxCrypto in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/ - webarchive
• https://id-ransomware.blogspot.com/2016/08/detoxcrypto-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
payment-method	Bitcoin
price	2 - 3

Digisom

Ransomware

Internal MISP references

UUID c5b2a0bc-352f-481f-8c35-d378754793c0 which can be used as unique global reference for Digisom in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/PolarToffee/status/829727052316160000 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.05
ransomnotes	['Digisom Readme0.txt (0 to 9)']

DirtyDecrypt

Ransomware

Internal MISP references

UUID 5ad8a530-3ab9-48b1-9a75-e1e97b3f77ec which can be used as unique global reference for DirtyDecrypt in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/752586334527709184 - webarchive
• https://id-ransomware.blogspot.com/2016/07/revoyem-dirtydecrypt-ransomware-doc.html - webarchive

Associated metadata

Metadata key	Value
payment-method	No ransom

DMALocker

Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0

Internal MISP references

UUID 407ebc7c-5b05-488f-862f-b2bf6c562372 which can be used as unique global reference for DMALocker in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive
• https://github.com/hasherezade/dma_unlocker - webarchive
• https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg - webarchive
• https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 in ECB mode, Version 2-4 also RSA
payment-method	Bitcoin
price	1 - 2 - 4
ransomnotes-filenames	['cryptinfo.txt', 'decrypting.txt', 'start.txt']

DMALocker 3.0

Ransomware

Internal MISP references

UUID ba39be57-c138-48d5-b46b-d996ff899ffa which can be used as unique global reference for DMALocker 3.0 in MISP communities and other software using the MISP galaxy

External references

• https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg - webarchive
• https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + XPTLOCK5.0
payment-method	Bitcoin
price	1 - 2 (440$)

DNRansomware

Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT

Internal MISP references

UUID 45cae006-5d14-4c95-bb5b-dcf5555d7c78 which can be used as unique global reference for DNRansomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/822500056511213568 - webarchive

Associated metadata

Metadata key	Value
extensions	['.fucked']
payment-method	Bitcoin
price	0.5 (864$)

Domino

Ransomware Based on Hidden Tear

Internal MISP references

UUID 7cb20800-2033-49a4-bdf8-a7da5a24f7f1 which can be used as unique global reference for Domino in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/Domino.html - webarchive
• http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/ - webarchive
• https://id-ransomware.blogspot.com/2016/08/domino-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.domino']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['README_TO_RECURE_YOUR_FILES.txt']

DoNotChange

Ransomware

Internal MISP references

UUID 2e6f4fa6-5fdf-4d69-b764-063d88ba1dd0 which can be used as unique global reference for DoNotChange in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/ - webarchive
• https://id-ransomware.blogspot.com/2017/03/donotchange-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.id-7ES642406.cry', '.Do_not_change_the_filename']
payment-method	Email
price	250$
ransomnotes-filenames	['HOW TO DECODE FILES!!!.txt', 'КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt']

DummyLocker

Ransomware

Internal MISP references

UUID 55446b3a-fdc7-4c75-918a-2d9fb5cdf3ff which can be used as unique global reference for DummyLocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/794108322932785158 - webarchive

Associated metadata

Metadata key	Value
extensions	['.dCrypt']

DXXD

Ransomware

Internal MISP references

UUID 57108b9e-5af8-4797-9924-e424cb5e9903 which can be used as unique global reference for DXXD in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/ - webarchive
• https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/ - webarchive
• https://id-ransomware.blogspot.com/2016/09/dxxd-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.dxxd']
payment-method	Email
ransomnotes-filenames	['ReadMe.TxT']

HiddenTear

Ransomware Open sourced C#

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HiddenTear.

Known Synonyms
Cryptear
EDA2
Hidden Tear

Internal MISP references

UUID 254f4f67-d850-4dc5-8ddb-2e955ddea287 which can be used as unique global reference for HiddenTear in MISP communities and other software using the MISP galaxy

External references

• http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html - webarchive
• https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Download Decrypter

Related clusters

To see the related clusters, click here.

EduCrypt

Ransomware Based on Hidden Tear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EduCrypt.

Known Synonyms
EduCrypter

Internal MISP references

UUID 826a341a-c329-4e1e-bc9f-5d44c8317557 which can be used as unique global reference for EduCrypt in MISP communities and other software using the MISP galaxy

External references

• http://www.filedropper.com/decrypter_1 - webarchive
• https://twitter.com/JakubKroustek/status/747031171347910656 - webarchive
• https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.isis', '.locked']
payment-method	Download Decryter
ransomnotes-filenames	['README.txt']

EiTest

Ransomware

Internal MISP references

UUID 0a24ea0d-3f8a-428a-8b77-ef5281c1ee05 which can be used as unique global reference for EiTest in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BroadAnalysis/status/845688819533930497 - webarchive
• https://twitter.com/malwrhunterteam/status/845652520202616832 - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypted']
payment-method	Bitcoin
price	0.25 (320$)

El-Polocker

Ransomware Has a GUI

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular El-Polocker.

Known Synonyms
Los Pollos Hermanos

Internal MISP references

UUID 63d9cb32-a1b9-46c3-818a-df16d8b9e46a which can be used as unique global reference for El-Polocker in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/07/el-polocker-ransomware-aes-450-aud.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.ha3']
payment-method	Email
price	450$ - 1000$
ransomnotes-filenames	['qwer.html', 'qwer2.html', 'locked.bmp']

Encoder.xxxx

Ransomware Coded in GO

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Encoder.xxxx.

Known Synonyms
Trojan.Encoder.6491

Internal MISP references

UUID f855609e-b7ab-41e8-aafa-62016f8f4e1a which can be used as unique global reference for Encoder.xxxx in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/ - webarchive
• http://vms.drweb.ru/virus/?_is=1&i=8747343 - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['Instructions.html']

Related clusters

To see the related clusters, click here.

encryptoJJS

Ransomware

Internal MISP references

UUID 3e5deef2-bace-40bc-beb1-5d9009233667 which can be used as unique global reference for encryptoJJS in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/11/encryptojjs-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.enc']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['How to recover.enc']

Enigma

Ransomware

Internal MISP references

UUID 1b24d240-df72-4388-946b-efa07a9447bb which can be used as unique global reference for Enigma in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/enigma-ransomware-aes-128-0.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.enigma', '.1txt']
payment-method	WebSite (onion)
ransomnotes-filenames	['enigma.hta', 'enigma_encr.txt', 'enigma_info.txt']

Enjey

Ransomware Based on RemindMe

Internal MISP references

UUID 198891fb-26a4-455a-9719-4130bedba103 which can be used as unique global reference for Enjey in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/839022018230112256 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin - Email

Fairware

Ransomware Target Linux O.S.

Internal MISP references

UUID 6771b42f-1d95-4b2e-bbb5-9ab703bbaa9d which can be used as unique global reference for Fairware in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	2

Fakben

Ransomware Based on Hidden Tear

Internal MISP references

UUID c308346a-2746-4900-8149-464a09086b55 which can be used as unique global reference for Fakben in MISP communities and other software using the MISP galaxy

External references

• https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code - webarchive
• https://id-ransomware.blogspot.com/2016/07/fakben-team-ransomware-aes-256-1505.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Bitcoin
price	1.50520802
ransomnotes-filenames	['READ ME FOR DECRYPT.txt']

FakeCryptoLocker

Ransomware

Internal MISP references

UUID abddc01f-7d76-47d4-985d-ea6d16acccb1 which can be used as unique global reference for FakeCryptoLocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/PolarToffee/status/812312402779836416 - webarchive

Associated metadata

Metadata key	Value
extensions	['.cryptolocker']
payment-method	Bitcoin
price	0.5

Fantom

Ransomware Based on EDA2

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fantom.

Known Synonyms
Comrad Circle

Internal MISP references

UUID 35be87a5-b498-4693-8b8d-8b17864ac088 which can be used as unique global reference for Fantom in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.fantom', '.comrade']
payment-method	Email
ransomnotes	['RESTORE-FILES![id]']
ransomnotes-filenames	['DECRYPT_YOUR_FILES.HTML']

FenixLocker

Ransomware

Internal MISP references

UUID f9f54046-ed5d-4353-8b81-d92b51f596b4 which can be used as unique global reference for FenixLocker in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/fenixlocker - webarchive
• https://twitter.com/fwosar/status/777197255057084416 - webarchive
• https://id-ransomware.blogspot.com/2016/09/fenixlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.FenixIloveyou!!']
payment-method	Email
ransomnotes-filenames	['Help to decrypt.txt']

FILE FROZR

Ransomware RaaS

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FILE FROZR.

Known Synonyms
FileFrozr

Internal MISP references

UUID 2a50f476-7355-4d58-b0ce-4235b2546c90 which can be used as unique global reference for FILE FROZR in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/rommeljoven17/status/846973265650335744 - webarchive
• https://id-ransomware.blogspot.com/2017/03/filefrozr-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1

FileLocker

Ransomware

Internal MISP references

UUID b92bc550-7edb-4f8f-96fc-cf47d437df32 which can be used as unique global reference for FileLocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/jiriatvirlab/status/836616468775251968 - webarchive

Associated metadata

Metadata key	Value
extensions	['.ENCR']
payment-method	Bitcoin
price	0.09 (100$ with discount price) - 150$

FireCrypt

Ransomware

Internal MISP references

UUID 721ba430-fd28-454c-8512-24339ef2235f which can be used as unique global reference for FireCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ - webarchive
• https://id-ransomware.blogspot.com/2017/01/bleedgreen-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.firecrypt']
payment-method	Bitcoin
price	500$
ransomnotes-filenames	['[random_chars]-READ_ME.html']

Related clusters

To see the related clusters, click here.

Flyper

Ransomware Based on EDA2 / HiddenTear

Internal MISP references

UUID 1a110f7e-8820-4a9a-86c0-db4056f0b911 which can be used as unique global reference for Flyper in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/773771485643149312 - webarchive
• https://id-ransomware.blogspot.com/2016/09/flyper-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Bitcoin
price	0.5

Fonco

Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents

Internal MISP references

UUID 3d75cb84-2f14-408d-95bd-f1316bf854e6 which can be used as unique global reference for Fonco in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
payment-method	Email
ransomnotes-filenames	['help-file-decrypt.enc', '/pronk.txt']

FortuneCookie

Ransomware

Internal MISP references

UUID 2db3aafb-b219-4b52-8dfe-ce41416ebeab which can be used as unique global reference for FortuneCookie in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/842302481774321664 - webarchive

Associated metadata

Metadata key	Value

Free-Freedom

Ransomware Unlock code is: adam or adamdude9

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Free-Freedom.

Known Synonyms
Roga

Internal MISP references

UUID 175ebcc0-d74f-49b2-9226-c660ca1fe2e8 which can be used as unique global reference for Free-Freedom in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/812135608374226944 - webarchive
• https://id-ransomware.blogspot.com/2016/12/roga-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.madebyadam']
payment-method	Playstore Card (Gift)
price	25£ or 30$

Related clusters

To see the related clusters, click here.

FSociety

Ransomware Based on EDA2 and RemindMe

Internal MISP references

UUID d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f which can be used as unique global reference for FSociety in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/ - webarchive
• http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/ - webarchive
• https://twitter.com/siri_urz/status/795969998707720193 - webarchive
• https://id-ransomware.blogspot.com/2016/08/fsociety-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.fs0ciety', '.dll']
payment-method	No Ransom - No Descrypter
ransomnotes-filenames	['fs0ciety.html', 'DECRYPT_YOUR_FILES.HTML']

Fury

Ransomware

Internal MISP references

UUID 291997b1-72b6-43ea-9365-b4d55eddca71 which can be used as unique global reference for Fury in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive

Associated metadata

Metadata key	Value

GhostCrypt

Ransomware Based on Hidden Tear

Internal MISP references

UUID 3b681f76-b0e4-4ba7-a113-5dd87d6ee53b which can be used as unique global reference for GhostCrypt in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip - webarchive
• http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/ghostcrypt-ransomware-aes-256-2-bitcoins.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.Z81928819']
payment-method	Bitcoin
price	2

Gingerbread

Ransomware

Internal MISP references

UUID c6419971-47f8-4c80-a685-77292ff30fa7 which can be used as unique global reference for Gingerbread in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/ni_fi_70/status/796353782699425792 - webarchive

Associated metadata

Metadata key	Value
payment-method	Email

Globe v1

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Globe v1.

Known Synonyms
Purge

Internal MISP references

UUID b247b6e5-f51b-4bb5-8f5a-1628843abe99 which can be used as unique global reference for Globe v1 in MISP communities and other software using the MISP galaxy

External references

• https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221 - webarchive
• http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/ - webarchive
• https://id-ransomware.blogspot.com/2017/07/purge-kind-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	Blowfish
extensions	['.purge']
payment-method	Bitcoin
price	250$
ransomnotes-filenames	['How to restore files.hta']

GNL Locker

Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker

Internal MISP references

UUID 390abe30-8b9e-439e-a6d3-2ee978f05fba which can be used as unique global reference for GNL Locker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/ - webarchive
• http://id-ransomware.blogspot.ru/2016/05/gnl-locker-ransomware-gnl-locker-ip.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked', '.locked, e.g., bill.!ID!8MMnF!ID!.locked']
payment-method	Bitcoin
price	0.5(190 - 250 $)
ransomnotes-filenames	['UNLOCK_FILES_INSTRUCTIONS.html', 'UNLOCK_FILES_INSTRUCTIONS.txt']

Related clusters

To see the related clusters, click here.

Gomasom

Ransomware

Internal MISP references

UUID 70b85861-f419-4ad5-9aa6-254db292e043 which can be used as unique global reference for Gomasom in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive
• http://id-ransomware.blogspot.com/2016/05/gomasom-ransonware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt', '!___[EMAILADDRESS]_.crypt']
payment-method	Email

Goopic

Ransomware

Internal MISP references

UUID 3229a370-7a09-4b93-ad89-9555a847b1dd which can be used as unique global reference for Goopic in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	500 $
ransomnotes-filenames	['Your files have been crypted.html']

Gopher

Ransomware OS X ransomware (PoC)

Internal MISP references

UUID ec461b8a-5390-4304-9d2a-a20c7ed6a9db which can be used as unique global reference for Gopher in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	mars 2021

Hacked

Ransomware Jigsaw Ransomware variant

Internal MISP references

UUID 7f2df0cd-5962-4687-90a2-a49eab2b12bc which can be used as unique global reference for Hacked in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/806878803507101696 - webarchive
• http://id-ransomware.blogspot.com/2016/12/hackedlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.versiegelt', '.encrypted', '.payrmts', '.locked', '.Locked']
payment-method	Bitcoin
price	0.33 - 0.5

HappyDayzz

Ransomware

Internal MISP references

UUID e71c76f3-8274-4ec5-ac11-ac8b8286d069 which can be used as unique global reference for HappyDayzz in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/847114064224497666 - webarchive
• http://id-ransomware.blogspot.com/2017/03/happydayzz-blackjocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	3DES, AES-128, AES-192, AES-256, DES, RC2, RC4
payment-method	MoneyPak
price	0.5

Harasom

Ransomware

Internal MISP references

UUID 5cadd11c-002a-4062-bafd-aadb7d740f59 which can be used as unique global reference for Harasom in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.html']
payment-method	MoneyPak
price	100 $

HDDCryptor

Ransomware Uses https://diskcryptor.net for full disk encryption

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HDDCryptor.

Known Synonyms
Mamba

Internal MISP references

UUID 95be4cd8-1d98-484f-a328-a5917a05e3c8 which can be used as unique global reference for HDDCryptor in MISP communities and other software using the MISP galaxy

External references

• https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho - webarchive
• blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/
• http://id-ransomware.blogspot.com/2016/09/hddcryptor-ransomware-mbr.html - webarchive

Associated metadata

Metadata key	Value
encryption	Custom (net shares), XTS-AES (disk)
payment-method	Email

Related clusters

To see the related clusters, click here.

Heimdall

Ransomware File marker: "Heimdall---"

Internal MISP references

UUID c6d6ddf0-2afa-4cca-8982-ba2a7c0441ae which can be used as unique global reference for Heimdall in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/ - webarchive
• https://id-ransomware.blogspot.com/2016/11/heimdall-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128-CBC
payment-method	Bitcoin

Help_dcfile

Ransomware

Internal MISP references

UUID 2fdc6daa-6b6b-41b9-9a25-1030101478c3 which can be used as unique global reference for Help_dcfile in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/09/helpdcfile-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.XXX']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['help_dcfile.txt']

Herbst

Ransomware

Internal MISP references

UUID 6489895b-0213-4564-9cfc-777df58d84c9 which can be used as unique global reference for Herbst in MISP communities and other software using the MISP galaxy

External references

• https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware - webarchive
• https://id-ransomware.blogspot.com/2016/06/herbst-autumn-ransomware-aes-256-01.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.herbst']
payment-method	Bitcoin
price	0.1

Related clusters

To see the related clusters, click here.

Hi Buddy!

Ransomware Based on HiddenTear

Internal MISP references

UUID a0d6563d-1e98-4e49-9151-39fbeb09ef76 which can be used as unique global reference for Hi Buddy! in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/hibuddy.html - webarchive
• http://id-ransomware.blogspot.ru/2016/05/hi-buddy-ransomware-aes-256-0.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.cry']
payment-method	Bitcoin
price	0.77756467

Hitler

Ransomware Deletes files

Internal MISP references

UUID 8807752b-bd26-45a7-ba34-c8ddd8e5781d which can be used as unique global reference for Hitler in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/ - webarchive
• https://twitter.com/jiriatvirlab/status/825310545800740864 - webarchive
• http://id-ransomware.blogspot.com/2016/08/hitler-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['removes extensions']
payment-method	Vodafone card
price	25 €

HolyCrypt

Ransomware

Internal MISP references

UUID c71819a4-f6ce-4265-b0cd-24a98d84321c which can be used as unique global reference for HolyCrypt in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/ - webarchive
• https://id-ransomware.blogspot.com/2016/07/holycrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['(encrypted)']
payment-method	Link (onion)

Related clusters

To see the related clusters, click here.

HTCryptor

Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear

Internal MISP references

UUID 728aecfc-9b99-478f-a0a3-8c0fb6896353 which can be used as unique global reference for HTCryptor in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/803288396814839808 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	vary

HydraCrypt

Ransomware CrypBoss Family

Internal MISP references

UUID 335c3ab6-8f2c-458c-92a3-2f3a09a6064c which can be used as unique global reference for HydraCrypt in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive
• http://www.malware-traffic-analysis.net/2016/02/03/index2.html - webarchive
• https://id-ransomware.blogspot.com/2016/06/hydracrypt-ransomware-aes-256-cbc-rsa.html - webarchive

Associated metadata

Metadata key	Value
extensions	['hydracrypt_ID_[\w]{8}']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['README_DECRYPT_HYRDA_ID_[ID number].txt']

iLock

Ransomware

Internal MISP references

UUID 68e90fa4-ea66-4159-b454-5f48fdae3d89 which can be used as unique global reference for iLock in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/817085367144873985 - webarchive

Associated metadata

Metadata key	Value
extensions	['.crime']
payment-method	Website onion

iLockLight

Ransomware

Internal MISP references

UUID cb374ee8-76c0-4db8-9026-a57a51d9a0a1 which can be used as unique global reference for iLockLight in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
extensions	['.crime']
payment-method	Bitcoin
price	300 $

International Police Association

Ransomware CryptoTorLocker2015 variant

Internal MISP references

UUID a66fbb1e-ba59-48c1-aac8-8678b4a98dc1 which can be used as unique global reference for International Police Association in MISP communities and other software using the MISP galaxy

External references

• http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe - webarchive

Associated metadata

Metadata key	Value
extensions	['<6 random characters>']
payment-method	Bitcoin
price	100 $
ransomnotes-filenames	['%Temp%\.bmp']

iRansom

Ransomware

Internal MISP references

UUID 4514ecd4-850d-446f-82cb-0668d2c94ffa which can be used as unique global reference for iRansom in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/796134264744083460 - webarchive
• http://id-ransomware.blogspot.com/2016/11/iransom-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.Locked']
payment-method	Bitcoin
price	0.15

JagerDecryptor

Ransomware Prepends filenames

Internal MISP references

UUID 25a086aa-e25c-4190-a848-69d9f46fd8ab which can be used as unique global reference for JagerDecryptor in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/757873976047697920 - webarchive

Associated metadata

Metadata key	Value
extensions	['!ENC']
payment-method	Bitcoin
price	50 $
ransomnotes-filenames	['Important_Read_Me.html']

Jeiphoos

Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jeiphoos.

Known Synonyms
Encryptor RaaS
Sarento

Internal MISP references

UUID 50014fe7-5efd-4639-82ef-30d36f4d2918 which can be used as unique global reference for Jeiphoos in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/RaaS.html - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/ - webarchive

Associated metadata

Metadata key	Value
encryption	RC6 (files), RSA 2048 (RC6 key)
payment-method	Bitcoin
price	0.046627
ransomnotes-filenames	['readme_liesmich_encryptor_raas.txt']

Jhon Woddy

Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH

Internal MISP references

UUID fedd7285-d4bd-4411-985e-087954cee96d which can be used as unique global reference for Jhon Woddy in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip - webarchive
• https://twitter.com/BleepinComputer/status/822509105487245317 - webarchive

Associated metadata

Metadata key	Value
extensions	['.killedXXX']
payment-method	PaySafeCard
price	0.1

Jigsaw

Ransomware Has a GUI

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jigsaw.

Known Synonyms
CryptoHitMan
Jigsaw Original

Internal MISP references

UUID 1e3384ae-4b48-4c96-b7c2-bc1cc1eda203 which can be used as unique global reference for Jigsaw in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/ - webarchive
• https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/ - webarchive
• https://twitter.com/demonslay335/status/795819556166139905 - webarchive
• https://id-ransomware.blogspot.com/2016/04/jigsaw-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.btc', '.kkk', '.fun', '.gws', '.porno', '.payransom', '.payms', '.paymst', '.AFD', '.paybtcs', '.epic', '.xyz', '.encrypted', '.hush', '.paytounlock', '.uk-dealer@sigaint.org', '.gefickt', '.nemo-hacks.at.sigaint.org', '.LolSec']
payment-method	PaySafeCard
price	0.4 (150 $)

Related clusters

To see the related clusters, click here.

Job Crypter

Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Job Crypter.

Known Synonyms
JobCrypter

Internal MISP references

UUID 7c9a273b-1534-4a13-b201-b7a782b6c32a which can be used as unique global reference for Job Crypter in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/jobcrypter.html - webarchive
• http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html - webarchive
• https://twitter.com/malwrhunterteam/status/828914052973858816 - webarchive
• http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	TripleDES
extensions	['.locked', '.css']
payment-method	PaySafeCard
price	300 €
ransomnotes-filenames	['Comment débloquer mes fichiers.txt', 'Readme.txt']

JohnyCryptor

Ransomware

Internal MISP references

UUID 5af5be3e-549f-4485-8c2e-1459d4e5c7d7 which can be used as unique global reference for JohnyCryptor in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/04/johnycryptor-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Email

KawaiiLocker

Ransomware

Internal MISP references

UUID b6d0ea4d-4e55-4b42-9d60-485d605d6c49 which can be used as unique global reference for KawaiiLocker in MISP communities and other software using the MISP galaxy

External references

• https://safezone.cc/resources/kawaii-decryptor.195/ - webarchive
• http://id-ransomware.blogspot.com/2016/09/kawaiilocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	rubles
price	6 000
ransomnotes-filenames	['How Decrypt Files.txt']

KeRanger

Ransomware OS X Ransomware

Internal MISP references

UUID 63292b32-9867-4fb2-9e59-d4983d4fd5d1 which can be used as unique global reference for KeRanger in MISP communities and other software using the MISP galaxy

External references

• http://news.drweb.com/show/?i=9877&lng=en&c=5 - webarchive
• http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/ - webarchive
• https://id-ransomware.blogspot.com/2016/03/keranger-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.encrypted']
payment-method	Bitcoin
price	1

Related clusters

To see the related clusters, click here.

KeyBTC

Ransomware

Internal MISP references

UUID 3964e617-dde5-4c95-b4a0-e7c19c6e7d7f which can be used as unique global reference for KeyBTC in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/ - webarchive

Associated metadata

Metadata key	Value
extensions	['keybtc@inbox_com']
payment-method	Email
ransomnotes-filenames	['DECRYPT_YOUR_FILES.txt', 'READ.txt', 'readme.txt']

KEYHolder

Ransomware via remote attacker. tuyuljahat@hotmail.com contact address

Internal MISP references

UUID 66eda328-9408-4e98-ad27-572fd6b2acd8 which can be used as unique global reference for KEYHolder in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml - webarchive
• https://id-ransomware.blogspot.com/2016/06/keyholder-ransomware-xor-cfb-cipher.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1.5 (500 $)
ransomnotes-filenames	['how_decrypt.gif', 'how_decrypt.html']

KillerLocker

Ransomware Possibly Portuguese dev

Internal MISP references

UUID ea8e7350-f243-4ef7-bc31-4648df8a4d96 which can be used as unique global reference for KillerLocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/782232299840634881 - webarchive
• http://id-ransomware.blogspot.com/2016/10/killerlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.rip']
payment-method	Bitcoin

KimcilWare

Ransomware websites only

Internal MISP references

UUID 950e2514-8a7e-4fdb-a3ad-5679f6342e5d which can be used as unique global reference for KimcilWare in MISP communities and other software using the MISP galaxy

External references

• https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it - webarchive
• http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/ - webarchive
• http://id-ransomware.blogspot.com/2016/04/kimcilware-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.kimcilware', '.locked']
payment-method	Dollars
price	140 - 415

Korean

Ransomware Based on HiddenTear

Internal MISP references

UUID 4febffe0-3837-41d7-b95f-e26d126275e4 which can be used as unique global reference for Korean in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/koreanRansom.html - webarchive
• http://id-ransomware.blogspot.com/2016/08/korean-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.암호화됨']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['ReadMe.txt']

Kozy.Jozy

Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kozy.Jozy.

Known Synonyms
QC

Internal MISP references

UUID 47b5d261-11bd-4c7b-91f9-e5651578026a which can be used as unique global reference for Kozy.Jozy in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/KozyJozy.html - webarchive
• http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/kozy.html - webarchive

Associated metadata

Metadata key	Value
encryption	RSA-2048
extensions	['.31392E30362E32303136_[ID-KEY]LSBJ1', '.([0-9A-Z]{20})([0-9]{2})_([A-Z0-9]{4,5})']
payment-method	Email
ransomnotes-filenames	['w.jpg']

KratosCrypt

Ransomware kratosdimetrici@gmail.com

Internal MISP references

UUID cc819741-830b-4859-bb7c-ccedf3356acd which can be used as unique global reference for KratosCrypt in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/746090483722686465 - webarchive
• https://id-ransomware.blogspot.com/2016/06/kratoscrypt-ransomware-aes-256-0.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.kratos']
payment-method	Bitcoin
price	0.03
ransomnotes-filenames	['README_ALL.html']

KryptoLocker

Ransomware Based on HiddenTear

Internal MISP references

UUID e68d4f37-704a-4f8e-9718-b12039fbe424 which can be used as unique global reference for KryptoLocker in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/07/kryptolocker-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
payment-method	ransom
ransomnotes-filenames	['KryptoLocker_README.txt']

LanRan

Ransomware Variant of open-source MyLittleRansomware

Internal MISP references

UUID 9e152871-fb16-475d-bf3b-f3b870d0237a which can be used as unique global reference for LanRan in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/847689644854595584 - webarchive
• http://id-ransomware.blogspot.com/2017/03/lanran-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.5
ransomnotes	['@help@']

LeChiffre

Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker

Internal MISP references

UUID ea1ba874-07e6-4a6d-82f0-e4ce4210e34e which can be used as unique global reference for LeChiffre in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/lechiffre - webarchive
• https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/ - webarchive
• http://id-ransomware.blogspot.com/2016/05/lechiffre-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.LeChiffre']
payment-method	Email
ransomnotes-filenames	['How to decrypt LeChiffre files.html']

Lick

Ransomware Variant of Kirk

Internal MISP references

UUID f2e76070-0cea-4c9c-8d6b-1d847e777575 which can be used as unique global reference for Lick in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/842404866614038529 - webarchive
• https://www.2-spyware.com/remove-lick-ransomware-virus.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.Licked']
payment-method	Monero
price	50 - 500
ransomnotes-filenames	['RANSOM_NOTE.txt']

Linux.Encoder

Ransomware Linux Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linux.Encoder.

Known Synonyms
Linux.Encoder.{0,3}

Internal MISP references

UUID b4992483-a693-4e73-b39e-0f45c9f645b5 which can be used as unique global reference for Linux.Encoder in MISP communities and other software using the MISP galaxy

External references

• https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1 (450 $)

LK Encryption

Ransomware Based on HiddenTear

Internal MISP references

UUID af52badb-3211-42b0-a1ac-e4d35d5829d7 which can be used as unique global reference for LK Encryption in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/845183290873044994 - webarchive
• http://id-ransomware.blogspot.com/2017/03/lk-encryption-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.5

LLTP Locker

Ransomware Targeting Spanish speaking victims

Internal MISP references

UUID 0cec6928-80c7-4085-ba47-cdc52177dfd3 which can be used as unique global reference for LLTP Locker in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/ - webarchive
• http://id-ransomware.blogspot.com/2017/03/lltp-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.ENCRYPTED_BY_LLTP', '.ENCRYPTED_BY_LLTPp']
payment-method	Bitcoin
price	0.2 (200 $)
ransomnotes-filenames	['LEAME.txt']

Locker

Ransomware has GUI

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Locker.

Known Synonyms
LockeR

Internal MISP references

UUID abc7883c-244a-44ac-9c86-559dafa4eb63 which can be used as unique global reference for Locker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545 - webarchive
• https://id-ransomware.blogspot.com/2016/04/locker-ransomware-2015.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.1

LockLock

Ransomware

Internal MISP references

UUID 7850bf92-394b-443b-8830-12f9ddbb50dc which can be used as unique global reference for LockLock in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/ - webarchive
• https://id-ransomware.blogspot.com/2016/09/locklock-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locklock']
payment-method	Email
ransomnotes-filenames	['READ_ME.TXT']

Locky

Ransomware Affiliations with Dridex and Necurs botnets

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Locky.

Known Synonyms
Locky-Odin
Locky-Osiris
Locky-Osiris 2016
Locky-Osiris 2017

Internal MISP references

UUID 8d51a22e-3485-4480-af96-8ed0305a7aa6 which can be used as unique global reference for Locky in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/ - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/ - webarchive
• https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/ - webarchive
• https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/ - webarchive
• https://id-ransomware.blogspot.com/2016/02/locky.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.locky', '.zepto', '.odin', '.shit', '.thor', '.aesir', '.zzzzz', '.osiris', '([A-F0-9]{32}).locky', '([A-F0-9]{32}).zepto', '([A-F0-9]{32}).odin', '([A-F0-9]{32}).shit', '([A-F0-9]{32}).thor', '([A-F0-9]{32}).aesir', '([A-F0-9]{32}).zzzzz', '([A-F0-9]{32}).osiris', '.lukitus']
payment-method	Bitcoin
price	3 - 5 - 7
ransomnotes	['DesktopOSIRIS.(bmp
ransomnotes-filenames	['_Locky_recover_instructions.txt', '_Locky_recover_instructions.bmp', '_HELP_instructions.txt', '_HELP_instructions.bmp', '_HOWDO_text.html', '_WHAT_is.html', '_INSTRUCTION.html', 'OSIRIS-[0-9]{4}.htm', 'lukitus.htm']

Related clusters

To see the related clusters, click here.

Lortok

Ransomware

Internal MISP references

UUID bc23872a-7cd3-4a66-9d25-6b4e6f90cc4e which can be used as unique global reference for Lortok in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/06/lortok-ransomware-aes-256-5.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crime']
payment-method	Dollars
price	5

LowLevel04

Ransomware Prepends filenames

Internal MISP references

UUID d4fb0463-6cd1-45ac-a7d2-6eea8be39590 which can be used as unique global reference for LowLevel04 in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/04/lowlevel04-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['oor.']
payment-method	Bitcoin
price	4

M4N1F3STO

Ransomware Does not encrypt Unlock code=suckmydicknigga

Internal MISP references

UUID f5d19af8-1c85-408b-818e-db50208d62b1 which can be used as unique global reference for M4N1F3STO in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/jiriatvirlab/status/808015275367002113 - webarchive
• http://id-ransomware.blogspot.com/2016/12/m4n1f3sto-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.3

Mabouia

Ransomware OS X ransomware (PoC)

Internal MISP references

UUID f9214319-6ad4-4c4e-bc6d-fb710f61da48 which can be used as unique global reference for Mabouia in MISP communities and other software using the MISP galaxy

External references

• https://www.youtube.com/watch?v=9nJv_PN2m1Y - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

MacAndChess

Ransomware Based on HiddenTear

Internal MISP references

UUID fae8bf6e-47d1-4449-a1c6-761a4970fc38 which can be used as unique global reference for MacAndChess in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2017/03/macandchess-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.5

Magic

Ransomware Based on EDA2

Internal MISP references

UUID 31fa83fc-8247-4347-940a-e463acd66bac which can be used as unique global reference for Magic in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/04/magic-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.magic']
payment-method	Bitcoin
price	1 - 2
ransomnotes-filenames	['DECRYPT_ReadMe1.TXT', 'DECRYPT_ReadMe.TXT']

MaktubLocker

Ransomware

Internal MISP references

UUID ef6ceb04-243e-4783-b476-8e8e9f06e8a7 which can be used as unique global reference for MaktubLocker in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/ - webarchive
• http://id-ransomware.blogspot.com/2016/04/maktub-locker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + RSA-2048
extensions	['[a-z]{4,6}']
payment-method	Bitcoin
price	1.4 - 3.9
ransomnotes-filenames	['DECRYPT_INFO[extension pattern].html']

MarsJoke

Ransomware

Internal MISP references

UUID 933bd53f-5ccf-4262-a70c-c01a6f05af3e which can be used as unique global reference for MarsJoke in MISP communities and other software using the MISP galaxy

External references

• https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker - webarchive
• http://id-ransomware.blogspot.com/2016/09/jokefrommars-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.a19', '.ap19']
payment-method	Bitcoin
price	0.7 - 1.1
ransomnotes-filenames	['!!! Readme For Decrypt !!!.txt', 'ReadMeFilesDecrypt!!!.txt']

Meister

Ransomware Targeting French victims

Internal MISP references

UUID ce5a82ef-d2a3-405c-ac08-3dca71057eb5 which can be used as unique global reference for Meister in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/siri_urz/status/840913419024945152 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.1

Meteoritan

Ransomware

Internal MISP references

UUID 34f292d9-cb68-4bcf-a3db-a717362aca77 which can be used as unique global reference for Meteoritan in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/844614889620561924 - webarchive
• http://id-ransomware.blogspot.com/2017/03/meteoritan-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Email
ransomnotes-filenames	['where_are_your_files.txt', 'readme_your_files_have_been_encrypted.txt']

MIRCOP

Ransomware Prepends files Demands 48.48 BTC

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MIRCOP.

Known Synonyms
Crypt888
MicroCop

Internal MISP references

UUID 7dd326a5-1168-4309-98b1-f2146d9cf8c7 which can be used as unique global reference for MIRCOP in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/ - webarchive
• https://www.avast.com/ransomware-decryption-tools#! - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/ - webarchive
• http://www.nyxbone.com/malware/Mircop.html - webarchive
• https://id-ransomware.blogspot.com/2016/06/mircop-ransomware-4848.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['Lock.']
payment-method	Bitcoin
price	48.48

MireWare

Ransomware Based on HiddenTear

Internal MISP references

UUID 9f01ded7-99f6-4863-b3a3-9d32aabf96c3 which can be used as unique global reference for MireWare in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/05/mireware-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.fucked', '.fuck']
payment-method	Bitcoin - Email
ransomnotes-filenames	['READ_IT.txt']

Mischa

Ransomware Packaged with Petya PDFBewerbungsmappe.exe

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mischa.

Known Synonyms
"Petya's little brother"
Misha
Petya+Mischa
Petya-2

Internal MISP references

UUID a029df89-2bb1-409d-878b-a67572217a65 which can be used as unique global reference for Mischa in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/ - webarchive
• https://id-ransomware.blogspot.com/2016/05/petya-mischa-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.([a-zA-Z0-9]{4})']
payment-method	Bitcoin
price	1.9338
ransomnotes	['YOUR_FILES_ARE_ENCRYPTED.TXT ']
ransomnotes-filenames	['YOUR_FILES_ARE_ENCRYPTED.HTML']

MM Locker

Ransomware Based on EDA2

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MM Locker.

Known Synonyms
Booyah

Internal MISP references

UUID b95aa3fb-9f32-450e-8058-67d94f196913 which can be used as unique global reference for MM Locker in MISP communities and other software using the MISP galaxy

External references

• https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered - webarchive
• https://id-ransomware.blogspot.com/2016/06/mm-locker-ransomware-aes-2256-1.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	1.011 (400 $)
ransomnotes-filenames	['READ_IT.txt']

Related clusters

To see the related clusters, click here.

Mobef

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mobef.

Known Synonyms
CryptoBit
Yakes

Internal MISP references

UUID 681f212a-af1b-4e40-a718-81b0dc46dc52 which can be used as unique global reference for Mobef in MISP communities and other software using the MISP galaxy

External references

• http://nyxbone.com/malware/Mobef.html - webarchive
• http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/ - webarchive
• http://nyxbone.com/images/articulos/malware/mobef/0.png - webarchive
• http://id-ransomware.blogspot.com/2016/05/mobef-yakes-ransomware-4-bitcoins-2000.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.KEYZ', '.KEYH0LES']
payment-method	Bitcoin
price	4
ransomnotes	['IMPORTANT.README']
ransomnotes-filenames	['4-14-2016-INFECTION.TXT']

Related clusters

To see the related clusters, click here.

Monument

Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant

Internal MISP references

UUID 2702fb96-8118-4519-bd75-23eed40f25e9 which can be used as unique global reference for Monument in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/844826339186135040 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.15 - 0.2

N-Splitter

Ransomware Russian Koolova Variant

Internal MISP references

UUID 8ec55495-fb31-49c7-a720-40250b5e085f which can be used as unique global reference for N-Splitter in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/815961663644008448 - webarchive
• https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q - webarchive

Associated metadata

Metadata key	Value
extensions	['.кибер разветвитель']
payment-method	Bitcoin
price	0.5

n1n1n1

Ransomware Filemaker: "333333333333"

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular n1n1n1.

Known Synonyms
N1N1N1

Internal MISP references

UUID a439b37b-e123-4b1d-9400-94aca70b223a which can be used as unique global reference for n1n1n1 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/790608484303712256 - webarchive
• https://twitter.com/demonslay335/status/831891344897482754 - webarchive
• http://id-ransomware.blogspot.com/2016/09/n1n1n1-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1.5
ransomnotes-filenames	['decrypt explanations.html']

NanoLocker

Ransomware no extension change, has a GUI

Internal MISP references

UUID 03a91686-c607-49a8-a4e2-2054833c0013 which can be used as unique global reference for NanoLocker in MISP communities and other software using the MISP galaxy

External references

• http://github.com/Cyberclues/nanolocker-decryptor - webarchive
• https://id-ransomware.blogspot.com/2016/06/nanolocker-ransomware-aes-256-rsa-01.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + RSA
payment-method	Bitcoin
price	0.1 (43 $)
ransomnotes-filenames	['ATTENTION.RTF']

Related clusters

To see the related clusters, click here.

Nemucod

Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nemucod.

Known Synonyms
Nemucod-7z
Nemucod-AES

Internal MISP references

UUID f1ee9ae8-b798-4e6f-8f98-874395d0fa18 which can be used as unique global reference for Nemucod in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/nemucod - webarchive
• https://github.com/Antelox/NemucodFR - webarchive
• http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/ - webarchive
• https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/ - webarchive
• http://id-ransomware.blogspot.com/2016/04/nemucod-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	XOR(255) + 7zip
extensions	['.crypted']
payment-method	Bitcoin
price	0.39983 - 4
ransomnotes-filenames	['Decrypted.txt']

Netix

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Netix.

Known Synonyms
RANSOM_NETIX.A

Internal MISP references

UUID 5d3ec71e-9e0f-498a-aa33-0433799e80b4 which can be used as unique global reference for Netix in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/ - webarchive
• https://id-ransomware.blogspot.com/2017/01/netflix-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['AES-256']
payment-method	Bitcoin
price	0.18 (100 $)

Nhtnwcuf

Ransomware Does not encrypt the files / Files are destroyed

Internal MISP references

UUID 1d8e8ca3-da2a-494c-9db3-5b1b6277c363 which can be used as unique global reference for Nhtnwcuf in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/839221457360195589 - webarchive
• http://id-ransomware.blogspot.com/2017/03/nhtnwcuf-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1
ransomnotes-filenames	['!RECOVERY_HELP!.txt', 'HELP_ME_PLEASE.txt']

NMoreira

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NMoreira.

Known Synonyms
XPan
XRatTeam

Internal MISP references

UUID 51f00a39-f4b9-4ed2-ba0d-258c6bf3f71a which can be used as unique global reference for NMoreira in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/nmoreira - webarchive
• https://twitter.com/fwosar/status/803682662481174528 - webarchive
• id-ransomware.blogspot.com/2016/11/nmoreira-ransomware.html

Associated metadata

Metadata key	Value
encryption	mix of RSA and AES-256
extensions	['.maktub', '.__AiraCropEncrypted!']
payment-method	Bitcoin
price	0.5 - 1.5
ransomnotes-filenames	['Recupere seus arquivos. Leia-me!.txt']

NoobCrypt

Ransomware

Internal MISP references

UUID aeb76911-ed45-4bf2-9a60-e023386e02a4 which can be used as unique global reference for NoobCrypt in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/757267550346641408 - webarchive
• https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/ - webarchive
• https://id-ransomware.blogspot.com/2016/07/noobcrypt-ransomare-250-nzd.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	250 NZD (299 $)

Nuke

Ransomware

Internal MISP references

UUID e0bcb7d2-6032-43a0-b490-c07430d8a598 which can be used as unique global reference for Nuke in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/10/nuke-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.nuclear55']
payment-method	Email
ransomnotes-filenames	['!!RECOVERY_instructions!!.html', '!!RECOVERY_instructions!!.txt']

Nullbyte

Ransomware

Internal MISP references

UUID 460b700b-5d03-43f9-99e7-916ff180a036 which can be used as unique global reference for Nullbyte in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip - webarchive
• https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/ - webarchive
• http://id-ransomware.blogspot.com/2016/08/nullbyte-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['_nullbyte']
payment-method	Bitcoin
price	0.1

ODCODC

Ransomware

Internal MISP references

UUID f90724e4-c148-4479-ae1a-109498b4688f which can be used as unique global reference for ODCODC in MISP communities and other software using the MISP galaxy

External references

• http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip - webarchive
• http://www.nyxbone.com/malware/odcodc.html - webarchive
• https://twitter.com/PolarToffee/status/813762510302183424 - webarchive
• http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png - webarchive
• http://id-ransomware.blogspot.com/2016/05/odcodc-ransomware-rsa-2048.html - webarchive

Associated metadata

Metadata key	Value
encryption	XOR
extensions	['.odcodc', 'C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HOW_TO_RESTORE_FILES.txt']

Offline ransomware

Ransomware email addresses overlap with .777 addresses

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Offline ransomware.

Known Synonyms
Cryakl
Vipasana

Internal MISP references

UUID 3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39 which can be used as unique global reference for Offline ransomware in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive
• http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.cbf', 'email-[params].cbf']
payment-method	Email
ransomnotes-filenames	['desk.bmp', 'desk.jpg']

Related clusters

To see the related clusters, click here.

OMG! Ransomware

Ransomware. Infection: drive-by-download; Platform: Windows; Extorsion by Prepaid Voucher

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OMG! Ransomware.

Known Synonyms
GPCode

Internal MISP references

UUID 7914f9c9-3257-464c-b918-3754c4d018af which can be used as unique global reference for OMG! Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/pdf/2102.06249.pdf - webarchive

Associated metadata

Metadata key	Value
Encryption	RSA
extensions	['.LOL!', '.OMG!']
payment-method	Bitcoin
price	100 $
ransomnotes-filenames	['how to get data.txt']

Related clusters

To see the related clusters, click here.

Operation Global III

Ransomware Is a file infector (virus)

Internal MISP references

UUID e5800883-c663-4eb0-b05e-6034df5bc6e0 which can be used as unique global reference for Operation Global III in MISP communities and other software using the MISP galaxy

External references

• http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.EXE']
payment-method	Bitcoin
price	250 $

Owl

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Owl.

Known Synonyms
CryptoWire

Internal MISP references

UUID 4bb11db7-17a0-4536-b817-419ae6299004 which can be used as unique global reference for Owl in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/842342996775448576 - webarchive
• https://id-ransomware.blogspot.com/2016/10/cryptowire-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['dummy_file.encrypted', 'dummy_file.encrypted.[extension]']
payment-method	Bitcoin
price	0.29499335
ransomnotes-filenames	['log.txt']

Related clusters

To see the related clusters, click here.

PadCrypt

Ransomware has a live support chat

Internal MISP references

UUID 57c5df76-e72f-41b9-be29-89395f83a77c which can be used as unique global reference for PadCrypt in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/ - webarchive
• https://twitter.com/malwrhunterteam/status/798141978810732544 - webarchive
• http://id-ransomware.blogspot.com/2016/04/padcrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.padcrypt']
payment-method	Bitcoin
price	0.8
ransomnotes-filenames	['IMPORTANT READ ME.txt', 'File Decrypt Help.html']

Related clusters

To see the related clusters, click here.

Padlock Screenlocker

Ransomware Unlock code is: ajVr/G\ RJz0R

Internal MISP references

UUID 8f41c9ce-9bd4-4bbd-96d7-c965d1621be7 which can be used as unique global reference for Padlock Screenlocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/811635075158839296 - webarchive

Associated metadata

Metadata key	Value
payment-method	no ransom

Patcher

Ransomware Targeting macOS users

Internal MISP references

UUID e211ea8d-5042-48ae-86c6-15186d1f8dba which can be used as unique global reference for Patcher in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt']
payment-method	Bitcoin
price	0.25
ransomnotes-filenames	['README!.txt']

Related clusters

To see the related clusters, click here.

Petya

Ransomware encrypts disk partitions PDFBewerbungsmappe.exe

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Petya.

Known Synonyms
Goldeneye

Internal MISP references

UUID 7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a which can be used as unique global reference for Petya in MISP communities and other software using the MISP galaxy

External references

• http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator - webarchive
• https://www.youtube.com/watch?v=mSqxFjZq_z4 - webarchive
• https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/ - webarchive

Associated metadata

Metadata key	Value
encryption	Modified Salsa20
payment-method	Bitcoin - Website (onion)
ransomnotes-filenames	['YOUR_FILES_ARE_ENCRYPTED.TXT']

Related clusters

To see the related clusters, click here.

Philadelphia

Ransomware Coded by "The_Rainmaker"

Internal MISP references

UUID 6fd25982-9cf8-4379-a126-433c91aaadf2 which can be used as unique global reference for Philadelphia in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/philadelphia - webarchive
• www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/
• http://id-ransomware.blogspot.ru/2016/09/philadelphia-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked', '.locked']
payment-method	Bitcoin
price	0.3

PizzaCrypts

Ransomware

Internal MISP references

UUID 2482122b-1df6-488e-8867-215b165a4f66 which can be used as unique global reference for PizzaCrypts in MISP communities and other software using the MISP galaxy

External references

• http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip - webarchive
• https://id-ransomware.blogspot.com/2016/07/pizzacrypts-ransomware-1.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.id-[victim_id]-maestro@pizzacrypts.info']
payment-method	Email

PokemonGO

Ransomware Based on Hidden Tear

Internal MISP references

UUID 8b151275-d4c4-438a-9d06-92da2835586d which can be used as unique global reference for PokemonGO in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/pokemonGO.html - webarchive
• http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/ - webarchive
• https://id-ransomware.blogspot.com/2016/08/pokemongo-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin - Email

Polyglot

Ransomware Immitates CTB-Locker

Internal MISP references

UUID b22cafb4-ccef-4935-82f4-631a6e539b8e which can be used as unique global reference for Polyglot in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/8547 - webarchive
• https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
payment-method	Website (onion)

Related clusters

To see the related clusters, click here.

PowerWare

Ransomware Open-sourced PowerShell

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerWare.

Known Synonyms
PoshCoder

Internal MISP references

UUID 9fa93bb7-2997-4864-aa0e-0e667990dec8 which can be used as unique global reference for PowerWare in MISP communities and other software using the MISP galaxy

External references

• https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py - webarchive
• https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip - webarchive
• https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/ - webarchive
• http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/ - webarchive
• http://id-ransomware.blogspot.com/2016/04/powerware-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.locky']
payment-method	Bitcoin
price	500 $

Related clusters

To see the related clusters, click here.

PowerWorm

Ransomware no decryption possible, throws key away, destroys the files

Internal MISP references

UUID b54d59d7-b604-4b01-8002-5a2930732ca6 which can be used as unique global reference for PowerWorm in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
encryption	AES
payment-method	Website (onion)
ransomnotes-filenames	['DECRYPT_INSTRUCTION.html']

Princess Locker

Ransomware

Internal MISP references

UUID 7c8ff7e5-2cad-48e8-92e8-4c8226933cbc which can be used as unique global reference for Princess Locker in MISP communities and other software using the MISP galaxy

External references

• https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/ - webarchive
• https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/ - webarchive
• https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/ - webarchive
• http://id-ransomware.blogspot.com/2016/09/princess-locker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['[a-z]{4,6},[0-9]']
payment-method	Bitcoin
price	3 (1 800 $)
ransomnotes	['.id']
ransomnotes-filenames	['!HOW_TO_RESTORE[extension].TXT', '!HOW_TO_RESTORE[extension].html', '!HOW_TO_RESTOREid.txt', '@_USE_TO_FIX_JJnY.txt']

PRISM

Ransomware

Internal MISP references

UUID c0ebfb75-254d-4d85-9d02-a7af8e655068 which can be used as unique global reference for PRISM in MISP communities and other software using the MISP galaxy

External references

• http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/ - webarchive

Associated metadata

Metadata key	Value
payment-method	MoneyPak
price	300 $

Ps2exe

Ransomware

Internal MISP references

UUID 1da6653c-8657-4cdc-9eaf-0df9d2ebbf10 which can be used as unique global reference for Ps2exe in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/jiriatvirlab/status/803297700175286273 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

R

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular R.

Known Synonyms
NM3

Internal MISP references

UUID f7cd8956-2825-4104-94b1-e9589ab1089a which can be used as unique global reference for R in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/846705481741733892 - webarchive
• http://id-ransomware.blogspot.com/2017/03/r-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1 - 2
ransomnotes-filenames	['Ransomware.txt']

R980

Ransomware

Internal MISP references

UUID 6a7ebb0a-78bc-4fdc-92ae-1b02976b5499 which can be used as unique global reference for R980 in MISP communities and other software using the MISP galaxy

External references

• https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/ - webarchive
• http://id-ransomware.blogspot.com/2016/07/r980-ransomware-aes-256-rsa4096-05.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypt']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['DECRYPTION INSTRUCTIONS.txt', 'rtext.txt']

RAA encryptor

Ransomware Possible affiliation with Pony

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RAA encryptor.

Known Synonyms
RAA
RAA SEP

Internal MISP references

UUID b6d4faa1-6d76-42ff-8a18-238eb70cff06 which can be used as unique global reference for RAA encryptor in MISP communities and other software using the MISP galaxy

External references

• https://reaqta.com/2016/06/raa-ransomware-delivering-pony/ - webarchive
• http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/raa-ransomware-aes-256-039-250.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Bitcoin
price	0.39 (215 $)
ransomnotes-filenames	['!!!README!!![id].rtf']

Rabion

Ransomware RaaS Copy of Ranion RaaS

Internal MISP references

UUID 4a95257a-6646-492f-93eb-d15dff7ce1eb which can be used as unique global reference for Rabion in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/CryptoInsane/status/846181140025282561 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.05

Radamant

Ransomware

Internal MISP references

UUID 674c3bf6-2e16-427d-ab0f-b91676a460cd which can be used as unique global reference for Radamant in MISP communities and other software using the MISP galaxy

External references

• https://decrypter.emsisoft.com/radamant - webarchive
• http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/ - webarchive
• http://www.nyxbone.com/malware/radamant.html - webarchive
• https://id-ransomware.blogspot.com/2016/04/radamant-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.RDM', '.RRK', '.RAD', '.RADAMANT']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['YOUR_FILES.url']

Related clusters

To see the related clusters, click here.

Rakhni

Ransomware Files might be partially encrypted

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rakhni.

Known Synonyms
Agent.iih
Aura
Autoit
Bandarchor
Cryptokluchen
Isda
Lamer
Pletor
Rotor

Internal MISP references

UUID c85a41a8-a0a1-4963-894f-84bb980e6e86 which can be used as unique global reference for Rakhni in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/us/viruses/disinfection/10556 - webarchive
• https://id-ransomware.blogspot.com/2016/07/bandarchor-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked', '.kraken', '.darkness', '.nochance', '.oshit', '.oplata@qq_com', '.relock@qq_com', '.crypto', '.helpdecrypt@ukr.net', '.pizda@qq_com', '.dyatel@qq_com', '_ryp', '.nalog@qq_com', '.chifrator@qq_com', '.gruzin@qq_com', '.troyancoder@qq_com', '.encrypted', '.cry', '.AES256', '.enc', '.hb15', '.coderksu@gmail_com_id[0-9]{2,3}', '.crypt@india.com.[\w]{4,12}', '!@#$%_____%$#@.mail']
payment-method	Email
ransomnotes-filenames	['\fud.bmp', '\paycrypt.bmp', '\strongcrypt.bmp', '\maxcrypt.bmp', '%APPDATA%\Roaming\.bmp']

Related clusters

To see the related clusters, click here.

Ramsomeer

Ransomware Based on the DUMB ransomware

Internal MISP references

UUID 5b81ea66-9a44-43d8-bceb-22e5b0582f8d which can be used as unique global reference for Ramsomeer in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.3169

Rannoh

Ransomware

Internal MISP references

UUID d45f089b-efc7-45f8-a681-845374349d83 which can be used as unique global reference for Rannoh in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/8547 - webarchive

Associated metadata

Metadata key	Value
extensions	['locked-.[a-zA-Z]{4}']
payment-method	PaySafeCard
price	1000 $

RanRan

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RanRan.

Known Synonyms
ZXZ

Internal MISP references

UUID e01a0cfa-2c8c-4e08-963a-4fa1e8cc6a34 which can be used as unique global reference for RanRan in MISP communities and other software using the MISP galaxy

External references

• https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption - webarchive
• http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.zXz']
payment-method	Bitcoin
ransomnotes	['VictemKey_0_5', 'VictemKey_5_30', 'VictemKey_30_100', 'VictemKey_100_300', 'VictemKey_300_700', 'VictemKey_700_2000', 'VictemKey_2000_3000', 'VictemKey_3000']
ransomnotes-filenames	['zXz.html']

Ransoc

Ransomware Doesn't encrypt user files

Internal MISP references

UUID f0fcbac5-6216-4c3c-adcb-3aa06ab23340 which can be used as unique global reference for Ransoc in MISP communities and other software using the MISP galaxy

External references

• https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles - webarchive
• https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	100 $

Related clusters

To see the related clusters, click here.

Ransom32

Ransomware no extension change, Javascript Ransomware

Internal MISP references

UUID d74e2fa6-6b8d-49ed-80f9-07b274eecef8 which can be used as unique global reference for Ransom32 in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/04/ransom32.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
payment-method	Bitcoin
price	1

RansomLock

Ransomware Locks the desktop

Internal MISP references

UUID 24f98123-192c-4e31-b2ee-4c77afbdc3be which can be used as unique global reference for RansomLock in MISP communities and other software using the MISP galaxy

External references

• https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2 - webarchive

Associated metadata

Metadata key	Value
encryption	Asymmetric 1024
payment-method	Bitcoin
price	500 $

RarVault

Ransomware

Internal MISP references

UUID c8ee96a3-ac22-40c7-8ed2-df67aeaca08d which can be used as unique global reference for RarVault in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/09/rarvault-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1 - 50
ransomnotes-filenames	['RarVault.htm']

Razy

Ransomware

Internal MISP references

UUID f2a38c7b-054e-49ab-aa0e-67a7aac71837 which can be used as unique global reference for Razy in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/Razy(German).html - webarchive
• http://nyxbone.com/malware/Razy.html - webarchive
• http://id-ransomware.blogspot.com/2016/08/razy-ransomware-aes.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-128
extensions	['.razy', '.fear']
payment-method	Link

Rector

Ransomware

Internal MISP references

UUID 08f519f4-df8f-4baf-b7ac-c7a0c66f7e74 which can be used as unique global reference for Rector in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/4264 - webarchive

Associated metadata

Metadata key	Value
extensions	['.vscrypt', '.infected', '.bloc', '.korrektor']
payment-method	Bitcoin Email

RektLocker

Ransomware

Internal MISP references

UUID 5448f038-0558-45c7-bda7-76950f82846a which can be used as unique global reference for RektLocker in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/4264 - webarchive
• http://id-ransomware.blogspot.com/2016/08/rektlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.rekt']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['Readme.txt']

RemindMe

Ransomware

Internal MISP references

UUID 0120015c-7d37-469c-a966-7a0d42166e67 which can be used as unique global reference for RemindMe in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/RemindMe.html - webarchive
• http://i.imgur.com/gV6i5SN.jpg - webarchive
• http://id-ransomware.blogspot.com/2016/05/remindme-ransomware-2.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.remind', '.crashed']
payment-method	Bitcoin
price	2
ransomnotes	['decypt_your_files.html ']

Rokku

Ransomware possibly related with Chimera

Internal MISP references

UUID 61184aea-e87b-467d-b36e-cfc75ccb242f which can be used as unique global reference for Rokku in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/ - webarchive
• https://id-ransomware.blogspot.com/2016/04/rokku-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	Curve25519 + ChaCha
extensions	['.rokku']
payment-method	Bitcoin
price	0.2403 (100.29 $)
ransomnotes-filenames	['README_HOW_TO_UNLOCK.TXT', 'README_HOW_TO_UNLOCK.HTML']

Related clusters

To see the related clusters, click here.

RoshaLock

Ransomware Stores your files in a password protected RAR file

Internal MISP references

UUID e88a7509-9c79-42c1-8b0c-5e63af8e25b5 which can be used as unique global reference for RoshaLock in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/siri_urz/status/842452104279134209 - webarchive
• https://id-ransomware.blogspot.com/2017/02/allyourdocuments-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.35

Runsomewere

Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background

Internal MISP references

UUID 266b366b-2b4f-41af-a30f-eab1c63c9976 which can be used as unique global reference for Runsomewere in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/801812325657440256 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

RussianRoulette

Ransomware Variant of the Philadelphia ransomware

Internal MISP references

UUID 1149197c-89e7-4a8f-98aa-40ac0a9c0914 which can be used as unique global reference for RussianRoulette in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/823925410392080385 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.3

SADStory

Ransomware Variant of CryPy

Internal MISP references

UUID 6d81cee2-6c99-41fb-8b54-6581422d85dc which can be used as unique global reference for SADStory in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/845356853039190016 - webarchive
• http://id-ransomware.blogspot.com/2017/03/sadstory-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Email

Sage 2.2

Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.

Internal MISP references

UUID eacf3aee-ffb1-425a-862f-874e444a218d which can be used as unique global reference for Sage 2.2 in MISP communities and other software using the MISP galaxy

External references

• https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate - webarchive
• https://malwarebreakdown.com/2017/03/10/finding-a-good-man/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.sage']
payment-method	Bitcoin
price	0.52803 (625 $)

Samas-Samsam

Ransomware Targeted attacks -Jexboss -PSExec -Hyena

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Samas-Samsam.

Known Synonyms
MIKOPONI.exe
RikiRafael.exe
SamSam
SamSam Ransomware
Samas
Samsam
samsam.exe
showmehowto.exe

Internal MISP references

UUID 731e4a5e-35f2-47b1-80ba-150b95fdc14d which can be used as unique global reference for Samas-Samsam in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip - webarchive
• http://blog.talosintel.com/2016/03/samsam-ransomware.html - webarchive
• http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf - webarchive
• https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/ - webarchive
• https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/ - webarchive
• https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf - webarchive
• https://id-ransomware.blogspot.com/2016/03/samsam.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES(256) + RSA(2096)
extensions	['.encryptedAES', '.encryptedRSA', '.encedRSA', '.justbtcwillhelpyou', '.btcbtcbtc', '.btc-help-you', '.only-we_can-help_you', '.iwanthelpuuu', '.notfoundrans', '.encmywork', '.VforVendetta', '.theworldisyours', '.Whereisyourfiles', '.helpmeencedfiles', '.powerfulldecrypt', '.noproblemwedecfiles', '.weareyourfriends', '.otherinformation', '.letmetrydecfiles', '.encryptedyourfiles', '.weencedufiles', '.iaufkakfhsaraf', '.cifgksaffsfyghd', '.iloveworld', '.weapologize']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['HELP_DECRYPT_YOUR_FILES.html', '###-READ-FOR-HELLPP.html', '000-PLEASE-READ-WE-HELP.html', 'CHECK-IT-HELP-FILES.html', 'WHERE-YOUR-FILES.html', 'HELP-ME-ENCED-FILES.html', 'WE-MUST-DEC-FILES.html', '000-No-PROBLEM-WE-DEC-FILES.html', 'TRY-READ-ME-TO-DEC.html', '000-IF-YOU-WANT-DEC-FILES.html', 'LET-ME-TRY-DEC-FILES.html', '001-READ-FOR-DECRYPT-FILES.html', 'READ-READ-READ.html', 'IF_WANT_FILES_BACK_PLS_READ.html', 'READ_READ_DEC_FILES.html', 'HOW_TO_DECRYPT_FILES.html', 'HELP_FOR_DECRYPT_FILE.html', 'I_WILL_HELP_YOU_DECRYPT.html', 'PLEASE_READ_FOR_DECRYPT_FILES.html', 'WE-CAN-HELP-U.html', '0001-WE-CAN-HELP-U.html', 'SORRY-FOR-FILES.html']

Related clusters

To see the related clusters, click here.

Sanction

Ransomware Based on HiddenTear, but heavily modified keygen

Internal MISP references

UUID e7b69fbe-26ba-49df-aa62-a64525f89343 which can be used as unique global reference for Sanction in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/05/sanction-ransomware-3.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + RSA-2096
extensions	['.sanction']
payment-method	Bitcoin
price	3
ransomnotes-filenames	['DECRYPT_YOUR_FILES.HTML']

Sanctions

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sanctions.

Known Synonyms
Sanctions 2017

Internal MISP references

UUID 7b517c02-9f93-44c7-b957-10346803c43c which can be used as unique global reference for Sanctions in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/ - webarchive
• http://id-ransomware.blogspot.com/2017/03/sanctions-2017-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + RSA-2048
extensions	['.wallet']
payment-method	Bitcoin
price	6
ransomnotes-filenames	['RESTORE_ALL_DATA.html']

Sardoninir

Ransomware

Internal MISP references

UUID 6e49ecfa-1c25-4841-ae60-3b1c3c9c7710 which can be used as unique global reference for Sardoninir in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/835955409953357825 - webarchive

Associated metadata

Metadata key	Value
extensions	['.enc']
payment-method	Bitcoin
price	100 $

Satana

Ransomware

Internal MISP references

UUID a127a59e-9e4c-4c2b-b833-cabd076c3016 which can be used as unique global reference for Satana in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/ - webarchive
• https://blog.kaspersky.com/satana-ransomware/12558/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/satana-ransomware-0.html - webarchive

Associated metadata

Metadata key	Value
extensions	['Sarah_G@ausi.com___']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['!satana!.txt']

Related clusters

To see the related clusters, click here.

Scraper

Ransomware

Internal MISP references

UUID c0c685b8-a59d-4922-add9-e572d5fd48cd which can be used as unique global reference for Scraper in MISP communities and other software using the MISP galaxy

External references

• http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/ - webarchive

Associated metadata

Metadata key	Value

Serpico

Ransomware DetoxCrypto Variant

Internal MISP references

UUID bd4bfbab-c21d-4971-b70c-b180bcf40630 which can be used as unique global reference for Serpico in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/Serpico.html - webarchive
• http://id-ransomware.blogspot.com/2016/08/serpico-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
payment-method	Euros
price	50

Related clusters

To see the related clusters, click here.

Shark

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shark.

Known Synonyms
Atom

Internal MISP references

UUID 503c9910-902f-4bae-8c33-ea29db8bdd7f which can be used as unique global reference for Shark in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/ - webarchive
• http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	50 - 100 - 200 $
ransomnotes-filenames	['Readme.txt']

Related clusters

To see the related clusters, click here.

ShinoLocker

Ransomware

Internal MISP references

UUID bc029327-ee34-4eba-8933-bd85f2a1e9d1 which can be used as unique global reference for ShinoLocker in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/JakubKroustek/status/760560147131408384 - webarchive
• http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/ - webarchive
• https://id-ransomware.blogspot.com/2016/08/shinolocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.shino']
payment-method	no ransom

Shujin

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shujin.

Known Synonyms
KinCrypt

Internal MISP references

UUID b9963d52-a391-4e9c-92e7-d2a147d5451f which can be used as unique global reference for Shujin in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/chineseRansom.html - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/ - webarchive
• http://id-ransomware.blogspot.com/2016/05/chinese-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1
ransomnotes-filenames	['文件解密帮助.txt']

Related clusters

To see the related clusters, click here.

Simple_Encoder

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Simple_Encoder.

Known Synonyms
Tilde

Internal MISP references

UUID 2709b2ff-a2be-49a9-b268-2576170a5dff which can be used as unique global reference for Simple_Encoder in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/ - webarchive
• https://id-ransomware.blogspot.com/2016/07/tilde-ransomware-aes-08.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.~']
payment-method	Bitcoin
price	0.8
ransomnotes-filenames	['_RECOVER_INSTRUCTIONS.ini']

SkidLocker

Ransomware Based on EDA2

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SkidLocker.

Known Synonyms
Pompous

Internal MISP references

UUID 44b6b99e-b1d9-4605-95c2-55c14c7c25be which can be used as unique global reference for SkidLocker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/ - webarchive
• http://www.nyxbone.com/malware/SkidLocker.html - webarchive
• http://id-ransomware.blogspot.com/2016/04/pompous-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	0.5
ransomnotes-filenames	['READ_IT.txt']

Smash!

Ransomware

Internal MISP references

UUID 27283e74-abc6-4d8a-bcb6-a60804b8e264 which can be used as unique global reference for Smash! in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/ - webarchive

Associated metadata

Metadata key	Value
payment-method	no ransom

Smrss32

Ransomware

Internal MISP references

UUID cd21bb2a-0c6a-463b-8c0e-16da251f69ae which can be used as unique global reference for Smrss32 in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/08/smrss32-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted']
payment-method	Bitcoin
price	0.66 (300 $)
ransomnotes-filenames	['_HOW_TO_Decrypt.bmp']

SNSLocker

Ransomware Based on EDA2

Internal MISP references

UUID 82658f48-6a62-4dee-bd87-382e76b84c3d which can be used as unique global reference for SNSLocker in MISP communities and other software using the MISP galaxy

External references

• http://nyxbone.com/malware/SNSLocker.html - webarchive
• http://nyxbone.com/images/articulos/malware/snslocker/16.png - webarchive
• http://id-ransomware.blogspot.com/2016/05/sns-locker-ransomware-aes-256-066.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.RSNSlocked', '.RSplited']
payment-method	Bitcoin
price	0.66 (300 $)
ransomnotes-filenames	['READ_Me.txt']

Sport

Ransomware

Internal MISP references

UUID 9526efea-8853-42f2-89be-a04ee1ca4c7d which can be used as unique global reference for Sport in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
extensions	['.sport']
payment-method	Bitcoin

Stampado

Ransomware Coded by "The_Rainmaker" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key

Internal MISP references

UUID 6b8729b0-7ffc-4d07-98de-e5210928b274 which can be used as unique global reference for Stampado in MISP communities and other software using the MISP galaxy

External references

• https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221 - webarchive
• http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/ - webarchive
• https://decrypter.emsisoft.com/stampado - webarchive
• https://cdn.streamable.com/video/mp4/kfh3.mp4 - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/ - webarchive
• https://id-ransomware.blogspot.com/2016/07/stampado-ransomware-1.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	1
ransomnotes	['Random message includes bitcoin wallet address with instructions']

Strictor

Ransomware Based on EDA2, shows Guy Fawkes mask

Internal MISP references

UUID d75bdd85-032a-46b7-a339-257fd5656c11 which can be used as unique global reference for Strictor in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/Strictor.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	500 - 1000 $

Surprise

Ransomware Based on EDA2

Internal MISP references

UUID 6848b77c-92c8-40ec-90ac-9c14b9f17272 which can be used as unique global reference for Surprise in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/05/surprise-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.surprise', '.tzu']
payment-method	Bitcoin
price	0.5 - 25
ransomnotes	['DECRYPTION_HOWTO.Notepad']

Survey

Ransomware Still in development, shows FileIce survey

Internal MISP references

UUID 11725992-3634-4715-ae17-b6f5ed13b877 which can be used as unique global reference for Survey in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ - webarchive

Associated metadata

Metadata key	Value
payment-method	no ransom
ransomnotes-filenames	['ThxForYurTyme.txt']

SynoLocker

Ransomware Exploited Synology NAS firmware directly over WAN

Internal MISP references

UUID 27740d5f-30cf-4c5c-812c-15c0918ce9f0 which can be used as unique global reference for SynoLocker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
payment-method	Website (onion)

SZFLocker

Ransomware

Internal MISP references

UUID a7845bbe-d7e6-4c7b-a9b8-dccbd93bc4b2 which can be used as unique global reference for SZFLocker in MISP communities and other software using the MISP galaxy

External references

• http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/szflocker-polish-ransomware-email.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.szf']
payment-method	Email

TeamXrat

Ransomware

Internal MISP references

UUID 65a31863-4f59-4c66-bc2d-31e8fb68bbe8 which can be used as unique global reference for TeamXrat in MISP communities and other software using the MISP galaxy

External references

• https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.___xratteamLucked']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['Como descriptografar os seus arquivos.txt']

TeslaCrypt 0.x - 2.2.0

Ransomware Factorization

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeslaCrypt 0.x - 2.2.0.

Known Synonyms
AlphaCrypt

Internal MISP references

UUID af92c71e-935e-4486-b4e7-319bf16d622e which can be used as unique global reference for TeslaCrypt 0.x - 2.2.0 in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ - webarchive
• http://www.talosintel.com/teslacrypt_tool/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.vvv', '.ecc', '.exx', '.ezz', '.abc', '.aaa', '.zzz', '.xyz']
payment-method	Bitcoin
ransomnotes-filenames	['HELP_TO_SAVE_FILES.txt', 'Howto_RESTORE_FILES.html']

TeslaCrypt 3.0+

Ransomware 4.0+ has no extension

Internal MISP references

UUID bd19dfff-7c8d-4c94-967e-f8ffc19e7dd9 which can be used as unique global reference for TeslaCrypt 3.0+ in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ - webarchive
• http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ - webarchive
• https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + ECHD + SHA1
extensions	['.micro', '.xxx', '.ttt', '.mp3']
payment-method	Bitcoin

TeslaCrypt 4.1A

Ransomware

Internal MISP references

UUID ab6b8f56-cf2d-4733-8f9c-df3d52c05e66 which can be used as unique global reference for TeslaCrypt 4.1A in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ - webarchive
• http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ - webarchive
• https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/ - webarchive
• https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 + ECHD + SHA1
payment-method	Bitcoin
ransomnotes-filenames	['RECOVER<5_chars>.html', 'RECOVER<5_chars>.png', 'RECOVER<5_chars>.txt', 'how_recover+.txt', '_how_recover+.html', 'help_recover_instructions+.html', 'help_recover_instructions+.txt', 'help_recover_instructions+.BMP', '_H_e_l_p_RECOVER_INSTRUCTIONS+.txt', '_H_e_l_p_RECOVER_INSTRUCTIONS+.html', '_H_e_l_p_RECOVER_INSTRUCTIONS+.png', 'Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt', 'RESTORE_FILES.TXT , e.g. restore_files_kksli.bmp', 'HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp', 'HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt', 'HELP_TO_SAVE_FILES.txt', 'HELP_TO_SAVE_FILES.bmp']

TeslaCrypt 4.2

Ransomware

Internal MISP references

UUID eed65c12-b179-4002-a11b-7a2e2df5f0c8 which can be used as unique global reference for TeslaCrypt 4.2 in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ - webarchive
• http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ - webarchive
• https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/ - webarchive
• http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
ransomnotes-filenames	['RECOVER<5_chars>.html', 'RECOVER<5_chars>.png', 'RECOVER<5_chars>.txt', 'how_recover+.txt', '_how_recover+.html', 'help_recover_instructions+.BMP', 'help_recover_instructions+.html', 'help_recover_instructions+.txt', '_H_e_l_p_RECOVER_INSTRUCTIONS+.txt', '_H_e_l_p_RECOVER_INSTRUCTIONS+.html', '_H_e_l_p_RECOVER_INSTRUCTIONS+.png', 'Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt', 'RESTORE_FILES.TXT , e.g. restore_files_kksli.bmp', 'HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp', 'HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt', 'HELP_TO_SAVE_FILES.txt', 'HELP_TO_SAVE_FILES.bmp']

Threat Finder

Ransomware Files cannot be decrypted Has a GUI

Internal MISP references

UUID c0bce92a-63b8-4538-93dc-0911ae46596d which can be used as unique global reference for Threat Finder in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	1.25
ransomnotes-filenames	['HELP_DECRYPT.HTML']

TorrentLocker

Ransomware Newer variants not decryptable. Only first 2 MB are encrypted

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TorrentLocker.

Known Synonyms
Crypt0L0cker
CryptoFortress
Teerac

Internal MISP references

UUID b817ce63-f1c3-49de-bd8b-fd56c3f956c9 which can be used as unique global reference for TorrentLocker in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/ - webarchive
• https://twitter.com/PolarToffee/status/804008236600934403 - webarchive
• http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html - webarchive
• http://id-ransomware.blogspot.ru/2016/05/torrentlocker-ransomware-aes-cbc-2048.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt
extensions	['.Encrypted', '.enc']
payment-method	Bitcoin
price	4.081
ransomnotes-filenames	['HOW_TO_RESTORE_FILES.html', 'DECRYPT_INSTRUCTIONS.html', 'DESIFROVANI_POKYNY.html', 'INSTRUCCIONES_DESCIFRADO.html', 'ISTRUZIONI_DECRITTAZIONE.html', 'ENTSCHLUSSELN_HINWEISE.html', 'ONTSLEUTELINGS_INSTRUCTIES.html', 'INSTRUCTIONS_DE_DECRYPTAGE.html', 'SIFRE_COZME_TALIMATI.html', 'wie_zum_Wiederherstellen_von_Dateien.txt']

Related clusters

To see the related clusters, click here.

TowerWeb

Ransomware

Internal MISP references

UUID 4d470cf8-09b6-4d0e-8e5a-2f618e48c560 which can be used as unique global reference for TowerWeb in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/towerweb-ransonware-100.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	100 - 150 $
ransomnotes-filenames	['Payment_Instructions.jpg']

Toxcrypt

Ransomware

Internal MISP references

UUID 08fc7534-fe85-488b-92b0-630c0d91ecbe which can be used as unique global reference for Toxcrypt in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2016/06/toxcrypt-ransomware-aes-crypto-0.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.toxcrypt']
payment-method	Bitcoin
price	0.23
ransomnotes-filenames	['tox.html']

Trojan

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.

Known Synonyms
BrainCrypt

Internal MISP references

UUID 97673387-75ae-4da4-9a5f-38773f2492e7 which can be used as unique global reference for Trojan in MISP communities and other software using the MISP galaxy

External references

• https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip - webarchive
• https://twitter.com/PolarToffee/status/811249250285842432 - webarchive
• http://id-ransomware.blogspot.com/2016/12/braincrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.braincrypt']
payment-method	Email
ransomnotes-filenames	['!!! HOW TO DECRYPT FILES !!!.txt']

Troldesh orShade, XTBL

Ransomware May download additional malware after encryption

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Troldesh orShade, XTBL.

Known Synonyms
Shade
Troldesh

Internal MISP references

UUID 6c3dd006-3501-4ebc-ab86-b06e4d555194 which can be used as unique global reference for Troldesh orShade, XTBL in MISP communities and other software using the MISP galaxy

External references

• https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf - webarchive
• http://www.nyxbone.com/malware/Troldesh.html - webarchive
• https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/troldesh-ransomware-email.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.breaking_bad', '.better_call_saul', '.xtbl', '.da_vinci_code', '.windows10', '.no_more_ransom']
payment-method	Email
ransomnotes-filenames	['README.txt', 'nomoreransom_note_original.txt']

TrueCrypter

Ransomware

Internal MISP references

UUID c46bfed8-7010-432a-8108-138f6d067000 which can be used as unique global reference for TrueCrypter in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/ - webarchive
• http://id-ransomware.blogspot.com/2016/04/truecrypter-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.enc']
payment-method	Bitcoin
price	0.2 (115 $)

Turkish

Ransomware

Internal MISP references

UUID 132c39fc-1364-4210-aef9-48f73afc1108 which can be used as unique global reference for Turkish in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/821991600637313024 - webarchive

Associated metadata

Metadata key	Value
extensions	['.sifreli']
payment-method	Bitcoin
price	100 $

Turkish Ransom

Ransomware

Internal MISP references

UUID 174dd201-0b0b-4a76-95c7-71f8141684d0 which can be used as unique global reference for Turkish Ransom in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/turkishRansom.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.locked']
payment-method	Bitcoin
price	2
ransomnotes-filenames	['DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html']

UmbreCrypt

Ransomware CrypBoss Family

Internal MISP references

UUID 028b3489-51da-45d7-8bd0-62044e9ea49f which can be used as unique global reference for UmbreCrypt in MISP communities and other software using the MISP galaxy

External references

• http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware - webarchive
• https://id-ransomware.blogspot.com/2016/06/umbrecrypt-ransomware-aes.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['umbrecrypt_ID_[VICTIMID]']
payment-method	Email
ransomnotes-filenames	['README_DECRYPT_UMBRE_ID_[victim_id].jpg', 'README_DECRYPT_UMBRE_ID_[victim_id].txt', 'default32643264.bmp', 'default432643264.jpg']

UnblockUPC

Ransomware

Internal MISP references

UUID 5a9f9ebe-f4c8-4985-8890-743f59d658fd which can be used as unique global reference for UnblockUPC in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/ - webarchive
• http://id-ransomware.blogspot.com/2016/09/unblockupc-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Website
price	0.18
ransomnotes-filenames	['Files encrypted.txt']

Ungluk

Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key

Internal MISP references

UUID bb8c6b80-91cb-4c01-b001-7b9e73228420 which can be used as unique global reference for Ungluk in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/05/bitmessage-ransomware-aes-256-25-btc.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.H3LL', '.0x0', '.1999']
payment-method	Website
price	2.5
ransomnotes-filenames	['READTHISNOW!!!.txt', 'Hellothere.txt', 'YOUGOTHACKED.TXT']

Unlock92

Ransomware

Internal MISP references

UUID dfe760e5-f878-492d-91d0-05fa45a2849d which can be used as unique global reference for Unlock92 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/839038399944224768 - webarchive
• http://id-ransomware.blogspot.com/2017/02/unlock26-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.CRRRT', '.CCCRRRPPP']
payment-method	Website
ransomnotes-filenames	['READ_ME_!.txt']

VapeLauncher

Ransomware CryptoWire variant

Internal MISP references

UUID 7799247c-4e6a-4c20-b0b3-d8e6a8ab6783 which can be used as unique global reference for VapeLauncher in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/839771195830648833 - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	200 $

VaultCrypt

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VaultCrypt.

Known Synonyms
CrypVault
Zlader

Internal MISP references

UUID 63a82b7f-9a71-47a8-9a79-14acc6595da5 which can be used as unique global reference for VaultCrypt in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/russianRansom.html - webarchive

Associated metadata

Metadata key	Value
encryption	uses gpg.exe
extensions	['.vault', '.xort', '.trun']
payment-method	Bitcoin
price	0.438
ransomnotes-filenames	['VAULT.txt', 'xort.txt', 'trun.txt', '.hta

Related clusters

To see the related clusters, click here.

VBRANSOM 7

Ransomware

Internal MISP references

UUID 44a56cd0-8cd8-486f-972d-4b1b416e9077 which can be used as unique global reference for VBRANSOM 7 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/817851339078336513 - webarchive

Associated metadata

Metadata key	Value
extensions	['.VBRANSOM']
payment-method	Website (onion)

VenusLocker

Ransomware Based on EDA2

Internal MISP references

UUID 7340c6d6-a16e-4a01-8bb4-8ad3edc64d28 which can be used as unique global reference for VenusLocker in MISP communities and other software using the MISP galaxy

External references

• https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social - webarchive
• http://www.nyxbone.com/malware/venusLocker.html - webarchive
• https://id-ransomware.blogspot.com/2016/08/venuslocker-ransomware-aes-256.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.Venusf', '.Venusp']
payment-method	Bitcoin
price	0.15 (100 $)
ransomnotes-filenames	['ReadMe.txt']

Virlock

Ransomware Polymorphism / Self-replication

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Virlock.

Known Synonyms
NSMF

Internal MISP references

UUID 5c736959-6c58-4bf2-b084-7197b42e500a which can be used as unique global reference for Virlock in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/Virlock.html - webarchive
• http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.exe']
payment-method	Bitcoin
price	250 $

Virus-Encoder

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Virus-Encoder.

Known Synonyms
CrySiS

Internal MISP references

UUID 15a30d84-4f5f-4b75-a162-e36107d30215 which can be used as unique global reference for Virus-Encoder in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/ - webarchive
• http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip - webarchive
• http://www.nyxbone.com/malware/virus-encoder.html - webarchive
• http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES-256
extensions	['.CrySiS', '.xtbl', '.crypt', '.DHARMA', '.id-########.decryptformoney@india.com.xtbl', '.[email_address].DHARMA']
payment-method	Bitcoin
price	2.5 - 3
ransomnotes-filenames	['How to decrypt your data.txt']

WildFire Locker

Ransomware Zyklon variant

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WildFire Locker.

Known Synonyms
Hades Locker

Internal MISP references

UUID 31945e7b-a734-4333-9ea2-e52051ca015a which can be used as unique global reference for WildFire Locker in MISP communities and other software using the MISP galaxy

External references

• https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/wildfire-locker-ransomware-aes-256-cbc.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.wflx']
payment-method	Bitcoin
price	299 $
ransomnotes-filenames	['HOW_TO_UNLOCK_FILES_README_().txt']

Related clusters

To see the related clusters, click here.

Xorist

Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length

Internal MISP references

UUID 0a15a920-9876-4985-9d3d-bb0794722258 which can be used as unique global reference for Xorist in MISP communities and other software using the MISP galaxy

External references

• https://support.kaspersky.com/viruses/disinfection/2911 - webarchive
• https://decrypter.emsisoft.com/xorist - webarchive
• https://twitter.com/siri_urz/status/1006833669447839745 - webarchive
• https://id-ransomware.blogspot.com/2016/06/xrtn-ransomware-rsa-1024-gnu-privacy.html - webarchive

Associated metadata

Metadata key	Value
encryption	XOR or TEA
extensions	['.EnCiPhErEd', '.73i87A', '.p5tkjw', '.PoAr2w', '.fileiscryptedhard', '.encoderpass', '.zc3791', '.antihacker2017', '....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT']
payment-method	Bitcoin
price	0.8
ransomnotes-filenames	['HOW TO DECRYPT FILES.TXT']
ransomnotes-refs	['https://pbs.twimg.com/media/Dfj9G_2XkAE0ZS2.jpg', 'https://pbs.twimg.com/media/Dfj9H66WkAEHazN.jpg']

XRTN

Ransomware VaultCrypt family

Internal MISP references

UUID 22ff9f8c-f658-46cc-a404-1a54e1b74569 which can be used as unique global reference for XRTN in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
extensions	['.xrtn']

You Have Been Hacked!!!

Ransomware Attempt to steal passwords

Internal MISP references

UUID 0810ea3e-1cd6-4ea3-a416-5895fb685c5b which can be used as unique global reference for You Have Been Hacked!!! in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/808280549802418181 - webarchive

Associated metadata

Metadata key	Value
extensions	['.Locked']
payment-method	Bitcoin
price	0.25

Zcrypt

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zcrypt.

Known Synonyms
Zcryptor

Internal MISP references

UUID 7eed5e96-0219-4355-9a9c-44643272894c which can be used as unique global reference for Zcrypt in MISP communities and other software using the MISP galaxy

External references

• https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/ - webarchive
• http://id-ransomware.blogspot.com/2016/05/zcrypt-ransomware-rsa-2048-email.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.zcrypt']
payment-method	Bitcoin
price	1.2 - 5

Zimbra

Ransomware mpritsken@priest.com

Internal MISP references

UUID 07346620-a0b4-48d5-9158-5048741f5078 which can be used as unique global reference for Zimbra in MISP communities and other software using the MISP galaxy

External references

• http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/ - webarchive
• https://id-ransomware.blogspot.com/2016/06/zimbra-ransomware-aes-optzimbrastore.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crypto']
payment-method	Bitcoin
price	3
ransomnotes-filenames	['how.txt']

Zlader

Ransomware VaultCrypt family

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zlader.

Known Synonyms
CrypVault
Russian
VaultCrypt

Internal MISP references

UUID 2195387d-ad9c-47e6-8f14-a49388b26eab which can be used as unique global reference for Zlader in MISP communities and other software using the MISP galaxy

External references

• http://www.nyxbone.com/malware/russianRansom.html - webarchive

Associated metadata

Metadata key	Value
encryption	RSA
extensions	['.vault']
payment-method	Bitcoin
price	100 - 900 $

Related clusters

To see the related clusters, click here.

Zorro

Ransomware

Internal MISP references

UUID b2bd25e1-d41c-42f2-8971-ecceceb6ba08 which can be used as unique global reference for Zorro in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/BleepinComputer/status/844538370323812353 - webarchive
• http://id-ransomware.blogspot.com/2017/03/zorro-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.zorro']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['Take_Seriously (Your saving grace).txt']

Zyklon

Ransomware Hidden Tear family, GNL Locker variant

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zyklon.

Known Synonyms
GNL Locker
Zyklon Locker

Internal MISP references

UUID 78ef77ac-a570-4fb9-af80-d04c09dff9ab which can be used as unique global reference for Zyklon in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2016/05/zyklon-locker-ransomware-windows-250.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.zyklon']
payment-method	Euro
price	250

Related clusters

To see the related clusters, click here.

vxLock

Ransomware

Internal MISP references

UUID 37950a1c-0035-49e0-9278-e878df0a10f3 which can be used as unique global reference for vxLock in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2017/01/vxlock-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.vxLock']
payment-method	Bitcoin
price	0.3

Jaff

We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.

Internal MISP references

UUID 8e3d44d0-6768-4b54-88b0-2e004a7f2297 which can be used as unique global reference for Jaff in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintelligence.com/2017/05/jaff-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/ - webarchive
• http://id-ransomware.blogspot.com/2017/05/jaff-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.jaff']
payment-method	Bitcoin
price	1.82 - 2.036
ransomnotes-filenames	['WallpapeR.bmp', 'ReadMe.bmp', 'ReadMe.html', 'ReadMe.txt']

Related clusters

To see the related clusters, click here.

Uiwix Ransomware

Using EternalBlue SMB Exploit To Infect Victims

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Uiwix Ransomware.

Known Synonyms
UIWIX

Internal MISP references

UUID 369d6fda-0284-44aa-9e74-f6651416fec4 which can be used as unique global reference for Uiwix Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/ - webarchive
• http://id-ransomware.blogspot.com/2017/05/uiwix-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	may be a mixture of AES and RC4.
extensions	['._[10_digit_victim_id].UIWIX']
payment-method	Bitcoin
price	0.122
ransomnotes-filenames	['DECODE_FILES.txt']

SOREBRECT

Fileless, Code-injecting Ransomware

Internal MISP references

UUID 34cedaf0-b1f0-4b5d-b7bd-2eadfc630ea7 which can be used as unique global reference for SOREBRECT in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.pr0tect']
payment-method	Email
ransomnotes-refs	['http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg']

Cyron

claims it detected "Children Pornsites" in your browser history

Internal MISP references

UUID f597d388-886e-46d6-a5cc-26deeb4674f2 which can be used as unique global reference for Cyron in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/899524853426008064 - webarchive
• https://id-ransomware.blogspot.com/2017/08/cyron-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.CYRON']
payment-method	PaySafeCard
price	50 €
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg']

Kappa

Made with OXAR builder; decryptable

Internal MISP references

UUID 3330e226-b71a-4ee4-8612-2b06b58368fc which can be used as unique global reference for Kappa in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/899528477824700416 - webarchive

Associated metadata

Metadata key	Value
extensions	['.OXR']
payment-method	Bitcoin Email
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg']

Trojan Dz

CyberSplitter variant

Internal MISP references

UUID 1fe6c23b-863e-49e4-9439-aa9e999aa2e1 which can be used as unique global reference for Trojan Dz in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/899537940539478016 - webarchive

Associated metadata

Metadata key	Value
extensions	['.Isis']
payment-method	Bitcoin
price	0.5
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg']

Xolzsec

ransomware written by self proclaimed script kiddies that should really be considered trollware

Internal MISP references

UUID f2930308-2e4d-4af5-b119-746be0fe7f2c which can be used as unique global reference for Xolzsec in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/899916577252028416 - webarchive
• http://id-ransomware.blogspot.com/2017/08/xolzsec-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.xolzsec']
payment-method	no ransom

FlatChestWare

HiddenTear variant; decryptable

Internal MISP references

UUID d29341fd-f48e-4caa-8a28-b17853b779d1 which can be used as unique global reference for FlatChestWare in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/900238572409823232 - webarchive
• https://id-ransomware.blogspot.com/2017/08/flatchestware-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.flat']
payment-method	Bitcoin
price	250 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg']

SynAck

The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SynAck.

Known Synonyms
Syn Ack

Internal MISP references

UUID 04585cd8-54ae-420f-9191-8ddb9b88a80c which can be used as unique global reference for SynAck in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/ - webarchive
• https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/ - webarchive
• https://id-ransomware.blogspot.com/2017/09/synack-ransomware.html - webarchive

Associated metadata

Metadata key	Value
links	['http://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion/']
payment-method	Bitcoin
price	2 100 $
ransomnotes-filenames	['RESTORE_INFO-[id].txt']

Related clusters

To see the related clusters, click here.

SyncCrypt

A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.

Internal MISP references

UUID 83d10b83-9038-4dd6-b305-f14c21478588 which can be used as unique global reference for SyncCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/ - webarchive
• http://id-ransomware.blogspot.com/2017/08/synccrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.kk']
payment-method	Bitcoin
price	0.1
ransomnotes-filenames	['readme.html', 'readme.png']

Related clusters

To see the related clusters, click here.

Bad Rabbit

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bad Rabbit.

Known Synonyms
Bad-Rabbit
BadRabbit

Internal MISP references

UUID e8af6388-6575-4812-94a8-9df1567294c5 which can be used as unique global reference for Bad Rabbit in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintelligence.com/2017/10/bad-rabbit.html - webarchive
• https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html - webarchive
• https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ - webarchive
• https://securelist.com/bad-rabbit-ransomware/82851/ - webarchive
• http://www.intezer.com/notpetya-returns-bad-rabbit/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES+RSA
payment-method	Bitcoin
price	0.05 (300 $)
ransomnotes	['https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png']

Related clusters

To see the related clusters, click here.

Halloware

A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.

Internal MISP references

UUID b366627d-dbc0-45ba-90bc-5f5694f45e35 which can be used as unique global reference for Halloware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/ - webarchive
• http://id-ransomware.blogspot.com/2017/11/halloware-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['(Lucifer) [prepend]']
payment-method	Bitcoin
price	150 $

StorageCrypt

Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. User's have also reported that each share on their NAS device contains a Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the beast. From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.

Internal MISP references

UUID 0b920d03-971f-413c-8057-60d187192140 which can be used as unique global reference for StorageCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/ - webarchive
• https://id-ransomware.blogspot.com/2017/11/storagecrypter.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Bitcoin
price	0.2 - 0.4 - 2
ransomnotes	["Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:"]
ransomnotes-filenames	['_READ_ME_FOR_DECRYPT.txt']

HC7

A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network. Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor. Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.

Internal MISP references

UUID 9325e097-9fea-490c-9b89-c2d40c166101 which can be used as unique global reference for HC7 in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/ - webarchive
• https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.GOTYA']
payment-method	Bitcoin
price	500 - 700 $
ransomnotes	['ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK']
ransomnotes-filenames	['RECOVERY.txt']

HC6

Predecessor of HC7

Internal MISP references

UUID 909fde65-e015-40a9-9012-8d3ef62bba53 which can be used as unique global reference for HC6 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw - webarchive
• https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/ - webarchive
• http://id-ransomware.blogspot.com/2017/11/hc6-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.fucku']
payment-method	Bitcoin
price	2 500 $

qkG

Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular qkG.

Known Synonyms
QkG

Internal MISP references

UUID 1f3eab7f-da0a-4e0b-8a9f-cda2f146c819 which can be used as unique global reference for qkG in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/ - webarchive
• http://id-ransomware.blogspot.com/2017/11/qkg-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	300 $

Scarab

The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year. Written in Delphi, the first version was simplistic and was recognizable via the ".scarab" extension it appended after the names of encrypted files. Malwarebytes researcher Marcelo Rivera spotted a second version in July that used the ".scorpio" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension. The current version of Scarab encrypts files but does not change original file names as previous versions. This Scarab version appends each file's name with the ".[suupport@protonmail.com].scarab" extension. Scarab also deletes shadow volume copies and drops a ransom note named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" on users' computers, which it opens immediately.

Internal MISP references

UUID cf8fbd03-4510-41cc-bec3-712fa7609aa4 which can be used as unique global reference for Scarab in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/ - webarchive
• https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/ - webarchive
• https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware - webarchive
• https://twitter.com/malwrhunterteam/status/933643147766321152 - webarchive
• https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/ - webarchive
• https://twitter.com/demonslay335/status/1006222754385924096 - webarchive
• https://twitter.com/demonslay335/status/1006908267862396928 - webarchive
• https://twitter.com/demonslay335/status/1007694117449682945 - webarchive
• https://twitter.com/demonslay335/status/1049316344183836672 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://twitter.com/Amigo_A_/status/1039105453735784448 - webarchive
• https://twitter.com/GrujaRS/status/1072057088019496960 - webarchive
• http://id-ransomware.blogspot.com/2017/06/scarab-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.scarab', '.scorpio', '.[suupport@protonmail.com].scarab', '.fastrecovery@airmail.cc', '.files-xmail@cock.li.TXT', '.leen', '.qweuirtksd', '.mammon', '.omerta', '.bomber', '.CRYPTO', '.lolita', '.stevenseagal@airmail.cc', '.lol', '.crypted034', '.ironhead']
payment-method	Bitcoin Email
ransomnotes	['Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!', "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future."]
ransomnotes-filenames	['IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT', 'HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT', 'HOW TO RECOVER ENCRYPTED FILES.TXT', 'INSTRUCTIONS FOR RESTORING FILES.TXT', '!!!ReadMeToDecrypt.txt', '_How to restore files.TXT', 'How to restore encrypted files.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtzAAIAW0AEHC86[1].jpg', 'https://pbs.twimg.com/media/DuC07vPWkAAMekP.jpg']

File Spider

A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam start with subjects like"Potrazivanje dugovanja", which translates to "Debt Collection" and whose message, according to Google Translate, appear to be in Serbian.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular File Spider.

Known Synonyms
Spider

Internal MISP references

UUID 3e75ce6b-b6de-4e5a-9501-8f9f847c819c which can be used as unique global reference for File Spider in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/ - webarchive
• http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.spider']
payment-method	Bitcoin
price	0.00725
ransomnotes	['As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section.']
ransomnotes-filenames	['HOW TO DECRYPT FILES.url']

FileCoder

A barely functional piece of macOS ransomware, written in Swift.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FileCoder.

Known Synonyms
FindZip
Patcher

Internal MISP references

UUID 091c9923-5939-4bde-9db5-56abfb51f1a2 which can be used as unique global reference for FileCoder in MISP communities and other software using the MISP galaxy

External references

• https://objective-see.com/blog/blog_0x25.html#FileCoder - webarchive

Associated metadata

Metadata key	Value
date	Febuary 2017
payment-method	Bitcoin
price	0.25

Related clusters

To see the related clusters, click here.

MacRansom

A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.

Internal MISP references

UUID 7574c7f1-5075-4230-aca9-d6c0956f1fac which can be used as unique global reference for MacRansom in MISP communities and other software using the MISP galaxy

External references

• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
date	June 2017
payment-method	Bitcoin
price	0.25 (700 $)

Related clusters

To see the related clusters, click here.

GandCrab

A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.

Internal MISP references

UUID 5920464b-e093-4fa0-a275-438dffef228f which can be used as unique global reference for GandCrab in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/ - webarchive
• https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/ - webarchive
• https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/ - webarchive
• https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/ - webarchive
• https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/ - webarchive
• https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html - webarchive

Associated metadata

Metadata key	Value
date	January 2018
extensions	['.Crab', '.CRAB']
payment-method	Dash
price	1 - 3
ransomnotes	['---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!', '---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can\'t download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. Download and install qTOX on your PC.\n3. Open it, click "New Profile" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!', 'ENCRYPTED BY GANDCRAB 3\n\nDEAR [user_name],\n\nYOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR\n\nFor further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.', ' ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter "username": [id]\n1) Enter "password": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It\'s fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! ']
ransomnotes-filenames	['GDCB-DECRYPT.txt', 'CRAB-Decrypt.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/g/gandcrab/v3/desktop-background.jpg', 'https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/gandcrab-fallout.jpg']

Related clusters

To see the related clusters, click here.

ShurL0ckr

Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.

Internal MISP references

UUID cc7f6da3-fafd-444f-b7e9-f0e650fb4d4f which can be used as unique global reference for ShurL0ckr in MISP communities and other software using the MISP galaxy

External references

• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications - webarchive

Associated metadata

Metadata key	Value
date	Febuary 2018
payment-method	Bitcoin
price	0.01 - 0.1

Cryakl

ransomware

Internal MISP references

UUID 4f3e494e-0e37-4894-94b2-741a8100f07a which can be used as unique global reference for Cryakl in MISP communities and other software using the MISP galaxy

External references

• https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/ - webarchive
• https://www.technologynews.tech/cryakl-ransomware-virus - webarchive
• http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/ - webarchive

Associated metadata

Metadata key	Value
date	January 2018
extensions	['.fairytail']
payment-method	Bitcoin

Related clusters

To see the related clusters, click here.

Thanatos

first ransomware seen to ask for payment to be made in Bitcoin Cash (BCH)

Internal MISP references

UUID 361d7a90-2fde-4fc7-91ed-fdce26eb790f which can be used as unique global reference for Thanatos in MISP communities and other software using the MISP galaxy

External references

• https://mobile.twitter.com/EclecticIQ/status/968478323889332226 - webarchive
• https://www.eclecticiq.com/resources/thanatos--ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report - webarchive
• http://id-ransomware.blogspot.com/2018/02/thanatos-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.THANATOS']
payment-method	Bitcoin
price	0.1

Related clusters

To see the related clusters, click here.

RSAUtil

RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RSAUtil.

Known Synonyms
DONTSLIP
Vagger

Internal MISP references

UUID f80b0a42-21ef-11e8-8ac7-0317408794e2 which can be used as unique global reference for RSAUtil in MISP communities and other software using the MISP galaxy

External references

• https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks - webarchive
• https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/ - webarchive
• http://id-ransomware.blogspot.lu/2017/04/rsautil-ransomware.html - webarchive
• http://id-ransomware.blogspot.lu/2017/04/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	750 $
ransomnotes	['Hello... :)\nFor instructions on how to recovery the files, write to me:\njonskuper578@india.com\njonskuper578@gmx.de\njonskuper578@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.', 'WARNING!!!\nYour ID 83624883\nOUR FILES ARE DECRIPTED\nYour documents, photos, database, save games and other important data was encrypted.\nData recovery the necessary interpreter. To get the interpreter, should send an email to helppme@india.com or hepl1112@aol.com.\nIn a letter to include Your personal ID (see the beginning of this document).\nIn response to the letter You will receive the address of your Bitcoin wallet to which you want to perform the transfer.\nWhen money transfer is confirmed, You will receive the decrypter file for Your computer.\nAfter starting the programm-interpreter, all Your files will be restored.\nAttention! Do not attempt to remove a program or run the anti-virus tools.', 'ПРЕДУПРЕЖДЕНИЕ!!!\nВаш ID 83624883\nOUR FILES ARE DECRIPTED\nЗашифрованы ваши документы, фотографии, база данных, сохранения игр и другие важные данные.\nВосстановить данные нужен интерпретатор. Для получения интерпретатора надо отправить email на helppme@india.com или hepl1112@aol.com.\nВ письме укажите Ваш личный ID (см. начало этого документа).\nВ ответ на письмо Вы получите адрес вашего биткойн-кошелька, на который Вы хотите сделать перевод.\nКогда денежный перевод будет подтвержден, вы получите файл-декриптер для Вашего компьютера.\nПосле запуска программы-интерпретатора все Ваши файлы будут восстановлены.\nВнимание! Не пытайтесь удалить программу или запустить антивирусные программы.', 'Hello…\nFor instructions on how to recovery the files, write to me:\nvine77725@gmx.de\nvine77725@india.com\nvine77725@protonmail.com\nIn the letter, indicate your personal ID (see the file format).\nIf you have not received an answer, write to me again.', 'Привет мой друг!\nВсе файлы на твоем ПК зашифрованы!\nМой email: helppme@india.com или\nhepl1112@aol.com', 'Hello my friend!\nAll files on your PC encryphted!\nmy email: helppme@india.com or\nhepl1112@aol.com']
ransomnotes-filenames	['How_return_files.txt', 'Image.jpg']
ransomnotes-refs	['https://4.bp.blogspot.com/-6jE-GW6wCr8/WQY1L_uHsFI/AAAAAAAAE-A/3YR0bwwBJqgp8CsApZq4F_44JkMB0m2WwCLcB/s320/image-note.jpg', 'https://2.bp.blogspot.com/-T4lvnNISc_A/WQY1SI1r1mI/AAAAAAAAE-E/tH7p02nS2LUTvXmq66poiyM1RYhHc4HbwCLcB/s200/lock-note.jpg']

Qwerty Ransomware

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file's name.

Internal MISP references

UUID 15c370c0-2799-11e8-a959-57cdcd57e3bf which can be used as unique global reference for Qwerty Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/qwerty-ransomware-utilizes-gnupg-to-encrypt-a-victims-files/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
ransomnotes	['Your computer is encrypted . Mail cryz1@protonmail.com . Send your ID 5612.\nNote! You have only 72 hours for write on e-mail (see below) or all your files will be lost!']
ransomnotes-filenames	['README_DECRYPT.txt']

Zenis Ransomware

A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not encrypts your files, but also purposely deletes your backups.

Internal MISP references

UUID cbe3ee70-2d11-11e8-84bb-9b3c525a48d9 which can be used as unique global reference for Zenis Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/ - webarchive
• https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin Email (Tor)
ransomnotes	[' All your files has been encrypted \n\nI am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I\'m coming to discover a new world. A world in digital space that you are supposed to play the role of my toys.\n\nIf you want to win in this game, you have to listen carefully to my instructions, otherwise you will be caught up in a one-step game and you will become the main loser of the story.\n\nMy instructions are simple and clear. Then follow these steps:\n\n1. Send this file (Zenis-Instructions.html) to my email with one your encrypted file less than 2 MB to trust to the game.\n\n2. I decrypt your file for free and send for you.\n\n3. If you confirm the correctness of the files, verify that the files are correct via email\n\n4. Then receive the price of decrypting files\n\n5. After you have deposited, please send me the payment details\n\n6. After i confirm deposit, i send you the "Zenis Decryptor" along with "Private Key" to recovery all your files.\n\nNow you can finish the game. You won the game. congratulations.\n\n\nPlease submit your request to both emails:\n\nTheZenis@Tutanota.com\n\nTheZenis@MailFence.com\n\nIf you did not receive an email after six hours, submit your request to the following emails:\n\nTheZenis@Protonmail.com\n\nTheZenis@Mail2Tor.com (On the TOR network)\n\n\nWarning: 3rd party and public programs, It may cause irreversible damage to your files. And your files will be lost forever.']
ransomnotes-filenames	['Zenis-Instructions.html']

Flotera Ransomware

Internal MISP references

UUID aab356ac-396c-11e8-90c8-631229f19d7a which can be used as unique global reference for Flotera Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/ - webarchive
• http://id-ransomware.blogspot.com/2017/03/flotera-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Dollars
price	199

Black Ruby

A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can. Discovered on February 6, 2018. May have been distributed through unknown vectors. Will not encrypt a machine if its IP address is identified as coming from Iran; this feature enables actors to avoid a particular Iranian cybercrime law that prohibits Iran-based actors from attacking Iranian victims. Encrypts files on the infected machine, scrambles files, and appends the .BlackRuby extension to them. Installs a Monero miner on the infected computer that utilizes the machine’s maximum CPU power. Delivers a ransom note in English asking for US$650 in Bitcoins. Might be installed via Remote Desktop Services.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Black Ruby.

Known Synonyms
BlackRuby

Internal MISP references

UUID abf3001c-396c-11e8-8da6-ef501eef12e1 which can be used as unique global reference for Black Ruby in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/ - webarchive
• https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf - webarchive

Associated metadata

Metadata key	Value
extensions	['.BlackRuby']
payment-method	Monero miner on the computer
ransomnotes	[' _ __ __ __\n / __ ) / /____ _ _____ / /__ / __ \ __ __ / / __ __\n / __
ransomnotes-filenames	['HOW-TO-DECRYPT-FILES.txt']

WhiteRose

A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.

Internal MISP references

UUID abc80362-396c-11e8-bc5c-8bca89c0f797 which can be used as unique global reference for WhiteRose in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/ - webarchive
• http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.WHITEROSE', '_ENCRYPTED_BY.WHITEROSE']
payment-method	Website Tor
ransomnotes	['[Rose ASCII art]\n\n[WhiteRose written in ASCII art]\n\nThe singing of the sparrows, the breezes of the northern mountains and smell of the earth that was raining in the morning filled the entire garden space. I\'m sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day.\n\nBehind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish and my right, trees full of spring white blooms.\n\n I drink coffee, I\'ll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend.\n\nI have neither a pet, nor a friend or an enemy; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I\'m just a little interested in hacking and programming. My only electronic devices in this big garden are an old laptop for do projects and an iPhone for check out the news feeds for malware analytics on Twitter without likes posts.\n\nBelieve me, my only assets are the white roses of this garden. I think of days and write at night: the story, poem, code, exploit or the accumulation of the number of white roses sold and I say to myself that the wealth is having different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses.\n\nToday, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the worth of unity, intimacy, joy and love and is the decision to release white roses and to give gifts to all peoples of the world.\n\nI do not think about selling white roses again. This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it\'s important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.\n\nI hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.\n\nThank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\n[Recovery Instructions]\n\n I. Download qTox on your computer from [https://tox.chat/download.html]\nII. Create new profile then enter our ID in search contacts\n Our Tox ID: "6F548F217897AA4140FB4C514C8187F2FFDBA3CAFC83795DEE2FBCA369E689006B7CED4A18E9". III. Wait for us to accept your request.\nIV. Copy \'[PersonalKey]\' in "HOW-TO-RECOVERY-FILES.TXT" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat.\n IV.I. Only if you did not receive a reply after 24 hours from us, send your message to our secure tor email address "TheWhiteRose@Torbox3uiot6wchz.onion".\n IV.II. For perform "Step IV.I" and enter the TOR network, you must download tor and register in "http://torbox3uiot6wchz.onion" Mail Service)\nV. We decrypt your two files and we will send you.\nVI. After ensuring the integrity of the files, We will send you payment info.\nVII. Now after payment, you get "WhiteRose Decryptor" Along with the private key of your system.\nVIII.Everything returns to the normal and your files will be released.\n\n/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////\n\nWhat is encryption?\n\n In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it, and those who are not authorized cannot. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm – a cipher – generating ciphertext that can be read only if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. in your case “WhiteRose Decryptor” software for safe and complete decryption of all your files and data.\n\nAny other way?\n\nIf you look through this text in the Internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support.']
ransomnotes-filenames	['HOW-TO-RECOVERY-FILES.TXT']

PUBG Ransomware

In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds. Discovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.

Internal MISP references

UUID 2239b3ca-3c9b-11e8-873e-53608d51ee71 which can be used as unique global reference for PUBG Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/ - webarchive
• https://id-ransomware.blogspot.com/2018/04/pubg-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.PUBG']
payment-method	Game
price	Play to decrypt
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/p/pubg-ransomware/pubg-ransomware.jpg']

LockCrypt

LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.

Internal MISP references

UUID ac070e9a-3cbe-11e8-9f9d-839e888f2340 which can be used as unique global reference for LockCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/ - webarchive
• https://twitter.com/malwrhunterteam/status/1034436350748053504 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive
• http://id-ransomware.blogspot.com/2017/06/lockcrypt-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.BadNews']
payment-method	Bitcoin
price	0.5 - 1
ransomnotes-filenames	['How To Decode Files.hta']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg']

Magniber Ransomware

Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.

Internal MISP references

UUID a0c1790a-3ee7-11e8-9774-93351d675a9e which can be used as unique global reference for Magniber Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/ - webarchive
• https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/ - webarchive
• https://twitter.com/demonslay335/status/1005133410501787648 - webarchive
• http://id-ransomware.blogspot.com/2017/10/my-decryptor-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.ihsdj', '.kgpvwnr', '.ndpyhss']
payment-method	Bitcoin
price	0.2
ransomnotes	[' ALL Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED!\n ====================================================================================================\n Your files are NOT damaged! Your files are modified only. This modification is reversible.\n\n The only 1 way to decrypt your files is to receive the private key and decryption program.\n\n Any attempts to restore your files with the third-party software will be fatal for your files!\n ====================================================================================================\n To receive the private key and decryption program follow the instructions below:\n\n 1. Download "Tor Browser" from https://www.torproject.org/ and install it.\n\n 2. In the "Tor Browser" open your personal page here:\n\n\n http://[victim_id].ofotqrmsrdc6c3rz.onion/EP866p5M93wDS513\n\n\n Note! This page is available via "Tor Browser" only.\n ====================================================================================================\n Also you can use temporary addresses on your personal page without using "Tor Browser":\n\n\n http://[victim_id].bankme.date/EP866p5M93wDS513\n\n http://[victim_id].jobsnot.services/EP866p5M93wDS513\n\n http://[victim_id].carefit.agency/EP866p5M93wDS513\n\n http://[victim_id].hotdisk.world/EP866p5M93wDS513\n\n\n Note! These are temporary addresses! They will be available for a limited amount of time!']
ransomnotes-filenames	['READ_ME_FOR_DECRYPT_[id].txt']

Vurten

Internal MISP references

UUID 7666e948-3f09-11e8-b0b2-af79c067d856 which can be used as unique global reference for Vurten in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/siri_urz/status/981191281195044867 - webarchive
• http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.improved']
payment-method	Bitcoin
price	10 000 $
ransomnotes	['UNCRYPT.README']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/april/6/vurten.jpg']

Reveton ransomware

A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.

Internal MISP references

UUID 1912ec68-4145-11e8-ac06-9b6643035a71 which can be used as unique global reference for Reveton ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/ - webarchive
• https://en.wikipedia.org/wiki/Ransomware#Reveton - webarchive
• https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	200 $

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob. Like a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well. In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob. When Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively. Fusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.

Internal MISP references

UUID c921d9ac-4145-11e8-965b-df5002d4cad8 which can be used as unique global reference for Fusob in MISP communities and other software using the MISP galaxy

External references

• https://en.wikipedia.org/wiki/Ransomware#Fusob - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	100 - 200 $

OXAR

Internal MISP references

UUID b0ce2b90-4171-11e8-af82-0f4431fd2726 which can be used as unique global reference for OXAR in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/981270787905720320 - webarchive

Associated metadata

Metadata key	Value
extensions	['.FUCK']
ransomnotes	['What Happened to My Computer?\nYour important files are encrypted.\nMany of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.\n\nCan I Recover My Files?\nSure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.\nBut if you want to decrypt all your files, you need to pay.\n\nHow Do I Pay?\nPayment is accepted in Bitcoin only.\nPlease check the current price of Bitcoin and buy some bitcoins.\nAnd send the correct amount to the address specified in this window.\n\nWe strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!\nOnce the payment is sent, send us an e-mail to the specified address specifying your "Client ID", you will be sent your decryption key in return.\nHow to buy Bitcoins?\n\nStep 1 : Create a portfolio on the Blockchain website at the address : https://blockchain.info/fr/wallet/#/signup\nStep 2 : Sign in to your account you just created and purchase the amount shown : https://blockchain.info/wallet/#/buy-sell\n Step 3 : Send the amount to the indicated Bitcoin address, once this is done send us an email with your "Client ID" you can retreive this in the file "instruction.txt" or "Whats Appens With My File.s.txt" in order to ask us the key of decryption of your data.\n\nContact us at : spaghetih@protonmail.com\nSend 20$ to Bitcoin at 1MFA4PEuDoe2UCKgabrwm8P4KztASKtiuv if you want decrypt your files !\nYour Client ID is : [id]']
ransomnotes-refs	['https://pastebin.com/xkRaRytW']

BansomQare Manna Ransomware

Internal MISP references

UUID b95a76d8-4171-11e8-b9b3-1bf62ec3265e which can be used as unique global reference for BansomQare Manna Ransomware in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2018/03/bansomqarewanna-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	100 $

Haxerboi Ransomware

Internal MISP references

UUID 60e79876-4178-11e8-8c04-63662c94ba03 which can be used as unique global reference for Haxerboi Ransomware in MISP communities and other software using the MISP galaxy

SkyFile

Internal MISP references

UUID b4654c94-417a-11e8-8c2c-5b5748496f92 which can be used as unique global reference for SkyFile in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/982229994364547073 - webarchive
• http://id-ransomware.blogspot.com/2018/04/skyfile-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin Email

MC Ransomware

Supposed joke ransomware, decrypt when running an exectable with the string "Minecraft"

Internal MISP references

UUID 443c55c6-43d1-11e8-9072-6fdcf89aa4e6 which can be used as unique global reference for MC Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Game

CSGO Ransomware

Supposed joke ransomware, decrypt when running an exectable with the string "csgo"

Internal MISP references

UUID 449e18b0-43d1-11e8-847e-0fed641732a1 which can be used as unique global reference for CSGO Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Game
price	Play during 5 hours

XiaoBa ransomware

Internal MISP references

UUID ef094aa6-4465-11e8-81ce-739cce28650b which can be used as unique global reference for XiaoBa ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/ - webarchive
• https://twitter.com/malwrhunterteam/status/923847744137154560 - webarchive
• https://twitter.com/struppigel/status/926748937477939200 - webarchive
• https://twitter.com/demonslay335/status/968552114787151873 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive
• https://twitter.com/malwrhunterteam/status/1004048636530094081 - webarchive
• https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.Encrypted[BaYuCheng@yeah.net].XiaBa', '.XiaoBa1', '.XiaoBa2', '.XiaoBa3', '.XiaoBa4', '.XiaoBa5', '.XiaoBa6', '.XiaoBa7', '.XiaoBa8', '.XiaoBa9', '.XiaoBa10', '.XiaoBa11', '.XiaoBa12', '.XiaoBa13', '.XiaoBa14', '.XiaoBa15', '.XiaoBa16', '.XiaoBa17', '.XiaoBa18', '.XiaoBa19', '.XiaoBa20', '.XiaoBa21', '.XiaoBa22', '.XiaoBa23', '.XiaoBa24', '.XiaoBa25', '.XiaoBa26', '.XiaoBa27', '.XiaoBa28', '.XiaoBa29', '.XiaoBa30', '.XiaoBa31', '.XiaoBa32', '.XiaoBa33', '.XiaoBa34', '.AdolfHitler']
payment-method	Bitcoin
price	1 200 yuan (180,81 $)
ransomnotes-filenames	['@XiaoBa@.bmp', '@Explanation@.hta', 'XiaoBa_Info.hta', 'XiaoBa_Info.bmp', '# # DECRYPT MY FILE # #.bmp']
ransomnotes-refs	['https://pbs.twimg.com/media/DNIoIFuX4AAce7J.jpg', 'https://pbs.twimg.com/media/DNx5Of-X0AASVda.jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De8WvF_X0AARtYr[1].jpg']

NMCRYPT Ransomware

The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.

Internal MISP references

UUID bd71be69-fb8c-4b1f-9d96-993ab23d5f2b which can be used as unique global reference for NMCRYPT Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://sensorstechforum.com/nmcrypt-files-ransomware-virus-remove-restore-data/ - webarchive
• https://www.enigmasoftware.com/nmcryptansomware-removal/ - webarchive

Associated metadata

Metadata key	Value
date	April 2018
encryption	AES+RSA
extensions	['.NMCRYPT']
payment-method	Bitcoin
price	7000 $
ransomnotes	['Encrypted files! All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps. The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! Important use Firefox or Chrome browser To proceed with the purchase you must access one of the link below https://lylh3uqyzay3lhrd.onion.to/ https://lylh3uqyzay3lhrd.onion.link/ If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser...']
ransomnotes-refs	['https://sensorstechforum.com/wp-content/uploads/2018/04/stf-NMCRYPT-ransomware-virus-ransom-note-tor-onion-network-page-768x827.png']

Iron

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example. We know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design) DMA Locker (Iron Unlocker, decryption tool) Satan (exclusion list)

Internal MISP references

UUID ba64d47c-46cd-11e8-87df-ff6252b4ea76 which can be used as unique global reference for Iron in MISP communities and other software using the MISP galaxy

External references

• https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html - webarchive
• http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.2
ransomnotes	['We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…']
ransomnotes-filenames	['!HELP_YOUR_FILES.HTML']

Tron ransomware

Internal MISP references

UUID 94290f1c-46ff-11e8-b9c6-ef8852c58952 which can be used as unique global reference for Tron ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/985152346773696512 - webarchive
• http://id-ransomware.blogspot.com/2018/04/tron-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.tron']
payment-method	Bitcoin
price	0.007305 - 0.05
ransomnotes-refs	['https://pbs.twimg.com/media/DavxIr-W4AEq3Ny.jpg']

Unnamed ramsomware 1

A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.

Internal MISP references

UUID c1788ac0-4fa0-11e8-b0fd-63f5a2914926 which can be used as unique global reference for Unnamed ramsomware 1 in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ - webarchive

Associated metadata

Metadata key	Value
extensions	['sequre@tuta.io_[hex]']
payment-method	Bitcoin
price	0.14
ransomnotes-filenames	['HOW DECRIPT FILES.hta']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/c/compiled-ransomware/ransom-note.jpg']

HPE iLO 4 Ransomware

Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. According to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim's was different from other reported ones. An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victim's are from Russia. This is common for Russian based attackers, who in many cases tries to avoid infecting Russian victims. Finally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from "stealing" another victim's payment and using it to unlock their computer. In a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.

Internal MISP references

UUID 39cb0268-528b-11e8-ac30-0fa44afdc8de which can be used as unique global reference for HPE iLO 4 Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/ - webarchive
• https://twitter.com/M_Shahpasandi/status/989157283799162880 - webarchive
• https://id-ransomware.blogspot.com/2018/04/hpe-ilo-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	2
ransomnotes	["Security Notice\n\nHey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain the private key.\nIt means We are the only ones in the world to recover files back to you. Not even god can help you. Its all math and cryptography .\nIf you want your files back, Please send an email to 15fd9ngtetwjtdc@yopmail.com.\nWe don't know who are you, All what we need is some money and we are doing it for good cause.\nDon't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.\nYou can use of that bitcoin exchangers for transfering bitcoin.\nhttps://localbitcoins.com\nhttps://www.kraken.com\nPlease use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.\n\nProcess:\n1) Pay some BTC to our wallet address.(negotations almost impossible unless you are a russian citizen)\n2) We will send you private key and instructions to decrypt your hard drive\n3) Boom! You got your files back."]

Sigrun Ransomware

When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders.

Internal MISP references

UUID 5a53eec2-6993-11e8-a4d5-67480005dcbd which can be used as unique global reference for Sigrun Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/ - webarchive
• http://id-ransomware.blogspot.com/2018/05/sigrun-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.sigrun']
payment-method	Bitcoin Email
price	2500 $
ransomnotes	['SIGRUN 1.0 RANSOMWARE\n\nAll your important files are encrypted\n\nYour files has been encrypted by sigrun ransomware with unique decryption key.\n\nThere is only one way to get your files back: contact with us, pay, and get decryptor software. \n\nWe accept Bitcoin and Dash, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and https://www.dash.org/exchanges/ and others.\n\nYou have unique idkey (in a yellow frame), write it in letter when contact with us.\n\nAlso you can decrypt 3 files for test, its guarantee what we can decrypt your files.\n\nIDKEY:\n>>> [id_key] <<<\nContact information:\n\nemail: sigrun_decryptor@protonmail.ch', "~~~~~~SIGRUN 1.0 RANSOMWARE~~~~~~~~~\n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .sigrun\n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\nBut don't worry! You still can restore it!\n\nIn order to restore it you need to contact with us via e-mail.\n\n-----------------------------------------------\n
ransomnotes-filenames	['RESTORE-SIGRUN.html', 'RESTORE-SIGRUN.txt']

CryBrazil

Mostly Hidden Tear with some codes from Eda2 & seems compiled w/ Italian VS. Maybe related to OpsVenezuela?

Internal MISP references

UUID 30625df6-6e3e-11e8-b0cf-a7103cb03e05 which can be used as unique global reference for CryBrazil in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1002953824590614528 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive
• https://id-ransomware.blogspot.com/2018/06/crybrazil-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.crybrazil']
payment-method	Website
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg']

Pedcont

new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.

Internal MISP references

UUID b0e074fc-6e45-11e8-8366-dbfc88552a23 which can be used as unique global reference for Pedcont in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
• http://id-ransomware.blogspot.com/2018/06/pedcont-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.0065 (50 $)
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg']

DiskDoctor

new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DiskDoctor.

Known Synonyms
Scarab-DiskDoctor

Internal MISP references

UUID aa66e0c2-6fb5-11e8-851d-4722b7b3e9b9 which can be used as unique global reference for DiskDoctor in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.DiskDoctor']
payment-method	Bitcoin Email
ransomnotes-filenames	['HOW TO RECOVER ENCRYPTED FILES.TXT']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De2sj4GW0AAuQer[1].jpg']

RedEye

Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.

Internal MISP references

UUID e675e8fa-7065-11e8-95e0-cfdc107099d8 which can be used as unique global reference for RedEye in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive
• https://twitter.com/JakubKroustek/status/1004463935905509376 - webarchive
• https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html - webarchive
• https://id-ransomware.blogspot.com/2018/06/redeye-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.RedEye']
payment-method	Bitcoin
price	0.1
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/DfCO0T2WsAQvclJ[1].jpg']

Aurora Ransomware

Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aurora Ransomware.

Known Synonyms
Zorro Ransomware

Internal MISP references

UUID 3ee0664e-706d-11e8-800d-9f690298b437 which can be used as unique global reference for Aurora Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ - webarchive
• https://twitter.com/demonslay335/status/1004435398687379456 - webarchive
• https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/ - webarchive
• https://id-ransomware.blogspot.com/2018/05/aurora-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.aurora', '.animus', '.Aurora', '.desu', '.ONI']
payment-method	Bitcoin
price	100 - 500
ransomnotes	['==========================# aurora ransomware #==========================\n\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nWe STRONGLY RECOMMEND you NOT to use any "decryption tools".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you have to get RSA private key.\nIn order to get private key, write here:\nbig.fish@vfemail.net\nAnd send me your id, your id:\n[redacted]\nAnd pay 200$ on 1GSbmCoKzkHVkSUxqdSH5t8SxJQVnQCeYf wallet\nIf someone else offers you files restoring, ask him for test decryption.\n Only we can successfully decrypt your files; knowing this can protect you from fraud.\nYou will receive instructions of what to do next.\n==========================# aurora ransomware #==========================', '%UserProfile%wall.i', '==========================# zorro ransomware #==========================\nSORRY! Your files are encrypted.\nFile contents are encrypted with random key.\nRandom key is encrypted with RSA public key (2048 bit)\n.We STRONGLY RECOMMEND you NOT to use any "decryption tools".\nThese tools can damage your data, making recover IMPOSSIBLE.\nAlso we recommend you not to contact data recovery companies.\nThey will just contact us, buy the key and sell it to you at a higher price.\nIf you want to decrypt your files, you need to get the RSA-key from us.\n--\nTo obtain an RSA-key, follow these steps in order:\n1. pay this sum 500$ to this BTC-purse: 18sj1xr86c3YHK44Mj2AXAycEsT2QLUFac\n2. write on the e-mail ochennado@tutanota.com or anastacialove21@mail.com indicating in the letter this ID-[id] and BTC-purse, from which paid.\nIn the reply letter you will receive an RSA-key and instructions on what to do next.\nWe guarantee you the recovery of files, if you do it right.\n==========================# zorro ransomware #==========================']
ransomnotes-filenames	['#RECOVERY-PC#.txt', '!-GET_MY_FILES-!.txt', '@RESTORE-FILES@.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/a/aurora/ransom-note.jpg', 'https://www.bleepstatic.com/images/news/ransomware/a/aurora/wallpaper.jpg']

PGPSnippet Ransomware

Internal MISP references

UUID 682ff7ac-7073-11e8-8c8b-bf1271b8800b which can be used as unique global reference for PGPSnippet Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1005138187621191681 - webarchive

Associated metadata

Metadata key	Value
extensions	['.digiworldhack@tutanota.com']
payment-method	Bitcoin
price	500 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/pgpsnippet-variant.jpg', 'http://id-ransomware.blogspot.com/2018/05/pgpsnippet-ransomware.html']

Spartacus Ransomware

Internal MISP references

UUID fe42c270-7077-11e8-af82-d7bf7e6ab8a9 which can be used as unique global reference for Spartacus Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1005136022282428419 - webarchive
• https://id-ransomware.blogspot.com/2018/04/spartacus-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.SF']
payment-method	Bitcoin Email

Donut

S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.

Internal MISP references

UUID e57e1f4a-72da-11e8-8c0d-af46e8f393d2 which can be used as unique global reference for Donut in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/siri_urz/status/1005438610806583296 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/ - webarchive
• http://id-ransomware.blogspot.com/2018/06/donut-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.donut']
payment-method	Bitcoin
price	100 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/15/DfQI_lnXUAAukGK[1].jpg']

NemeS1S Ransomware

Ransomware as a Service

Internal MISP references

UUID 3ac0f41e-72e0-11e8-85a8-f7ae254ab629 which can be used as unique global reference for NemeS1S Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/Damian1338B/status/1005411102660923392 - webarchive
• https://www.bleepingcomputer.com/news/security/nemes1s-raas-is-padcrypt-ransomwares-affiliate-system/ - webarchive
• https://id-ransomware.blogspot.com/2017/01/nemesis-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	10

Paradise Ransomware

MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.

Internal MISP references

UUID db06d2e0-72f9-11e8-9413-73999e1a9373 which can be used as unique global reference for Paradise Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1005420103415017472 - webarchive
• https://twitter.com/malwrhunterteam/status/993499349199056897 - webarchive
• http://id-ransomware.blogspot.com/2017/09/paradise-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['_V.0.0.0.1{paradise@all-ransomware.info}.prt']
payment-method	Bitcoin Email
ransomnotes-filenames	['PARADISE_README_paradise@all-ransomware.info.txt']

B2DR Ransomware

uses the .reycarnasi1983@protonmail.com.gw3w amd a ransom note named ScrewYou.txt

Internal MISP references

UUID 4a341cf4-72ff-11e8-8371-b74902a1dff3 which can be used as unique global reference for B2DR Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1006220895302705154 - webarchive
• https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.reycarnasi1983@protonmail.com.gw3w', '.ssananunak1987@protonmail.com.b2fr']
payment-method	Bitcoin
price	0.1 - 0.3
ransomnotes	['Your files were encrypted with AES-256.\n\nAsk how to restore your files by email reycarnasi1983@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: reycarnasi1983@torbox3uiot6wchz.onion\nATTENTION: e-mail (reycarnasi1983@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]-----END KEY-----', 'Your files were encrypted with AES-256.\n\nAsk how to restore your files by email ssananunak1987@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: ssananunak1987@torbox3uiot6wchz.onion\nATTENTION: e-mail (ssananunak1987@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]']
ransomnotes-filenames	['ScrewYou.txt', 'Readme.txt']

YYTO Ransomware

uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt

Internal MISP references

UUID ef38d8b4-7392-11e8-ba1e-cfb37f0b9c73 which can be used as unique global reference for YYTO Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1006237353474756610 - webarchive
• http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.codyprince92@mail.com.ovgm']
payment-method	Email Tor
ransomnotes	['Hello. Your files have been encrypted.\n\nFor help, write to this e-mail: codyprince92@mail.com\nAttach to the letter 1-2 files (no more than 3 MB) and your personal key.\n\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: codyprince@torbox3uiot6wchz.onion\n\n\nATTENTION: e-mail (codyprince@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n\n\nYour personal key:\n\n[redacted hex]']
ransomnotes-filenames	['Readme.txt']

Unnamed ramsomware 2

Internal MISP references

UUID 53e6e068-739c-11e8-aae4-df58f7f27ee5 which can be used as unique global reference for Unnamed ramsomware 2 in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1007334654918250496 - webarchive

Associated metadata

Metadata key	Value
extensions	['.qnbqw']
payment-method	Email
ransomnotes	['Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail.com to get your decryption key.\nYour USERKEY: [redacted 1024 bytes in base64]']
ransomnotes-filenames	['Notice.txt']

Everbe Ransomware

Internal MISP references

UUID 9d09ac4a-73a0-11e8-b71c-63b86eedf9a2 which can be used as unique global reference for Everbe Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/ - webarchive
• https://twitter.com/malwrhunterteam/status/1065675918000234497 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive
• http://id-ransomware.blogspot.com/2018/03/everbe-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.[everbe@airmail.cc].everbe', '.embrace', 'pain', '.[yoursalvations@protonmail.ch].neverdies@tutanota.com']
payment-method	Bitcoin
price	3003 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsoIB_0U0AAXgEz[1].jpg']

DirCrypt

Internal MISP references

UUID cdcc59a0-955e-412d-b481-8dff4bce6fdf which can be used as unique global reference for DirCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

Related clusters

To see the related clusters, click here.

DBGer Ransomware

The authors of the Satan ransomware have rebranded their "product" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.

Internal MISP references

UUID 541a479c-73a5-11e8-9d70-47736508231f which can be used as unique global reference for DBGer Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/ - webarchive
• http://id-ransomware.blogspot.com/2018/06/dbger-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['image.png -- > [dbger@protonmail.com]image.png.dbger']
payment-method	Bitcoin
price	1
ransomnotes	['Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:']
ransomnotes-filenames	['_How_to_decrypt_files.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/u/986406/Ransomware/DBGer/DBGer-ransom-note.png']

RASTAKHIZ

Hidden Tear variant discovered in October 2016. After activation, provides victims with an unlimited amount of time to gather the requested ransom money and pay it. Related unlock keys and the response sent to and from a Gmail addres

Internal MISP references

UUID 884eaa14-9ba8-11e8-a6ec-7f903f720e60 which can be used as unique global reference for RASTAKHIZ in MISP communities and other software using the MISP galaxy

External references

• https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf - webarchive
• https://id-ransomware.blogspot.com/2017/11/rastakhiz-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	250 $

TYRANT

DUMB variant discovered on November 16, 2017. Disguised itself as a popular virtual private network (VPN) in Iran known as Psiphon and infected Iranian users. Included Farsi-language ransom note, decryptable in the same way as previous DUMB-based variants. Message requested only US$15 for unlock key. Advertised two local and Iran-based payment processors: exchange.ir and webmoney.ir.Shared unique and specialized indicators with RASTAKHIZ; iDefense threat intelligence analysts believe this similarity confirms that the same actor was behind the repurposing of both types of ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TYRANT.

Known Synonyms
Crypto Tyrant

Internal MISP references

UUID 701f2a3e-9baa-11e8-a044-4b8bc49ea971 which can be used as unique global reference for TYRANT in MISP communities and other software using the MISP galaxy

External references

• https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf - webarchive
• http://id-ransomware.blogspot.com/2017/10/tyrant-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	15 $

WannaSmile

zCrypt variant discovered on November 17, 2017, one day after the discovery of TYRANT. Used Farsi-language ransom note asking for a staggering 20 Bitcoin ransom payment. Also advertised local Iran-based payment processors and exchanges—www.exchangeing[.]ir, www.payment24[.]ir, www.farhadexchange.net, and www.digiarz.com)—through which Bitcoins could be acquired.

Internal MISP references

UUID b3f04486-9bc4-11e8-bbfe-cf096483b45e which can be used as unique global reference for WannaSmile in MISP communities and other software using the MISP galaxy

External references

• https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf - webarchive
• https://id-ransomware.blogspot.com/2017/11/wannasmile-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	20

Unnamed Android Ransomware

Uses APK Editor Pro. Picks and activates DEX>Smali from APK Editor. Utilizes LockService application and edits the “const-string v4, value” to a desired unlock key. Changes contact information within the ransom note. Once the victim has downloaded the malicious app, the only way to recover its content is to pay the ransom and receive the unlock key.

Internal MISP references

UUID b48a7d62-9bc4-11e8-a7c5-47d13fad265f which can be used as unique global reference for Unnamed Android Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf - webarchive

Associated metadata

Metadata key	Value
payment-method	Email

KEYPASS

A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYPASS.

Known Synonyms
KeyPass

Internal MISP references

UUID 22b4070e-9efe-11e8-b617-ab269f54596c which can be used as unique global reference for KEYPASS in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/ - webarchive
• https://www.kaspersky.com/blog/keypass-ransomware/23447/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.KEYPASS']
payment-method	Bitcoin
price	300 $
ransomnotes	['Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]']
ransomnotes-filenames	['!!!KEYPASS_DECRYPTION_INFO!!!.txt']

STOP Ransomware

Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.

Internal MISP references

UUID c76c4d24-9f99-11e8-808d-a7f1c66a53c5 which can be used as unique global reference for STOP Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/Emm_ADC_Soft/status/1064459080016760833 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive
• https://twitter.com/MarceloRivero/status/1065694365056679936 - webarchive
• http://id-ransomware.blogspot.com/2017/12/stop-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.INFOWAIT', '-DATASTOP', '.PUMA']
payment-method	Bitcoin
price	200 - 600 $
ransomnotes-filenames	['!readme.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsW33OQXgAAwJzv[1].jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsobVENXcAAR3GC[1].jpg']

Barack Obama's Everlasting Blue Blackmail Virus Ransomware

A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Barack Obama's Everlasting Blue Blackmail Virus Ransomware.

Known Synonyms
Barack Obama's Blackmail Virus Ransomware

Internal MISP references

UUID 1a98f5ca-b024-11e8-b828-1fb7dbd6619e which can be used as unique global reference for Barack Obama's Everlasting Blue Blackmail Virus Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1032242391665790981 - webarchive
• https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/ - webarchive
• https://id-ransomware.blogspot.com/2018/08/barack-obamas-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
ransomnotes	["Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information."]
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg']

CryptoNar

When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted. If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.

Internal MISP references

UUID 10f92054-b028-11e8-a51f-2f82236ac72d which can be used as unique global reference for CryptoNar in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/ - webarchive
• https://twitter.com/malwrhunterteam/status/1034492151541977088 - webarchive
• https://id-ransomware.blogspot.com/2018/08/cryptonar-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.fully.cryptoNar', '.partially.cryptoNar']
payment-method	Bitcoin
price	200 $
ransomnotes-filenames	['CRYPTONAR RECOVERY INFORMATION.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg']

Related clusters

To see the related clusters, click here.

CreamPie Ransomware

Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.

Internal MISP references

UUID 1b5a756e-b034-11e8-9e7d-c3271796acab which can be used as unique global reference for CreamPie Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive
• https://twitter.com/JakubKroustek/status/1033656080839139333 - webarchive
• https://id-ransomware.blogspot.com/2018/08/creampie-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.[backdata@cock.li].CreamPie']
payment-method	Bitcoin

Jeff the Ransomware

Looks to be in-development as it does not encrypt.

Internal MISP references

UUID 7854c8bc-b036-11e8-bfb0-4ff71e54bbb2 which can be used as unique global reference for Jeff the Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/leotpsc/status/1033625496003731458 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive

Associated metadata

Metadata key	Value

Cassetto Ransomware

Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.

Internal MISP references

UUID 7d3287f0-b03d-11e8-b1ef-23485f43e7f9 which can be used as unique global reference for Cassetto Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1034213399922524160 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive
• https://id-ransomware.blogspot.com/2018/08/cassetto-ransomware.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.cassetto']
payment-method	Bitcoin
price	0.5
ransomnotes	['L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.']
ransomnotes-filenames	['IMPORTANT ABOUT DECRYPT.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg']

Acroware Cryptolocker Ransomware

Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Acroware Cryptolocker Ransomware.

Known Synonyms
Acroware Screenlocker

Internal MISP references

UUID f1b76b66-b044-11e8-8ae7-cbe7e28dd584 which can be used as unique global reference for Acroware Cryptolocker Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/leotpsc/status/1034346447112679430 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	80 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg']

Termite Ransomware

Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.

Internal MISP references

UUID a8a772b4-b04d-11e8-ad94-ab9124dff412 which can be used as unique global reference for Termite Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/B_H101/status/1034379267956715520 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.aaaaaa']
payment-method	Bitcoin
price	100 - 500 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg']

PICO Ransomware

S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PICO Ransomware.

Known Synonyms
Pico Ransomware

Internal MISP references

UUID 5d0c28f6-b050-11e8-95a8-7b8e480b9bd2 which can be used as unique global reference for PICO Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/ - webarchive
• https://twitter.com/siri_urz/status/1035138577934557184 - webarchive

Associated metadata

Metadata key	Value
extensions	['.PICO']
payment-method	Bitcoin
price	100 $
ransomnotes-filenames	['README.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg']

Sigma Ransomware

Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.

Internal MISP references

UUID df025902-b29e-11e8-a2ab-739167419c52 which can be used as unique global reference for Sigma Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	400 $
ransomnotes-filenames	['ReadMe.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg', 'https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg', 'https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg']

Crypt0saur

Internal MISP references

UUID 32406292-b738-11e8-ab97-1f674b130624 which can be used as unique global reference for Crypt0saur in MISP communities and other software using the MISP galaxy

Mongo Lock

An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.

Internal MISP references

UUID 2aa481fe-c254-11e8-ad1c-efee78419960 which can be used as unique global reference for Mongo Lock in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.1
ransomnotes	["Your database was encrypted by 'Mongo Lock'. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: mongodb@8chan.co for decryption service."]

Kraken Cryptor Ransomware

The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

Internal MISP references

UUID c49f88f6-c87d-11e8-b005-d76e8162ced5 which can be used as unique global reference for Kraken Cryptor Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/ - webarchive
• https://twitter.com/MarceloRivero/status/1059575186117328898 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Dollars
price	80
ransomnotes-refs	['https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg']

SAVEfiles

Internal MISP references

UUID 76bfb132-cc70-11e8-8623-bb3f209be6c9 which can be used as unique global reference for SAVEfiles in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.SAVEfiles.']
payment-method	Email
ransomnotes-filenames	['!!!SAVE__FILES__INFO!!!.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg']

File-Locker

The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victim's are infected it will leave a ransom requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of "dnwls07193147", so it is easily decryptable.

Internal MISP references

UUID c06a1938-dcee-11e8-bc74-474b0080f0e5 which can be used as unique global reference for File-Locker in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Won
price	50 000 (50 $)
ransomnotes	['한국어: 경고!!! 모든 문서, 사진, 데이테베이스 및 기타 중요한 파일이 암호화되었습니다!!\n당신은 돈을 지불해야 합니다\n비트코인 5만원을 fasfry2323@naver.com로 보내십시오 비트코인 지불코드: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX 결제 사이트 http://www.localbitcoins.com/ \nEnglish: Warning!!! All your documents, photos, databases and other important personal files were encrypted!!\nYou have to pay for it.\nSend fifty thousand won to fasfry2323@naver.com Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/']
ransomnotes-filenames	['Warning!!!!!!.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/f/file-locker/ransom-note%20-%20Copy.jpg']

CommonRansom

A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim's files.

Internal MISP references

UUID c0dffb94-dcee-11e8-81b9-3791d1c6638f which can be used as unique global reference for CommonRansom in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.[old@nuke.africa].CommonRansom']
payment-method	Bitcoin
price	0.1
ransomnotes	["+-----------------------+\n¦----+CommonRansom+-----¦\n+-----------------------+\nHello dear friend,\nYour files were encrypted!\nYou have only 12 hours to decrypt it\nIn case of no answer our team will delete your decryption password\nWrite back to our e-mail: old@nuke.africa\n\n\nIn your message you have to write:\n1. This ID-[VICTIM_ID]\n2. [IP_ADDRESS]:PORT(rdp) of infected machine\n3. Username:Password with admin rights\n4. Time when you have paid 0.1 btc to this bitcoin wallet:\n35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF\n\n\nAfter payment our team will decrypt your files immediatly\n\n\nFree decryption as guarantee:\n1. File must be less than 10MB\n2. Only .txt or .lnk files, no databases\n3. Only 5 files\n\n\nHow to obtain bitcoin:\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/"]
ransomnotes-filenames	['DECRYPTING.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/c/CommonRansom/ransom-note.jpg']

God Crypt Joke Ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. Has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular God Crypt Joke Ransomware.

Known Synonyms
Godsomware v1.0
Ransomware God Crypt

Internal MISP references

UUID 1b74bfda-c32c-4713-8ff6-793d8e787645 which can be used as unique global reference for God Crypt Joke Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1048616343975682048 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin Website

DecryptFox Ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.

Internal MISP references

UUID a920dea5-9f30-4fa2-9665-63f306874381 which can be used as unique global reference for DecryptFox Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://twitter.com/demonslay335/status/1049325784979132417 - webarchive

Associated metadata

Metadata key	Value
extensions	['.encr']
payment-method	Email
ransomnotes	['Attention! All your files are encrypted!\nTo recover your files and access them,\nsend a message with your id to email DecryptFox@protonmail.com\n \nPlease note when installing or running antivirus will be deleted\n important file to decrypt your files and data will be lost forever!!!!\n \nYou have 5 attempts to enter the code. If you exceed this\nthe number, all the data, will be irreversibly corrupted. Be\ncareful when entering the code!\n \nyour id [redacted 32 lowercase hex]']
ransomnotes-filenames	['readmy.txt']

garrantydecrypt

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt

Internal MISP references

UUID f251740b-1594-460a-a378-371f3a2ae92c which can be used as unique global reference for garrantydecrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/ - webarchive
• https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.garrantydecrypt']
payment-method	Bitcoin
price	780 $
ransomnotes-filenames	['#RECOVERY_FILES#.txt']

MVP Ransomware

Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.

Internal MISP references

UUID ea643bfd-613e-44d7-9408-4991d53e08fa which can be used as unique global reference for MVP Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/siri_urz/status/1039077365039673344 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.mvp']
payment-method	Bitcoin
price	1
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/mvp.jpg']

StorageCrypter

Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StorageCrypter.

Known Synonyms
SambaCry

Internal MISP references

UUID 3675e50d-3f76-45f8-b3f3-4a645779e14d which can be used as unique global reference for StorageCrypter in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.8
ransomnotes	["All your important files on this device have been encrypted.\n\nNo one can decrypt your files except us.\n\nIf you want to recover all your files. contact us via E-mail.\nDON'T forget to send us your ID!!!\n\nTo recover your files,You have to pay 0.8 bitcoin.\n\n\n\n\nContact Email : Leviathan13@protonmail.com\n\nYour ID :\n\n[redacted 0x200 bytes in base64 form]\n\n\nFree decryption as guarantee\n\nIf you can afford the specified amount of bitcoin,\nyou can send to us up to 2 files for demonstration.\n\nPlease note that files must NOT contain valuable information\nand their total size must be less than 2Mb."]
ransomnotes-filenames	['read_me_for_recover_your_files.txt']

Rektware

GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension

Internal MISP references

UUID e90a57b5-cd17-4dce-b83f-d007053c7b35 which can be used as unique global reference for Rektware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/ - webarchive
• https://twitter.com/GrujaRS/status/1040677247735279616 - webarchive

Associated metadata

Metadata key	Value
extensions	['.CQScSFy']
payment-method	Email

M@r1a ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular M@r1a ransomware.

Known Synonyms
BlackHeart
M@r1a

Internal MISP references

UUID 1009b7f3-e737-49fd-a872-1e0fd1df4c00 which can be used as unique global reference for M@r1a ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1058775145005887489 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.mariacbc']
payment-method	Bitcoin
price	0.002 (50 $)
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/9/moira.jpg']

"prepending (enc) ransomware" (Not an official name)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular "prepending (enc) ransomware" (Not an official name).

Known Synonyms
Aperfectday2018

Internal MISP references

UUID ad600737-6d5f-4771-ae80-3e434e29c749 which can be used as unique global reference for "prepending (enc) ransomware" (Not an official name) in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1059470985055875074 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/ - webarchive

Associated metadata

Metadata key	Value
extensions	['(enc) prepend']
payment-method	Bitcoin
price	25 000 sek (sweden)
ransomnotes	["Hi. Thank you for using my program. If you're reading this, a lot of your files have\nbeen encrypted. To decrypt them, you need my decryption program. For this, I want 25 000 sek, I want\nthem in bitcoin. Email me when you've paid with details about the transaction. I'll give you two days.\nIf you have not paid in two days(from the day you received the email), It will cost 1000 sek more per day.\n If I have not heard from you after five days (from the day you received the email), I assume your files are not that\nimportant to you. So I'll delete your decryption-key, and you will never see your files again.\n\n\nAfter the payment, email me the following information:\n the bitcoin address you sent from (important, write it down when you do the transaction)\n the ID at the bottom of this document (this is important!! Otherwise I don't know which key belongs\nto you).\nThen I will send you the decryption-program and provide you with instructions of how to remove\nthe virus if you have not already figured it out.\n\n\nEmail:\naperfectday2018@protonmail.com\n\nBitcoin adress: \n1LX3tBkW161hoF5DbGzbrm3sdXaF6XHv2D\n\nMake sure to get the bitcoin adress right, copy and paste and double check. If you send the bitcoin\nto the wrong adress, it will be lost forever. You cant stop or regret a bitcoin transaction.\n\n\nIMPORTANT: \n\nDo not loose this document. You also have a copy of it on your desktop.\nDo NOT change any filenames!!! !!!\n\n\nThank you for the money, it means a lot to me. \n\n\n\nID: [redacted 13 numbers]"]
ransomnotes-filenames	['aboutYourFiles.txt']

PyCL Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PyCL Ransomware.

Known Synonyms
Dxh26wam

Internal MISP references

UUID f7fa6978-c932-4e62-b4fc-3fbbbc195602 which can be used as unique global reference for PyCL Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1060921043957755904 - webarchive

Associated metadata

Metadata key	Value
extensions	['.impect']
payment-method	Bitcoin
price	300 $
ransomnotes	['Attention MOTHERFUCKER!\n\nAll your main files were encrypted!\n\nYour personal files (documents, databases, jpeg, docx, doc,\netc.) were encrypted, their further using impossible.\nTO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR\nSOFTWARE WILL ALLOW YOU DECRYPT YOUR FILES.\nNOTE:\nYou have only 6 hours from the moment when an encryption was done to buy our software at $300, in bitcoin\nYou all files will get deleted after the lapse of 6 hours.\nAny attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.\nDo not send any emails with threats and rudeness to us. Example of email format: Hi, I need a decryption of my files.\n\nBitcoin address = 1GstvLM6SumX3TMMgN9PvXQsEy3FR9ZqWX\n\nContact us by email only: ayaan321308@gmail.com']
ransomnotes-filenames	['how to get back you files.txt']
ransomnotes-refs	['https://pbs.twimg.com/media/DrkmCriWwAMCdqF.jpg']

Vapor Ransomware

MalwareHunterTeam discovered the Vapor Ransomware that appends the .Vapor extension to encrypted files. Will delete files if you do not pay in time.

Internal MISP references

UUID f53205a0-7a8f-41d1-a427-bf3ab9bd77bb which can be used as unique global reference for Vapor Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1063769884608348160 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.Vapor']
payment-method	Email
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/vapor.jpg']

EnyBenyHorsuke Ransomware

GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.

Internal MISP references

UUID 677aeb47-587d-40a4-80b7-22672ba1160c which can be used as unique global reference for EnyBenyHorsuke Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive
• https://twitter.com/GrujaRS/status/1063930127610986496 - webarchive

Associated metadata

Metadata key	Value
extensions	['.Horsuke ']
payment-method	Bitcoin
price	0.00000001
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsPVGaHXcAAtnXz[1].jpg']

DeLpHiMoRix

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DeLpHiMoRix.

Known Synonyms
DelphiMorix
DelphiMorix!

Internal MISP references

UUID 7f82fb04-1bd2-40a1-9baa-895b53c6f7d4 which can be used as unique global reference for DeLpHiMoRix in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/petrovic082/status/1065223932637315074 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/ - webarchive
• https://twitter.com/demonslay335/status/1066099799705960448 - webarchive

Associated metadata

Metadata key	Value
extensions	['.demonslay335_you_cannot_decrypt_me!', '.malwarehunterteam']
payment-method	Bitcoin
price	999999.5
ransomnotes-filenames	['!=How_recovery_files=!.html']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsiUA0LXgAAoqkd[1].jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsuMFrZW0AIIUXs[1].jpg']

EnyBeny Nuclear Ransomware

@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.

Internal MISP references

UUID 950d5501-b5eb-4f53-b33d-76e789912c16 which can be used as unique global reference for EnyBeny Nuclear Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/ - webarchive
• https://twitter.com/GrujaRS/status/1066799421080461312 - webarchive
• https://www.youtube.com/watch?v=_aaFon7FVbc - webarchive

Associated metadata

Metadata key	Value
extensions	['.PERSONAL_ID:.Nuclear']
payment-method	Bitcoin
price	0.00000001
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg', 'https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg', 'https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg']

Lucky Ransomware

Michael Gillespie discovered a new ransomware that renamed encrypted files to "[[email]][original].[random].lucky" and drops a ransom note named How_To_Decrypt_My_File.txt.

Internal MISP references

UUID a8eb9743-dfb6-4e13-a95e-e68153df94e9 which can be used as unique global reference for Lucky Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1067109661076262913 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/ - webarchive

Associated metadata

Metadata key	Value
extensions	['[]..lucky']
payment-method	Bitcoin
price	1
ransomnotes	['I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]']
ransomnotes-filenames	['How_To_Decrypt_My_File.txt']

WeChat Ransom

Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WeChat Ransom.

Known Synonyms
UNNAMED1989

Internal MISP references

UUID b2aa807d-98fa-48e4-927b-4e81a50736e5 which can be used as unique global reference for WeChat Ransom in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/ - webarchive
• https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Yuan
price	110 (16 $)

IsraBye

Internal MISP references

UUID 3ade75c8-6ef7-4c54-84d0-cab0161d3415 which can be used as unique global reference for IsraBye in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/ - webarchive
• https://www.youtube.com/watch?v=QevoUzbqNTQ - webarchive
• https://twitter.com/GrujaRS/status/1070011234521673728 - webarchive

Associated metadata

Metadata key	Value
extensions	['.israbye']
payment-method	Politic
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dtlxf0eW4AAJCdZ[1].jpg', 'https://pbs.twimg.com/media/DtlxfFsW4AAs-Co.jpg']

Dablio Ransomware

Internal MISP references

UUID d3337bec-fd4e-11e8-a3ad-e799cc59c59c which can be used as unique global reference for Dablio Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/struppigel/status/1069905624954269696 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/ - webarchive

Associated metadata

Metadata key	Value
extensions	['prepend (encrypted)']
payment-method	Bitcoin Website
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/DtkQKCDWoAM13kD[1].jpg']

Related clusters

To see the related clusters, click here.

Gerber Ransomware 1.0

Internal MISP references

UUID 3bcc725f-6b89-4350-ad79-f50daa30f74e which can be used as unique global reference for Gerber Ransomware 1.0 in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/ - webarchive
• https://twitter.com/petrovic082/status/1071003939015925760 - webarchive
• https://twitter.com/Emm_ADC_Soft/status/1071716275590782976 - webarchive

Associated metadata

Metadata key	Value
extensions	['.XY6LR', '.gerber5', '.FJ7QvaR9VUmi']
payment-method	Email
ransomnotes-filenames	['DECRYPT.txt']
ransomnotes-refs	['https://pbs.twimg.com/media/Dtz4PD2WoAIWtRv.jpg', 'https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/14/Dt-APfCW0AADWV8[1].jpg']

Gerber Ransomware 3.0

Internal MISP references

UUID 54240144-05c2-43f0-8386-4301a85330bb which can be used as unique global reference for Gerber Ransomware 3.0 in MISP communities and other software using the MISP galaxy

Outsider

Internal MISP references

UUID 9ebfa028-a9dd-46ec-a915-1045fb297824 which can be used as unique global reference for Outsider in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/ - webarchive
• https://twitter.com/GrujaRS/status/1071153192975642630 - webarchive
• https://www.youtube.com/watch?v=iB019lDvArs - webarchive

Associated metadata

Metadata key	Value
extensions	['.protected']
payment-method	Bitcoin
price	900 $
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/december/7/Dt1_DpMXcAMC8J_[1].jpg']

JungleSec

Uses http://ccrypt.sourceforge.net/ encryption program

Internal MISP references

UUID 23fcbbf1-93ee-4baf-9082-67ca26553643 which can be used as unique global reference for JungleSec in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1071123090564923393 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.3

EQ Ransomware

GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.

Internal MISP references

UUID edd4c8d0-d971-40a6-b7c6-5c57a4b51e48 which can be used as unique global reference for EQ Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/GrujaRS/status/1071349228172124160 - webarchive
• https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/ - webarchive
• https://www.youtube.com/watch?v=uHYY6XZZEw4 - webarchive

Associated metadata

Metadata key	Value
extensions	['.fuck']
payment-method	Bitcoin
price	1
ransomnotes-filenames	['README_BACK_FILES.htm']
ransomnotes-refs	['https://pbs.twimg.com/media/Dt4xTDjWwAEBjBh.jpg']

Mercury Ransomware

extension ".Mercury", note "!!!READ_IT!!!.txt" with 4 different 64-char hex as ID, 3 of which have dashes. Possible filemarker, same in different victim's files.

Internal MISP references

UUID 968cf828-0653-4d86-a01d-186db598f391 which can be used as unique global reference for Mercury Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1072164314608480257 - webarchive

Associated metadata

Metadata key	Value
extensions	['.mercury']
payment-method	Email
ransomnotes	["!!! ATTENTION, YOUR FILES WERE ENCRYPTED !!!\n\nPlease follow few steps below:\n\n1.Send us your ID.\n2.We can decrypt 1 file what would you make sure that we have decription tool!\n3.Then you'll get payment instruction and after payment you will get your decryption tool!\n\n\n Do not try to rename files!!! Only we can decrypt all your data!\n\n Contact us:\n\ngetmydata@india.com\nmydataback@aol.com\n\n Your ID:[redacted 64 uppercase hex]:[redacted 64 uppercase hex with dashes]\n[redacted 64 uppercase hex with dashes]:[redacted 64 uppercase hex with dashes]"]
ransomnotes-filenames	['!!!READ_IT!!!.txt']

Forma Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Forma Ransomware.

Known Synonyms
FORMA

Internal MISP references

UUID ea390fa7-94ac-4287-8a2d-c211330671b0 which can be used as unique global reference for Forma Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/GrujaRS/status/1072468548977680385 - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Email
ransomnotes-filenames	['ODSZYFRFUJ_PLIKI_TERAZ.txt']
ransomnotes-refs	['https://pbs.twimg.com/media/DuIsIoWXQAEGKlr.jpg']

Djvu

Internal MISP references

UUID e37ddc9e-8ceb-4817-a17e-755aa379ed14 which can be used as unique global reference for Djvu in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/demonslay335/status/1072907748155842565 - webarchive

Associated metadata

Metadata key	Value
extensions	['.djvu']
payment-method	Email
ransomnotes	["---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED ----------------------------------------------- \n\nDon't worry, you can return all your files!\nAll your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nThis software will decrypt all your encrypted files.\nWhat guarantees do we give to you?\nYou can send one of your encrypted file from your PC and we decrypt it for free.\nBut we can decrypt only 1 file for free. File must not contain valuable information\nDon't try to use third-party decrypt tools because it will destroy your files.\nDiscount 50% available if you contact us first 72 hours.\n\n---------------------------------------------------------------------------------------------------------------------------\n\n\nTo get this software you need write on our e-mail:\nhelpshadow@india.com\n\nReserve e-mail address to contact us:\nhelpshadow@firemail.cc\n\nYour personal ID:\n[redacted 43 alphanumeric chars]"]
ransomnotes-filenames	['_openme.txt']

Ryuk ransomware

Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.

Internal MISP references

UUID f9464c80-b776-4f37-8682-ffde0cf8f718 which can be used as unique global reference for Ryuk ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	13.57
ransomnotes-filenames	['RyukReadMe.txt']
ransomnotes-refs	['https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig3.png', 'https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png']

BitPaymer

In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BitPaymer.

Known Synonyms
FriedEx
IEncrypt

Internal MISP references

UUID 09fa0e0a-f0b2-46ea-8477-653e627b1c22 which can be used as unique global reference for BitPaymer in MISP communities and other software using the MISP galaxy

External references

• https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin Email

LockerGoga

Internal MISP references

UUID 1e19dae5-80c3-4358-abcd-2bf0ba4c76fe which can be used as unique global reference for LockerGoga in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/ - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf - webarchive

Associated metadata

Metadata key	Value
extensions	['.locked']
payment-method	Email
ransomnotes-filenames	['README-NOW.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/u/1100723/Ransomware/LockerGoga-ransom-note.png']

Related clusters

To see the related clusters, click here.

Princess Evolution

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates. The new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Princess Evolution.

Known Synonyms
PrincessLocker Evolution

Internal MISP references

UUID 53da7991-62b7-4fe2-af02-447a0734f41d which can be used as unique global reference for Princess Evolution in MISP communities and other software using the MISP galaxy

External references

• https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.12 (773 $)

Jokeroo

A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server. According to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jokeroo.

Known Synonyms
Fake GandCrab

Internal MISP references

UUID 8cfa694b-3e6b-410a-828f-037d981870b2 which can be used as unique global reference for Jokeroo in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.0077

GlobeImposter

During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.

Internal MISP references

UUID a4631cef-dc51-4bee-a51f-3f1ea75ff201 which can be used as unique global reference for GlobeImposter in MISP communities and other software using the MISP galaxy

External references

• https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.35

BlackWorm

BlackWorm Ransomware is a malicious computer infection that encrypts your files, and then does everything it can to prevent you from restoring them. It needs you to pay $200 for the decryption key, but there is no guarantee that the people behind this infection would really issue the decryption tool for you.

Internal MISP references

UUID 457e9a45-607e-41ef-8ad1-bf8684722445 which can be used as unique global reference for BlackWorm in MISP communities and other software using the MISP galaxy

External references

• https://spyware-techie.com/blackworm-ransomware-removal-guide - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	200 $

Tellyouthepass

Tellyouthepass is a ransomware that alters system files, registry entries and encodes personal photos, documents, and servers or archives. Army-grade encryption algorithms get used to change the original code of the file and make the data useless.

Internal MISP references

UUID c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79 which can be used as unique global reference for Tellyouthepass in MISP communities and other software using the MISP galaxy

External references

• https://malware.wikia.org/wiki/Tellyouthepass - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.2

BigBobRoss

BigBobRoss ransomware is the cryptovirus that requires a ransom in Bitcoin to return encrypted files marked with .obfuscated appendix.

Internal MISP references

UUID 5d3fc33b-8e90-4d9d-8f45-f047264ce8cb which can be used as unique global reference for BigBobRoss in MISP communities and other software using the MISP galaxy

External references

• https://www.2-spyware.com/remove-bigbobross-ransomware.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

Planetary

First discovered by malware security analyst, Lawrence Abrams, PLANETARY is an updated variant of another high-risk ransomware called HC7.

Internal MISP references

UUID 7c742031-6b3d-4c3a-8b36-9154a6dc7b30 which can be used as unique global reference for Planetary in MISP communities and other software using the MISP galaxy

External references

• https://www.pcrisk.com/removal-guides/12121-planetary-ransomware - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

Cr1ptT0r

Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cr1ptT0r.

Known Synonyms
Cr1pt0r
Criptt0r
Cripttor

Internal MISP references

UUID e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e which can be used as unique global reference for Cr1ptT0r in MISP communities and other software using the MISP galaxy

External references

• https://www.coveware.com/blog/2019/3/13/cr1ptt0r-ransomware-targets-nas-devices-with-old-firmware - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

Sodinokibi

Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called "Sodinokibi." Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco's Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sodinokibi.

Known Synonyms
REvil
Revil

Internal MISP references

UUID 24bd9a4b-2b66-428b-8e1c-6b280b056c00 which can be used as unique global reference for Sodinokibi in MISP communities and other software using the MISP galaxy

External references

• https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html - webarchive

Associated metadata

Metadata key	Value
links	['http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/', 'http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/', 'http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion/Blog']

Phobos

Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phobos.

Known Synonyms
Java NotDharma

Internal MISP references

UUID d2c7fb08-293e-453b-a213-adeb79505767 which can be used as unique global reference for Phobos in MISP communities and other software using the MISP galaxy

External references

• https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/ - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin

GetCrypt

A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit.

Internal MISP references

UUID 7c9df1bd-9212-4ce3-b407-636e41bc4eea which can be used as unique global reference for GetCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	300 $

Nemty

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

Internal MISP references

UUID 5fb75933-1ed5-4512-a062-d39865eedab0 which can be used as unique global reference for Nemty in MISP communities and other software using the MISP galaxy

External references

• https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections - webarchive

Associated metadata

Metadata key	Value
links	['http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion']
payment-method	Bitcoin
price	1000 $

Related clusters

To see the related clusters, click here.

Buran

Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.

Internal MISP references

UUID a92b2165-29e7-463a-b3d5-c8b7d8a25f65 which can be used as unique global reference for Buran in MISP communities and other software using the MISP galaxy

External references

• https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit - webarchive

Associated metadata

Metadata key	Value

Hildacrypt

The Hildacrypt ransomware encrypts the victim’s files with a strong encryption algorithm and the filename extension .hilda until the victim pays a fee to get them back.

Internal MISP references

UUID 25fcb177-7219-4414-b5de-8aeb2e6d146f which can be used as unique global reference for Hildacrypt in MISP communities and other software using the MISP galaxy

External references

• https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/ - webarchive

Associated metadata

Metadata key	Value

Mr.Dec

Mr. Dec ransomware is cryptovirus that was first spotted in mid-May 2018, and since then was updated multiple times. The ransomware encrypts all personal data on the device with the help of AES encryption algorithm and appends .[ID]random 16 characters[ID] file extension, preventing from their further usage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mr.Dec.

Known Synonyms
MrDec
Sherminator

Internal MISP references

UUID 2e8aa6da-00b1-4222-b212-c48a7348893c which can be used as unique global reference for Mr.Dec in MISP communities and other software using the MISP galaxy

External references

• https://www.2-spyware.com/remove-mr-dec-ransomware.html - webarchive
• https://id-ransomware.blogspot.com/2018/05/mrdec-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES

Freeme

Freezing crypto ransomware encrypts user data using AES, and then requires a ransom in # BTC to return the files. Original title: not indicated in the note. The file says: FreeMe.exe

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Freeme.

Known Synonyms
Freezing

Internal MISP references

UUID 9b074569-b90c-44e6-b9b2-e6e19a48118d which can be used as unique global reference for Freeme in MISP communities and other software using the MISP galaxy

External references

• http://id-ransomware.blogspot.com/2019/06/freeme-freezing-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES

DoppelPaymer

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoppelPaymer.

Known Synonyms
BitPaymer
FriedEx
IEncrypt
Pay OR Grief

Internal MISP references

UUID 3d8989dc-9a10-4cae-ab24-ff0abed487f4 which can be used as unique global reference for DoppelPaymer in MISP communities and other software using the MISP galaxy

External references

• https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer - webarchive

Associated metadata

Metadata key	Value
encryption	AES
links	['http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/']

Desync

This crypto ransomware encrypts enterprise LAN data with AES (ECB mode), and then requires a ransom in # BTC to return the files.

Internal MISP references

UUID e5288fc1-ff2a-4992-a1fb-6a8ef612de51 which can be used as unique global reference for Desync in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html - webarchive

Associated metadata

Metadata key	Value
encryption	AES

Maze

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Internal MISP references

UUID c60776a6-91dd-499b-8b4c-7940479e71fc which can be used as unique global reference for Maze in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.maze - webarchive
• https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us - webarchive

Associated metadata

Metadata key	Value
encryption	ChaCha20 and RSA
links	['http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion']

Related clusters

To see the related clusters, click here.

Cyborg Ransomware

Ransomware delivered using fake Windows Update spam

Internal MISP references

UUID 0a0b9311-8cbc-4d97-b337-42c9a018ebe0 which can be used as unique global reference for Cyborg Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-windows-update-spam-leads-to-cyborg-ransomware-and-its-builder/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.777']
ransomnotes-filenames	['Cyborg_DECRYPT.txt']
ransomnotes-refs	['https://npercoco.typepad.com/.a/6a0133f264aa62970b0240a4ebff1b200b-pi']

FTCode

A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.

Internal MISP references

UUID 6f9b7c54-45fa-422c-97f0-0f0c015e3c4e which can be used as unique global reference for FTCode in MISP communities and other software using the MISP galaxy

External references

• https://www.certego.net/en/news/malware-tales-ftcode/ - webarchive
• https://exchange.xforce.ibmcloud.com/collection/FTCODE-Ransomware-45dacdc2d5cf30722ced20b9d37988c2 - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode - webarchive

Associated metadata

Metadata key	Value
payment-method	Bitcoin
price	0.06

Clop

Observed for the first time in Febuary 2019, variant from CryptoMix Family, itself a variation from CryptXXX and CryptoWall family

Internal MISP references

UUID 21b349c3-ede2-4e11-abda-1444eb272eff which can be used as unique global reference for Clop in MISP communities and other software using the MISP galaxy

External references

• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.CIop', '.Clop', '.Ciop', '.Clop2']
links	['http://ekbgzchl6x2ias37.onion', 'http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/']

PornBlackmailer

A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.

Internal MISP references

UUID a1a730e2-f1a4-4d7b-9930-80529cd97f3c which can be used as unique global reference for PornBlackmailer in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes	['https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg']

KingOuroboros

This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.

Internal MISP references

UUID 303a07bf-c990-4fbe-ac7d-57b8c3cb29b6 which can be used as unique global reference for KingOuroboros in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html - webarchive

Associated metadata

Metadata key

Value

ransomnotes

['Your files has been safely encrypted\n---\nEncrypted files: 276\n*\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: **\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted.']

MAFIA Ransomware

The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MAFIA Ransomware.

Known Synonyms
Mafia

Internal MISP references

UUID 9ea6333f-1437-4a57-8acc-d73019378ef2 which can be used as unique global reference for MAFIA Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html - webarchive

Associated metadata

Metadata key	Value

5ss5c Ransomware

The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

Internal MISP references

UUID 8ac9fc73-05db-4be8-8f46-33bbd6b3502b which can be used as unique global reference for 5ss5c Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['如何解密我的文件.txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-T0B4txHlNHs/Xh4-raVFVtI/AAAAAAAACTE/R-YoW8QHFLsuD140AF9vD-_rOifULExUgCLcBGAsYHQ/s1600/note.PNG']

Nodera Ransomware

Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required NodeJS files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and are appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom are provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time dating back almost 2 years ago, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. For more information, see the QuickHeal blog post in the Reference section below.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nodera Ransomware.

Known Synonyms
Nodera

Internal MISP references

UUID 0529c53a-afe7-4549-899e-3f8735467f96 which can be used as unique global reference for Nodera Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://exchange.xforce.ibmcloud.com/collection/6f18908ce6d9cf4efb551911e00d9ec4 - webarchive
• https://blogs.quickheal.com/first-node-js-based-ransomware-nodera/ - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypted']

MegaCortex

Discovered in May 2019. dropped throught networks compromised by trojan like Emotet or TrickBot. Tools and methods used are similar to LockerGoga

Internal MISP references

UUID f1041289-f42b-416f-b649-7bb8e543011f which can be used as unique global reference for MegaCortex in MISP communities and other software using the MISP galaxy

External references

• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

RobinHood

Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrate data

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RobinHood.

Known Synonyms
HelpYemen

Internal MISP references

UUID 000fb0bf-8be3-4ff1-8bbd-cc0513bcdd89 which can be used as unique global reference for RobinHood in MISP communities and other software using the MISP galaxy

External references

• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive

Associated metadata

Metadata key	Value
links	['https://robinhoodleaks.tumblr.com']

Bart ransomware

Bart ransomware is distributed by the same Russian Cyber Mafia behind Dridex 220 and Locky. Bart doesn't communicate with a command and control (C&C) server, so it can encrypt files without being connected to a computer. Bart is spread to end users via phishing emails containing .zip attachments with JavaScript Code and use social engineering to trick users into opening the 'photo' attachments. The zipped files are obfuscated to make it more hard to tell what actions they are performing. See screenshot above for an example of what they look like. If opened, these attachments download and install the intermediary loader RockLoader which downloads Bart onto the machine over HTTPS. Once executed, it will first check the language on the infected computer. If the malware detects Russian, Belorussian, or Ukrainian, the ransomware will terminate and will not proceed with the infection. If it's any other language, it will start scanning the computer for certain file extensions to encrypt. Because Bart does not require communication with C&C infrastructure prior to encrypting files, Bart could possibly encrypt machines sitting behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bart ransomware.

Known Synonyms
Locky Bart

Internal MISP references

UUID 05d5263f-ec23-4279-bb98-55fc233d7e89 which can be used as unique global reference for Bart ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.knowbe4.com/bart-ransomware - webarchive

Associated metadata

Metadata key	Value

Razor

Razor was discovered by dnwls0719, it is a part of Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (make them unusable/inaccessible), change their filenames, create a ransom note and change victim's desktop wallpaper. Razor renames files by appending the ".razor" extension to their filenames. For example, it renames "1.jpg" to "1.jpg.razor", and so on. It creates a ransom note which is a text file named "#RECOVERY#.txt", this file contains instructions on how to contact Razor's developers (cyber criminals) and other details. As stated in the "#RECOVERY#.txt" file, this ransomware encrypts all files and information about how to purchase a decryption tool can be received by contacting Razor's developers. Victims supposed to contact them via razor2020@protonmail.ch, Jabber client (razor2020@jxmpp.jp) or ICQ client (@razor2020) and wait for further instructions. It is very likely that they will name a price of a decryption tool and/or key and provide cryptocurrency wallet's address that should be used to make a transaction. However, it is never a good idea to trust (pay) any cyber criminals/ransomware developers. It is common that they do not provide decryption tools even after a payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones who have tools that can decrypt files encrypted by their ransomware. In most cases victims have the only free and safe option: to restore files from a backup. Also, it is worth mentioning that files remain encrypted even after uninstallation of ransomware, its removal only prevents it from causing further encryptions.

Internal MISP references

UUID ea35282c-0686-4115-a001-bc4203549418 which can be used as unique global reference for Razor in MISP communities and other software using the MISP galaxy

External references

• https://www.pcrisk.com/removal-guides/17016-razor-ransomware - webarchive

Associated metadata

Metadata key	Value
extensions	['.razor']
ransomnotes	['All your files have been ENCRYPTED!!!\nWrite to our email: \n razor2020@protonmail.ch\n ICQ:\n @razor2020\n Or contact us via jabber:\n razor2020@jxmpp.jp\nJabber (Pidgin) client installation instructions, you can find on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+install\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\ntell your unique ID']
ransomnotes-filenames	['#RECOVERY#.txt']
ransomnotes-refs	['https://www.pcrisk.com/images/stories/screenshots202002/razor-ransom-note.jpg']

Wadhrama

Internal MISP references

UUID 42148074-196b-4f8c-b149-12163fc385fa which can be used as unique global reference for Wadhrama in MISP communities and other software using the MISP galaxy

External references

• https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=ransom:win32/wadhrama.c&ThreatID=2147730655 - webarchive

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

Mespinoza

Mespinoza ransomware is used at least since october 2018. First versions used the common extension ".locked". SInce december 2019 a new version in open sourced and documented, this new version uses the ".pyza" extension.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mespinoza.

Known Synonyms
Pysa
Pyza

Internal MISP references

UUID deed3c10-93b6-41b9-b150-f4dd1b665d87 which can be used as unique global reference for Mespinoza in MISP communities and other software using the MISP galaxy

External references

• https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/ - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf - webarchive

Associated metadata

Metadata key	Value
colt-average	70d
colt-median	66d
extensions	['.pyza', '.locked', '.pysa']
links	['http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/partners.html']
ransomnotes-filenames	['RECOVER_YOUR_DATA.txt']

CoronaVirus

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner. With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan. This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

Internal MISP references

UUID 575b2b3c-d762-4ba6-acbd-51ecdb57249f which can be used as unique global reference for CoronaVirus in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['CoronaVirus.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/ransom-note.jpg', 'https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/mbr-locker.jpg', 'https://www.bleepstatic.com/images/news/ransomware/c/coronavirus-ransomware/changed-mbrlocker-screen.jpg']

Snake Ransomware

Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It produced few new detected infections in the wild for the next few months. That was until May 4, when ID Ransomware registered a sudden spike in submissions for the ransomware.

Internal MISP references

UUID e390e1bb-2af1-4139-8e61-6e534d707dfb which can be used as unique global reference for Snake Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://www.cybersecurity-insiders.com/meet-the-snake-ransomware-which-encrypts-all-connected-devices/ - webarchive
• https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/ - webarchive
• https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['Decrypt-Your-Files.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/s/SNAKE/may-2020-campaign/snake-ransom-note.jpg']

eCh0raix

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below. eCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer. On June 1st, 2020, there has been a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.

Internal MISP references

UUID f3ded787-783e-4c6b-909a-8da01254380c which can be used as unique global reference for eCh0raix in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/ - webarchive
• https://www.anomali.com/blog/the-ech0raix-ransomware - webarchive

Associated metadata

Metadata key	Value
extensions	['.encrypt']
links	['http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion']
ransomnotes	['All your data has been locked(crypted).\n\u200bHow to unclock(decrypt) instruction located in this TOR website:\nhttp://sg3dwqfpnr4sl5hh.onion/order/[Bitcoin address]\nUse TOR browser for access .onion websites.\nhttps://duckduckgo.com/html?q=tor+browser+how+to\n\nDo NOT remove this file and NOT remove last line in this file!\n[base64 encoded encrypted data]']
ransomnotes-filenames	['README_FOR_DECRYPT.txt']

Egregor

The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.

Internal MISP references

UUID 8bd094a7-103f-465f-8640-18dcc53042e5 which can be used as unique global reference for Egregor in MISP communities and other software using the MISP galaxy

External references

• https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor - webarchive
• https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/ - webarchive
• https://cybersecuritynews.com/egregor-ransomware/ - webarchive
• https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['RECOVER-FILES.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg', 'https://2kjpox12cnap3zv36440iue7-wpengine.netdna-ssl.com/wp-content/uploads/2020/10/egregor-ransom-demanding-message.png']

Related clusters

To see the related clusters, click here.

SunCrypt

SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SunCrypt.

Known Synonyms
Sun
Suncrypt

Internal MISP references

UUID 4fa25527-99f6-42ee-aaf2-7ca395e5fabc which can be used as unique global reference for SunCrypt in MISP communities and other software using the MISP galaxy

External references

• https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware - webarchive
• https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/ - webarchive
• https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/ - webarchive

Associated metadata

Metadata key	Value
links	['http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion/', 'http://nbzzb6sa6xuura2z.onion']
ransomnotes-filenames	['YOUR_FILES_ARE_ENCRYPTED.HTML']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/s/suncrypt/maze-cartel/ransom-note.jpg']

LockBit

LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force. After gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LockBit.

Known Synonyms
ABCD ransomware

Internal MISP references

UUID 8eda8bf1-db5a-412d-8511-45e2f7621d51 which can be used as unique global reference for LockBit in MISP communities and other software using the MISP galaxy

External references

• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/ - webarchive
• https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware - webarchive

Associated metadata

Metadata key	Value
extensions	['.abcd', '.LockBit']
links	['http://lockbitkodidilol.onion']
ransomnotes-filenames	['Restore-My-Files.txt']
ransomnotes-refs	['https://www.mcafee.com/wp-content/uploads/2020/04/content-in-restore-my-files.png']

Related clusters

To see the related clusters, click here.

WastedLocker

WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection. Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.

Internal MISP references

UUID 6955c28e-e698-4bb2-8c70-ccc6d11ba1ee which can be used as unique global reference for WastedLocker in MISP communities and other software using the MISP galaxy

External references

• https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020 - webarchive
• https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/ - webarchive
• https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['_info']
ransomnotes-refs	['https://blog.malwarebytes.com/wp-content/uploads/2020/06/ransomnote.png']

Babuk Ransomsware

Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obsfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil. For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.

Internal MISP references

UUID c52a65d5-9bea-4a09-a81b-7f789ab48ce0 which can be used as unique global reference for Babuk Ransomsware in MISP communities and other software using the MISP galaxy

External references

• http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/ - webarchive

Associated metadata

Metadata key	Value
date	January 2021

Darkside

Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts. Through their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t. Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Darkside.

Known Synonyms
BlackMatter

Internal MISP references

UUID f514a46e-53ff-4f07-b75a-aed289cf221f which can be used as unique global reference for Darkside in MISP communities and other software using the MISP galaxy

External references

• https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/ - webarchive
• https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/ - webarchive
• https://darksidedxcftmqa.onion.foundation/ - webarchive

Associated metadata

Metadata key	Value
colt-average	11d
colt-median	7d
links	['http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/', 'http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion']

RansomEXX

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems. After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year. RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomEXX.

Known Synonyms
Defray 2018
Defray-777
Defray777
Ransom X

Internal MISP references

UUID dff71334-c173-45b6-8647-af66be0605d7 which can be used as unique global reference for RansomEXX in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx - webarchive
• https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html - webarchive
• https://github.com/Bleeping/Ransom.exx - webarchive
• https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/ - webarchive
• https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/ - webarchive
• https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/ - webarchive
• https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ - webarchive

Associated metadata

Metadata key	Value
extensions	['', '.', '.', '.txd0t', '.dbe', '.0s']
links	['http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/']
ransomnotes	['Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. ']
ransomnotes-filenames	['TXDOT_READ_ME! .Txt', ' _READ_ME! .txt']
ransomnotes-refs	['https://1.bp.blogspot.com/-hbdqo4g6OaE/XvpFV4qbjrI/AAAAAAAAT1I/RtASzBEd_VEZIhDCCCdaxrN0iGCnnocFwCLcBGAsYHQ/s1600/note-original.png', 'https://1.bp.blogspot.com/-A0tAbQoei_Y/X1UxQkema_I/AAAAAAAAVV8/QuJY6v3n6943ZFax3ztDt9FXwkpAKMPPACLcBGAsYHQ/s1600/note2-9-20.png', 'https://1.bp.blogspot.com/-RIwIgb6n0n4/X8-l2HIf88I/AAAAAAAAXRI/oyET6d1XSnwJXDIaJlwItyTFLcp4tz5mQCLcBGAsYHQ/s882/note-8-12-20.png']

CovidLock

Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device. The app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights. In fact, this ransomware does not encrypt nor steal anything and only lock the device with an hard coded code.

Internal MISP references

UUID b5fe83e9-c5d7-4b0e-99ab-4f1d356d1749 which can be used as unique global reference for CovidLock in MISP communities and other software using the MISP galaxy

External references

• https://www.zscaler.com/blogs/security-research/covidlock-android-ransomware-walkthrough-and-unlocking-routine - webarchive

Associated metadata

Metadata key	Value
ransomnotes-refs	['https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_lock_screen_edited_4.png', 'https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_pastebin_5.png']

Tycoon

This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education, SMBs, and software industries. Tycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.

Internal MISP references

UUID 39781a7a-cd3a-4e24-aeb8-94a767a2551b which can be used as unique global reference for Tycoon in MISP communities and other software using the MISP galaxy

External references

• https://cyberflorida.org/threat-advisory/tycoon-ransomware/ - webarchive
• https://usf.app.box.com/s/83xh0t5w99klrsoisorir7kgs14o972s - webarchive

Associated metadata

Metadata key	Value
date	december 2019

Ragnar Locker

Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ragnar Locker.

Known Synonyms
RagnarLocker

Internal MISP references

UUID e69f9836-873a-43d3-92a8-97ab783a4171 which can be used as unique global reference for Ragnar Locker in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/ - webarchive
• https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ - webarchive
• https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/ - webarchive

Associated metadata

Metadata key	Value
links	['http://rgleak7op734elep.onion', 'http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion/', 'http://p6o7m73ujalhgkiv.onion']

Related clusters

To see the related clusters, click here.

Sekhmet

Ransom.Sekhmet not only encrypts a victims files, but also threatens to publish them.

Internal MISP references

UUID 6fb1ea9e-5389-4932-8b22-c691b74b75a8 which can be used as unique global reference for Sekhmet in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/ - webarchive
• https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/ - webarchive
• https://blog.malwarebytes.com/detections/ransom-sekhmet/ - webarchive
• https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/ - webarchive

Associated metadata

Metadata key	Value
ransomnotes-filenames	['RECOVER-FILES.txt']
ransomnotes-refs	['https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png']

Related clusters

To see the related clusters, click here.

$$$

Ransomware

Internal MISP references

UUID 79bc13e7-6e96-4974-8110-ffd8e0d12e3e which can be used as unique global reference for $$$ in MISP communities and other software using the MISP galaxy

$ucyLocker

Ransomware

Internal MISP references

UUID b93d2b67-aabd-4e36-a3ca-2fdfc8f0ae3b which can be used as unique global reference for $ucyLocker in MISP communities and other software using the MISP galaxy

10001

Ransomware

Internal MISP references

UUID f90db14d-e3fd-4f34-b8f8-ba82534732aa which can be used as unique global reference for 10001 in MISP communities and other software using the MISP galaxy

05250lock

Ransomware

Internal MISP references

UUID cdcf2ad5-afc3-4b7c-8d03-839e54538858 which can be used as unique global reference for 05250lock in MISP communities and other software using the MISP galaxy

0kilobypt

Ransomware

Internal MISP references

UUID b4c4f949-2537-47cb-8ccd-653cc37b9309 which can be used as unique global reference for 0kilobypt in MISP communities and other software using the MISP galaxy

1337-Locker

Ransomware

Internal MISP references

UUID a663f830-5722-4798-abcf-6c02cb5ba515 which can be used as unique global reference for 1337-Locker in MISP communities and other software using the MISP galaxy

24H

Ransomware

Internal MISP references

UUID 0ec8cfbc-7f5b-45c6-9fc1-1bef0d8df161 which can be used as unique global reference for 24H in MISP communities and other software using the MISP galaxy

3nCRY

Ransomware

Internal MISP references

UUID d76b9b9e-a265-4253-a586-3121612d5f9d which can be used as unique global reference for 3nCRY in MISP communities and other software using the MISP galaxy

4rw5w

Ransomware

Internal MISP references

UUID c36a66c0-1d52-4a2e-ad9c-1965cd18d8f8 which can be used as unique global reference for 4rw5w in MISP communities and other software using the MISP galaxy

5ss5c(5ss5cCrypt)

Ransomware

Internal MISP references

UUID a617852d-480c-4e16-8983-1ea7c2543eea which can be used as unique global reference for 5ss5c(5ss5cCrypt) in MISP communities and other software using the MISP galaxy

777(Legion)

Ransomware

Internal MISP references

UUID a355ec31-a100-40f2-807b-27f3f0b71067 which can be used as unique global reference for 777(Legion) in MISP communities and other software using the MISP galaxy

7h9r

Ransomware

Internal MISP references

UUID 8f63b8d3-085d-4272-88ea-bf5334f845b1 which can be used as unique global reference for 7h9r in MISP communities and other software using the MISP galaxy

7z Portuguese

Ransomware

Internal MISP references

UUID 66f8ad61-5959-4888-bafe-9f9d4868b3a9 which can be used as unique global reference for 7z Portuguese in MISP communities and other software using the MISP galaxy

AAC

Ransomware

Internal MISP references

UUID 37479546-7993-4232-9766-de19b0755bc3 which can be used as unique global reference for AAC in MISP communities and other software using the MISP galaxy

ABCLocker

Ransomware

Internal MISP references

UUID 461327b8-c465-4d39-8987-dbeb9e296b08 which can be used as unique global reference for ABCLocker in MISP communities and other software using the MISP galaxy

Adonis

Ransomware

Internal MISP references

UUID 4f7f33e7-ab6a-4643-aa51-da59732a6932 which can be used as unique global reference for Adonis in MISP communities and other software using the MISP galaxy

AepCrypt

Ransomware

Internal MISP references

UUID 4d4c478d-2349-4d1c-8693-233517d226ec which can be used as unique global reference for AepCrypt in MISP communities and other software using the MISP galaxy

AES-Matrix

Ransomware

Internal MISP references

UUID c0590d85-d30d-4bf6-b245-4baeab6e6cae which can be used as unique global reference for AES-Matrix in MISP communities and other software using the MISP galaxy

AES-NI: April Edition

Ransomware

Internal MISP references

UUID adbd5acc-27d5-4483-8b9d-73cbda7498fa which can be used as unique global reference for AES-NI: April Edition in MISP communities and other software using the MISP galaxy

Afrodita

Ransomware

Internal MISP references

UUID 0c1587c6-ac37-48b5-8056-53f4fd454288 which can be used as unique global reference for Afrodita in MISP communities and other software using the MISP galaxy

Alco

Ransomware

Internal MISP references

UUID 417027d0-15bc-497e-98a2-a1aaa328fe44 which can be used as unique global reference for Alco in MISP communities and other software using the MISP galaxy

AllCry

Ransomware

Internal MISP references

UUID ef762a95-cb95-4a94-84df-2c083cbcf5a6 which can be used as unique global reference for AllCry in MISP communities and other software using the MISP galaxy

AlldataLocker

Ransomware

Internal MISP references

UUID 74101521-d42c-498a-9c1c-ee31672aaba5 which can be used as unique global reference for AlldataLocker in MISP communities and other software using the MISP galaxy

Amnesia

Ransomware

Internal MISP references

UUID f8194c43-d40b-47b5-966c-99ffbafa3934 which can be used as unique global reference for Amnesia in MISP communities and other software using the MISP galaxy

Amnesia-2

Ransomware

Internal MISP references

UUID 0372f2e5-9585-43b7-b171-d765edeedfa0 which can be used as unique global reference for Amnesia-2 in MISP communities and other software using the MISP galaxy

Anatova

Ransomware

Internal MISP references

UUID cbbf82f2-f614-4cd2-87ea-65262caa79c3 which can be used as unique global reference for Anatova in MISP communities and other software using the MISP galaxy

AnDROid

Ransomware

Internal MISP references

UUID 342ab9d1-70d5-460f-8870-dc6c89037d6d which can be used as unique global reference for AnDROid in MISP communities and other software using the MISP galaxy

AngryKite

Ransomware

Internal MISP references

UUID 3d519e27-01e8-4038-9eb5-8a3155cf20a7 which can be used as unique global reference for AngryKite in MISP communities and other software using the MISP galaxy

AnimusLocker

Ransomware

Internal MISP references

UUID 41de97ab-964c-46af-a003-b8158add1658 which can be used as unique global reference for AnimusLocker in MISP communities and other software using the MISP galaxy

Annabelle

Ransomware

Internal MISP references

UUID 9659d9ea-7110-46ef-befe-a1f3c2d1ade2 which can be used as unique global reference for Annabelle in MISP communities and other software using the MISP galaxy

Annabelle 2.1

Ransomware

Internal MISP references

UUID dc5e13f7-ab37-4a4f-a3e3-65a9347e3313 which can be used as unique global reference for Annabelle 2.1 in MISP communities and other software using the MISP galaxy

AnonCrack

Ransomware

Internal MISP references

UUID 40c30d33-3808-4b9e-a721-21cc967f7ab7 which can be used as unique global reference for AnonCrack in MISP communities and other software using the MISP galaxy

AnonPop

Ransomware

Internal MISP references

UUID 5ca1e51d-4f75-471c-b6d6-0f3ab84c5945 which can be used as unique global reference for AnonPop in MISP communities and other software using the MISP galaxy

AnteFrigus

Ransomware

Internal MISP references

UUID 2b5904c0-37f1-4e62-bdc4-2e3bdf9f8796 which can be used as unique global reference for AnteFrigus in MISP communities and other software using the MISP galaxy

Anti-DDos

Ransomware

Internal MISP references

UUID 8d435ed6-1e4e-4082-8407-de85c715a465 which can be used as unique global reference for Anti-DDos in MISP communities and other software using the MISP galaxy

Antihacker2017

Ransomware

Internal MISP references

UUID 2d9071ae-3e29-452a-8335-3525a5fa749e which can be used as unique global reference for Antihacker2017 in MISP communities and other software using the MISP galaxy

Anubi NotBTCWare

Ransomware

Internal MISP references

UUID 4a03bd26-20b0-4233-b021-8e6496fc42da which can be used as unique global reference for Anubi NotBTCWare in MISP communities and other software using the MISP galaxy

Apocalypse-Missing

Ransomware

Internal MISP references

UUID cba27bf4-1275-407f-ad81-9849ba3a6f45 which can be used as unique global reference for Apocalypse-Missing in MISP communities and other software using the MISP galaxy

ApolloLocker

Ransomware

Internal MISP references

UUID 63057077-494f-46af-b94d-902f5f526b76 which can be used as unique global reference for ApolloLocker in MISP communities and other software using the MISP galaxy

Argus

Ransomware

Internal MISP references

UUID c7f5c709-5624-4665-ac56-154b0e4eb594 which can be used as unique global reference for Argus in MISP communities and other software using the MISP galaxy

Armage

Ransomware

Internal MISP references

UUID 8686cf61-5612-4e7a-8a12-cc31ee5c4daf which can be used as unique global reference for Armage in MISP communities and other software using the MISP galaxy

Armageddon

Ransomware

Internal MISP references

UUID d2ff3b81-3d0c-471d-8f57-cfa7eaf75e7e which can be used as unique global reference for Armageddon in MISP communities and other software using the MISP galaxy

ArmaLocky

Ransomware

Internal MISP references

UUID c83ea76e-b34b-47f3-a7c3-9ac4239a6d46 which can be used as unique global reference for ArmaLocky in MISP communities and other software using the MISP galaxy

Arsium

Ransomware

Internal MISP references

UUID 6219e7b3-31e6-41b7-a519-9897ebc531b6 which can be used as unique global reference for Arsium in MISP communities and other software using the MISP galaxy

Assembly

Ransomware

Internal MISP references

UUID 0065470b-3cbd-45b9-a2ea-daa688a21521 which can be used as unique global reference for Assembly in MISP communities and other software using the MISP galaxy

Ataware

Ransomware

Internal MISP references

UUID d39b8edb-9607-4089-82f3-3a14a05cb372 which can be used as unique global reference for Ataware in MISP communities and other software using the MISP galaxy

Atchbo

Ransomware

Internal MISP references

UUID 3e5f91c2-96ca-4056-9043-39fe4327828a which can be used as unique global reference for Atchbo in MISP communities and other software using the MISP galaxy

ATLAS

Ransomware

Internal MISP references

UUID cb2d9643-46af-4512-be90-359bef60359f which can be used as unique global reference for ATLAS in MISP communities and other software using the MISP galaxy

Australian-AES

Ransomware

Internal MISP references

UUID cfba4795-cd22-4c8e-8067-9600e3cc56f4 which can be used as unique global reference for Australian-AES in MISP communities and other software using the MISP galaxy

AutoEncryptor

Ransomware

Internal MISP references

UUID a54e8231-6665-41b4-991c-1140a5fd8d00 which can be used as unique global reference for AutoEncryptor in MISP communities and other software using the MISP galaxy

AutoWannaCryV2

Ransomware

Internal MISP references

UUID 57970f54-2957-444d-a60d-5c10f129064c which can be used as unique global reference for AutoWannaCryV2 in MISP communities and other software using the MISP galaxy

Auuahk-Ouuohk

Ransomware

Internal MISP references

UUID 5225f660-288c-4e30-829c-a61d732ff10a which can be used as unique global reference for Auuahk-Ouuohk in MISP communities and other software using the MISP galaxy

AVCrypt

Ransomware

Internal MISP references

UUID 61fc0258-6fd5-481c-b044-2b5e22185049 which can be used as unique global reference for AVCrypt in MISP communities and other software using the MISP galaxy

AxCrypter

Ransomware

Internal MISP references

UUID 1ee82db5-c1f6-4b2c-96d0-e2f9519e5406 which can be used as unique global reference for AxCrypter in MISP communities and other software using the MISP galaxy

aZaZeL

Ransomware

Internal MISP references

UUID 71eef963-71ad-4641-9e73-3f78a5e2891c which can be used as unique global reference for aZaZeL in MISP communities and other software using the MISP galaxy

BadEncript

Ransomware

Internal MISP references

UUID 281091db-9517-4ac0-9315-6846f85c567f which can be used as unique global reference for BadEncript in MISP communities and other software using the MISP galaxy

Balbaz

Ransomware

Internal MISP references

UUID 76d8ccdb-37cf-4eb7-bb64-d3b48b0dfc89 which can be used as unique global reference for Balbaz in MISP communities and other software using the MISP galaxy

Baliluware

Ransomware

Internal MISP references

UUID 3d0b5aa1-3164-4db8-8c87-ced896784ab5 which can be used as unique global reference for Baliluware in MISP communities and other software using the MISP galaxy

Bam!

Ransomware

Internal MISP references

UUID dfce034f-30b2-4761-b55e-e88cafb4526a which can be used as unique global reference for Bam! in MISP communities and other software using the MISP galaxy

BananaCrypt

Ransomware

Internal MISP references

UUID 7f156e6d-7612-4e74-a5af-a53ea6d19b01 which can be used as unique global reference for BananaCrypt in MISP communities and other software using the MISP galaxy

BancoCrypt HT

Ransomware

Internal MISP references

UUID ac962a32-e2d2-4e64-ab29-524d570a0dcd which can be used as unique global reference for BancoCrypt HT in MISP communities and other software using the MISP galaxy

Barack Obama's EBBV

Ransomware

Internal MISP references

UUID e65f4496-0560-49ba-b52a-30df8f1a0d44 which can be used as unique global reference for Barack Obama's EBBV in MISP communities and other software using the MISP galaxy

Basilisque Locker

Ransomware

Internal MISP references

UUID 834bd641-fb8e-40b7-a310-da6aa3f67399 which can be used as unique global reference for Basilisque Locker in MISP communities and other software using the MISP galaxy

BASS-FES

Ransomware

Internal MISP references

UUID 736f68d4-9a7f-488d-a8ff-7fd4988c6399 which can be used as unique global reference for BASS-FES in MISP communities and other software using the MISP galaxy

BB

Ransomware

Internal MISP references

UUID d1846b2a-6017-4c18-8e7d-edcf831ada71 which can be used as unique global reference for BB in MISP communities and other software using the MISP galaxy

BeethoveN

Ransomware

Internal MISP references

UUID 0854242f-a664-43bf-b13f-d0e4b718c7b4 which can be used as unique global reference for BeethoveN in MISP communities and other software using the MISP galaxy

BestChangeRu

Ransomware

Internal MISP references

UUID aecde5c7-0d8b-41a3-9772-0aba95d87fac which can be used as unique global reference for BestChangeRu in MISP communities and other software using the MISP galaxy

BigBossHorse

Ransomware

Internal MISP references

UUID dda4fb07-113a-4feb-81e5-c04c35addcd3 which can be used as unique global reference for BigBossHorse in MISP communities and other software using the MISP galaxy

Birbware

Ransomware

Internal MISP references

UUID abc0f12a-0414-4049-8ee7-90bc1d5d98d9 which can be used as unique global reference for Birbware in MISP communities and other software using the MISP galaxy

BitCrypt

Ransomware

Internal MISP references

UUID 4be6c6d2-3417-41ce-8334-c31811c161db which can be used as unique global reference for BitCrypt in MISP communities and other software using the MISP galaxy

BitCrypt 2.0

Ransomware

Internal MISP references

UUID 06d438c7-81fa-4c2e-8a48-bd8e3d63a946 which can be used as unique global reference for BitCrypt 2.0 in MISP communities and other software using the MISP galaxy

BitKangoroo

Ransomware

Internal MISP references

UUID 5b45c3e8-7d91-41d4-a7d3-a7bbb0ebdd83 which can be used as unique global reference for BitKangoroo in MISP communities and other software using the MISP galaxy

BitPyLock

Ransomware

Internal MISP references

UUID f66ac6a3-e71c-4cf8-ac5b-02ca80749252 which can be used as unique global reference for BitPyLock in MISP communities and other software using the MISP galaxy

Bitshifter

Ransomware

Internal MISP references

UUID e92e4a0e-7fdb-482a-8ff9-3fa36eb0ca95 which can be used as unique global reference for Bitshifter in MISP communities and other software using the MISP galaxy

BKRansomware

Ransomware

Internal MISP references

UUID b7f51df4-138c-47fb-8c74-419478cc8cba which can be used as unique global reference for BKRansomware in MISP communities and other software using the MISP galaxy

Black Feather

Ransomware

Internal MISP references

UUID 47fcb57a-4d58-46df-a3f1-3c621c9c5508 which can be used as unique global reference for Black Feather in MISP communities and other software using the MISP galaxy

BlackFireEye

Ransomware

Internal MISP references

UUID 353e2676-d8c0-4e2b-bf7b-b12aaada96cf which can be used as unique global reference for BlackFireEye in MISP communities and other software using the MISP galaxy

BlackHat-Mehtihack

Ransomware

Internal MISP references

UUID 85fcfa86-65bc-4c35-8584-1f0515a61df3 which can be used as unique global reference for BlackHat-Mehtihack in MISP communities and other software using the MISP galaxy

BlackKingdom

Ransomware

Internal MISP references

UUID 6dccf9ae-d58d-4a45-baaf-cd873a2fd7bc which can be used as unique global reference for BlackKingdom in MISP communities and other software using the MISP galaxy

BlackMist

Ransomware

Internal MISP references

UUID a57d5a37-c3fc-4c26-aac0-0803d4ef8adb which can be used as unique global reference for BlackMist in MISP communities and other software using the MISP galaxy

Blackout

Ransomware

Internal MISP references

UUID b05ae01a-bcc4-4642-a165-40b503ad260f which can be used as unique global reference for Blackout in MISP communities and other software using the MISP galaxy

BlackPink

Ransomware

Internal MISP references

UUID 3485d93d-c6cd-4a45-85c9-6e3cda016ae6 which can be used as unique global reference for BlackPink in MISP communities and other software using the MISP galaxy

BlackRose

Ransomware

Internal MISP references

UUID 01fcca8a-a5b7-4683-b457-66a720f6e569 which can be used as unique global reference for BlackRose in MISP communities and other software using the MISP galaxy

BlackSheep

Ransomware

Internal MISP references

UUID 8fba79e8-a902-4fbe-8c84-67e2b266ddb6 which can be used as unique global reference for BlackSheep in MISP communities and other software using the MISP galaxy

Black Worm

Ransomware

Internal MISP references

UUID 14e57527-58cc-4e0a-8e14-9f00a0167610 which can be used as unique global reference for Black Worm in MISP communities and other software using the MISP galaxy

Blank

Ransomware

Internal MISP references

UUID 0ac4a0b6-c4db-408d-8b0d-7bd4fa7d9c5d which can be used as unique global reference for Blank in MISP communities and other software using the MISP galaxy

Blind

Ransomware

Internal MISP references

UUID 1edc8d40-837b-4ec2-9be4-15c63d5dd266 which can be used as unique global reference for Blind in MISP communities and other software using the MISP galaxy

Blitzkrieg

Ransomware

Internal MISP references

UUID 11a5a5ac-91f6-41b0-a4c9-010d7754f938 which can be used as unique global reference for Blitzkrieg in MISP communities and other software using the MISP galaxy

BlockFile12

Ransomware

Internal MISP references

UUID cda890bf-1d9e-4566-9bc7-3bb4cd3ee571 which can be used as unique global reference for BlockFile12 in MISP communities and other software using the MISP galaxy

BloodJaws

Ransomware

Internal MISP references

UUID a79b56a9-50e7-42c4-b8b6-fda1fa2dc097 which can be used as unique global reference for BloodJaws in MISP communities and other software using the MISP galaxy

Blooper

Ransomware

Internal MISP references

UUID 01ef6f02-22e4-478f-b02f-6515caf078e3 which can be used as unique global reference for Blooper in MISP communities and other software using the MISP galaxy

BlueCheeser

Ransomware

Internal MISP references

UUID 147e865d-90f6-4332-bdad-967ea69a4b11 which can be used as unique global reference for BlueCheeser in MISP communities and other software using the MISP galaxy

Bluerose

Ransomware

Internal MISP references

UUID 3c40df84-ef3b-4f59-86ed-a7a6acd0d902 which can be used as unique global reference for Bluerose in MISP communities and other software using the MISP galaxy

BOK

Ransomware

Internal MISP references

UUID 13f3e911-757c-401f-b2c9-fedf7f089d3f which can be used as unique global reference for BOK in MISP communities and other software using the MISP galaxy

BoooamCrypt

Ransomware

Internal MISP references

UUID 0c9f224c-2649-4aa7-bdce-fd8655b1fe92 which can be used as unique global reference for BoooamCrypt in MISP communities and other software using the MISP galaxy

BooM

Ransomware

Internal MISP references

UUID 88533a36-b417-4a90-888e-a4a70dab39fe which can be used as unique global reference for BooM in MISP communities and other software using the MISP galaxy

Boris HT

Ransomware

Internal MISP references

UUID 12007b9f-af6b-4dcd-ac50-99154b1045be which can be used as unique global reference for Boris HT in MISP communities and other software using the MISP galaxy

BrainLag

Ransomware

Internal MISP references

UUID c316df34-8f12-49ef-9534-b28b640047cc which can be used as unique global reference for BrainLag in MISP communities and other software using the MISP galaxy

BRansomware

Ransomware

Internal MISP references

UUID 3e83ee9d-bfc7-49bf-9ecf-6185d887b51e which can be used as unique global reference for BRansomware in MISP communities and other software using the MISP galaxy

Brick

Ransomware

Internal MISP references

UUID b1298047-13af-4241-b491-305ceb5af7e7 which can be used as unique global reference for Brick in MISP communities and other software using the MISP galaxy

BrickR

Ransomware

Internal MISP references

UUID 74284a53-0078-4819-817a-2283ff04e9d8 which can be used as unique global reference for BrickR in MISP communities and other software using the MISP galaxy

BtcKING

Ransomware

Internal MISP references

UUID 8903296a-2ebb-4ec6-97e4-2379348906ff which can be used as unique global reference for BtcKING in MISP communities and other software using the MISP galaxy

BTCWare-Aleta

Ransomware

Internal MISP references

UUID 52ce04e8-c764-4ded-8df6-f3df15a5b117 which can be used as unique global reference for BTCWare-Aleta in MISP communities and other software using the MISP galaxy

BTCWare-Gryphon

Ransomware

Internal MISP references

UUID d11b8d25-7731-43e6-8880-4ed6bc4d66cd which can be used as unique global reference for BTCWare-Gryphon in MISP communities and other software using the MISP galaxy

BTCWare-Master

Ransomware

Internal MISP references

UUID 6416e35d-8507-4144-b1ad-323161f25217 which can be used as unique global reference for BTCWare-Master in MISP communities and other software using the MISP galaxy

BTCWare-Nuclear

Ransomware

Internal MISP references

UUID a8bd5e60-954c-463d-94b6-a76c45310f6b which can be used as unique global reference for BTCWare-Nuclear in MISP communities and other software using the MISP galaxy

BTCWare-Onyon

Ransomware

Internal MISP references

UUID 670eec47-c2ae-491d-b102-328866b8a312 which can be used as unique global reference for BTCWare-Onyon in MISP communities and other software using the MISP galaxy

BTCWare-PayDay

Ransomware

Internal MISP references

UUID 7c37c90b-7750-4f5f-ba64-3f058ac83788 which can be used as unique global reference for BTCWare-PayDay in MISP communities and other software using the MISP galaxy

BTCWare-Wyvern

Ransomware

Internal MISP references

UUID f6246bb2-bb04-43ef-acbf-f88b5bc78440 which can be used as unique global reference for BTCWare-Wyvern in MISP communities and other software using the MISP galaxy

Bud

Ransomware

Internal MISP references

UUID 4f0ddce5-6f85-4f76-b93a-48e15d45f211 which can be used as unique global reference for Bud in MISP communities and other software using the MISP galaxy

BugWare

Ransomware

Internal MISP references

UUID 80b3b6cd-9cc7-4a98-b342-c83d7a167abf which can be used as unique global reference for BugWare in MISP communities and other software using the MISP galaxy

BulbaCrypt HT

Ransomware

Internal MISP references

UUID d3fdd556-cfb4-4aba-b4a9-6698a95cd17c which can be used as unique global reference for BulbaCrypt HT in MISP communities and other software using the MISP galaxy

BWall

Ransomware

Internal MISP references

UUID ce6c2b29-8195-4754-ae24-2e1321764afe which can be used as unique global reference for BWall in MISP communities and other software using the MISP galaxy

C0hen Locker

Ransomware

Internal MISP references

UUID cafacee4-da55-4ec0-ae5c-f7b9d80d0ebf which can be used as unique global reference for C0hen Locker in MISP communities and other software using the MISP galaxy

CA$HOUT

Ransomware

Internal MISP references

UUID d56bd7ad-8620-407f-9429-0ff3a0b106b9 which can be used as unique global reference for CA$HOUT in MISP communities and other software using the MISP galaxy

CainXPii

Ransomware

Internal MISP references

UUID 708623d0-bbc7-4a8c-9ef8-0266fbf44196 which can be used as unique global reference for CainXPii in MISP communities and other software using the MISP galaxy

Cephalo

Ransomware

Internal MISP references

UUID 5261a5d0-a1b0-46f4-b5ae-f32e2728b1cb which can be used as unique global reference for Cephalo in MISP communities and other software using the MISP galaxy

Cerberos

Ransomware

Internal MISP references

UUID cabe1175-a46b-47e4-9d25-655af0411208 which can be used as unique global reference for Cerberos in MISP communities and other software using the MISP galaxy

Charmant

Ransomware

Internal MISP references

UUID 1fc9a816-ba8d-4811-b930-e2b3c732566f which can be used as unique global reference for Charmant in MISP communities and other software using the MISP galaxy

Chekyshka

Ransomware

Internal MISP references

UUID c9bc4999-a62e-46d5-b0a2-56de5fcde9d5 which can be used as unique global reference for Chekyshka in MISP communities and other software using the MISP galaxy

ChernoLocker

Ransomware

Internal MISP references

UUID cabdc3c6-17cc-43f1-b469-2372be8d9474 which can be used as unique global reference for ChernoLocker in MISP communities and other software using the MISP galaxy

ChinaYunLong

Ransomware

Internal MISP references

UUID cfd553d0-385b-459a-bc24-dee116249614 which can be used as unique global reference for ChinaYunLong in MISP communities and other software using the MISP galaxy

Christmas

Ransomware

Internal MISP references

UUID 8b644615-af51-4f46-ad09-68274e48ce2b which can be used as unique global reference for Christmas in MISP communities and other software using the MISP galaxy

ClicoCrypter

Ransomware

Internal MISP references

UUID b87bf395-3e4f-4b2b-bad5-ac88a6c19741 which can be used as unique global reference for ClicoCrypter in MISP communities and other software using the MISP galaxy

ClicoCrypter-2

Ransomware

Internal MISP references

UUID 5a4c04f0-0d05-4068-ba64-bd4979b58d5c which can be used as unique global reference for ClicoCrypter-2 in MISP communities and other software using the MISP galaxy

Clouded

Ransomware

Internal MISP references

UUID 81b6aafe-7b16-4d86-94d7-23fc172d0b81 which can be used as unique global reference for Clouded in MISP communities and other software using the MISP galaxy

Cmd

Ransomware

Internal MISP references

UUID 5f784db9-36e0-4763-aebc-474b53558cef which can be used as unique global reference for Cmd in MISP communities and other software using the MISP galaxy

Codemanager

Ransomware

Internal MISP references

UUID 9bb10b99-a440-4dea-905c-87e95e13e1ae which can be used as unique global reference for Codemanager in MISP communities and other software using the MISP galaxy

Coin Locker

Ransomware

Internal MISP references

UUID 905eb47a-0494-402b-ac95-ad201627ff20 which can be used as unique global reference for Coin Locker in MISP communities and other software using the MISP galaxy

Comrade HT

Ransomware

Internal MISP references

UUID d3b9dd33-3928-4999-8934-aff1ec1fc1a8 which can be used as unique global reference for Comrade HT in MISP communities and other software using the MISP galaxy

CoNFicker

Ransomware

Internal MISP references

UUID e0d382e1-0ad3-476e-a953-e7f53c42a703 which can be used as unique global reference for CoNFicker in MISP communities and other software using the MISP galaxy

Coom

Ransomware

Internal MISP references

UUID 3f3bdf79-67c9-41f5-bc26-398b11cc9551 which can be used as unique global reference for Coom in MISP communities and other software using the MISP galaxy

CorruptCrypt

Ransomware

Internal MISP references

UUID 66f35862-3f0c-4328-a792-12e90b6baca8 which can be used as unique global reference for CorruptCrypt in MISP communities and other software using the MISP galaxy

Creeper

Ransomware

Internal MISP references

UUID 5dc6d20f-db0c-44e9-95a3-ee4adb1aa3ad which can be used as unique global reference for Creeper in MISP communities and other software using the MISP galaxy

Creepy

Ransomware

Internal MISP references

UUID a3ff8fe7-54b5-4404-b7b7-cf823027e647 which can be used as unique global reference for Creepy in MISP communities and other software using the MISP galaxy

Cripton

Ransomware

Internal MISP references

UUID 8d927c7b-2526-4cf4-a3e6-093f929fa264 which can be used as unique global reference for Cripton in MISP communities and other software using the MISP galaxy

Cripton7zp

Ransomware

Internal MISP references

UUID 5470834d-dc90-492f-8ed8-666c40911515 which can be used as unique global reference for Cripton7zp in MISP communities and other software using the MISP galaxy

Cry36

Ransomware

Internal MISP references

UUID d4a347c9-6f9b-4578-b7d2-fdcbc0c04d1d which can be used as unique global reference for Cry36 in MISP communities and other software using the MISP galaxy

Cry9

Ransomware

Internal MISP references

UUID 67543823-e4d9-4321-82a0-06820f6cc3e0 which can be used as unique global reference for Cry9 in MISP communities and other software using the MISP galaxy

CryCipher

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryCipher.

Known Synonyms
PayPalGenerator2019

Internal MISP references

UUID 92ca663a-347a-47d7-b7da-1208b84a7217 which can be used as unique global reference for CryCipher in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

CryForMe

Ransomware

Internal MISP references

UUID 381ef192-e5ee-4d58-86a3-de853837cb9e which can be used as unique global reference for CryForMe in MISP communities and other software using the MISP galaxy

Crying

Ransomware

Internal MISP references

UUID 654fdcba-0432-42e4-9ca9-8b89dd9f0d98 which can be used as unique global reference for Crying in MISP communities and other software using the MISP galaxy

CryMore

Ransomware

Internal MISP references

UUID 4b7d257a-db3a-418a-a295-56ead7fa573c which can be used as unique global reference for CryMore in MISP communities and other software using the MISP galaxy

Cryp70n1c

Ransomware

Internal MISP references

UUID b08ca08b-7561-4425-95c7-aa01589022cf which can be used as unique global reference for Cryp70n1c in MISP communities and other software using the MISP galaxy

Crypt0 HT

Ransomware

Internal MISP references

UUID 56cdf22e-2c02-4413-9d5f-e30d458c995c which can be used as unique global reference for Crypt0 HT in MISP communities and other software using the MISP galaxy

Crypt0

Ransomware

Internal MISP references

UUID be108e7d-d3d8-4e21-88d7-093d4674eb88 which can be used as unique global reference for Crypt0 in MISP communities and other software using the MISP galaxy

Crypt0L0cker

Ransomware

Internal MISP references

UUID e4f33b48-653a-4d11-94fd-16d81360e2af which can be used as unique global reference for Crypt0L0cker in MISP communities and other software using the MISP galaxy

Crypt0r

Ransomware

Internal MISP references

UUID b4841b77-1f57-4d7a-8801-1808ca291cfc which can be used as unique global reference for Crypt0r in MISP communities and other software using the MISP galaxy

Crypt12

Ransomware

Internal MISP references

UUID 291daba8-62d3-4bd0-bcfa-68dcba4425c5 which can be used as unique global reference for Crypt12 in MISP communities and other software using the MISP galaxy

CryptFuck

Ransomware

Internal MISP references

UUID 5a23ab82-e373-4429-99e9-743119000dea which can be used as unique global reference for CryptFuck in MISP communities and other software using the MISP galaxy

CryptGh0st

Ransomware

Internal MISP references

UUID d07b4335-f967-4e82-80dd-861cd3864c28 which can be used as unique global reference for CryptGh0st in MISP communities and other software using the MISP galaxy

Crypto_Lab

Ransomware

Internal MISP references

UUID 6181604f-86e3-4aca-acd1-e715092a5f0f which can be used as unique global reference for Crypto_Lab in MISP communities and other software using the MISP galaxy

CryptoApp

Ransomware

Internal MISP references

UUID 7864b740-8f71-43f0-afa8-585a12dd7a8b which can be used as unique global reference for CryptoApp in MISP communities and other software using the MISP galaxy

Crypto-Blocker

Ransomware

Internal MISP references

UUID bb0e8fd4-e737-4781-860c-9f97fc7724b6 which can be used as unique global reference for Crypto-Blocker in MISP communities and other software using the MISP galaxy

CryptoBoss

Ransomware

Internal MISP references

UUID 5ba61618-2e80-4330-88ef-101c5c1d8432 which can be used as unique global reference for CryptoBoss in MISP communities and other software using the MISP galaxy

CryptoCat

Ransomware

Internal MISP references

UUID 72be1360-a686-4f32-8179-a2a466d0898e which can be used as unique global reference for CryptoCat in MISP communities and other software using the MISP galaxy

CryptoClone

Ransomware

Internal MISP references

UUID 876c1bbb-0723-46b2-92a2-1fe0917e432a which can be used as unique global reference for CryptoClone in MISP communities and other software using the MISP galaxy

CryptoDark

Ransomware

Internal MISP references

UUID be33ab7d-d272-4430-8e8c-7fdbd379e188 which can be used as unique global reference for CryptoDark in MISP communities and other software using the MISP galaxy

CryptoGod 2017

Ransomware

Internal MISP references

UUID 4a9a48f2-5aa9-4a3c-9c7a-928ee513abf2 which can be used as unique global reference for CryptoGod 2017 in MISP communities and other software using the MISP galaxy

CryptoGod 2018

Ransomware

Internal MISP references

UUID 5360787b-68b8-4827-a38e-af04ae150943 which can be used as unique global reference for CryptoGod 2018 in MISP communities and other software using the MISP galaxy

CryptoLite

Ransomware

Internal MISP references

UUID 0cb45ddc-d7c7-42b8-b006-3aecff1d5ebc which can be used as unique global reference for CryptoLite in MISP communities and other software using the MISP galaxy

CryptolockerEmulator

Ransomware

Internal MISP references

UUID 97320061-1478-486c-ba54-62018fe31fdb which can be used as unique global reference for CryptolockerEmulator in MISP communities and other software using the MISP galaxy

CryptoLockerEU 2016

Ransomware

Internal MISP references

UUID ca054485-d14d-45df-92ae-47b9b4dbc4c7 which can be used as unique global reference for CryptoLockerEU 2016 in MISP communities and other software using the MISP galaxy

CryptoManiac

Ransomware

Internal MISP references

UUID 8538f7d6-9fcb-4070-bb0c-aff7bb7874f1 which can be used as unique global reference for CryptoManiac in MISP communities and other software using the MISP galaxy

CryptoMix-0000

Ransomware

Internal MISP references

UUID 20b848d1-3f21-403b-a4c8-c5d2a89faeb9 which can be used as unique global reference for CryptoMix-0000 in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Arena

Ransomware

Internal MISP references

UUID 771706fa-1015-4bcd-9a74-293285fcd051 which can be used as unique global reference for CryptoMix-Arena in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Azer

Ransomware

Internal MISP references

UUID ecaef53f-a4a2-4360-b8e1-cca7b606596a which can be used as unique global reference for CryptoMix-Azer in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Backup

Ransomware

Internal MISP references

UUID 2fec3512-9782-4b3b-a880-30fda4641858 which can be used as unique global reference for CryptoMix-Backup in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-CK

Ransomware

Internal MISP references

UUID 8c484784-308a-498f-948b-bc5df8ba4725 which can be used as unique global reference for CryptoMix-CK in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Coban

Ransomware

Internal MISP references

UUID aabd25a5-021a-49db-bda8-a922f41c678c which can be used as unique global reference for CryptoMix-Coban in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-DLL

Ransomware

Internal MISP references

UUID c1092c4f-91a1-469a-a144-c5d10a94fed6 which can be used as unique global reference for CryptoMix-DLL in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Empty

Ransomware

Internal MISP references

UUID 86d45c08-bb85-4d0f-a5d5-3d73d65bd2e5 which can be used as unique global reference for CryptoMix-Empty in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Error

Ransomware

Internal MISP references

UUID 41d393ee-a8ee-4a9d-b510-e1b6a59054f9 which can be used as unique global reference for CryptoMix-Error in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Exte

Ransomware

Internal MISP references

UUID ea68b5a8-6f9e-441a-a308-5e4fda8dbab6 which can be used as unique global reference for CryptoMix-Exte in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

Cryptomix-FILE

Ransomware

Internal MISP references

UUID 26fa33ba-528c-49f8-94c2-db4047a37bd0 which can be used as unique global reference for Cryptomix-FILE in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-MOLE66

Ransomware

Internal MISP references

UUID d61b7ace-ba80-4d79-9ff2-b6f80af5770b which can be used as unique global reference for CryptoMix-MOLE66 in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Noob

Ransomware

Internal MISP references

UUID ef2f721b-0bc0-4f2a-8803-263368fa467d which can be used as unique global reference for CryptoMix-Noob in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Ogonia

Ransomware

Internal MISP references

UUID 3c3b5442-f81f-4011-a176-f0f63e6fcd3f which can be used as unique global reference for CryptoMix-Ogonia in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Pirate

Ransomware

Internal MISP references

UUID 312c93ae-9405-445b-be11-2d0e4aec4f84 which can be used as unique global reference for CryptoMix-Pirate in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

CryptoMix-Revenge

Ransomware

Internal MISP references

UUID 6a8ed1dd-34f1-42a3-9d9a-f81d91f53f7c which can be used as unique global reference for CryptoMix-Revenge in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

Cryptomix-SERVER

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cryptomix-SERVER.

Known Synonyms
SERVER Cryptomix

Internal MISP references

UUID 460e3f42-15dc-4e73-ad39-76af8d272379 which can be used as unique global reference for Cryptomix-SERVER in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-Shark

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-Shark.

Known Synonyms
Shark CryptoMix

Internal MISP references

UUID fc5ee56f-3cd1-4120-9b33-48993987d98d which can be used as unique global reference for CryptoMix-Shark in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-System

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-System.

Known Synonyms
System CryptoMix

Internal MISP references

UUID 00ca9891-c7dd-44db-a374-14b92169741a which can be used as unique global reference for CryptoMix-System in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-Tastylock

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-Tastylock.

Known Synonyms
Tastylock CryptoMix

Internal MISP references

UUID d8fcab2d-f80c-4165-88f5-db29f7aa1087 which can be used as unique global reference for CryptoMix-Tastylock in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-Test

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-Test.

Known Synonyms
Test CryptoMix

Internal MISP references

UUID a4bac628-162c-4487-9bb5-c34e42dec72a which can be used as unique global reference for CryptoMix-Test in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-Wallet

Ransomware

Internal MISP references

UUID 51b0559d-547f-40c0-850a-df9f67c08baf which can be used as unique global reference for CryptoMix-Wallet in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

Cryptomix-WORK

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cryptomix-WORK.

Known Synonyms
WORK CryptoMix

Internal MISP references

UUID 99c5cbdd-9c04-4c18-bcdd-9ee9b4dba862 which can be used as unique global reference for Cryptomix-WORK in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-x1881

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-x1881.

Known Synonyms
x1881 CryptoMix

Internal MISP references

UUID b55c38f8-b369-4f91-904c-b0758927bd99 which can be used as unique global reference for CryptoMix-x1881 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-XZZX

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-XZZX.

Known Synonyms
XZZX CryptoMix

Internal MISP references

UUID e1eea458-c466-48d8-a121-f5fe14a1cc75 which can be used as unique global reference for CryptoMix-XZZX in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

CryptoMix-Zayka

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix-Zayka.

Known Synonyms
Zayka CryptoMix

Internal MISP references

UUID 548e3dcd-8448-4318-830a-b8fa46f34fd3 which can be used as unique global reference for CryptoMix-Zayka in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

Crypton

Ransomware

Internal MISP references

UUID 19d80d86-1f3d-47b5-82f1-5c2b3ab279d8 which can be used as unique global reference for Crypton in MISP communities and other software using the MISP galaxy

CryptoPatronum

Ransomware

Internal MISP references

UUID 02fef633-e89f-43f5-bf52-a4e18f670a2d which can be used as unique global reference for CryptoPatronum in MISP communities and other software using the MISP galaxy

CryptoPokemon

Ransomware

Internal MISP references

UUID 334525f2-9e02-4d7e-b866-6a950341b848 which can be used as unique global reference for CryptoPokemon in MISP communities and other software using the MISP galaxy

CryptorBit

Ransomware

Internal MISP references

UUID d5ccf284-90c3-44b6-9b90-ddc4717defac which can be used as unique global reference for CryptorBit in MISP communities and other software using the MISP galaxy

CryptoShield 2.0

Ransomware

Internal MISP references

UUID b1a948b2-d072-47d3-9512-e22fe8fb9fb1 which can be used as unique global reference for CryptoShield 2.0 in MISP communities and other software using the MISP galaxy

CryptoSpider

Ransomware

Internal MISP references

UUID e28ac7f9-cb1e-4e28-aace-27162529e96c which can be used as unique global reference for CryptoSpider in MISP communities and other software using the MISP galaxy

CryptoViki

Ransomware

Internal MISP references

UUID 84a6d707-6163-4c05-a3a2-d5c605cb6267 which can be used as unique global reference for CryptoViki in MISP communities and other software using the MISP galaxy

Cryptre

Ransomware

Internal MISP references

UUID 6260f9a3-b4c6-4f0b-910f-c98c3a13a2de which can be used as unique global reference for Cryptre in MISP communities and other software using the MISP galaxy

CrypTron

Ransomware

Internal MISP references

UUID 39f15885-0ef0-4f04-a837-f1da4b4813bc which can be used as unique global reference for CrypTron in MISP communities and other software using the MISP galaxy

Crysis XTBL

Ransomware

Internal MISP references

UUID d757c892-1d05-41f7-9aec-cb9f72316432 which can be used as unique global reference for Crysis XTBL in MISP communities and other software using the MISP galaxy

Crystal

Ransomware

Internal MISP references

UUID bfd0bcdc-3cc6-4d4b-bf5c-e1467e985610 which can be used as unique global reference for Crystal in MISP communities and other software using the MISP galaxy

CrystalCrypt

Ransomware

Internal MISP references

UUID e64a7cc3-2454-4e77-8fd9-ed12d854e2dd which can be used as unique global reference for CrystalCrypt in MISP communities and other software using the MISP galaxy

CryTekk

Ransomware

Internal MISP references

UUID e429df1e-ee56-48ff-801f-5648ce9b47cb which can be used as unique global reference for CryTekk in MISP communities and other software using the MISP galaxy

CSP

Ransomware

Internal MISP references

UUID 76b33701-ac6e-4ef1-95b8-b7e18204b901 which can be used as unique global reference for CSP in MISP communities and other software using the MISP galaxy

CTB-Locker Original

Ransomware

Internal MISP references

UUID 1fda05ea-74c7-4942-ac5d-0d9b6adc4eed which can be used as unique global reference for CTB-Locker Original in MISP communities and other software using the MISP galaxy

CTF

Ransomware

Internal MISP references

UUID ce5eb940-5fd6-4d2f-bfa8-2191ae3e4239 which can be used as unique global reference for CTF in MISP communities and other software using the MISP galaxy

Curumim

Ransomware

Internal MISP references

UUID ed087a5a-41f7-4997-9701-ef46c984d89d which can be used as unique global reference for Curumim in MISP communities and other software using the MISP galaxy

CVLocker

Ransomware

Internal MISP references

UUID 6cd337d7-b073-4950-afe9-8979151137ae which can be used as unique global reference for CVLocker in MISP communities and other software using the MISP galaxy

Cyber Police HT

Ransomware

Internal MISP references

UUID a255f8e2-5ffa-4b4e-91b7-f5620cf8a2ea which can be used as unique global reference for Cyber Police HT in MISP communities and other software using the MISP galaxy

CyberDrill2

Ransomware

Internal MISP references

UUID 6b6d567b-dcaf-4ebd-b3c7-d81ecaf6e820 which can be used as unique global reference for CyberDrill2 in MISP communities and other software using the MISP galaxy

CyberResearcher

Ransomware

Internal MISP references

UUID 59dc87a1-e66f-48a3-8eb9-9591b3c8339b which can be used as unique global reference for CyberResearcher in MISP communities and other software using the MISP galaxy

CyberSCCP

Ransomware

Internal MISP references

UUID b9a0558f-b975-4406-8381-7e93e2d96394 which can be used as unique global reference for CyberSCCP in MISP communities and other software using the MISP galaxy

CyberSoldier

Ransomware

Internal MISP references

UUID 3a69e0f9-ef7e-418e-87f5-821b5f7c7d3d which can be used as unique global reference for CyberSoldier in MISP communities and other software using the MISP galaxy

Cyclone

Ransomware

Internal MISP references

UUID 67e652fe-2689-41f1-b7fe-1550ec3031ab which can be used as unique global reference for Cyclone in MISP communities and other software using the MISP galaxy

CypherPy

Ransomware

Internal MISP references

UUID d1ed0b02-020f-467f-9b4b-4c1c910257a2 which can be used as unique global reference for CypherPy in MISP communities and other software using the MISP galaxy

Cyspt

Ransomware

Internal MISP references

UUID bb8b3841-4e99-4114-b640-00dfef8206cf which can be used as unique global reference for Cyspt in MISP communities and other software using the MISP galaxy

Czech

Ransomware

Internal MISP references

UUID b536d9b6-f3b6-446d-94d7-a6ac36f2ecf8 which can be used as unique global reference for Czech in MISP communities and other software using the MISP galaxy

D00mEd

Ransomware

Internal MISP references

UUID 8971edef-7b24-4682-8a6e-9aff32778ebf which can be used as unique global reference for D00mEd in MISP communities and other software using the MISP galaxy

D2+D

Ransomware

Internal MISP references

UUID fcf7240e-7d1b-4b0d-84b8-7ab0919b5444 which can be used as unique global reference for D2+D in MISP communities and other software using the MISP galaxy

DarkKomet

Ransomware

Internal MISP references

UUID 15d3732d-5ca8-4dc4-bf9b-8f7791706d17 which can be used as unique global reference for DarkKomet in MISP communities and other software using the MISP galaxy

DarkLocker

Ransomware

Internal MISP references

UUID a3e8d4f9-d24d-40de-9ba9-256774da6d17 which can be used as unique global reference for DarkLocker in MISP communities and other software using the MISP galaxy

DarkoderCryptor

Ransomware

Internal MISP references

UUID 27d38148-e9d4-4b4b-8b7b-514060493a40 which can be used as unique global reference for DarkoderCryptor in MISP communities and other software using the MISP galaxy

DataKeeper

Ransomware

Internal MISP references

UUID 4c90d525-b24f-43b5-941e-2bc3038669ff which can be used as unique global reference for DataKeeper in MISP communities and other software using the MISP galaxy

Datebatut

Ransomware

Internal MISP references

UUID 0f22483f-8227-4977-8097-55d5f3971a32 which can be used as unique global reference for Datebatut in MISP communities and other software using the MISP galaxy

DCRTR

Ransomware

Internal MISP references

UUID 3f550aa8-f9ec-4040-be24-1182c0f6637f which can be used as unique global reference for DCRTR in MISP communities and other software using the MISP galaxy

DCRTR-WDM

Ransomware

Internal MISP references

UUID 3b0aa35a-b0f7-4263-b7a6-50efdb5b4c42 which can be used as unique global reference for DCRTR-WDM in MISP communities and other software using the MISP galaxy

DCry

Ransomware

Internal MISP references

UUID 25d55a0a-7a5c-4ce2-be3e-7fda4be4cfe6 which can be used as unique global reference for DCry in MISP communities and other software using the MISP galaxy

DDE

Ransomware

Internal MISP references

UUID 6bc76688-d22f-414b-8019-a4e22d76a662 which can be used as unique global reference for DDE in MISP communities and other software using the MISP galaxy

DeadSec-Crypto

Ransomware

Internal MISP references

UUID 7af4bdcb-bfeb-4ad1-8b6c-eae6df8f81b0 which can be used as unique global reference for DeadSec-Crypto in MISP communities and other software using the MISP galaxy

DeathHiddenTear (Large&Small HT) >

Ransomware

Internal MISP references

UUID ee027575-6c9e-4803-80fa-6ff4f4d0af68 which can be used as unique global reference for DeathHiddenTear (Large&Small HT) > in MISP communities and other software using the MISP galaxy

DeathNote

Ransomware

Internal MISP references

UUID 101c648e-8c7a-4082-902f-37a536c38063 which can be used as unique global reference for DeathNote in MISP communities and other software using the MISP galaxy

DeathRansom

Ransomware

Internal MISP references

UUID b4ad80c6-1a90-4f20-a3e2-8e127a295861 which can be used as unique global reference for DeathRansom in MISP communities and other software using the MISP galaxy

DecryptIomega

Ransomware

Internal MISP references

UUID 8c7cd622-c0cb-4d4a-991b-99de948baf8d which can be used as unique global reference for DecryptIomega in MISP communities and other software using the MISP galaxy

Decryption Assistant

Ransomware

Internal MISP references

UUID b298b00f-1cc9-4b08-b2a2-8b16cafdee73 which can be used as unique global reference for Decryption Assistant in MISP communities and other software using the MISP galaxy

DecService

Ransomware

Internal MISP references

UUID 54a0441c-c25d-4a7a-b572-2a8fb1d91a61 which can be used as unique global reference for DecService in MISP communities and other software using the MISP galaxy

DecYourData

Ransomware

Internal MISP references

UUID 89f73121-682a-4675-815e-af3b3183c000 which can be used as unique global reference for DecYourData in MISP communities and other software using the MISP galaxy

Defender

Ransomware

Internal MISP references

UUID d14aacd7-dea9-44ea-8160-ffee220fb572 which can be used as unique global reference for Defender in MISP communities and other software using the MISP galaxy

Defray (Glushkov)

Ransomware

Internal MISP references

UUID ca4b65f9-b49e-4531-90a9-4448e0a1fbce which can be used as unique global reference for Defray (Glushkov) in MISP communities and other software using the MISP galaxy

Deos

Ransomware

Internal MISP references

UUID fac72d3c-e12e-4ec0-8006-176d2f10df56 which can be used as unique global reference for Deos in MISP communities and other software using the MISP galaxy

Desktop

Ransomware

Internal MISP references

UUID 8fab2ebc-526e-46ce-9f32-4ae06337acd4 which can be used as unique global reference for Desktop in MISP communities and other software using the MISP galaxy

Diamond

Ransomware

Internal MISP references

UUID e2a2169c-73ac-4ee3-aa0d-05c00fffd9f2 which can be used as unique global reference for Diamond in MISP communities and other software using the MISP galaxy

DilmaLocker

Ransomware

Internal MISP references

UUID 1435b9b7-2c3d-4f0d-b651-617b67877273 which can be used as unique global reference for DilmaLocker in MISP communities and other software using the MISP galaxy

Dishwasher

Ransomware

Internal MISP references

UUID a3ea2517-9e89-4088-9433-6091f29b8a22 which can be used as unique global reference for Dishwasher in MISP communities and other software using the MISP galaxy

District

Ransomware

Internal MISP references

UUID b28aa31f-32cf-44eb-ae6f-2d952b1e9a01 which can be used as unique global reference for District in MISP communities and other software using the MISP galaxy

DMA Locker 1.0-2.0-3.0

Ransomware

Internal MISP references

UUID 517622cc-b402-4791-b5cd-b793f7bcf232 which can be used as unique global reference for DMA Locker 1.0-2.0-3.0 in MISP communities and other software using the MISP galaxy

DMA Locker 4.0

Ransomware

Internal MISP references

UUID 0a852768-faaa-4e9f-88b4-cdc8887a4518 which can be used as unique global reference for DMA Locker 4.0 in MISP communities and other software using the MISP galaxy

DMALocker Imposter

Ransomware

Internal MISP references

UUID b7a27265-4300-401b-b8e4-82ec20cea5f9 which can be used as unique global reference for DMALocker Imposter in MISP communities and other software using the MISP galaxy

Dodger

Ransomware

Internal MISP references

UUID 0416d649-c1e1-4e52-9b02-dd78dc4829ba which can be used as unique global reference for Dodger in MISP communities and other software using the MISP galaxy

DolphinTear

Ransomware

Internal MISP references

UUID 29d2e73b-dda0-4206-9c45-597dd2fd2c81 which can be used as unique global reference for DolphinTear in MISP communities and other software using the MISP galaxy

Donald Trump

Ransomware

Internal MISP references

UUID dec37a2c-1f82-4a42-9ac4-1cbadcec28a7 which can be used as unique global reference for Donald Trump in MISP communities and other software using the MISP galaxy

Donation1

Ransomware

Internal MISP references

UUID abb380f4-1237-421f-8b34-5616acdabdfb which can be used as unique global reference for Donation1 in MISP communities and other software using the MISP galaxy

Done

Ransomware

Internal MISP references

UUID 2e8f75c9-5122-4f5d-a32d-c6b500f7cd28 which can be used as unique global reference for Done in MISP communities and other software using the MISP galaxy

Dont_Worry

Ransomware

Internal MISP references

UUID 177d029a-4414-4300-8ef3-2dd476f006e9 which can be used as unique global reference for Dont_Worry in MISP communities and other software using the MISP galaxy

DotNoData

Ransomware

Internal MISP references

UUID d029f838-1bf1-4a35-bd7c-43bd0a513693 which can be used as unique global reference for DotNoData in MISP communities and other software using the MISP galaxy

DotZeroCMD

Ransomware

Internal MISP references

UUID bbb53d99-09e9-42a9-812e-96539da0ed4b which can be used as unique global reference for DotZeroCMD in MISP communities and other software using the MISP galaxy

Dr. Fucker

Ransomware

Internal MISP references

UUID b544ea57-deee-4e66-91c4-b4d02a9e283e which can be used as unique global reference for Dr. Fucker in MISP communities and other software using the MISP galaxy

Dr. Jimbo

Ransomware

Internal MISP references

UUID 10731cae-b25b-49a7-b821-c4b655e99a38 which can be used as unique global reference for Dr. Jimbo in MISP communities and other software using the MISP galaxy

Drakos

Ransomware

Internal MISP references

UUID 099c3512-a86b-40dc-94f9-7f2052991212 which can be used as unique global reference for Drakos in MISP communities and other software using the MISP galaxy

DriedSister

Ransomware

Internal MISP references

UUID 68b0ba66-0c9e-4ae2-856d-d43c024c5e0c which can be used as unique global reference for DriedSister in MISP communities and other software using the MISP galaxy

Dviide

Ransomware

Internal MISP references

UUID c14d0a23-5394-4a51-b3d6-7602b4b8d6ac which can be used as unique global reference for Dviide in MISP communities and other software using the MISP galaxy

eBayWall

Ransomware

Internal MISP references

UUID bfd3bb40-5057-4774-983f-1d61ab5fd38d which can be used as unique global reference for eBayWall in MISP communities and other software using the MISP galaxy

EbolaRnsmwr

Ransomware

Internal MISP references

UUID 1222a73b-6ae7-4e21-9fd0-df2ddc2d9ef3 which can be used as unique global reference for EbolaRnsmwr in MISP communities and other software using the MISP galaxy

ECLR

Ransomware

Internal MISP references

UUID 19638b5e-cfc9-4bbd-9f21-0efc7cd1929a which can be used as unique global reference for ECLR in MISP communities and other software using the MISP galaxy

EggLocker

Ransomware

Internal MISP references

UUID b166020d-baac-4424-ab13-fbdfcd52dee5 which can be used as unique global reference for EggLocker in MISP communities and other software using the MISP galaxy

Ekati demo tool

Ransomware

Internal MISP references

UUID 1c8c31ef-0d95-4e70-baf2-7d85fa46f1fd which can be used as unique global reference for Ekati demo tool in MISP communities and other software using the MISP galaxy

Enc1

Ransomware

Internal MISP references

UUID 5f47e7f6-b872-443c-83d5-5993dca85e0b which can be used as unique global reference for Enc1 in MISP communities and other software using the MISP galaxy

EncoderCSL

Ransomware

Internal MISP references

UUID a24aee63-5e3c-4aec-a79d-6cb3cf2ee7a5 which can be used as unique global reference for EncoderCSL in MISP communities and other software using the MISP galaxy

EnCrypt

Ransomware

Internal MISP references

UUID 8856e9e4-4774-44af-a89c-00ee64af95b3 which can be used as unique global reference for EnCrypt in MISP communities and other software using the MISP galaxy

EncryptedBatch

Ransomware

Internal MISP references

UUID 7f2f2f1c-43ec-40a4-92f3-e6b27a86fd66 which can be used as unique global reference for EncryptedBatch in MISP communities and other software using the MISP galaxy

EncryptServer2018

Ransomware

Internal MISP references

UUID cb1db616-8c54-46c9-9a54-c59b0f34203e which can be used as unique global reference for EncryptServer2018 in MISP communities and other software using the MISP galaxy

EnybenyCrypt

Ransomware

Internal MISP references

UUID 049a556e-143c-4ed4-a1d5-b32a5818e3f5 which can be used as unique global reference for EnybenyCrypt in MISP communities and other software using the MISP galaxy

EOEO

Ransomware

Internal MISP references

UUID 44816458-fbf1-46f5-9189-031a4f5a9494 which can be used as unique global reference for EOEO in MISP communities and other software using the MISP galaxy

Epoblockl

Ransomware

Internal MISP references

UUID 34b549c2-e28f-475c-916e-d164b7d984bf which can be used as unique global reference for Epoblockl in MISP communities and other software using the MISP galaxy

Erica2020

Ransomware

Internal MISP references

UUID 50a03182-fb83-4d2d-a33b-13bbab4f9c94 which can be used as unique global reference for Erica2020 in MISP communities and other software using the MISP galaxy

Eris

Ransomware

Internal MISP references

UUID 1d48b852-ddb9-4294-9502-244b2664fe0c which can be used as unique global reference for Eris in MISP communities and other software using the MISP galaxy

Estemani

Ransomware

Internal MISP references

UUID 35275d91-8878-45fd-aa11-d5932a4a3707 which can be used as unique global reference for Estemani in MISP communities and other software using the MISP galaxy

Eternal

Ransomware

Internal MISP references

UUID b1fe23d0-e3f3-4164-ab96-4e859a25e639 which can be used as unique global reference for Eternal in MISP communities and other software using the MISP galaxy

Eternity

Ransomware

Internal MISP references

UUID 97c7c06d-e2b6-459c-92ec-bde5a4dd54ff which can be used as unique global reference for Eternity in MISP communities and other software using the MISP galaxy

Euclid

Ransomware

Internal MISP references

UUID 4b7906b7-1e17-4c5d-a56f-abf238e42dcf which can be used as unique global reference for Euclid in MISP communities and other software using the MISP galaxy

Evasive HT

Ransomware

Internal MISP references

UUID 6287e47b-7919-4be1-9ee8-c3a9a7f0feab which can be used as unique global reference for Evasive HT in MISP communities and other software using the MISP galaxy

Evolution

Ransomware

Internal MISP references

UUID 47554d81-a6d9-4017-ad8c-cab653e6a1b3 which can be used as unique global reference for Evolution in MISP communities and other software using the MISP galaxy

Executioner

Ransomware

Internal MISP references

UUID 803671d5-8d84-45c9-aef0-13dbaedd2b4c which can be used as unique global reference for Executioner in MISP communities and other software using the MISP galaxy

ExecutionerPlus

Ransomware

Internal MISP references

UUID ed1bebe5-6bad-448c-8b92-ca7fd8563a2b which can be used as unique global reference for ExecutionerPlus in MISP communities and other software using the MISP galaxy

Exocrypt XTC

Ransomware

Internal MISP references

UUID 23fe7df3-ad1b-4270-b519-3d7db4d62d0b which can be used as unique global reference for Exocrypt XTC in MISP communities and other software using the MISP galaxy

ExoLock

Ransomware

Internal MISP references

UUID 89aed7ce-b8db-4d66-91b3-cae5def39255 which can be used as unique global reference for ExoLock in MISP communities and other software using the MISP galaxy

ExpBoot

Ransomware

Internal MISP references

UUID 80304c6b-de78-4db0-a0b9-7e3164f818d2 which can be used as unique global reference for ExpBoot in MISP communities and other software using the MISP galaxy

Explorer

Ransomware

Internal MISP references

UUID 7b9fa522-8db4-4b29-adcf-7c01c21c39b4 which can be used as unique global reference for Explorer in MISP communities and other software using the MISP galaxy

Extortion Scam

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Extortion Scam.

Known Synonyms
Sextortion Scam

Internal MISP references

UUID 08890a08-8ffc-49f5-b5b9-6a89002327f3 which can be used as unique global reference for Extortion Scam in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value

Extractor

Ransomware

Internal MISP references

UUID 59c28ba7-d42a-42d8-afaa-69fcbe9eaadb which can be used as unique global reference for Extractor in MISP communities and other software using the MISP galaxy

EyLamo

Ransomware

Internal MISP references

UUID a6ef13a1-5429-47eb-8d8b-5ffde2ebdff0 which can be used as unique global reference for EyLamo in MISP communities and other software using the MISP galaxy

EZDZ

Ransomware

Internal MISP references

UUID 919cadc1-9089-4fd4-a8d9-c83089f78391 which can be used as unique global reference for EZDZ in MISP communities and other software using the MISP galaxy

Fabiansomware

Ransomware

Internal MISP references

UUID 0c22c2e4-f83e-4f16-841c-534d569a1b30 which can be used as unique global reference for Fabiansomware in MISP communities and other software using the MISP galaxy

Facebook HT

Ransomware

Internal MISP references

UUID 7ccbce77-7251-451f-ba92-da1439a916d0 which can be used as unique global reference for Facebook HT in MISP communities and other software using the MISP galaxy

Faizal

Ransomware

Internal MISP references

UUID f656c54f-d252-4441-af31-f88a9fcc6ee4 which can be used as unique global reference for Faizal in MISP communities and other software using the MISP galaxy

Fake Cerber

Ransomware

Internal MISP references

UUID 27e5da0f-5f6c-460c-b1b7-03e78724ab07 which can be used as unique global reference for Fake Cerber in MISP communities and other software using the MISP galaxy

Fake DMA

ransomware

Internal MISP references

UUID bc7a4be2-1997-40ba-beb7-553120b1411b which can be used as unique global reference for Fake DMA in MISP communities and other software using the MISP galaxy

FartPlz

ransomware

Internal MISP references

UUID 29cd31bb-819f-4d01-9805-ba9656a2d215 which can be used as unique global reference for FartPlz in MISP communities and other software using the MISP galaxy

FBLocker

ransomware

Internal MISP references

UUID 6d97efca-8d12-45d3-93c3-93a4d3839110 which can be used as unique global reference for FBLocker in MISP communities and other software using the MISP galaxy

FCP

ransomware

Internal MISP references

UUID 3a05c407-80bc-491d-9065-97b53137694c which can be used as unique global reference for FCP in MISP communities and other software using the MISP galaxy

FCrypt

ransomware

Internal MISP references

UUID 42aea797-8789-43ed-aca5-0c492a3a8970 which can be used as unique global reference for FCrypt in MISP communities and other software using the MISP galaxy

FCT

ransomware

Internal MISP references

UUID 010a5c7b-ec43-4540-9c67-4b4f73c82c06 which can be used as unique global reference for FCT in MISP communities and other software using the MISP galaxy

Fenrir

ransomware

Internal MISP references

UUID 4e344305-4a3b-43b5-a2a6-5cf669e416e7 which can be used as unique global reference for Fenrir in MISP communities and other software using the MISP galaxy

File Ripper

ransomware

Internal MISP references

UUID 7c698732-90bb-4a72-a8ac-f6194761c546 which can be used as unique global reference for File Ripper in MISP communities and other software using the MISP galaxy

FileFuck

ransomware

Internal MISP references

UUID 35c968af-cee9-40bf-9d62-b8ba5d6dbc8f which can be used as unique global reference for FileFuck in MISP communities and other software using the MISP galaxy

FilesL0cker

ransomware

Internal MISP references

UUID 39a197ff-be4b-45a7-bdc8-fc17af421d63 which can be used as unique global reference for FilesL0cker in MISP communities and other software using the MISP galaxy

Final

ransomware

Internal MISP references

UUID 06db1c0f-5dcd-4dad-8fb5-cdf8afdf2ab6 which can be used as unique global reference for Final in MISP communities and other software using the MISP galaxy

FindZip

ransomware

Internal MISP references

UUID 02c5bf92-23e8-404c-9fe9-5e50f587d0c4 which can be used as unique global reference for FindZip in MISP communities and other software using the MISP galaxy

Flatcher3

ransomware

Internal MISP references

UUID b9f1d220-2ef0-4b1d-84ed-ae6843e5828e which can be used as unique global reference for Flatcher3 in MISP communities and other software using the MISP galaxy

Fluffy-TAR

ransomware

Internal MISP references

UUID 51f42a21-1963-40c5-b644-d4c1c5c3f9eb which can be used as unique global reference for Fluffy-TAR in MISP communities and other software using the MISP galaxy

Foxy

ransomware

Internal MISP references

UUID 10254366-b6d0-4266-a277-6ef4eee460b3 which can be used as unique global reference for Foxy in MISP communities and other software using the MISP galaxy

FreeMe

ransomware

Internal MISP references

UUID 0b6e29d4-27e4-422b-944f-72e111462dee which can be used as unique global reference for FreeMe in MISP communities and other software using the MISP galaxy

Freshdesk

ransomware

Internal MISP references

UUID a5e54d82-cb41-420e-a03d-89b762560dcc which can be used as unique global reference for Freshdesk in MISP communities and other software using the MISP galaxy

Frog

ransomware

Internal MISP references

UUID 5df125ae-9362-415d-a915-f478447eece5 which can be used as unique global reference for Frog in MISP communities and other software using the MISP galaxy

FrozrLock

ransomware

Internal MISP references

UUID 61c215e0-835b-488a-8e82-94da05871b80 which can be used as unique global reference for FrozrLock in MISP communities and other software using the MISP galaxy

FRS

ransomware

Internal MISP references

UUID 8467b6f2-7132-4695-87a6-6a7400c3a7d8 which can be used as unique global reference for FRS in MISP communities and other software using the MISP galaxy

FScrypt

ransomware

Internal MISP references

UUID d81208be-6715-4ef5-b354-9283d7eed531 which can be used as unique global reference for FScrypt in MISP communities and other software using the MISP galaxy

FuckTheSystem

ransomware

Internal MISP references

UUID db9571dc-7ebc-4f2b-a31b-944851c16346 which can be used as unique global reference for FuckTheSystem in MISP communities and other software using the MISP galaxy

FuxSocy Encryptor

ransomware

Internal MISP references

UUID 6247ab38-e6dd-4020-8771-f1fdfc9e86bd which can be used as unique global reference for FuxSocy Encryptor in MISP communities and other software using the MISP galaxy

Galacti-Crypter

ransomware

Internal MISP references

UUID 1ef5a7de-9fe2-4cfb-a6ff-7f63bc31bf94 which can be used as unique global reference for Galacti-Crypter in MISP communities and other software using the MISP galaxy

GameOver

ransomware

Internal MISP references

UUID 9734c2bc-d638-4b69-9189-c6141f66bcab which can be used as unique global reference for GameOver in MISP communities and other software using the MISP galaxy

Geminis3

ransomware

Internal MISP references

UUID dd9dd6b6-97c6-4cd1-bd3a-f7e95526b090 which can be used as unique global reference for Geminis3 in MISP communities and other software using the MISP galaxy

Gendarmerie

ransomware

Internal MISP references

UUID 0a59664f-b447-4c5e-b8e4-8842e381390b which can be used as unique global reference for Gendarmerie in MISP communities and other software using the MISP galaxy

Genobot

ransomware

Internal MISP references

UUID 317eee8b-2a8b-4d2a-a17c-9fa651de2f06 which can be used as unique global reference for Genobot in MISP communities and other software using the MISP galaxy

GermanWiper

ransomware

Internal MISP references

UUID 7f94ad48-3321-4fbb-850d-a0e6cb300815 which can be used as unique global reference for GermanWiper in MISP communities and other software using the MISP galaxy

GhosTEncryptor

ransomware

Internal MISP references

UUID 857a6d87-3fe7-426a-8679-7029134800af which can be used as unique global reference for GhosTEncryptor in MISP communities and other software using the MISP galaxy

GhostHammer

ransomware

Internal MISP references

UUID 66c1ee94-a302-4f25-a54a-fdc2e2c3d164 which can be used as unique global reference for GhostHammer in MISP communities and other software using the MISP galaxy

Gibberish

ransomware

Internal MISP references

UUID abf2485a-8fc6-46a5-9400-d188711a3cb2 which can be used as unique global reference for Gibberish in MISP communities and other software using the MISP galaxy

Gibon

ransomware

Internal MISP references

UUID 5845d539-8c80-4957-92ea-7aa968ec784c which can be used as unique global reference for Gibon in MISP communities and other software using the MISP galaxy

Giyotin

ransomware

Internal MISP references

UUID f03fb4bc-7762-4529-bce1-d851619fb0d4 which can be used as unique global reference for Giyotin in MISP communities and other software using the MISP galaxy

GoCryptoLocker

ransomware

Internal MISP references

UUID c18fb798-f2f8-4119-aee3-5888241d129f which can be used as unique global reference for GoCryptoLocker in MISP communities and other software using the MISP galaxy

Godra

ransomware

Internal MISP references

UUID 287f5d11-c1da-4409-8404-543c68cc968e which can be used as unique global reference for Godra in MISP communities and other software using the MISP galaxy

GoGoogle

ransomware

Internal MISP references

UUID df998c50-52d0-462d-9bbb-5b93a5adc7b0 which can be used as unique global reference for GoGoogle in MISP communities and other software using the MISP galaxy

GoHack

ransomware

Internal MISP references

UUID e88b85ed-d20d-416a-bde9-2a2ba60f9c70 which can be used as unique global reference for GoHack in MISP communities and other software using the MISP galaxy

Golden Axe

ransomware

Internal MISP references

UUID c51e8939-8b5d-4b5e-a73e-92944e1392c0 which can be used as unique global reference for Golden Axe in MISP communities and other software using the MISP galaxy

Gomme

ransomware

Internal MISP references

UUID 61fbe157-557a-40c4-919f-d61f6f7b5f2f which can be used as unique global reference for Gomme in MISP communities and other software using the MISP galaxy

GonnaCry Ransmware

ransomware

Internal MISP references

UUID 269bae29-5955-4723-8f33-b81767f44c82 which can be used as unique global reference for GonnaCry Ransmware in MISP communities and other software using the MISP galaxy

Goofed HT

ransomware

Internal MISP references

UUID 9325868e-bc3a-43d7-ba18-cd5d372eea06 which can be used as unique global reference for Goofed HT in MISP communities and other software using the MISP galaxy

GoRansom POC

ransomware

Internal MISP references

UUID 7b8f0dea-b63a-4b70-ae4b-2a06afd9d438 which can be used as unique global reference for GoRansom POC in MISP communities and other software using the MISP galaxy

Gorgon

ransomware

Internal MISP references

UUID 99cf422f-785c-4459-86a0-15f4204f17d2 which can be used as unique global reference for Gorgon in MISP communities and other software using the MISP galaxy

Gotcha

ransomware

Internal MISP references

UUID a7c78489-4545-4d5f-a280-0b919ee23c3f which can be used as unique global reference for Gotcha in MISP communities and other software using the MISP galaxy

GottaCry

ransomware

Internal MISP references

UUID c694aab7-1c1c-4a36-9fa1-da8860f75ab3 which can be used as unique global reference for GottaCry in MISP communities and other software using the MISP galaxy

GPAA

ransomware

Internal MISP references

UUID 11684b37-3bc6-4d74-b72e-8689f5340bc2 which can be used as unique global reference for GPAA in MISP communities and other software using the MISP galaxy

GPGQwerty

ransomware

Internal MISP references

UUID c479cd06-3935-4673-abc2-fb2a69b04c23 which can be used as unique global reference for GPGQwerty in MISP communities and other software using the MISP galaxy

Craftul

ransomware

Internal MISP references

UUID ae7dcbb6-044a-427a-8392-7697c4e1bef7 which can be used as unique global reference for Craftul in MISP communities and other software using the MISP galaxy

Greystars

ransomware

Internal MISP references

UUID 9f7c8936-96ee-4f99-a61c-8c51b4c93c9d which can be used as unique global reference for Greystars in MISP communities and other software using the MISP galaxy

GrodexCrypt

ransomware

Internal MISP references

UUID e7c56607-ad06-4b6c-881d-5076e083d5d4 which can be used as unique global reference for GrodexCrypt in MISP communities and other software using the MISP galaxy

GrujaRSorium

ransomware

Internal MISP references

UUID b7025c7b-e650-4e8e-83b8-1311bd684b65 which can be used as unique global reference for GrujaRSorium in MISP communities and other software using the MISP galaxy

Gruxer

ransomware

Internal MISP references

UUID d980b021-485e-4515-a629-11a42a67b36c which can be used as unique global reference for Gruxer in MISP communities and other software using the MISP galaxy

GusCrypter

ransomware

Internal MISP references

UUID b0d5f511-7542-46e5-b95a-53c2c56a2683 which can be used as unique global reference for GusCrypter in MISP communities and other software using the MISP galaxy

GX40

ransomware

Internal MISP references

UUID e9269244-a119-4c0a-92fd-a3b3617670d8 which can be used as unique global reference for GX40 in MISP communities and other software using the MISP galaxy

H34rtBl33d

ransomware

Internal MISP references

UUID 9cfe0adf-72e8-44c8-bdce-4c2c2a7749bf which can be used as unique global reference for H34rtBl33d in MISP communities and other software using the MISP galaxy

HackdoorCrypt3r

ransomware

Internal MISP references

UUID 1d689032-cca4-4c40-86db-1eabd2a7cd29 which can be used as unique global reference for HackdoorCrypt3r in MISP communities and other software using the MISP galaxy

Hades

ransomware

Internal MISP references

UUID c0091a62-b1cd-495d-898b-d2f3b5af601e which can be used as unique global reference for Hades in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020
links	['http://ixltdyumdlthrtgx.onion']

Related clusters

To see the related clusters, click here.

Hakbit

ransomware

Internal MISP references

UUID 49e5c755-510d-4eca-a45d-8561a53f6bfa which can be used as unique global reference for Hakbit in MISP communities and other software using the MISP galaxy

HappyCrypter

ransomware

Internal MISP references

UUID a5c17b66-ee15-4a08-9eb6-348bb6adeb33 which can be used as unique global reference for HappyCrypter in MISP communities and other software using the MISP galaxy

Haze

ransomware

Internal MISP references

UUID 8d551d9e-f14c-473e-a896-7cee4fc09e82 which can be used as unique global reference for Haze in MISP communities and other software using the MISP galaxy

HCrypto

ransomware

Internal MISP references

UUID e9863c6d-d081-4f8b-bffd-de2004f93897 which can be used as unique global reference for HCrypto in MISP communities and other software using the MISP galaxy

HELP@AUSI

ransomware

Internal MISP references

UUID 3347541a-772d-4b83-a7fd-b9a98569eb8e which can be used as unique global reference for HELP@AUSI in MISP communities and other software using the MISP galaxy

HelpDCFile

ransomware

Internal MISP references

UUID 526166b7-59a5-4946-9d50-d95788e4d28f which can be used as unique global reference for HelpDCFile in MISP communities and other software using the MISP galaxy

HelpMe

ransomware

Internal MISP references

UUID 5ad18348-acb0-430c-8439-ea2b7c6438e6 which can be used as unique global reference for HelpMe in MISP communities and other software using the MISP galaxy

Hermes837

ransomware

Internal MISP references

UUID 718b274e-b547-42dc-ada4-b47e213cd625 which can be used as unique global reference for Hermes837 in MISP communities and other software using the MISP galaxy

HermesVirus HT

ransomware

Internal MISP references

UUID 2b2379e5-098e-4c62-be82-79ee4e3cc61c which can be used as unique global reference for HermesVirus HT in MISP communities and other software using the MISP galaxy

Heropoint

ransomware

Internal MISP references

UUID c7e0650f-efbe-4c2e-bef7-ff824fb5a152 which can be used as unique global reference for Heropoint in MISP communities and other software using the MISP galaxy

HiddenBeer

ransomware

Internal MISP references

UUID 7c2a199e-1ed6-4820-a3e2-80c45ff6f709 which can be used as unique global reference for HiddenBeer in MISP communities and other software using the MISP galaxy

Honor

ransomware

Internal MISP references

UUID 38b8fb07-8545-4f79-8094-fed524e263c4 which can be used as unique global reference for Honor in MISP communities and other software using the MISP galaxy

Horros

ransomware

Internal MISP references

UUID bdd46a71-888d-4091-b55e-2fb9ff11a770 which can be used as unique global reference for Horros in MISP communities and other software using the MISP galaxy

Hydra

ransomware

Internal MISP references

UUID 2e4f26d6-f220-4877-be0e-45059b0f8eeb which can be used as unique global reference for Hydra in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

IGotYou

ransomware

Internal MISP references

UUID 496e3fb8-666c-4dd0-a06f-af1358320f6e which can be used as unique global reference for IGotYou in MISP communities and other software using the MISP galaxy

iGZa4C

ransomware

Internal MISP references

UUID 17e7cef2-74fb-4abc-9d83-a65a50654381 which can be used as unique global reference for iGZa4C in MISP communities and other software using the MISP galaxy

ILElection2020

ransomware

Internal MISP references

UUID f7947cfd-dfac-437d-bc9d-3b71470d222a which can be used as unique global reference for ILElection2020 in MISP communities and other software using the MISP galaxy

Ims00ry

ransomware

Internal MISP references

UUID 03429647-cc47-49ee-b336-4fa866abf510 which can be used as unique global reference for Ims00ry in MISP communities and other software using the MISP galaxy

ImSorry

ransomware

Internal MISP references

UUID 9c8eadbf-c1d0-4726-85ac-3d595efadf9d which can be used as unique global reference for ImSorry in MISP communities and other software using the MISP galaxy

Incanto

ransomware

Internal MISP references

UUID 719a97ab-4324-433f-aee0-f42712feb00b which can be used as unique global reference for Incanto in MISP communities and other software using the MISP galaxy

Indrik

ransomware

Internal MISP references

UUID ddb76772-bfc9-4896-92ee-b7baf6f1a07e which can be used as unique global reference for Indrik in MISP communities and other software using the MISP galaxy

InducVirus

ransomware

Internal MISP references

UUID de63a115-7a2b-4b0a-8898-8f3fa6768414 which can be used as unique global reference for InducVirus in MISP communities and other software using the MISP galaxy

InfinityLock

ransomware

Internal MISP references

UUID 40215dc5-5d28-4770-a85f-b6a71f1db5d9 which can be used as unique global reference for InfinityLock in MISP communities and other software using the MISP galaxy

InfoDot

ransomware

Internal MISP references

UUID 5ec2d8cd-090d-4184-b865-53d71cbbc235 which can be used as unique global reference for InfoDot in MISP communities and other software using the MISP galaxy

INPIVX

ransomware

Internal MISP references

UUID 6a4ac521-4731-4bc1-abf4-639b451018bc which can be used as unique global reference for INPIVX in MISP communities and other software using the MISP galaxy

InsaneCrypt

ransomware

Internal MISP references

UUID 2a1ab564-52e1-4575-8184-20b68c1f23c6 which can be used as unique global reference for InsaneCrypt in MISP communities and other software using the MISP galaxy

IPA

ransomware

Internal MISP references

UUID 82f52546-ed68-468d-96a1-d7064478d0de which can be used as unique global reference for IPA in MISP communities and other software using the MISP galaxy

IT.Books

ransomware

Internal MISP references

UUID 54c9604e-ba28-4fa7-9a39-125fe0fbf0cb which can be used as unique global reference for IT.Books in MISP communities and other software using the MISP galaxy

J-

ransomware

Internal MISP references

UUID 159953eb-01f1-4325-9467-54a4c7bdeebb which can be used as unique global reference for J- in MISP communities and other software using the MISP galaxy

JabaCrypter

ransomware

Internal MISP references

UUID 7770c955-5d04-42c2-8421-3a38c7bebf90 which can be used as unique global reference for JabaCrypter in MISP communities and other software using the MISP galaxy

Jaffe

ransomware

Internal MISP references

UUID d712d488-e189-4fc1-82ce-ef6bb0ecad4e which can be used as unique global reference for Jaffe in MISP communities and other software using the MISP galaxy

James

ransomware

Internal MISP references

UUID 72e2f10d-9c6a-407d-9e7d-f76c1c8248f2 which can be used as unique global reference for James in MISP communities and other software using the MISP galaxy

Java NotDharma

ransomware

Internal MISP references

UUID 5b8990a3-0e8c-4b81-8d3c-cc8e6b5024eb which can be used as unique global reference for Java NotDharma in MISP communities and other software using the MISP galaxy

jCandy

ransomware

Internal MISP references

UUID f1486237-a5da-48aa-8681-45b389ef2fa2 which can be used as unique global reference for jCandy in MISP communities and other software using the MISP galaxy

JeepersCrypt

ransomware

Internal MISP references

UUID d2f5c189-5707-4bec-88d9-0d0bd864cfae which can be used as unique global reference for JeepersCrypt in MISP communities and other software using the MISP galaxy

Jemd

ransomware

Internal MISP references

UUID cd334e6e-893b-4dc1-beeb-484f542d0d50 which can be used as unique global reference for Jemd in MISP communities and other software using the MISP galaxy

JesusCrypt

ransomware

Internal MISP references

UUID 07b4eda8-d346-4218-8c4d-a553ae4f684a which can be used as unique global reference for JesusCrypt in MISP communities and other software using the MISP galaxy

JNEC.a

ransomware

Internal MISP references

UUID 93b502df-b300-4ea6-af49-85901d9bfc6d which can be used as unique global reference for JNEC.a in MISP communities and other software using the MISP galaxy

JoeGo

ransomware

Internal MISP references

UUID 4bbe43a3-ca75-4f93-973b-2179770ad606 which can be used as unique global reference for JoeGo in MISP communities and other software using the MISP galaxy

Jolly Roger

ransomware

Internal MISP references

UUID 2e8763e0-5584-4f9a-ac60-d111a30a887c which can be used as unique global reference for Jolly Roger in MISP communities and other software using the MISP galaxy

JosepCrypt

ransomware

Internal MISP references

UUID 2e63db1d-5ce9-4cb4-a75a-86afd2d450ec which can be used as unique global reference for JosepCrypt in MISP communities and other software using the MISP galaxy

Juwon

ransomware

Internal MISP references

UUID 41ae4021-d6a6-4f19-9414-ff4d78ae2f21 which can be used as unique global reference for Juwon in MISP communities and other software using the MISP galaxy

Kali

ransomware

Internal MISP references

UUID b484ef6b-ac11-4fe2-a87c-5731c280b4aa which can be used as unique global reference for Kali in MISP communities and other software using the MISP galaxy

Kamil

ransomware

Internal MISP references

UUID 6352d423-003a-4545-91d6-bb66425a3edd which can be used as unique global reference for Kamil in MISP communities and other software using the MISP galaxy

Kampret

ransomware

Internal MISP references

UUID 8f8e32fe-05a1-4125-a287-27ff372b9f56 which can be used as unique global reference for Kampret in MISP communities and other software using the MISP galaxy

Karo

ransomware

Internal MISP references

UUID e04a4847-38df-4f14-8b16-6b6da7d5e222 which can be used as unique global reference for Karo in MISP communities and other software using the MISP galaxy

Katafrank

ransomware

Internal MISP references

UUID 739c4582-7471-43f3-aa21-3c181fe6713c which can be used as unique global reference for Katafrank in MISP communities and other software using the MISP galaxy

Katyusha

ransomware

Internal MISP references

UUID 3744333c-49b7-45cb-9059-6933725fa725 which can be used as unique global reference for Katyusha in MISP communities and other software using the MISP galaxy

KCTF Locker

ransomware

Internal MISP references

UUID b17ec2bc-bcc7-4f75-9338-ee7ec64a7a49 which can be used as unique global reference for KCTF Locker in MISP communities and other software using the MISP galaxy

KCW

ransomware

Internal MISP references

UUID 47e97378-20da-40d4-b6bc-99dd2aba84d2 which can be used as unique global reference for KCW in MISP communities and other software using the MISP galaxy

Kee

ransomware

Internal MISP references

UUID a307a755-a243-4b00-b1ef-11b08049ca29 which can be used as unique global reference for Kee in MISP communities and other software using the MISP galaxy

KEKW

ransomware

Internal MISP references

UUID ccb50fe4-dbcf-4773-933b-0cd27b08e81b which can be used as unique global reference for KEKW in MISP communities and other software using the MISP galaxy

Kerkoporta

ransomware

Internal MISP references

UUID 389ad313-aceb-4ee1-8554-8aec78a2f7b6 which can be used as unique global reference for Kerkoporta in MISP communities and other software using the MISP galaxy

KeyMaker

ransomware

Internal MISP references

UUID 55cebdaf-adfb-4943-b169-4652af84e0da which can be used as unique global reference for KeyMaker in MISP communities and other software using the MISP galaxy

KillBot_Virus

ransomware

Internal MISP references

UUID fc59e09e-49a2-4751-a3c8-0def51fbbd61 which can be used as unique global reference for KillBot_Virus in MISP communities and other software using the MISP galaxy

KillDisk-Dimens

ransomware

Internal MISP references

UUID d6d91cbd-4ad9-4cf4-b5fa-a468da62b421 which can be used as unique global reference for KillDisk-Dimens in MISP communities and other software using the MISP galaxy

KillRabbit

ransomware

Internal MISP references

UUID 01dc9bbb-b888-4aa5-b6a2-d216eaa95f84 which can be used as unique global reference for KillRabbit in MISP communities and other software using the MISP galaxy

KillSwitch

ransomware

Internal MISP references

UUID f4d370e2-7d91-4bd0-9b1f-33160d4b989f which can be used as unique global reference for KillSwitch in MISP communities and other software using the MISP galaxy

Kindest

ransomware

Internal MISP references

UUID 74a66fc7-bd18-4f43-a9c1-c22cfe98d101 which can be used as unique global reference for Kindest in MISP communities and other software using the MISP galaxy

KKK

ransomware

Internal MISP references

UUID 7a502648-9097-41ae-a686-8f9365923daa which can be used as unique global reference for KKK in MISP communities and other software using the MISP galaxy

Kovter

ransomware

Internal MISP references

UUID c099771d-82dd-45b6-9a1b-e5590eac897a which can be used as unique global reference for Kovter in MISP communities and other software using the MISP galaxy

Kriptovor

ransomware

Internal MISP references

UUID 6ba8bc69-bd70-4672-a167-123bfb260ecb which can be used as unique global reference for Kriptovor in MISP communities and other software using the MISP galaxy

Krypte

ransomware

Internal MISP references

UUID d93b5179-d747-4845-b4cd-61b9566aa823 which can be used as unique global reference for Krypte in MISP communities and other software using the MISP galaxy

Krypton

ransomware

Internal MISP references

UUID 822b3254-d715-46bc-8011-c5b647d314dc which can be used as unique global reference for Krypton in MISP communities and other software using the MISP galaxy

Kryptonite RBY

ransomware

Internal MISP references

UUID 377a0893-a5f0-4b78-a410-ef814083ae27 which can be used as unique global reference for Kryptonite RBY in MISP communities and other software using the MISP galaxy

Kryptonite Snake

ransomware

Internal MISP references

UUID 4a3ce744-3468-4ddf-95f9-7095bdd0d65e which can be used as unique global reference for Kryptonite Snake in MISP communities and other software using the MISP galaxy

Kupidon

ransomware

Internal MISP references

UUID de0bf4df-c578-41f1-b7db-20a1ae481844 which can be used as unique global reference for Kupidon in MISP communities and other software using the MISP galaxy

Ladon

ransomware

Internal MISP references

UUID a613ff2c-d23c-468b-b53f-c140be5d6457 which can be used as unique global reference for Ladon in MISP communities and other software using the MISP galaxy

Lalabitch_ransomware

ransomware

Internal MISP references

UUID a4a865b8-9b7c-4ec4-b448-ad8b1524f928 which can be used as unique global reference for Lalabitch_ransomware in MISP communities and other software using the MISP galaxy

LazagneCrypt

ransomware

Internal MISP references

UUID a026f575-384f-4a5a-b76d-7baa223661b2 which can be used as unique global reference for LazagneCrypt in MISP communities and other software using the MISP galaxy

Light

ransomware

Internal MISP references

UUID a7c9904b-758f-4107-bffb-12d190e08687 which can be used as unique global reference for Light in MISP communities and other software using the MISP galaxy

LightningCrypt

ransomware

Internal MISP references

UUID cfbc0527-0301-49f5-a38b-d9d2d73c4256 which can be used as unique global reference for LightningCrypt in MISP communities and other software using the MISP galaxy

LIGMA

ransomware

Internal MISP references

UUID 2d3d3c5e-fc6b-4afb-a81b-9b0de8e78446 which can be used as unique global reference for LIGMA in MISP communities and other software using the MISP galaxy

Lime

ransomware

Internal MISP references

UUID dd518ffc-8f62-44f0-9eba-b565137ee4c2 which can be used as unique global reference for Lime in MISP communities and other software using the MISP galaxy

Litra

ransomware

Internal MISP references

UUID c96c1d9c-9f7d-47ac-9849-6a9e4c049f55 which can be used as unique global reference for Litra in MISP communities and other software using the MISP galaxy

LittleFinger

ransomware

Internal MISP references

UUID 0ea3f9fd-9f2a-4491-9492-e655344fd5ec which can be used as unique global reference for LittleFinger in MISP communities and other software using the MISP galaxy

LMAOxUS

ransomware

Internal MISP references

UUID f3dfd38d-9795-4c2f-92f8-683f252c7935 which can be used as unique global reference for LMAOxUS in MISP communities and other software using the MISP galaxy

LockBox

ransomware

Internal MISP references

UUID eed8bf9a-cbb6-4096-9511-7a3cf47d10c4 which can be used as unique global reference for LockBox in MISP communities and other software using the MISP galaxy

Locked_File

ransomware

Internal MISP references

UUID 07b6bb3b-e738-466e-9267-78587c3dea6b which can be used as unique global reference for Locked_File in MISP communities and other software using the MISP galaxy

LockedByte

ransomware

Internal MISP references

UUID 3a29a37a-528a-4fd5-b6c8-a5be64c88c15 which can be used as unique global reference for LockedByte in MISP communities and other software using the MISP galaxy

Locker-Pay

ransomware

Internal MISP references

UUID d62a826b-9d74-4e04-8e12-9cb918c0ee80 which can be used as unique global reference for Locker-Pay in MISP communities and other software using the MISP galaxy

Lockify

ransomware

Internal MISP references

UUID 8622375e-47c3-4542-be21-cc76969cdaa1 which can be used as unique global reference for Lockify in MISP communities and other software using the MISP galaxy

LockMe

ransomware

Internal MISP references

UUID c493f2e3-7fdc-41f5-8450-1e01dd92c339 which can be used as unique global reference for LockMe in MISP communities and other software using the MISP galaxy

LockOn

ransomware

Internal MISP references

UUID 229959ff-de0f-46d5-9ded-5026944adc13 which can be used as unique global reference for LockOn in MISP communities and other software using the MISP galaxy

Lockout

ransomware

Internal MISP references

UUID 70fa1062-fdb1-424b-b29e-c4497c4f9df4 which can be used as unique global reference for Lockout in MISP communities and other software using the MISP galaxy

LongTermMemoryLoss

ransomware

Internal MISP references

UUID 23ccf1d7-4f68-4c95-a8a4-eeff5720be63 which can be used as unique global reference for LongTermMemoryLoss in MISP communities and other software using the MISP galaxy

LonleyCrypt

ransomware

Internal MISP references

UUID 1609a28b-9da4-419f-8df9-0589d842f231 which can be used as unique global reference for LonleyCrypt in MISP communities and other software using the MISP galaxy

LooCipher

ransomware

Internal MISP references

UUID 706d91b7-990b-486f-bf6b-33ffdc704039 which can be used as unique global reference for LooCipher in MISP communities and other software using the MISP galaxy

LordOfShadow

ransomware

Internal MISP references

UUID de60a270-8ed2-4b39-b90c-ebbd7821962d which can be used as unique global reference for LordOfShadow in MISP communities and other software using the MISP galaxy

Losers

ransomware

Internal MISP references

UUID 98c9333d-9c94-436d-9f37-3ba4354cad32 which can be used as unique global reference for Losers in MISP communities and other software using the MISP galaxy

Losers-Dangerous

ransomware

Internal MISP references

UUID 29a65541-4638-4acc-9627-f5cfd5d719d0 which can be used as unique global reference for Losers-Dangerous in MISP communities and other software using the MISP galaxy

Lost_Files

ransomware

Internal MISP references

UUID 2c5d28fa-1ca9-45ff-9ea6-943a1fd375af which can be used as unique global reference for Lost_Files in MISP communities and other software using the MISP galaxy

LuckyJoe

ransomware

Internal MISP references

UUID 92312287-ab2b-4246-a46b-c9b41714571b which can be used as unique global reference for LuckyJoe in MISP communities and other software using the MISP galaxy

Luxnut

ransomware

Internal MISP references

UUID 0e372055-134e-4360-b62e-ad65ee20a2c4 which can be used as unique global reference for Luxnut in MISP communities and other software using the MISP galaxy

Madafakah

ransomware

Internal MISP references

UUID d44c76ea-ab96-4f95-aa51-471c779de3d1 which can be used as unique global reference for Madafakah in MISP communities and other software using the MISP galaxy

MadBit

ransomware

Internal MISP references

UUID 27e23341-bbcd-4eae-992e-f0a0c87e3b40 which can be used as unique global reference for MadBit in MISP communities and other software using the MISP galaxy

Magician

ransomware

Internal MISP references

UUID 7fe890f7-db7f-4cef-ad9f-9e44d445ef8a which can be used as unique global reference for Magician in MISP communities and other software using the MISP galaxy

Malabu

ransomware

Internal MISP references

UUID 8ee63c4b-eb0d-47f1-b867-41afb64a5686 which can be used as unique global reference for Malabu in MISP communities and other software using the MISP galaxy

MalwareTech's CTF

ransomware

Internal MISP references

UUID bd2800dc-62b8-4e77-bde5-1a1b0c4d2502 which can be used as unique global reference for MalwareTech's CTF in MISP communities and other software using the MISP galaxy

Mancros+AI4939

ransomware

Internal MISP references

UUID c430f580-6ba9-44fa-a8c5-9ccfff339940 which can be used as unique global reference for Mancros+AI4939 in MISP communities and other software using the MISP galaxy

Maoloa

ransomware

Internal MISP references

UUID e1b124d6-6a92-4d0a-a116-ae8f448e5dc3 which can be used as unique global reference for Maoloa in MISP communities and other software using the MISP galaxy

Marozka

ransomware

Internal MISP references

UUID cf316be5-f76f-4c9a-8cc1-52214bb18896 which can be used as unique global reference for Marozka in MISP communities and other software using the MISP galaxy

MarraCrypt

ransomware

Internal MISP references

UUID 3121238f-0982-4a10-92fc-047fbd658784 which can be used as unique global reference for MarraCrypt in MISP communities and other software using the MISP galaxy

Matroska

ransomware

Internal MISP references

UUID 20f3f441-7285-4b83-a2a1-fad2d23b1048 which can be used as unique global reference for Matroska in MISP communities and other software using the MISP galaxy

MauriGo

ransomware

Internal MISP references

UUID 9b9f3cc7-7cb8-4431-8187-d7494703d618 which can be used as unique global reference for MauriGo in MISP communities and other software using the MISP galaxy

MaxiCrypt

ransomware

Internal MISP references

UUID b219c747-81da-45c5-88a6-50a1a4642ba0 which can be used as unique global reference for MaxiCrypt in MISP communities and other software using the MISP galaxy

Maykolin

ransomware

Internal MISP references

UUID d5c3b64f-c9b4-4f48-9391-6f0d5ac8f5e4 which can be used as unique global reference for Maykolin in MISP communities and other software using the MISP galaxy

Maysomware

ransomware

Internal MISP references

UUID 82b3dd0f-eb99-4866-aaa2-af4f4182d612 which can be used as unique global reference for Maysomware in MISP communities and other software using the MISP galaxy

MBR-ONI

ransomware

Internal MISP references

UUID 2a803db3-8962-4d2f-8397-e3301b57cef7 which can be used as unique global reference for MBR-ONI in MISP communities and other software using the MISP galaxy

MedusaLocker

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.

Internal MISP references

UUID 627d603a-906f-4fbf-b922-f03eea4578fe which can be used as unique global reference for MedusaLocker in MISP communities and other software using the MISP galaxy

External references

• https://www.cisa.gov/uscert/ncas/alerts/aa22-181a - webarchive
• https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf - webarchive

Associated metadata

Metadata key	Value
extensions	['.1btc', '.matlock20', '.marlock02', '.readinstructions', '.bec', '.mylock', '.jpz.nz', '.marlock11', '.cn', '.NET1', '.key1', '.fileslocked', '.datalock', '.NZ', '.lock', '.lockfilesUS', '.deadfilesgr', '.tyco', '.lockdata7', '.rs', '.faratak', '.uslockhh', '.lockfiles', '.fileslock', '.zoomzoom', '.perfection', '.marlock13', 'n.exe', '.Readinstruction', '.marlock08', '.marlock25', 'nt_lock20', '.READINSTRUCTION', '.marlock6', '.marlock01', '.ReadInstructions']
links	['https://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion', 'http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion/', 'http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion']
ransomnotes-filenames	['how_to_ recover_data.html', 'how_to_recover_data.html.marlock01', 'instructions.html', 'READINSTRUCTION.html', '!!!HOW_TO_DECRYPT!!!', 'How_to_recovery.txt', 'readinstructions.html', 'readme_to_recover_files', 'recovery_instructions.html', 'HOW_TO_RECOVER_DATA.html', 'recovery_instruction.html']

Meduza

ransomware

Internal MISP references

UUID 6a985c3b-8ad9-4005-b363-854f6f6f4dcd which can be used as unique global reference for Meduza in MISP communities and other software using the MISP galaxy

MegaLocker

ransomware

Internal MISP references

UUID 60ec39c9-25d2-4d04-ad2e-4f9293159e84 which can be used as unique global reference for MegaLocker in MISP communities and other software using the MISP galaxy

Mew767

ransomware

Internal MISP references

UUID 1d274b68-a9c9-4418-a430-df9e4f0d4f4a which can be used as unique global reference for Mew767 in MISP communities and other software using the MISP galaxy

Mike NotSTOP

ransomware

Internal MISP references

UUID 08e17d21-6f58-4eef-aee5-0dd842ca6eee which can be used as unique global reference for Mike NotSTOP in MISP communities and other software using the MISP galaxy

Mikoyan

ransomware

Internal MISP references

UUID dce3f8d4-9381-4b91-8cf5-e33e55a1e199 which can be used as unique global reference for Mikoyan in MISP communities and other software using the MISP galaxy

MindLost

ransomware

Internal MISP references

UUID ae96d561-5f2e-43ce-9b82-7a81e825758a which can be used as unique global reference for MindLost in MISP communities and other software using the MISP galaxy

MindSystem

ransomware

Internal MISP references

UUID 8051a21d-8967-4674-a6c3-dc794df43fe0 which can be used as unique global reference for MindSystem in MISP communities and other software using the MISP galaxy

Mini

ransomware

Internal MISP references

UUID 804c576e-8679-47ff-9550-0c1abe896e46 which can be used as unique global reference for Mini in MISP communities and other software using the MISP galaxy

Minotaur

ransomware

Internal MISP references

UUID 63f2149a-c736-4a7d-86f9-0993cb568630 which can be used as unique global reference for Minotaur in MISP communities and other software using the MISP galaxy

MMM

ransomware

Internal MISP references

UUID 6c01d999-123f-4301-939d-a65bbcf00d90 which can be used as unique global reference for MMM in MISP communities and other software using the MISP galaxy

MNS CryptoLocker

ransomware

Internal MISP references

UUID c4461bdf-560d-4f89-a5cb-f0960a720687 which can be used as unique global reference for MNS CryptoLocker in MISP communities and other software using the MISP galaxy

MoneroPay

ransomware

Internal MISP references

UUID 98c9ebce-d11c-41b7-9923-4e94dca22fb0 which can be used as unique global reference for MoneroPay in MISP communities and other software using the MISP galaxy

MongoLock

ransomware

Internal MISP references

UUID 4f579928-8f50-459c-8878-df1c75437c38 which can be used as unique global reference for MongoLock in MISP communities and other software using the MISP galaxy

MoonCryptor

ransomware

Internal MISP references

UUID 8e103d80-1e53-42b0-a21a-5a2bcefa7d3f which can be used as unique global reference for MoonCryptor in MISP communities and other software using the MISP galaxy

Mordor

ransomware

Internal MISP references

UUID b14d39e1-36ea-45a9-8609-95ac7ffce3cd which can be used as unique global reference for Mordor in MISP communities and other software using the MISP galaxy

MorrisBatchCrypt

ransomware

Internal MISP references

UUID 21181132-affd-464e-81cd-35ef575fc56d which can be used as unique global reference for MorrisBatchCrypt in MISP communities and other software using the MISP galaxy

Moth

ransomware

Internal MISP references

UUID eecce3be-ba24-4cf4-b9cf-8780533dc487 which can be used as unique global reference for Moth in MISP communities and other software using the MISP galaxy

MoWare H.F.D

ransomware

Internal MISP references

UUID a319539b-ccd0-4278-83fa-9419331bb1f2 which can be used as unique global reference for MoWare H.F.D in MISP communities and other software using the MISP galaxy

Mr.Locker

ransomware

Internal MISP references

UUID c21111d1-fc51-437a-9c73-1b89922bea95 which can be used as unique global reference for Mr.Locker in MISP communities and other software using the MISP galaxy

Mr403Forbidden

ransomware

Internal MISP references

UUID 7221c504-c3a3-4020-9490-01e569aeddcb which can be used as unique global reference for Mr403Forbidden in MISP communities and other software using the MISP galaxy

MuchLove

ransomware

Internal MISP references

UUID 754ea5a6-6d56-482c-bb0a-c6618fca4390 which can be used as unique global reference for MuchLove in MISP communities and other software using the MISP galaxy

Muhstik

ransomware

Internal MISP references

UUID 7f8d5860-35db-4f23-a174-514a0066e573 which can be used as unique global reference for Muhstik in MISP communities and other software using the MISP galaxy

Mystic

ransomware

Internal MISP references

UUID 0a68c300-6ce0-4664-9956-3abafb3e526e which can be used as unique global reference for Mystic in MISP communities and other software using the MISP galaxy

MZP

ransomware

Internal MISP references

UUID 6aa66f32-54f7-46b7-bb5b-9e953bf97ced which can be used as unique global reference for MZP in MISP communities and other software using the MISP galaxy

N2019cov

ransomware

Internal MISP references

UUID eeb3c94c-1424-49a9-831b-36bbd9e81a1d which can be used as unique global reference for N2019cov in MISP communities and other software using the MISP galaxy

Naampa

ransomware

Internal MISP references

UUID c06b039c-7a68-4f35-9948-87934f287ddd which can be used as unique global reference for Naampa in MISP communities and other software using the MISP galaxy

NazCrypt

ransomware

Internal MISP references

UUID 2fe2b576-9673-46b2-b558-811c26db3f6b which can be used as unique global reference for NazCrypt in MISP communities and other software using the MISP galaxy

Nefilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.

Internal MISP references

UUID d12f369c-f776-468a-8abf-8000b1b30642 which can be used as unique global reference for Nefilim in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://hxt254aygrsziejn.onion']

Related clusters

To see the related clusters, click here.

Negozl

ransomware

Internal MISP references

UUID 38fbf2d7-10a2-4cb2-9d50-cb2434a55c10 which can be used as unique global reference for Negozl in MISP communities and other software using the MISP galaxy

Neitrino

ransomware

Internal MISP references

UUID 686d157c-6c30-4ffb-b192-ca99d90770da which can be used as unique global reference for Neitrino in MISP communities and other software using the MISP galaxy

NewWave

ransomware

Internal MISP references

UUID 78c192ac-7fb6-4c85-8e20-9f86f4633873 which can be used as unique global reference for NewWave in MISP communities and other software using the MISP galaxy

NextCry

ransomware

Internal MISP references

UUID d6899ce2-7d67-4730-9a32-4721051d33f9 which can be used as unique global reference for NextCry in MISP communities and other software using the MISP galaxy

Nightmare

ransomware

Internal MISP references

UUID e361e083-de14-4ffd-80b9-f071096ab973 which can be used as unique global reference for Nightmare in MISP communities and other software using the MISP galaxy

NinjaLoc

ransomware

Internal MISP references

UUID d79ab668-4720-4875-8959-436c7fd81022 which can be used as unique global reference for NinjaLoc in MISP communities and other software using the MISP galaxy

NM4

ransomware

Internal MISP references

UUID ab9ece36-6218-4467-929f-d07192a98b6a which can be used as unique global reference for NM4 in MISP communities and other software using the MISP galaxy

Noblis

ransomware

Internal MISP references

UUID fd447eea-9e79-4143-8e7d-246b022c7950 which can be used as unique global reference for Noblis in MISP communities and other software using the MISP galaxy

Nog4yH4n

ransomware

Internal MISP references

UUID 6db73f66-912d-43f7-ae21-7988aed2ea22 which can be used as unique global reference for Nog4yH4n in MISP communities and other software using the MISP galaxy

Nomikon

ransomware

Internal MISP references

UUID 2a0b033f-c14c-42ec-9f10-57dc2de3639e which can be used as unique global reference for Nomikon in MISP communities and other software using the MISP galaxy

NotAHero

ransomware

Internal MISP references

UUID bf54e9f3-81af-43f7-b378-0109c4adc489 which can be used as unique global reference for NotAHero in MISP communities and other software using the MISP galaxy

Nozelesn

ransomware

Internal MISP references

UUID 6fc911ca-2f9c-428e-8986-aff706edee92 which can be used as unique global reference for Nozelesn in MISP communities and other software using the MISP galaxy

Nulltica

ransomware

Internal MISP references

UUID 619ccdda-2f40-48fe-9492-dd12c70a4029 which can be used as unique global reference for Nulltica in MISP communities and other software using the MISP galaxy

Nx / OSR

ransomware

Internal MISP references

UUID 8f869515-4c4e-4cd0-8b15-9dc3f9a43902 which can be used as unique global reference for Nx / OSR in MISP communities and other software using the MISP galaxy

Nyton

ransomware

Internal MISP references

UUID e8bc21bf-ddfa-4245-89b4-19cfb430eb7d which can be used as unique global reference for Nyton in MISP communities and other software using the MISP galaxy

NZMR

ransomware

Internal MISP references

UUID 641b511e-c974-4584-b8ab-08c1296ac73b which can be used as unique global reference for NZMR in MISP communities and other software using the MISP galaxy

Ogre

ransomware

Internal MISP references

UUID 9686665e-b862-4399-84b9-407714df1677 which can be used as unique global reference for Ogre in MISP communities and other software using the MISP galaxy

OhNo!

ransomware

Internal MISP references

UUID c1470d12-fd35-497e-b1cf-0484e755b7a2 which can be used as unique global reference for OhNo! in MISP communities and other software using the MISP galaxy

Oled

ransomware

Internal MISP references

UUID 652d3fdd-a641-4553-8695-69e0ef74bd1c which can be used as unique global reference for Oled in MISP communities and other software using the MISP galaxy

OmniSphere

ransomware

Internal MISP references

UUID 9162c2e1-6936-4c13-a8c3-c10eab321bd5 which can be used as unique global reference for OmniSphere in MISP communities and other software using the MISP galaxy

One

ransomware

Internal MISP references

UUID 47273227-8079-46e6-9b89-3abdd39c017f which can be used as unique global reference for One in MISP communities and other software using the MISP galaxy

ONI

ransomware

Internal MISP references

UUID 3358ae46-afcd-4685-81b6-75970f502660 which can be used as unique global reference for ONI in MISP communities and other software using the MISP galaxy

OoPS Ramenware

ransomware

Internal MISP references

UUID d056b6f3-4cb0-41a8-a0f5-4fec33871697 which can be used as unique global reference for OoPS Ramenware in MISP communities and other software using the MISP galaxy

OopsLocker

ransomware

Internal MISP references

UUID 3c2ce8a5-e060-4466-847a-3c2db9282bd6 which can be used as unique global reference for OopsLocker in MISP communities and other software using the MISP galaxy

OPdailyallowance

ransomware

Internal MISP references

UUID 88b486e5-ccb2-4f67-8967-f841fb28ea76 which can be used as unique global reference for OPdailyallowance in MISP communities and other software using the MISP galaxy

OpenToYou

ransomware

Internal MISP references

UUID 1e63a74c-a975-4997-ae2c-4ac9196412e4 which can be used as unique global reference for OpenToYou in MISP communities and other software using the MISP galaxy

Ordinal

ransomware

Internal MISP references

UUID c1a4ddf5-cfe6-4482-a8d4-69761eff0554 which can be used as unique global reference for Ordinal in MISP communities and other software using the MISP galaxy

Ordinypt

ransomware

Internal MISP references

UUID c624a4b1-b4aa-4810-b860-45545c6ecb50 which can be used as unique global reference for Ordinypt in MISP communities and other software using the MISP galaxy

Pacman

ransomware

Internal MISP references

UUID 0ef81fda-237e-4d28-8bd7-f05c748eb0d8 which can be used as unique global reference for Pacman in MISP communities and other software using the MISP galaxy

PassLock

ransomware

Internal MISP references

UUID 4857ec1b-7d5f-487d-a2cd-91588158fe49 which can be used as unique global reference for PassLock in MISP communities and other software using the MISP galaxy

Pay-or-Lost

ransomware

Internal MISP references

UUID 8acc6960-3eb9-479d-a745-7c7eddacc0f2 which can be used as unique global reference for Pay-or-Lost in MISP communities and other software using the MISP galaxy

PayForNature

ransomware

Internal MISP references

UUID dc5be315-4829-448a-9359-05d5b9187756 which can be used as unique global reference for PayForNature in MISP communities and other software using the MISP galaxy

Paymen45

ransomware

Internal MISP references

UUID ef63051e-a99e-43db-b81d-80ec95e74610 which can be used as unique global reference for Paymen45 in MISP communities and other software using the MISP galaxy

Payment

ransomware

Internal MISP references

UUID 7a2eeb1a-6ae3-4e1c-a4f7-af4a0be2d98e which can be used as unique global reference for Payment in MISP communities and other software using the MISP galaxy

PClock и PClock2

ransomware

Internal MISP references

UUID 2a20dd7e-242e-45ac-8245-1864320ed157 which can be used as unique global reference for PClock и PClock2 in MISP communities and other software using the MISP galaxy

PPDDDP

ransomware

Internal MISP references

UUID fc91d065-21c2-44ae-9169-241d60f1a786 which can be used as unique global reference for PPDDDP in MISP communities and other software using the MISP galaxy

PEC 2017

ransomware

Internal MISP references

UUID 0df4ba53-b7c9-4e2a-979d-f8e3d7737aa9 which can be used as unique global reference for PEC 2017 in MISP communities and other software using the MISP galaxy

Pendor

ransomware

Internal MISP references

UUID 05f9a3ce-2611-40b9-b788-c8dc7233e5a7 which can be used as unique global reference for Pendor in MISP communities and other software using the MISP galaxy

Pennywise

ransomware

Internal MISP references

UUID 48bef862-8a8c-4eeb-b72c-a756762b52c7 which can be used as unique global reference for Pennywise in MISP communities and other software using the MISP galaxy

PewCrypt +decrypt

ransomware

Internal MISP references

UUID 512d011c-81a8-4218-866c-1497f4572caf which can be used as unique global reference for PewCrypt +decrypt in MISP communities and other software using the MISP galaxy

PewDiePie

ransomware

Internal MISP references

UUID c37cf393-f299-4b02-864c-5e7e5f244d04 which can be used as unique global reference for PewDiePie in MISP communities and other software using the MISP galaxy

PhobosImposter

ransomware

Internal MISP references

UUID bbbfe905-6236-419a-ab21-a33202597b1c which can be used as unique global reference for PhobosImposter in MISP communities and other software using the MISP galaxy

PhoneNumber

ransomware

Internal MISP references

UUID 37a26943-99b6-40ae-984d-91e044546d1b which can be used as unique global reference for PhoneNumber in MISP communities and other software using the MISP galaxy

PHP

ransomware

Internal MISP references

UUID 70ce8986-d1c3-4e10-8096-1ee2539f11d7 which can be used as unique global reference for PHP in MISP communities and other software using the MISP galaxy

Pirateware

ransomware

Internal MISP references

UUID 5822a3dc-64b3-4303-b0ba-d2e804a5015c which can be used as unique global reference for Pirateware in MISP communities and other software using the MISP galaxy

PoisonFang

ransomware

Internal MISP references

UUID 88c32b3b-daa1-4cec-8e05-753ee5785704 which can be used as unique global reference for PoisonFang in MISP communities and other software using the MISP galaxy

PonyFinal

ransomware

Internal MISP references

UUID fc3984d8-b1c6-45e7-8d36-e51532c9b7fc which can be used as unique global reference for PonyFinal in MISP communities and other software using the MISP galaxy

PooleZoor

ransomware

Internal MISP references

UUID bd401c00-e690-4dae-80ac-c47aab227e5f which can be used as unique global reference for PooleZoor in MISP communities and other software using the MISP galaxy

PopCornTime

ransomware

Internal MISP references

UUID d494a2e6-17e6-435f-9bcd-ef728d18f504 which can be used as unique global reference for PopCornTime in MISP communities and other software using the MISP galaxy

PowerHentai

ransomware

Internal MISP references

UUID 3687c99c-f44e-421d-a04d-0a80d086c53a which can be used as unique global reference for PowerHentai in MISP communities and other software using the MISP galaxy

PowerLocky

ransomware

Internal MISP references

UUID 662bf791-0a13-48e8-9f21-07dfb328d02b which can be used as unique global reference for PowerLocky in MISP communities and other software using the MISP galaxy

PowerShell Locker 2013

ransomware

Internal MISP references

UUID 5ed83975-a681-4061-8314-9ef76f319ef2 which can be used as unique global reference for PowerShell Locker 2013 in MISP communities and other software using the MISP galaxy

PowerShell Locker 2015

ransomware

Internal MISP references

UUID b9a6faf4-733d-44b3-889b-ec468697ba3f which can be used as unique global reference for PowerShell Locker 2015 in MISP communities and other software using the MISP galaxy

Pr0tector

ransomware

Internal MISP references

UUID 535916a2-283b-4512-bc8b-e5d98c055fab which can be used as unique global reference for Pr0tector in MISP communities and other software using the MISP galaxy

Predator

ransomware

Internal MISP references

UUID d8da450f-5e17-4301-b1ba-5468aa69d17a which can be used as unique global reference for Predator in MISP communities and other software using the MISP galaxy

Priapos

ransomware

Internal MISP references

UUID bd351d3d-3633-4aba-a35e-82cb7a00b2d5 which can be used as unique global reference for Priapos in MISP communities and other software using the MISP galaxy

Project23

ransomware

Internal MISP references

UUID 114fbac2-6d2b-46b5-bc08-ed0c94cd756e which can be used as unique global reference for Project23 in MISP communities and other software using the MISP galaxy

Project57

ransomware

Internal MISP references

UUID 084f9aec-4ebc-46a2-be97-0d1d172be044 which can be used as unique global reference for Project57 in MISP communities and other software using the MISP galaxy

ProLock

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.

Internal MISP references

UUID c4417bfb-717f-48d9-bd56-bc9e85d07c19 which can be used as unique global reference for ProLock in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion']

Related clusters

To see the related clusters, click here.

Prometey

ransomware

Internal MISP references

UUID f5390f29-d832-434d-8547-5cab7f82a93b which can be used as unique global reference for Prometey in MISP communities and other software using the MISP galaxy

Protected

ransomware

Internal MISP references

UUID a732a730-3fb4-4642-a4c5-25edaf0a1b9f which can be used as unique global reference for Protected in MISP communities and other software using the MISP galaxy

PSCrypt

ransomware

Internal MISP references

UUID 4274477b-65c7-4497-846b-c8beebc264a2 which can be used as unique global reference for PSCrypt in MISP communities and other software using the MISP galaxy

PshCrypt

ransomware

Internal MISP references

UUID 801d7e9f-8076-4d6f-894e-c557f3b9cfeb which can be used as unique global reference for PshCrypt in MISP communities and other software using the MISP galaxy

PTP

ransomware

Internal MISP references

UUID 7cce4912-900f-4d16-b2c5-37b9078f3d7b which can be used as unique global reference for PTP in MISP communities and other software using the MISP galaxy

Pulpy

ransomware

Internal MISP references

UUID 64c5896a-141c-41fb-bc58-705f008c7b8f which can be used as unique global reference for Pulpy in MISP communities and other software using the MISP galaxy

PureLocker

ransomware

Internal MISP references

UUID 119b0b4d-034e-4e58-a7a4-833f083848cd which can be used as unique global reference for PureLocker in MISP communities and other software using the MISP galaxy

PwndLocker

ransomware

Internal MISP references

UUID a8b6433c-fc01-4c77-9a89-5f0f57136aaa which can be used as unique global reference for PwndLocker in MISP communities and other software using the MISP galaxy

PyteHole

ransomware

Internal MISP references

UUID bf927535-eaf2-48e4-9b38-287de9ec4a0b which can be used as unique global reference for PyteHole in MISP communities and other software using the MISP galaxy

Python

ransomware

Internal MISP references

UUID ee55d30a-8735-42f4-b8e9-3610959be772 which can be used as unique global reference for Python in MISP communities and other software using the MISP galaxy

PZDC

ransomware

Internal MISP references

UUID b79b60a4-2b47-4bb1-b36e-602a03afc7cd which can be used as unique global reference for PZDC in MISP communities and other software using the MISP galaxy

Qinynore

ransomware

Internal MISP references

UUID 89cc64e1-d33c-4922-84d4-0467bdeddba6 which can be used as unique global reference for Qinynore in MISP communities and other software using the MISP galaxy

QNAPCrypt

ransomware

Internal MISP references

UUID 8f5b9eff-242d-4f9b-9aa6-c24f92f7f0f9 which can be used as unique global reference for QNAPCrypt in MISP communities and other software using the MISP galaxy

QP

ransomware

Internal MISP references

UUID 9bd4c0c6-e8fe-495a-99b8-b5ea741ff8ae which can be used as unique global reference for QP in MISP communities and other software using the MISP galaxy

QuakeWay

ransomware

Internal MISP references

UUID 380c73bf-7734-44c4-9f46-063cbd20475f which can be used as unique global reference for QuakeWay in MISP communities and other software using the MISP galaxy

Qweuirtksd

ransomware

Internal MISP references

UUID 60f4c416-8752-4d59-8e9e-b12f16afda83 which can be used as unique global reference for Qweuirtksd in MISP communities and other software using the MISP galaxy

R3store

ransomware

Internal MISP references

UUID 2943ea4b-42e8-4e5c-9abb-d6c3e94b84ce which can be used as unique global reference for R3store in MISP communities and other software using the MISP galaxy

RabbitFox

ransomware

Internal MISP references

UUID 8b1f7d30-1115-4ad2-a986-fd797edf2b4d which can be used as unique global reference for RabbitFox in MISP communities and other software using the MISP galaxy

Ramsey

ransomware

Internal MISP references

UUID c07fd277-f133-4deb-84ef-2f651aa0d989 which can be used as unique global reference for Ramsey in MISP communities and other software using the MISP galaxy

RandomLocker

ransomware

Internal MISP references

UUID 93e70c60-6bd2-4f01-a28a-1ae287349d61 which can be used as unique global reference for RandomLocker in MISP communities and other software using the MISP galaxy

RanRans

ransomware

Internal MISP references

UUID d2b23d28-c12d-422f-8558-0d79ed98d335 which can be used as unique global reference for RanRans in MISP communities and other software using the MISP galaxy

Rans0mLocked

ransomware

Internal MISP references

UUID d2d0d87f-249f-4223-82b2-71c82df6c7f2 which can be used as unique global reference for Rans0mLocked in MISP communities and other software using the MISP galaxy

Ransed

ransomware

Internal MISP references

UUID 0c1b4371-9c6e-41f2-9410-e76a1094d0ca which can be used as unique global reference for Ransed in MISP communities and other software using the MISP galaxy

Ransom102

ransomware

Internal MISP references

UUID dfdc4876-bc48-4748-822a-dcce1c4058c4 which can be used as unique global reference for Ransom102 in MISP communities and other software using the MISP galaxy

RansomAES

ransomware

Internal MISP references

UUID 493847f8-57b1-42cc-9303-6b1eb9576580 which can be used as unique global reference for RansomAES in MISP communities and other software using the MISP galaxy

RansomCuck

ransomware

Internal MISP references

UUID b63ed281-5357-4d20-afef-3377b70fd48b which can be used as unique global reference for RansomCuck in MISP communities and other software using the MISP galaxy

RansomMine

ransomware

Internal MISP references

UUID 65844c85-ad66-46e9-bb44-f99e601179a2 which can be used as unique global reference for RansomMine in MISP communities and other software using the MISP galaxy

Ransomnix

ransomware

Internal MISP references

UUID 1f5c7ad1-5ec5-4e0f-b7e0-c87232693a5d which can be used as unique global reference for Ransomnix in MISP communities and other software using the MISP galaxy

Ransom Prank

ransomware

Internal MISP references

UUID 1fe7d70f-8540-4f21-8675-2fe72bacce85 which can be used as unique global reference for Ransom Prank in MISP communities and other software using the MISP galaxy

RansomUserLocker

ransomware

Internal MISP references

UUID 7ec4a72d-12d3-46bb-a796-0296db298935 which can be used as unique global reference for RansomUserLocker in MISP communities and other software using the MISP galaxy

RansomWarrior

ransomware

Internal MISP references

UUID 8af10e62-84e7-45c5-ae10-db1106cec43a which can be used as unique global reference for RansomWarrior in MISP communities and other software using the MISP galaxy

Rapid

ransomware

Internal MISP references

UUID 9fd0b741-44fb-42fe-bf3d-b36b807878fe which can be used as unique global reference for Rapid in MISP communities and other software using the MISP galaxy

Rapid 2.0

ransomware

Internal MISP references

UUID 8a7c32fd-9851-40c3-9fd9-a889a015db5e which can be used as unique global reference for Rapid 2.0 in MISP communities and other software using the MISP galaxy

Rapid 3.0

ransomware

Internal MISP references

UUID 07ef8e30-7bcd-4f14-af50-a113fdf60774 which can be used as unique global reference for Rapid 3.0 in MISP communities and other software using the MISP galaxy

Rapid-Gillette

ransomware

Internal MISP references

UUID 84160999-eebb-4f76-8253-9e09d447f472 which can be used as unique global reference for Rapid-Gillette in MISP communities and other software using the MISP galaxy

Ra

ransomware

Internal MISP references

UUID 8cd93feb-4bf0-4d97-b5a2-061198652f1a which can be used as unique global reference for Ra in MISP communities and other software using the MISP galaxy

RaRuCrypt

ransomware

Internal MISP references

UUID a9d76a58-0ab3-4942-b364-27f89a1915eb which can be used as unique global reference for RaRuCrypt in MISP communities and other software using the MISP galaxy

RedBoot

ransomware

Internal MISP references

UUID 81e4038a-5e4d-4df1-90b7-c4aef735d757 which can be used as unique global reference for RedBoot in MISP communities and other software using the MISP galaxy

Redkeeper

ransomware

Internal MISP references

UUID c26438bb-5aa3-4de4-a749-329d2560a350 which can be used as unique global reference for Redkeeper in MISP communities and other software using the MISP galaxy

RedFox

ransomware

Internal MISP references

UUID 4b2746c5-77f3-4f46-90de-4a0816dcd621 which can be used as unique global reference for RedFox in MISP communities and other software using the MISP galaxy

RedRum

ransomware

Internal MISP references

UUID 56351998-4871-4b7c-9c4c-201aa2ef7eaa which can be used as unique global reference for RedRum in MISP communities and other software using the MISP galaxy

Redshot

ransomware

Internal MISP references

UUID 7c23a477-ea87-48d9-8c7e-d9333c28e984 which can be used as unique global reference for Redshot in MISP communities and other software using the MISP galaxy

Reetner

ransomware

Internal MISP references

UUID 570ba51b-3ce7-4f5b-88a9-98b9f22f8397 which can be used as unique global reference for Reetner in MISP communities and other software using the MISP galaxy

RekenSom

ransomware

Internal MISP references

UUID ca306262-b8e9-46a1-abcd-db5df38b47d5 which can be used as unique global reference for RekenSom in MISP communities and other software using the MISP galaxy

Relock

ransomware

Internal MISP references

UUID f5d20d2c-2624-4a0a-a136-36457d65360b which can be used as unique global reference for Relock in MISP communities and other software using the MISP galaxy

RensenWare

ransomware

Internal MISP references

UUID a27e94d4-9fcb-4729-926c-b507cad09674 which can be used as unique global reference for RensenWare in MISP communities and other software using the MISP galaxy

Rentyr

ransomware

Internal MISP references

UUID 53386169-9045-4636-b4e9-fd9405663d71 which can be used as unique global reference for Rentyr in MISP communities and other software using the MISP galaxy

RestoLocker

ransomware

Internal MISP references

UUID 11367b8d-0627-4774-894a-032fde021979 which can be used as unique global reference for RestoLocker in MISP communities and other software using the MISP galaxy

Resurrection

ransomware

Internal MISP references

UUID f881e6a3-2298-4e82-9d0a-75ceddf0e822 which can be used as unique global reference for Resurrection in MISP communities and other software using the MISP galaxy

Retis

ransomware

Internal MISP references

UUID 19274b88-c0dc-4e91-957b-93d4a992329b which can be used as unique global reference for Retis in MISP communities and other software using the MISP galaxy

RetMyData

ransomware

Internal MISP references

UUID af2011f8-b076-43cf-afb7-a348a7b00b9a which can be used as unique global reference for RetMyData in MISP communities and other software using the MISP galaxy

Revolution

ransomware

Internal MISP references

UUID 7f750865-50aa-40cb-9614-d7d1c357999b which can be used as unique global reference for Revolution in MISP communities and other software using the MISP galaxy

Reyptson

ransomware

Internal MISP references

UUID 8cf3f181-c136-4f09-82ea-f8c5e6ca4b64 which can be used as unique global reference for Reyptson in MISP communities and other software using the MISP galaxy

Rhino

ransomware

Internal MISP references

UUID 39e600c4-2c5b-4798-8a0e-0fa530c2bd0a which can be used as unique global reference for Rhino in MISP communities and other software using the MISP galaxy

Rijndael

ransomware

Internal MISP references

UUID 8c18e32f-0b02-4551-b53b-2ac25baaccaa which can be used as unique global reference for Rijndael in MISP communities and other software using the MISP galaxy

Rogue HT

ransomware

Internal MISP references

UUID 34bdd9f9-94e6-4805-b6b5-27632686070f which can be used as unique global reference for Rogue HT in MISP communities and other software using the MISP galaxy

Rontok

ransomware

Internal MISP references

UUID 64c573b7-80d1-42d0-9fac-dab07f5df00f which can be used as unique global reference for Rontok in MISP communities and other software using the MISP galaxy

Rozlok

ransomware

Internal MISP references

UUID 0283d153-30f5-4be0-9ab7-8eee91fccd63 which can be used as unique global reference for Rozlok in MISP communities and other software using the MISP galaxy

RSA-NI

ransomware

Internal MISP references

UUID 84a5bfc2-44dc-4ddf-95d7-387ff16c7415 which can be used as unique global reference for RSA-NI in MISP communities and other software using the MISP galaxy

RSA2048Pro

ransomware

Internal MISP references

UUID ce28af26-b03e-45ca-8e6d-20fbb36233db which can be used as unique global reference for RSA2048Pro in MISP communities and other software using the MISP galaxy

Ruby

ransomware

Internal MISP references

UUID 224966b2-8d6a-4602-8d7d-67e7c8b2068f which can be used as unique global reference for Ruby in MISP communities and other software using the MISP galaxy

Rush

ransomware

Internal MISP references

UUID b48f7bab-c2ba-4f80-9547-4f2bfef38959 which can be used as unique global reference for Rush in MISP communities and other software using the MISP galaxy

Russenger

ransomware

Internal MISP references

UUID 15d0121a-aac9-41cb-a140-69c3eb739d4a which can be used as unique global reference for Russenger in MISP communities and other software using the MISP galaxy

Russian EDA2

ransomware

Internal MISP references

UUID 100741e9-1803-4be7-98a8-6e5eeb01a50d which can be used as unique global reference for Russian EDA2 in MISP communities and other software using the MISP galaxy

SAD

ransomware

Internal MISP references

UUID 6c7c182b-2a7a-43be-91d8-2bc34d9273c1 which can be used as unique global reference for SAD in MISP communities and other software using the MISP galaxy

SadComputer

ransomware

Internal MISP references

UUID fb94c242-0b03-4338-8c5a-7e4357e5a69c which can be used as unique global reference for SadComputer in MISP communities and other software using the MISP galaxy

Sadogo

ransomware

Internal MISP references

UUID a5aa9c7d-10f7-4091-9c9a-e02acdbe5ca6 which can be used as unique global reference for Sadogo in MISP communities and other software using the MISP galaxy

Salsa

ransomware

Internal MISP references

UUID dd020ef8-0f84-4403-8e2a-09728582467f which can be used as unique global reference for Salsa in MISP communities and other software using the MISP galaxy

Santa Encryptor

ransomware

Internal MISP references

UUID 2869ae30-4106-4080-a63b-be29caecf5b7 which can be used as unique global reference for Santa Encryptor in MISP communities and other software using the MISP galaxy

Saramat

ransomware

Internal MISP references

UUID 3f8ec946-b80d-45b6-ae82-bffbb0bb05d7 which can be used as unique global reference for Saramat in MISP communities and other software using the MISP galaxy

SARansom

ransomware

Internal MISP references

UUID 43690415-9a4f-4019-a02e-26ec3dd2961c which can be used as unique global reference for SARansom in MISP communities and other software using the MISP galaxy

Satan Cryptor 2.0

ransomware

Internal MISP references

UUID 120b33e8-75e2-45bd-b7ba-6726ed2a4ad7 which can be used as unique global reference for Satan Cryptor 2.0 in MISP communities and other software using the MISP galaxy

Satan's Doom Crypter

ransomware

Internal MISP references

UUID aefd8f3f-20c2-4b08-bd00-99c1e67152c4 which can be used as unique global reference for Satan's Doom Crypter in MISP communities and other software using the MISP galaxy

SatanCryptor Go

ransomware

Internal MISP references

UUID d7a08ff9-af25-45e5-9fb7-c54defd6f62c which can be used as unique global reference for SatanCryptor Go in MISP communities and other software using the MISP galaxy

Saturn

ransomware

Internal MISP references

UUID 90db5ee9-f2de-47aa-a923-2862800b473b which can be used as unique global reference for Saturn in MISP communities and other software using the MISP galaxy

Satyr

ransomware

Internal MISP references

UUID 3f2ed9f6-384b-4846-97d0-8dec61b9f03a which can be used as unique global reference for Satyr in MISP communities and other software using the MISP galaxy

SaveTheQueen

ransomware

Internal MISP references

UUID 4790fcdd-deab-4a9d-a8b6-dc413dee4ff8 which can be used as unique global reference for SaveTheQueen in MISP communities and other software using the MISP galaxy

ScammerLocker HT

ransomware

Internal MISP references

UUID f9884cee-1105-4f39-9e42-dda43841fd56 which can be used as unique global reference for ScammerLocker HT in MISP communities and other software using the MISP galaxy

ScammerLocker Ph

ransomware

Internal MISP references

UUID 9d1e1894-28d6-412b-8014-ac6c92657bc9 which can be used as unique global reference for ScammerLocker Ph in MISP communities and other software using the MISP galaxy

Schwerer

ransomware

Internal MISP references

UUID eaea10da-947e-42f9-99c9-6a576fda3bdc which can be used as unique global reference for Schwerer in MISP communities and other software using the MISP galaxy

ScorpionLocker

ransomware

Internal MISP references

UUID 4b6bea32-12bd-4ede-8912-f9037be3b454 which can be used as unique global reference for ScorpionLocker in MISP communities and other software using the MISP galaxy

Scrabber

ransomware

Internal MISP references

UUID 23a6b580-6df0-4193-a66f-721bacbe60fc which can be used as unique global reference for Scrabber in MISP communities and other software using the MISP galaxy

Scroboscope

ransomware

Internal MISP references

UUID f13796ff-a16c-4cd0-b4e1-9f4593c90d2e which can be used as unique global reference for Scroboscope in MISP communities and other software using the MISP galaxy

SecretSystem

ransomware

Internal MISP references

UUID 1b14e605-c8ce-4281-b09f-3c2478afc4f4 which can be used as unique global reference for SecretSystem in MISP communities and other software using the MISP galaxy

SecureCryptor

ransomware

Internal MISP references

UUID e0e111d1-8499-427d-aa37-41f1e52da79d which can be used as unique global reference for SecureCryptor in MISP communities and other software using the MISP galaxy

SeginChile

ransomware

Internal MISP references

UUID 5142f162-d123-4eca-a428-86033d9d60e0 which can be used as unique global reference for SeginChile in MISP communities and other software using the MISP galaxy

SEND.ID.TO

ransomware

Internal MISP references

UUID 7e9924c3-f166-40be-b1c5-85011b77a7f2 which can be used as unique global reference for SEND.ID.TO in MISP communities and other software using the MISP galaxy

Seon

ransomware

Internal MISP references

UUID db6208a6-16a6-49fa-9259-ccd7626719f9 which can be used as unique global reference for Seon in MISP communities and other software using the MISP galaxy

Sepsis

ransomware

Internal MISP references

UUID de8ddc1c-3e86-46e9-abc5-4409257dd174 which can be used as unique global reference for Sepsis in MISP communities and other software using the MISP galaxy

SepSys

ransomware

Internal MISP references

UUID 75b0d6cd-477c-415b-bf3a-fd8181ea6747 which can be used as unique global reference for SepSys in MISP communities and other software using the MISP galaxy

Shadi

ransomware

Internal MISP references

UUID 8e0a2826-279a-4d7f-901f-223b65d556e2 which can be used as unique global reference for Shadi in MISP communities and other software using the MISP galaxy

ShadowCryptor

ransomware

Internal MISP references

UUID a6a80481-0c0b-470d-bdc4-a35f75c6ec2e which can be used as unique global reference for ShadowCryptor in MISP communities and other software using the MISP galaxy

ShinigamiLocker

ransomware

Internal MISP references

UUID 14162500-23ce-47e5-8375-664516f2bf3c which can be used as unique global reference for ShinigamiLocker in MISP communities and other software using the MISP galaxy

ShkolotaCrypt

ransomware

Internal MISP references

UUID a7b363ef-7dd6-4df4-81c0-299670c11240 which can be used as unique global reference for ShkolotaCrypt in MISP communities and other software using the MISP galaxy

Shrug

ransomware

Internal MISP references

UUID 0e492b45-03c8-4f87-9038-4d37c7203b18 which can be used as unique global reference for Shrug in MISP communities and other software using the MISP galaxy

Shutdown57

ransomware

Internal MISP references

UUID 95b099a1-6549-4bf7-a895-3c06259ea000 which can be used as unique global reference for Shutdown57 in MISP communities and other software using the MISP galaxy

ShutUpAndDance

ransomware

Internal MISP references

UUID 21d4caeb-96e4-4564-8d62-6d7521b0d8ec which can be used as unique global reference for ShutUpAndDance in MISP communities and other software using the MISP galaxy

Sifreli 2017

ransomware

Internal MISP references

UUID 92e5861f-5b20-4401-a75f-f5120269b827 which can be used as unique global reference for Sifreli 2017 in MISP communities and other software using the MISP galaxy

Sifreli 2019

ransomware

Internal MISP references

UUID 87372df7-0fa1-4d1e-bf76-4cfdcdced997 which can be used as unique global reference for Sifreli 2019 in MISP communities and other software using the MISP galaxy

SifreCozucu

ransomware

Internal MISP references

UUID 364013f9-15d2-41c0-b458-fd4085466151 which can be used as unique global reference for SifreCozucu in MISP communities and other software using the MISP galaxy

SilentSpring

ransomware

Internal MISP references

UUID 939e7780-5c6e-43f4-9710-c0c219762bc9 which can be used as unique global reference for SilentSpring in MISP communities and other software using the MISP galaxy

SintaLocker

ransomware

Internal MISP references

UUID c3a9d2d0-d239-40af-86cc-51457ed82b46 which can be used as unique global reference for SintaLocker in MISP communities and other software using the MISP galaxy

Skull

ransomware

Internal MISP references

UUID 7c36b38e-6851-402b-93cd-195e029cba84 which can be used as unique global reference for Skull in MISP communities and other software using the MISP galaxy

Skull HT

ransomware

Internal MISP references

UUID fe5ea390-fe3a-4ec9-b0f6-8365c525f5be which can be used as unique global reference for Skull HT in MISP communities and other software using the MISP galaxy

SkyStars

ransomware

Internal MISP references

UUID 0d3634a3-1766-4b49-8ceb-2274ca2048af which can be used as unique global reference for SkyStars in MISP communities and other software using the MISP galaxy

SlankCryptor

ransomware

Internal MISP references

UUID eae70261-6efc-424f-829f-4d179c7a75ae which can be used as unique global reference for SlankCryptor in MISP communities and other software using the MISP galaxy

Snake-Ekans

ransomware

Internal MISP references

UUID 787ea4ce-23ab-464e-9dd8-bb6d24b0c481 which can be used as unique global reference for Snake-Ekans in MISP communities and other software using the MISP galaxy

SnakeLocker

ransomware

Internal MISP references

UUID 92d45020-2aa0-49ac-8e71-be8f3a3f79eb which can be used as unique global reference for SnakeLocker in MISP communities and other software using the MISP galaxy

Snatch

ransomware

Internal MISP references

UUID 1a58eeac-26dc-40e6-8182-22cd461ba736 which can be used as unique global reference for Snatch in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion', 'https://snatch.press/']

SnowPicnic

ransomware

Internal MISP references

UUID f0a26e38-d67c-4215-8a9d-1723ac984d62 which can be used as unique global reference for SnowPicnic in MISP communities and other software using the MISP galaxy

SoFucked

ransomware

Internal MISP references

UUID f2125a86-a23d-4165-a6b7-821db3b48b95 which can be used as unique global reference for SoFucked in MISP communities and other software using the MISP galaxy

SOLO

ransomware

Internal MISP references

UUID e065c7cc-061d-43a8-9668-1aa187e0fd52 which can be used as unique global reference for SOLO in MISP communities and other software using the MISP galaxy

Somik1

ransomware

Internal MISP references

UUID 48f18fa2-7dea-4bdf-8736-253672b62140 which can be used as unique global reference for Somik1 in MISP communities and other software using the MISP galaxy

Sorry HT

ransomware

Internal MISP references

UUID b5f99a93-0c4f-491d-a36a-617d892b5e38 which can be used as unique global reference for Sorry HT in MISP communities and other software using the MISP galaxy

SpartCrypt

ransomware

Internal MISP references

UUID 2fab1ada-2e01-4704-b4d8-e3bb75e6488b which can be used as unique global reference for SpartCrypt in MISP communities and other software using the MISP galaxy

Spectre

ransomware

Internal MISP references

UUID 1e968067-dd8f-4c15-a756-4f572a0ee2cf which can be used as unique global reference for Spectre in MISP communities and other software using the MISP galaxy

Sphinx

ransomware

Internal MISP references

UUID dbe1f272-07c0-4189-ab91-4a6ee7d1ee9a which can be used as unique global reference for Sphinx in MISP communities and other software using the MISP galaxy

Spiteful Doubletake

ransomware

Internal MISP references

UUID 9dad4770-3fd8-48e8-8dd3-bac621f9932a which can be used as unique global reference for Spiteful Doubletake in MISP communities and other software using the MISP galaxy

SpongeBob

ransomware

Internal MISP references

UUID a73abf3d-abda-4916-9401-8c522f87de7c which can be used as unique global reference for SpongeBob in MISP communities and other software using the MISP galaxy

StalinLocker

ransomware

Internal MISP references

UUID 5eacbcf2-84b9-4467-a8de-4c8e9af2c840 which can be used as unique global reference for StalinLocker in MISP communities and other software using the MISP galaxy

Stinger

ransomware

Internal MISP references

UUID 6a9f0f9f-2033-4361-918b-fbfa1cac5e9b which can be used as unique global reference for Stinger in MISP communities and other software using the MISP galaxy

Storm

ransomware

Internal MISP references

UUID e6b1ec39-e118-47d2-9205-468c87be86c2 which can be used as unique global reference for Storm in MISP communities and other software using the MISP galaxy

StrawHat

ransomware

Internal MISP references

UUID c6ab1853-d980-4eb8-b2d5-5c22d9eb882a which can be used as unique global reference for StrawHat in MISP communities and other software using the MISP galaxy

Streamer

ransomware

Internal MISP references

UUID 928e5d57-8029-4300-be0a-5e6e43c220dd which can be used as unique global reference for Streamer in MISP communities and other software using the MISP galaxy

Striked

ransomware

Internal MISP references

UUID d018d87e-4baa-45bd-880b-496c18726da3 which can be used as unique global reference for Striked in MISP communities and other software using the MISP galaxy

Stroman

ransomware

Internal MISP references

UUID 1ae8b4dd-eaef-4181-a699-02536aece63d which can be used as unique global reference for Stroman in MISP communities and other software using the MISP galaxy

Stupid

ransomware

Internal MISP references

UUID 8371370f-8d53-4e90-95f7-e20540f5d052 which can be used as unique global reference for Stupid in MISP communities and other software using the MISP galaxy

StupidJapan

ransomware

Internal MISP references

UUID b8826051-f533-4e70-b59e-166009946ee3 which can be used as unique global reference for StupidJapan in MISP communities and other software using the MISP galaxy

Styver

ransomware

Internal MISP references

UUID 4d1c8d02-f3e2-4a95-8ca2-f3665ec6cc8d which can be used as unique global reference for Styver in MISP communities and other software using the MISP galaxy

Styx

ransomware

Internal MISP references

UUID 5039d334-c737-4d5b-941c-38a714a014c2 which can be used as unique global reference for Styx in MISP communities and other software using the MISP galaxy

SuperB

ransomware

Internal MISP references

UUID 41ee30d0-4c67-4445-990b-07c3c8f1aa28 which can be used as unique global reference for SuperB in MISP communities and other software using the MISP galaxy

SuperCrypt

ransomware

Internal MISP references

UUID f379af94-1826-41bb-a879-ff84a1319848 which can be used as unique global reference for SuperCrypt in MISP communities and other software using the MISP galaxy

Suri

ransomware

Internal MISP references

UUID f3673646-cfd7-4b6e-bd43-b3366d3391d9 which can be used as unique global reference for Suri in MISP communities and other software using the MISP galaxy

Symbiom

ransomware

Internal MISP references

UUID 60561968-40ba-44b6-9ef5-5577c2422f72 which can be used as unique global reference for Symbiom in MISP communities and other software using the MISP galaxy

SymmyWare

ransomware

Internal MISP references

UUID 59863099-6ef0-4fad-87cb-adf21d22ace4 which can be used as unique global reference for SymmyWare in MISP communities and other software using the MISP galaxy

Syrk

ransomware

Internal MISP references

UUID b779b4c0-f32c-4815-bcdf-b81f44a5efd0 which can be used as unique global reference for Syrk in MISP communities and other software using the MISP galaxy

SYSDOWN

ransomware

Internal MISP references

UUID a1bae9e1-2eed-4004-b289-b572936450a3 which can be used as unique global reference for SYSDOWN in MISP communities and other software using the MISP galaxy

SystemCrypter

ransomware

Internal MISP references

UUID ea3f6dc9-4afe-43c6-be84-1ba9c752c9c6 which can be used as unique global reference for SystemCrypter in MISP communities and other software using the MISP galaxy

T1Happy

ransomware

Internal MISP references

UUID 561090ca-d8a6-43f8-acbb-c2d58d422cbd which can be used as unique global reference for T1Happy in MISP communities and other software using the MISP galaxy

Takahiro Locker

ransomware

Internal MISP references

UUID dcfb11cf-bc62-4c2c-9ff8-f4c019c1141d which can be used as unique global reference for Takahiro Locker in MISP communities and other software using the MISP galaxy

TBHRanso

ransomware

Internal MISP references

UUID 4945d7b7-33a7-4e41-94ba-f55650f336e7 which can be used as unique global reference for TBHRanso in MISP communities and other software using the MISP galaxy

Teamo

ransomware

Internal MISP references

UUID 02467be1-ac0d-4fcd-b2b9-0d0c7d337e06 which can be used as unique global reference for Teamo in MISP communities and other software using the MISP galaxy

Tear Dr0p

ransomware

Internal MISP references

UUID 12622e89-46d4-4cd5-95be-c3a2d12e8a18 which can be used as unique global reference for Tear Dr0p in MISP communities and other software using the MISP galaxy

Technicy

ransomware

Internal MISP references

UUID 6ee1b6e3-dac1-483b-aa8c-6afe4433e1ed which can be used as unique global reference for Technicy in MISP communities and other software using the MISP galaxy

TeslaWare

ransomware

Internal MISP references

UUID db9aa4f1-5f54-4bed-9f7a-a19e906f94b4 which can be used as unique global reference for TeslaWare in MISP communities and other software using the MISP galaxy

TFlower

ransomware

Internal MISP references

UUID d5d35c4f-ebde-43ae-acfc-d41c06210893 which can be used as unique global reference for TFlower in MISP communities and other software using the MISP galaxy

The Brotherhood

ransomware

Internal MISP references

UUID 9867ec9e-a772-4c70-81dc-1517330e58bd which can be used as unique global reference for The Brotherhood in MISP communities and other software using the MISP galaxy

The Magic

ransomware

Internal MISP references

UUID cafb301d-098f-40d3-92c7-722b2cc15172 which can be used as unique global reference for The Magic in MISP communities and other software using the MISP galaxy

TheCursedMurderer

ransomware

Internal MISP references

UUID 8ab31008-966e-4ad5-88a2-9e820b814292 which can be used as unique global reference for TheCursedMurderer in MISP communities and other software using the MISP galaxy

TheDarkEncryptor

ransomware

Internal MISP references

UUID 3ec11602-d4df-4341-a9f0-91caf2be1cc0 which can be used as unique global reference for TheDarkEncryptor in MISP communities and other software using the MISP galaxy

Thor

ransomware

Internal MISP references

UUID 3ecf7a76-9e37-4d36-9dda-be8d0a38d56a which can be used as unique global reference for Thor in MISP communities and other software using the MISP galaxy

THT

ransomware

Internal MISP references

UUID 6c01d67f-2d59-45ae-a5ba-decef1f2cc0d which can be used as unique global reference for THT in MISP communities and other software using the MISP galaxy

ThunderCrypt

ransomware

Internal MISP references

UUID 630d46fe-306d-49fa-b2e4-9f85f8b86000 which can be used as unique global reference for ThunderCrypt in MISP communities and other software using the MISP galaxy

Tk

ransomware

Internal MISP references

UUID 772f6749-a753-42af-8442-e6526f8b9a2a which can be used as unique global reference for Tk in MISP communities and other software using the MISP galaxy

Torchwood

ransomware

Internal MISP references

UUID 904fc008-64f6-4adf-863e-f5b6b63df65c which can be used as unique global reference for Torchwood in MISP communities and other software using the MISP galaxy

TorLocker

ransomware

Internal MISP references

UUID dcf0947c-15f3-438c-97e0-ec65d63b80bb which can be used as unique global reference for TorLocker in MISP communities and other software using the MISP galaxy

TotalWipeOut

ransomware

Internal MISP references

UUID 483cae7f-4554-46db-8bbc-223881ae9a1c which can be used as unique global reference for TotalWipeOut in MISP communities and other software using the MISP galaxy

TPS1.0

ransomware

Internal MISP references

UUID abdb9c59-c07b-4701-8208-e6a0cf9efe98 which can be used as unique global reference for TPS1.0 in MISP communities and other software using the MISP galaxy

Trick-Or-Treat

ransomware

Internal MISP references

UUID 95d5eba2-dbb6-4527-9dee-ba13d1c9ac00 which can be used as unique global reference for Trick-Or-Treat in MISP communities and other software using the MISP galaxy

Trojan-Syria

ransomware

Internal MISP references

UUID 6853449b-8b09-43be-96dc-26b16b4d421b which can be used as unique global reference for Trojan-Syria in MISP communities and other software using the MISP galaxy

TrumpHead

ransomware

Internal MISP references

UUID 18c91134-1df6-4853-a1c2-c8424137f2e6 which can be used as unique global reference for TrumpHead in MISP communities and other software using the MISP galaxy

TurkStatik

ransomware

Internal MISP references

UUID 90c6daf8-8212-4ea8-9b59-af49b290b3b9 which can be used as unique global reference for TurkStatik in MISP communities and other software using the MISP galaxy

Tyrant

ransomware

Internal MISP references

UUID 93277946-177a-4f92-833d-30db9d432656 which can be used as unique global reference for Tyrant in MISP communities and other software using the MISP galaxy

UCCU

ransomware

Internal MISP references

UUID 0407e98d-cd3e-42e1-8daf-3c51d2e4906a which can be used as unique global reference for UCCU in MISP communities and other software using the MISP galaxy

Ukash

ransomware

Internal MISP references

UUID ba4f3704-cb2d-4a12-8d81-c825063aaaca which can be used as unique global reference for Ukash in MISP communities and other software using the MISP galaxy

Ultimo HT

ransomware

Internal MISP references

UUID fbbb3784-ddf9-447a-91d8-e155317edd87 which can be used as unique global reference for Ultimo HT in MISP communities and other software using the MISP galaxy

UltraCrypter

ransomware

Internal MISP references

UUID 911e63bc-ab09-4da1-8db7-2ad9354eafee which can be used as unique global reference for UltraCrypter in MISP communities and other software using the MISP galaxy

Unikey

ransomware

Internal MISP references

UUID a9695d8a-9d83-4ae0-9460-f4f56c41ed90 which can be used as unique global reference for Unikey in MISP communities and other software using the MISP galaxy

Unknown Crypted

ransomware

Internal MISP references

UUID 5ee8d6db-8a82-40ee-9e8e-a96795b3fee0 which can be used as unique global reference for Unknown Crypted in MISP communities and other software using the MISP galaxy

Unknown Lock

ransomware

Internal MISP references

UUID 348fda47-e254-479e-b702-ebefda3f490d which can be used as unique global reference for Unknown Lock in MISP communities and other software using the MISP galaxy

Unknown XTBL

ransomware

Internal MISP references

UUID b73d6fd8-7707-451a-a5cb-0425289b02be which can be used as unique global reference for Unknown XTBL in MISP communities and other software using the MISP galaxy

Unlckr

ransomware

Internal MISP references

UUID f94e3dba-cdd6-438e-bc7e-b71af6e8e161 which can be used as unique global reference for Unlckr in MISP communities and other software using the MISP galaxy

UNNAM3D

ransomware

Internal MISP references

UUID 15140e19-f09e-4543-9a4c-b0f0e96860fe which can be used as unique global reference for UNNAM3D in MISP communities and other software using the MISP galaxy

Unnamed Bin

ransomware

Internal MISP references

UUID d77b1546-d37d-47ed-9a46-52892bdbd639 which can be used as unique global reference for Unnamed Bin in MISP communities and other software using the MISP galaxy

Unrans

ransomware

Internal MISP references

UUID 2fe11a8a-dfc3-41c3-891f-365a10a1debd which can be used as unique global reference for Unrans in MISP communities and other software using the MISP galaxy

UselessDisk

ransomware

Internal MISP references

UUID 10666f8c-9e0a-485e-88cc-98b993321d5f which can be used as unique global reference for UselessDisk in MISP communities and other software using the MISP galaxy

UselessFiles

ransomware

Internal MISP references

UUID f43f4c9a-5008-477c-9105-4d444c883caa which can be used as unique global reference for UselessFiles in MISP communities and other software using the MISP galaxy

USR0

ransomware

Internal MISP references

UUID a6a04c23-9df3-47b9-9095-4b7f9799f51a which can be used as unique global reference for USR0 in MISP communities and other software using the MISP galaxy

Vaca

ransomware

Internal MISP references

UUID edcc3607-b246-44ce-8878-5af1a09976ae which can be used as unique global reference for Vaca in MISP communities and other software using the MISP galaxy

VCrypt

ransomware

Internal MISP references

UUID 74a8637a-ac0d-45dd-91d5-326459f09cb5 which can be used as unique global reference for VCrypt in MISP communities and other software using the MISP galaxy

vCrypt1

ransomware

Internal MISP references

UUID d1deeb03-5084-4b50-bb19-38d7bd36a42f which can be used as unique global reference for vCrypt1 in MISP communities and other software using the MISP galaxy

VegaLocker

ransomware

Internal MISP references

UUID d9dd94aa-a646-40b3-a2d3-5870c6be66cf which can be used as unique global reference for VegaLocker in MISP communities and other software using the MISP galaxy

Velso

ransomware

Internal MISP references

UUID 1ccd6940-4eb7-416c-a0de-1fb672d93c80 which can be used as unique global reference for Velso in MISP communities and other software using the MISP galaxy

Vendetta

ransomware

Internal MISP references

UUID 7fd558de-1dfe-432a-834b-3e2691ee7283 which can be used as unique global reference for Vendetta in MISP communities and other software using the MISP galaxy

VevoLocker

ransomware

Internal MISP references

UUID 3d71e8a0-d823-47c0-8a0d-62e35d348514 which can be used as unique global reference for VevoLocker in MISP communities and other software using the MISP galaxy

VHD

ransomware

Internal MISP references

UUID e089f805-8cc2-41d0-b67e-eae21d78bc6c which can be used as unique global reference for VHD in MISP communities and other software using the MISP galaxy

ViACrypt

ransomware

Internal MISP references

UUID 99edd501-76ca-4492-a0a3-8e1c988be22a which can be used as unique global reference for ViACrypt in MISP communities and other software using the MISP galaxy

Viagra

ransomware

Internal MISP references

UUID 777390e2-0d15-499a-8f87-5a5851cdbd09 which can be used as unique global reference for Viagra in MISP communities and other software using the MISP galaxy

VideoBelle

ransomware

Internal MISP references

UUID 7eb414f6-11d9-4424-b486-e1e379b6840f which can be used as unique global reference for VideoBelle in MISP communities and other software using the MISP galaxy

ViiperWare

ransomware

Internal MISP references

UUID 38c94712-deed-470a-b784-0f4665aebf39 which can be used as unique global reference for ViiperWare in MISP communities and other software using the MISP galaxy

Viro

ransomware

Internal MISP references

UUID 0fecef7e-a387-497f-bc26-9560fd943afb which can be used as unique global reference for Viro in MISP communities and other software using the MISP galaxy

ViroBotnet

ransomware

Internal MISP references

UUID 3f62e429-7e6d-41c5-b716-9eb2304e60dc which can be used as unique global reference for ViroBotnet in MISP communities and other software using the MISP galaxy

VisionCrypt

ransomware

Internal MISP references

UUID fc8cc150-c2fb-40cd-9cca-638b8a091861 which can be used as unique global reference for VisionCrypt in MISP communities and other software using the MISP galaxy

VMola

ransomware

Internal MISP references

UUID dff0c92b-953d-4fef-8b36-f36906f806d2 which can be used as unique global reference for VMola in MISP communities and other software using the MISP galaxy

VoidCrypt

ransomware

Internal MISP references

UUID 823e56de-7d4c-4914-a49b-524a5bb77b02 which can be used as unique global reference for VoidCrypt in MISP communities and other software using the MISP galaxy

Vulston

ransomware

Internal MISP references

UUID 1da33eaf-096e-4076-8676-23da3a97ed74 which can be used as unique global reference for Vulston in MISP communities and other software using the MISP galaxy

Waffle

ransomware

Internal MISP references

UUID a5d35c2d-7d06-4539-a4f7-75499663d152 which can be used as unique global reference for Waffle in MISP communities and other software using the MISP galaxy

Waiting

ransomware

Internal MISP references

UUID 26aec13a-eaf2-4adb-9c67-e6ae8f318a0c which can be used as unique global reference for Waiting in MISP communities and other software using the MISP galaxy

Waldo

ransomware

Internal MISP references

UUID e5b2a647-0107-4309-9695-c7bb7859cf4c which can be used as unique global reference for Waldo in MISP communities and other software using the MISP galaxy

Wanna Decryptor Portuguese

ransomware

Internal MISP references

UUID a3be0f12-ece5-4bdb-bcb6-1f5732eb5735 which can be used as unique global reference for Wanna Decryptor Portuguese in MISP communities and other software using the MISP galaxy

WannabeHappy

ransomware

Internal MISP references

UUID 45259e4f-7c68-4e9a-86af-078607181a84 which can be used as unique global reference for WannabeHappy in MISP communities and other software using the MISP galaxy

WannaCash

ransomware

Internal MISP references

UUID 30a56d79-1dee-401e-ad3d-3ea939c4efde which can be used as unique global reference for WannaCash in MISP communities and other software using the MISP galaxy

WannaDie

ransomware

Internal MISP references

UUID 870836be-0534-437e-a25a-7f1e70f9f394 which can be used as unique global reference for WannaDie in MISP communities and other software using the MISP galaxy

WannaPeace

ransomware

Internal MISP references

UUID b222ca29-29b1-4aaa-a709-a3730a70216a which can be used as unique global reference for WannaPeace in MISP communities and other software using the MISP galaxy

WannaSpam

ransomware

Internal MISP references

UUID 4dd51f0f-ad6b-4117-b071-505ec4b71730 which can be used as unique global reference for WannaSpam in MISP communities and other software using the MISP galaxy

Want Money

ransomware

Internal MISP references

UUID 9540bd2d-638b-4e79-a231-6f06b055c916 which can be used as unique global reference for Want Money in MISP communities and other software using the MISP galaxy

Wesker

ransomware

Internal MISP references

UUID 0ca42fde-477c-459d-89a6-bed041a73b70 which can be used as unique global reference for Wesker in MISP communities and other software using the MISP galaxy

WhatAFuck

ransomware

Internal MISP references

UUID 5e678363-c42e-4852-9a2e-90212310a522 which can be used as unique global reference for WhatAFuck in MISP communities and other software using the MISP galaxy

WhyCry

ransomware

Internal MISP references

UUID 305b6505-1186-43c8-acd9-431322287ec6 which can be used as unique global reference for WhyCry in MISP communities and other software using the MISP galaxy

Windows10

ransomware

Internal MISP references

UUID cb343570-c8a0-4bb6-ba3b-88126449593e which can be used as unique global reference for Windows10 in MISP communities and other software using the MISP galaxy

WininiCrypt

ransomware

Internal MISP references

UUID 99a8b639-1b06-4e4b-9994-a6e4d0601341 which can be used as unique global reference for WininiCrypt in MISP communities and other software using the MISP galaxy

Winsecure

ransomware

Internal MISP references

UUID 1942a99a-5c5a-49ef-8c6d-0cb6b0fb082b which can be used as unique global reference for Winsecure in MISP communities and other software using the MISP galaxy

WinUpdatesDisabler

ransomware

Internal MISP references

UUID 8ec00fe5-475b-47bc-a7fc-b470d15aaa75 which can be used as unique global reference for WinUpdatesDisabler in MISP communities and other software using the MISP galaxy

WTDI

ransomware

Internal MISP references

UUID f14af77c-5a98-4840-953c-2f37af8cdcc5 which can be used as unique global reference for WTDI in MISP communities and other software using the MISP galaxy

X Locker 5.0

ransomware

Internal MISP references

UUID 39bcd377-24cb-42f4-8f2a-2aa17d5171dc which can be used as unique global reference for X Locker 5.0 in MISP communities and other software using the MISP galaxy

XCry

ransomware

Internal MISP references

UUID 78e05406-ce59-478a-bf1e-1b1abe22e116 which can be used as unique global reference for XCry in MISP communities and other software using the MISP galaxy

XD

ransomware

Internal MISP references

UUID 88f4f772-8c6e-4201-92aa-819c5e7af5c1 which can be used as unique global reference for XD in MISP communities and other software using the MISP galaxy

XData

ransomware

Internal MISP references

UUID 9582a86c-c20d-4e1f-a124-bf2c6d8adf33 which can be used as unique global reference for XData in MISP communities and other software using the MISP galaxy

XeroWare

ransomware

Internal MISP references

UUID 4272cc4a-9d93-4712-b641-b7f4fc9f86bc which can be used as unique global reference for XeroWare in MISP communities and other software using the MISP galaxy

Xlockr

ransomware

Internal MISP references

UUID 5ecc109c-9f04-4e56-86c4-83b37181e75b which can be used as unique global reference for Xlockr in MISP communities and other software using the MISP galaxy

XmdXtazX

ransomware

Internal MISP references

UUID a0c2b579-20f0-4357-8a01-596ce20db48a which can be used as unique global reference for XmdXtazX in MISP communities and other software using the MISP galaxy

Xncrypt

ransomware

Internal MISP references

UUID 95d00a69-c048-48c3-bc6b-fa6a655d8ff3 which can be used as unique global reference for Xncrypt in MISP communities and other software using the MISP galaxy

XRat

ransomware

Internal MISP references

UUID d650da35-7ad7-417a-902a-16ea55bd1126 which can be used as unique global reference for XRat in MISP communities and other software using the MISP galaxy

Related clusters

To see the related clusters, click here.

XyuEncrypt

ransomware

Internal MISP references

UUID f5c46d3f-404b-4640-9892-005f845d33a2 which can be used as unique global reference for XyuEncrypt in MISP communities and other software using the MISP galaxy

xXLecXx

ransomware

Internal MISP references

UUID c08fd941-e54c-4ac6-b94a-fc9b5c9617da which can be used as unique global reference for xXLecXx in MISP communities and other software using the MISP galaxy

Yatron

ransomware

Internal MISP references

UUID ebfa8988-8063-4e3c-a635-7da898389aa4 which can be used as unique global reference for Yatron in MISP communities and other software using the MISP galaxy

Yoshikada

ransomware

Internal MISP references

UUID d6791998-5c0a-4943-bda5-b378d1326a13 which can be used as unique global reference for Yoshikada in MISP communities and other software using the MISP galaxy

YYYYBJQOQDU

ransomware

Internal MISP references

UUID e32b8df2-6f03-4232-b64a-2de14b5642f3 which can be used as unique global reference for YYYYBJQOQDU in MISP communities and other software using the MISP galaxy

ZariqaCrypt

ransomware

Internal MISP references

UUID 2f6d77c5-54df-4997-b82c-ca54d6948d6f which can be used as unique global reference for ZariqaCrypt in MISP communities and other software using the MISP galaxy

Zelta Free

ransomware

Internal MISP references

UUID 463d17d4-e35e-4614-9247-47a3a50a8cda which can be used as unique global reference for Zelta Free in MISP communities and other software using the MISP galaxy

ZenCrypt

ransomware

Internal MISP references

UUID fee8e9fa-68b9-4b69-bd62-6213971e7e10 which can be used as unique global reference for ZenCrypt in MISP communities and other software using the MISP galaxy

Zeoticus

ransomware

Internal MISP references

UUID 5e3a2958-6922-465e-bc36-3b6e59ad1bc1 which can be used as unique global reference for Zeoticus in MISP communities and other software using the MISP galaxy

Zeppelin

ransomware

Internal MISP references

UUID bc62429c-1bf7-42c0-997d-d8c2f80355de which can be used as unique global reference for Zeppelin in MISP communities and other software using the MISP galaxy

Zero-Fucks

ransomware

Internal MISP references

UUID 90ac4150-aab9-44a2-bd56-2bcfa773798b which can be used as unique global reference for Zero-Fucks in MISP communities and other software using the MISP galaxy

ZeroLocker

ransomware

Internal MISP references

UUID 9296d2bc-ec26-4724-88b4-82ab682ed11e which can be used as unique global reference for ZeroLocker in MISP communities and other software using the MISP galaxy

Zeronine

ransomware

Internal MISP references

UUID 03686533-7339-4401-b90d-1125eeffa07f which can be used as unique global reference for Zeronine in MISP communities and other software using the MISP galaxy

ZeroRansom

ransomware

Internal MISP references

UUID 4ff2a1ff-a35e-4d3a-a132-2dcefa2995f7 which can be used as unique global reference for ZeroRansom in MISP communities and other software using the MISP galaxy

Zilla

ransomware

Internal MISP references

UUID 2147b5a8-2f4a-433c-95aa-cdeb4349c542 which can be used as unique global reference for Zilla in MISP communities and other software using the MISP galaxy

ZimbraCryptor

ransomware

Internal MISP references

UUID ae9ec6c3-570f-41fc-ac18-5b129976727a which can be used as unique global reference for ZimbraCryptor in MISP communities and other software using the MISP galaxy

ZipLocker

ransomware

Internal MISP references

UUID 0dfbed7c-66c5-4309-b8ba-7c7a6e659512 which can be used as unique global reference for ZipLocker in MISP communities and other software using the MISP galaxy

Zipper

ransomware

Internal MISP references

UUID 774e5809-2d72-4c3d-a28b-5c51f17f1981 which can be used as unique global reference for Zipper in MISP communities and other software using the MISP galaxy

Zoldon

ransomware

Internal MISP references

UUID a67eedaf-84c5-42ed-86fe-853c76599fe5 which can be used as unique global reference for Zoldon in MISP communities and other software using the MISP galaxy

ZorgoCry

ransomware

Internal MISP references

UUID 03e34bcf-af8b-429d-ac66-aeff844e8fd6 which can be used as unique global reference for ZorgoCry in MISP communities and other software using the MISP galaxy

Smaug

ransomware

Internal MISP references

UUID 78541326-4aaa-4eda-8f55-bf21bb2537ab which can be used as unique global reference for Smaug in MISP communities and other software using the MISP galaxy

GammA

ransomware

Internal MISP references

UUID e3cce543-64b0-4f7a-a176-f1ddc429da3f which can be used as unique global reference for GammA in MISP communities and other software using the MISP galaxy

BlackMoon

ransomware

Internal MISP references

UUID c35de33c-8f7c-41f3-9b74-6da34a0d31c6 which can be used as unique global reference for BlackMoon in MISP communities and other software using the MISP galaxy

MilkmanVictory

ransomware

Internal MISP references

UUID ab33547b-2b6c-47ae-8fca-9747735b0955 which can be used as unique global reference for MilkmanVictory in MISP communities and other software using the MISP galaxy

Dragoncyber

ransomware

Internal MISP references

UUID 1263f5e9-7073-443b-a884-caf9ebf47a1a which can be used as unique global reference for Dragoncyber in MISP communities and other software using the MISP galaxy

Solider

ransomware

Internal MISP references

UUID 61513ee1-4667-43eb-831a-3e01d8e1039f which can be used as unique global reference for Solider in MISP communities and other software using the MISP galaxy

Biglock

ransomware

Internal MISP references

UUID a65bde28-b74c-4ec5-ae20-01cbe101b025 which can be used as unique global reference for Biglock in MISP communities and other software using the MISP galaxy

Immuni

ransomware

Internal MISP references

UUID c2880897-759e-4cbf-8d08-a3418567a33c which can be used as unique global reference for Immuni in MISP communities and other software using the MISP galaxy

Black claw

ransomware

Internal MISP references

UUID d848ca6f-c935-4dba-b706-bd06be094a87 which can be used as unique global reference for Black claw in MISP communities and other software using the MISP galaxy

Banks1

ransomware

Internal MISP references

UUID b6096de6-c831-4a64-9108-e3fcfc7fcc44 which can be used as unique global reference for Banks1 in MISP communities and other software using the MISP galaxy

UnluckyWare

ransomware

Internal MISP references

UUID 9683775c-7d36-4a5a-9580-1038ed17d9d2 which can be used as unique global reference for UnluckyWare in MISP communities and other software using the MISP galaxy

Zorab

ransomware

Internal MISP references

UUID 7d949282-005f-45de-96b3-5584a1114cd6 which can be used as unique global reference for Zorab in MISP communities and other software using the MISP galaxy

FonixCrypter

ransomware

Internal MISP references

UUID b56a89d1-1748-42a0-8a78-02e882a219a9 which can be used as unique global reference for FonixCrypter in MISP communities and other software using the MISP galaxy

LickyAgent

ransomware

Internal MISP references

UUID ab0f5636-38cf-4c89-a090-df4f006bd47b which can be used as unique global reference for LickyAgent in MISP communities and other software using the MISP galaxy

DualShot

ransomware

Internal MISP references

UUID d52ba288-4bcc-4f52-be6c-0d9cfadbf194 which can be used as unique global reference for DualShot in MISP communities and other software using the MISP galaxy

RNS

ransomware

Internal MISP references

UUID e68a3736-1d87-4a77-9814-b23c65cee3c3 which can be used as unique global reference for RNS in MISP communities and other software using the MISP galaxy

Such_Crypt

ransomware

Internal MISP references

UUID b1126047-eaaa-4e2f-abc9-f64faa84d692 which can be used as unique global reference for Such_Crypt in MISP communities and other software using the MISP galaxy

20dfs

ransomware

Internal MISP references

UUID c64d6b5d-44a1-461e-acc6-2b4571f6163d which can be used as unique global reference for 20dfs in MISP communities and other software using the MISP galaxy

CryDroid

ransomware

Internal MISP references

UUID cfa9c2ee-6a2f-4cd4-849f-bcf8e9aa77a7 which can be used as unique global reference for CryDroid in MISP communities and other software using the MISP galaxy

TomNom

ransomware

Internal MISP references

UUID 6f011a57-6a70-4e2a-9a51-36d9032bef05 which can be used as unique global reference for TomNom in MISP communities and other software using the MISP galaxy

Yogynicof

ransomware

Internal MISP references

UUID ada0a2d1-f595-4988-b87a-623c5581bbad which can be used as unique global reference for Yogynicof in MISP communities and other software using the MISP galaxy

CobraLocker

ransomware

Internal MISP references

UUID d160c549-3cf8-4f20-b041-8d775469a566 which can be used as unique global reference for CobraLocker in MISP communities and other software using the MISP galaxy

PL

ransomware

Internal MISP references

UUID ca9a3c5c-ef8e-4e09-bd91-0347a6967837 which can be used as unique global reference for PL in MISP communities and other software using the MISP galaxy

CryCryptor

ransomware

Internal MISP references

UUID ed6f4c24-a2eb-4395-ae76-4d4992b21f5b which can be used as unique global reference for CryCryptor in MISP communities and other software using the MISP galaxy

Blocky

ransomware

Internal MISP references

UUID d1c43e2b-75a5-4d75-a8b7-b46fe106ed87 which can be used as unique global reference for Blocky in MISP communities and other software using the MISP galaxy

OhNo-FakePDF

ransomware

Internal MISP references

UUID b7d9e0c2-e772-41e0-9202-5df2bcff9022 which can be used as unique global reference for OhNo-FakePDF in MISP communities and other software using the MISP galaxy

Try2Cry

ransomware

Internal MISP references

UUID 455b864e-47c0-419f-9c0c-a75bac6d5e84 which can be used as unique global reference for Try2Cry in MISP communities and other software using the MISP galaxy

LolKek

ransomware

Internal MISP references

UUID 5e1df833-e4de-44a9-8728-1681a6e6afbc which can be used as unique global reference for LolKek in MISP communities and other software using the MISP galaxy

FlowEncrypt

ransomware

Internal MISP references

UUID 165949bf-bc59-43c8-a9b7-d281da5688ee which can be used as unique global reference for FlowEncrypt in MISP communities and other software using the MISP galaxy

WhoLocker

ransomware

Internal MISP references

UUID 3ae97d00-4b38-4f81-a055-a1057e3cebae which can be used as unique global reference for WhoLocker in MISP communities and other software using the MISP galaxy

Pojie

ransomware

Internal MISP references

UUID ad010794-bdac-4157-adba-e87014a29708 which can be used as unique global reference for Pojie in MISP communities and other software using the MISP galaxy

Aris Locker

ransomware

Internal MISP references

UUID c795358a-c462-48f0-a5ff-9bdc1dd869e5 which can be used as unique global reference for Aris Locker in MISP communities and other software using the MISP galaxy

EduRansom

ransomware

Internal MISP references

UUID 7750a0ed-e17b-4eaf-97f1-ddf097c48858 which can be used as unique global reference for EduRansom in MISP communities and other software using the MISP galaxy

Fastwind

ransomware

Internal MISP references

UUID db954a2d-4602-4722-977d-3b147ebc1858 which can be used as unique global reference for Fastwind in MISP communities and other software using the MISP galaxy

Silvertor

ransomware

Internal MISP references

UUID 51600819-3b88-43a9-b64e-d08bf5d29f7c which can be used as unique global reference for Silvertor in MISP communities and other software using the MISP galaxy

Exorcist

ransomware

Internal MISP references

UUID b8b0933a-896a-45d1-8284-ebc55dff1f98 which can be used as unique global reference for Exorcist in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion']

WyvernLocker

ransomware

Internal MISP references

UUID df5ef12b-c0e3-4069-beaa-e84ea953befc which can be used as unique global reference for WyvernLocker in MISP communities and other software using the MISP galaxy

Ensiko

ransomware

Internal MISP references

UUID 58d0f5cf-5e71-44dc-b493-b0d3c0724587 which can be used as unique global reference for Ensiko in MISP communities and other software using the MISP galaxy

Django

ransomware

Internal MISP references

UUID d667e11f-95d0-4c44-a0c6-b6ab617c307f which can be used as unique global reference for Django in MISP communities and other software using the MISP galaxy

RansomBlox

ransomware

Internal MISP references

UUID 2c754dfc-0748-47d7-8853-652c1d6a93a7 which can be used as unique global reference for RansomBlox in MISP communities and other software using the MISP galaxy

BitRansomware

ransomware

Internal MISP references

UUID a378ddf1-5981-4e76-8672-60dd4cb67dc1 which can be used as unique global reference for BitRansomware in MISP communities and other software using the MISP galaxy

AESMew

ransomware

Internal MISP references

UUID e9cd52e1-b3e0-4da9-b969-4a3947f3f6bf which can be used as unique global reference for AESMew in MISP communities and other software using the MISP galaxy

DeathOfShadow

ransomware

Internal MISP references

UUID 4cd34987-7b49-4a75-8668-a02498b9b1ac which can be used as unique global reference for DeathOfShadow in MISP communities and other software using the MISP galaxy

XMRLocker

ransomware

Internal MISP references

UUID 9acc2bd8-9215-4795-bf2b-c4281a8ca697 which can be used as unique global reference for XMRLocker in MISP communities and other software using the MISP galaxy

WinWord64

ransomware

Internal MISP references

UUID 0aada732-3b59-4410-a043-5a190d391927 which can be used as unique global reference for WinWord64 in MISP communities and other software using the MISP galaxy

ThunderX

ransomware

Internal MISP references

UUID 937d3070-7fc6-4967-98bc-17acb0c8da8e which can be used as unique global reference for ThunderX in MISP communities and other software using the MISP galaxy

Mountlocket

ransomware

Internal MISP references

UUID 7513650c-ba09-49bf-b011-d2974c7ae023 which can be used as unique global reference for Mountlocket in MISP communities and other software using the MISP galaxy

External references

• https://howtofix.guide/ransom-mountlocket/ - webarchive

Associated metadata

Metadata key	Value

Related clusters

To see the related clusters, click here.

Gladius

ransomware

Internal MISP references

UUID 09fac901-8fcf-4faa-b1e3-96407433d0f2 which can be used as unique global reference for Gladius in MISP communities and other software using the MISP galaxy

Cyrat

ransomware

Internal MISP references

UUID 1ff34e4a-a205-493f-bdd0-2212d80fd83c which can be used as unique global reference for Cyrat in MISP communities and other software using the MISP galaxy

Crypt32

ransomware

Internal MISP references

UUID 705e03d1-b0c9-4c0b-9b10-fb751e09a020 which can be used as unique global reference for Crypt32 in MISP communities and other software using the MISP galaxy

BizHack

ransomware

Internal MISP references

UUID 16ebc67f-96d2-4497-84da-a05713352aba which can be used as unique global reference for BizHack in MISP communities and other software using the MISP galaxy

Geneve

ransomware

Internal MISP references

UUID 971bdbfe-d55d-410f-9b07-57ba69027eb8 which can be used as unique global reference for Geneve in MISP communities and other software using the MISP galaxy

Z3

ransomware

Internal MISP references

UUID 361a35bc-c952-41ad-bd27-c32b690aa9e3 which can be used as unique global reference for Z3 in MISP communities and other software using the MISP galaxy

Leakthemall

ransomware

Internal MISP references

UUID e723285e-14ff-4d25-97c3-43e73168d606 which can be used as unique global reference for Leakthemall in MISP communities and other software using the MISP galaxy

Conti

Conti ransomware is a RaaS and has been observed encrypting networks since mid-2020. Conti was developed by the “TrickBot” group, an organized Russian cybercriminal operation. Their reputation has allowed the group to create a strong brand name, attracting many affiliates which has made Conti one of the most widespread ransomware strains in the world. One of the last known “Conti” attacks was against the government of Costa Rica in April 2022 causing the country to declare a state of emergency. Shortly after this final attack, the “Conti” brand disappeared. The group behind it likely switched to a different brand to avoid sanctions and start over with a new, clean reputation.

Internal MISP references

UUID 201eff54-d41e-4f70-916c-5dfb9301730a which can be used as unique global reference for Conti in MISP communities and other software using the MISP galaxy

External references

• https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti - webarchive
• https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines - webarchive

Associated metadata

Metadata key	Value
attribution-confidence	100
country	RU
extensions	['.conti']
links	['http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion/', 'http://continews.click']
ransomnotes	['All of your files are currently encrypted by CONTI ransomware.']

Related clusters

To see the related clusters, click here.

Makop

ransomware

Internal MISP references

UUID f3d28719-fa72-42c3-b0fe-cda484abbaf9 which can be used as unique global reference for Makop in MISP communities and other software using the MISP galaxy

Best Crypt

ransomware

Internal MISP references

UUID b0552a9f-8820-48c3-a75b-158063f17e1b which can be used as unique global reference for Best Crypt in MISP communities and other software using the MISP galaxy

Consciousness

ransomware

Internal MISP references

UUID 784c93bb-4522-4988-92c0-fef89ff6086d which can be used as unique global reference for Consciousness in MISP communities and other software using the MISP galaxy

Flamingo

ransomware

Internal MISP references

UUID 28d7d7e6-3803-4e77-bd89-8a0921a55c17 which can be used as unique global reference for Flamingo in MISP communities and other software using the MISP galaxy

PewPew

ransomware

Internal MISP references

UUID 89346526-4f9d-4369-a1a2-53974a97a651 which can be used as unique global reference for PewPew in MISP communities and other software using the MISP galaxy

DogeCrypt

ransomware

Internal MISP references

UUID 9684f0dc-2c9d-46e3-a12f-65ea85a678e5 which can be used as unique global reference for DogeCrypt in MISP communities and other software using the MISP galaxy

Badbeeteam

ransomware

Internal MISP references

UUID 47354b68-52c9-4750-b783-97c278ddb6a2 which can be used as unique global reference for Badbeeteam in MISP communities and other software using the MISP galaxy

Solve

ransomware

Internal MISP references

UUID e6b40e6b-7c3e-453c-a250-577f4b8a1a7c which can be used as unique global reference for Solve in MISP communities and other software using the MISP galaxy

RenameX12

ransomware

Internal MISP references

UUID 6f7c24e3-b7e6-483c-92f0-99bf562f6397 which can be used as unique global reference for RenameX12 in MISP communities and other software using the MISP galaxy

Zhen

ransomware

Internal MISP references

UUID e3c82188-6f63-48e1-ace8-e93484994792 which can be used as unique global reference for Zhen in MISP communities and other software using the MISP galaxy

Datacloud

ransomware

Internal MISP references

UUID e5ef8579-a215-4450-8294-c887f3d62476 which can be used as unique global reference for Datacloud in MISP communities and other software using the MISP galaxy

Ironcat

ransomware

Internal MISP references

UUID d511beb8-69c6-4ad8-aa82-fb7b56f467a5 which can be used as unique global reference for Ironcat in MISP communities and other software using the MISP galaxy

Dusk

ransomware

Internal MISP references

UUID ea521e5d-0908-4bb4-8111-b27f56b8fb8d which can be used as unique global reference for Dusk in MISP communities and other software using the MISP galaxy

Cutekitty

ransomware

Internal MISP references

UUID 966b504a-b032-4d99-80fa-5008228b2926 which can be used as unique global reference for Cutekitty in MISP communities and other software using the MISP galaxy

Babax

ransomware

Internal MISP references

UUID 3cc0e0d6-2b19-4505-8f2f-11456efeda8f which can be used as unique global reference for Babax in MISP communities and other software using the MISP galaxy

Eyecry

ransomware

Internal MISP references

UUID a7219d8e-e616-4808-8d5d-6eafe423405a which can be used as unique global reference for Eyecry in MISP communities and other software using the MISP galaxy

Osno

ransomware

Internal MISP references

UUID 9f23a356-8ae8-40b2-bbde-d2f4ba62a883 which can be used as unique global reference for Osno in MISP communities and other software using the MISP galaxy

Loki

ransomware

Internal MISP references

UUID 1a49c0c2-3b66-4832-bf9c-d5624e6a5aaa which can be used as unique global reference for Loki in MISP communities and other software using the MISP galaxy

WoodRat

ransomware

Internal MISP references

UUID c4390e31-fdbd-44d9-babf-adc2b20a57ff which can be used as unique global reference for WoodRat in MISP communities and other software using the MISP galaxy

Curator

ransomware

Internal MISP references

UUID 6d1ba8c7-3a86-4ec5-bfdf-f647c6fe984b which can be used as unique global reference for Curator in MISP communities and other software using the MISP galaxy

32aa

ransomware

Internal MISP references

UUID 31c20516-d4ee-46fb-a020-ccc1b44177b7 which can be used as unique global reference for 32aa in MISP communities and other software using the MISP galaxy

Vaggen

ransomware

Internal MISP references

UUID 6ac0f7e3-eebd-4112-a915-b069604c6d2b which can be used as unique global reference for Vaggen in MISP communities and other software using the MISP galaxy

Clay

ransomware

Internal MISP references

UUID fb98368c-79fb-4d34-a7e0-c4cc9847bce0 which can be used as unique global reference for Clay in MISP communities and other software using the MISP galaxy

Pizhon

ransomware

Internal MISP references

UUID 7b2f9d2c-d96a-4515-b57d-cc1cff35de3a which can be used as unique global reference for Pizhon in MISP communities and other software using the MISP galaxy

InstallPay

ransomware

Internal MISP references

UUID 8439a797-4d81-4b8c-b278-3c41c640294f which can be used as unique global reference for InstallPay in MISP communities and other software using the MISP galaxy

MetadataBin

ransomware

Internal MISP references

UUID ff711485-e052-4ca0-934a-748a7a5d6f4c which can be used as unique global reference for MetadataBin in MISP communities and other software using the MISP galaxy

TechandStrat

ransomware

Internal MISP references

UUID bd743e59-1a2a-40ad-9cd4-d1e519d3b91d which can be used as unique global reference for TechandStrat in MISP communities and other software using the MISP galaxy

Mars

ransomware

Internal MISP references

UUID af35e406-7af3-46f1-b32d-305f9711f645 which can be used as unique global reference for Mars in MISP communities and other software using the MISP galaxy

Scatterbrain

ransomware

Internal MISP references

UUID bee837e2-8bdb-4291-a267-4211bdc2a309 which can be used as unique global reference for Scatterbrain in MISP communities and other software using the MISP galaxy

CCECrypt

ransomware

Internal MISP references

UUID 55d3f7c0-7aa8-4b0e-b0f9-86dd68c78968 which can be used as unique global reference for CCECrypt in MISP communities and other software using the MISP galaxy

SZ40

ransomware

Internal MISP references

UUID 5de1dec7-749e-42ad-b0bf-68d5d774d5be which can be used as unique global reference for SZ40 in MISP communities and other software using the MISP galaxy

Pay2Key

ransomware

Internal MISP references

UUID 678bc24d-a5c3-4ddd-9292-40958afa3492 which can be used as unique global reference for Pay2Key in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020
links	['http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/']

Tripoli

ransomware

Internal MISP references

UUID ae288b5d-062c-4a11-ba81-14794dc6127f which can be used as unique global reference for Tripoli in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

Devos

ransomware

Internal MISP references

UUID dcc12d6f-d59f-4451-999d-7728bf4e95aa which can be used as unique global reference for Devos in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

HowAreYou

ransomware

Internal MISP references

UUID 63397164-fee2-4662-afac-cc651b0426cb which can be used as unique global reference for HowAreYou in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

SifreCikis

ransomware

Internal MISP references

UUID 4be906e7-b6db-453f-8f9b-a8d8d9b29f4b which can be used as unique global reference for SifreCikis in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

68-Random-HEX

ransomware

Internal MISP references

UUID 1bdafae9-51cd-4384-8ee7-774c9db7820f which can be used as unique global reference for 68-Random-HEX in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

RedRoman

ransomware

Internal MISP references

UUID a536a6bd-f567-4631-bdc7-ac38fd9faf81 which can be used as unique global reference for RedRoman in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

MXX

ransomware

Internal MISP references

UUID ce9b4949-aa84-46fe-a532-2d8b7846d1f5 which can be used as unique global reference for MXX in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

Exerwa CTF

ransomware

Internal MISP references

UUID 5553296d-2fe5-490b-bb16-bc2432ede8be which can be used as unique global reference for Exerwa CTF in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

HelloKitty

ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HelloKitty.

Known Synonyms
FiveHands

Internal MISP references

UUID 022c995a-f1ba-498f-b67e-92ef01fd06a3 which can be used as unique global reference for HelloKitty in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020
links	['http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion']

HolidayCheer

ransomware

Internal MISP references

UUID 1496ec2f-76b0-425b-badc-8b7749c7e370 which can be used as unique global reference for HolidayCheer in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

Joker Korean

ransomware

Internal MISP references

UUID d4733b99-e1d7-4101-9653-65d8ed73bd47 which can be used as unique global reference for Joker Korean in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

VenomRAT

ransomware

Internal MISP references

UUID c0222809-cffa-467b-a9b1-b7caaf238b14 which can be used as unique global reference for VenomRAT in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

FileEngineering

ransomware

Internal MISP references

UUID 2a2f3d8f-83c1-490b-94d1-b56b90e81d19 which can be used as unique global reference for FileEngineering in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

LandSlide

ransomware

Internal MISP references

UUID 77714a96-6242-416a-ba6e-a1080e71cd81 which can be used as unique global reference for LandSlide in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

Mobef-JustFun

ransomware

Internal MISP references

UUID 8fa6b51a-a48d-48dc-87ec-cf0d30ad66e8 which can be used as unique global reference for Mobef-JustFun in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	November 2020

Related clusters

To see the related clusters, click here.

Amjixius

ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Amjixius.

Known Synonyms
Ancrypted

Internal MISP references

UUID 1efe19b7-a8f3-455b-aefc-a41a5788bf2c which can be used as unique global reference for Amjixius in MISP communities and other software using the MISP galaxy

External references

• https://malware-guide.com/blog/remove-amjixius-ransomware-restore-encrypted-files - webarchive

Associated metadata

Metadata key	Value
date	December 2020
ransomnotes	['All your files have been encrypted\n\nContact us to this email to decrypt your files:\nancrypted1@gmail.com\nIn case of of no answer in 24 hours contact the secondary email:\nancrypted1@gmail.com\n\nYou can unlock them by buying the special key generated for you\n\nFree decryption as guarantee\nBefore paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived),and files should not contain valuable information. (databases,backups,large excel sheets, etc.)\n\n\nPayment is possible only with bitcoin\n\nHow to obtain bitcoins\nThe easoway to buy bitcoins is LocalBitcoins site. you have to register, click ?Buy bitcoins?, and select the seller by payment method and price.\nHttps://localbitcoins.com/buy_bitcoins\nAlso you can fund other places to buy Bitcoins and beginners guide here:\nHttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\n\nAttention !!!\n1. Do not rename encrypted files.\n2. Do not try to decrypt your data using third party softwares, it may cause permanent data loss.\n3. Decryption or your files with the help of third parties may cause increased price(they add their fee to ours) or you can become a victim of a scam']

DearCry

ransomware

Internal MISP references

UUID c99e4aee-03f7-4cb6-b1ce-2394d00d1472 which can be used as unique global reference for DearCry in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Mars 2021

JoJoCrypter

ransomware

Internal MISP references

UUID 0353ecc5-849c-44a1-9ace-bff14e358c7a which can be used as unique global reference for JoJoCrypter in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Mars 2021

RunExeMemory

ransomware

Internal MISP references

UUID 3742b551-b7e8-4256-81fa-137a05693bb8 which can be used as unique global reference for RunExeMemory in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Mars 2021

Pay2Decrypt

ransomware

Internal MISP references

UUID b0b690c4-b0d3-4e5e-a855-474f312287dc which can be used as unique global reference for Pay2Decrypt in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

Tortoise

ransomware

Internal MISP references

UUID c7da6edc-dd6a-4e7b-8ce2-2f97a98f6efb which can be used as unique global reference for Tortoise in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

EPICALLY

ransomware

Internal MISP references

UUID 401a8f57-7bf6-4a2a-834c-896bc29aa73f which can be used as unique global reference for EPICALLY in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

Random30

ransomware

Internal MISP references

UUID 52a907ab-f38b-4144-ba13-cab33adaab38 which can be used as unique global reference for Random30 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

Hog

ransomware

Internal MISP references

UUID 419955fb-cfe6-4eba-b2ec-de53f4266e25 which can be used as unique global reference for Hog in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

Steel

ransomware

Internal MISP references

UUID f4c25d90-fea1-4bf5-8128-108f4ed279e4 which can be used as unique global reference for Steel in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

JohnBorn

ransomware

Internal MISP references

UUID 8a12618d-caf0-4b97-a4d8-fb475820d6f1 which can be used as unique global reference for JohnBorn in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Egalyty

ransomware

Internal MISP references

UUID 8018e133-c4c9-4a1b-bf39-5007c35c0a54 which can be used as unique global reference for Egalyty in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Namaste

ransomware

Internal MISP references

UUID b7e0a8c9-ffac-416e-8c8e-1670f3b3729f which can be used as unique global reference for Namaste in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

HDLocker

ransomware

Internal MISP references

UUID 570382c4-7b30-4f05-a385-e0691e0abfbc which can be used as unique global reference for HDLocker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	Febuary 2021

Epsilon

ransomware

Internal MISP references

UUID d2776f0d-29d6-45a2-be76-9072c52ce7cc which can be used as unique global reference for Epsilon in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

DeroHE

ransomware

Internal MISP references

UUID 34865f14-c5b4-42b8-9cc1-e1325dbe0d23 which can be used as unique global reference for DeroHE in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Vovalex

ransomware

Internal MISP references

UUID 29a61b85-4c63-46b0-bca0-32525ba1c56b which can be used as unique global reference for Vovalex in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Bonsoir

ransomware

Internal MISP references

UUID 93e45f39-ee69-4907-b7c7-2eb406313b53 which can be used as unique global reference for Bonsoir in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

PulpFictionQuote

ransomware

Internal MISP references

UUID 91381710-823e-4eb6-a52f-28ab163638f3 which can be used as unique global reference for PulpFictionQuote in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

NAS Data Compromiser

ransomware

Internal MISP references

UUID 8fc25ce2-a5f7-49dc-8480-2a7a2cb60606 which can be used as unique global reference for NAS Data Compromiser in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

CNH

ransomware

Internal MISP references

UUID 7f3e44d7-cccb-4fc7-86c6-006d25dc3c5d which can be used as unique global reference for CNH in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Lucy

ransomware

Internal MISP references

UUID 5a7d70c5-c5a2-4f00-be6d-a7499ca350f1 which can be used as unique global reference for Lucy in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

OCT

ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OCT.

Known Synonyms
OctEncrypt

Internal MISP references

UUID e0189c0e-8da9-4e48-9c09-9cb8d8eb2a8b which can be used as unique global reference for OCT in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

Pump

ransomware

Internal MISP references

UUID 556f7792-ed79-42cf-9912-865319e10d48 which can be used as unique global reference for Pump in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

LuciferCrypt

ransomware

Internal MISP references

UUID 33edc2a9-231d-4a41-8dd8-ea9697dd0e13 which can be used as unique global reference for LuciferCrypt in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

Ziggy

ransomware

Internal MISP references

UUID 28ca283a-221f-4e8a-bcc3-feddd67991dc which can be used as unique global reference for Ziggy in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

CoderCrypt

ransomware

Internal MISP references

UUID 0aed6d0e-6ecc-4295-a5ef-90389f1f00f9 which can be used as unique global reference for CoderCrypt in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

BlueEagle

ransomware

Internal MISP references

UUID 97ac3893-4331-454f-882f-1dcd9f2c6bcb which can be used as unique global reference for BlueEagle in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

Povisomware

ransomware

Internal MISP references

UUID e8c800ce-c8e3-4176-87c9-8a0c48a9b5e4 which can be used as unique global reference for Povisomware in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

JCrypt

Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JCrypt.

Known Synonyms
Crypted
Daddycrypt
Foxxy
Iam_watching
Locked
MALKI
MALWAREDEVELOPER
Mafiaware666
Ncovid
NotStonks
Omero
Poison
RIP lmao
Vn_os
Wearefriends

Internal MISP references

UUID dd5712e1-efa8-4054-a5df-fdfdbc9c25b6 which can be used as unique global reference for JCrypt in MISP communities and other software using the MISP galaxy

External references

• https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html - webarchive
• https://twitter.com/kangxiaopao/status/1342027328063295488?lang=en - webarchive
• https://twitter.com/demonslay335/status/1380610583603638277 - webarchive
• https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/ - webarchive
• https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe - webarchive

Associated metadata

Metadata key	Value
date	December 2020
extensions	['.jcrypt', '.locked', '.daddycrypt', '.omero', '.ncovid', '.NotStonks', '.crypted', '.iam_watching', '.vn_os', '.wearefriends', '.MALWAREDEVELOPER', '.MALKI', '.poison', '.foxxy', '.ZAHACKED', '.JEBAĆ_BYDGOSZCZ!!!', '.titancrypt', '.crypt', '.MafiaWare666', '.brutusptCrypt', '.bmcrypt', '.cyberone', '.l33ch']
payment-method	Bitcoin
ransomenotes	['All of your files have been encrypted.\nTo unlock them, please send 1 bitcoin(s) to BTC address: 1BtUL5dhVXHwKLqSdhjyjK9Pe64Vc6CEH1 Afterwards,\nI please email your transaction ID to: this.email.address@gmail.com\nThank you and have a nice day! Encryption Log: ...']
ransomenotes-refs	['https://1.bp.blogspot.com/-OF8CopM3MUw/X-XLjUmRkYI/AAAAAAAAXpY/1mLe136SuT8DuruWJfwIVY5WnVs5B1gcgCLcBGAsYHQ/s943/txt-note.png']
ransomnotes-filenames	['RECOVER_FILES.jcrypt.txt', 'RECOVER__FILES__.jcrypt.txt', '___RECOVER__FILES__.locked.txt', '___RECOVER__FILES__.daddycrypt.txt', '___RECOVER__FILES__.omero.txt', '___RECOVER__FILES__.ncovid.txt', '___RECOVER__FILES__.crypted.txt', '___RECOVER__FILES__.iam_watching.txt', '___RECOVER__FILES__.titancrypt.txt', '#ODZYSKAJ_PLIKI--.JEBAĆ_BYDGOSZCZ!!!.txt']

Uh-Oh

ransomware

Internal MISP references

UUID 9a2ecc67-6462-4d6e-9f18-eacc097ce6c7 which can be used as unique global reference for Uh-Oh in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

Mijnal

ransomware

Internal MISP references

UUID b539d0d8-1dad-4874-b743-e07063f8907e which can be used as unique global reference for Mijnal in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

16x

Internal MISP references

UUID 440f9a8e-9837-433a-b2f3-c6a6914146ef which can be used as unique global reference for 16x in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

Lockedv1

ransomware

Internal MISP references

UUID ac805a25-0b35-4c3e-82a5-2c8d19a53294 which can be used as unique global reference for Lockedv1 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	December 2020

XD Locker

ransomware

Internal MISP references

UUID 658dbbb2-c596-4ca0-a085-7b41f1fcebd0 which can be used as unique global reference for XD Locker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	JanuaryJ 2021

Knot

ransomware

Internal MISP references

UUID c47eb2fa-9fe2-42b8-8339-49e4de7296e2 which can be used as unique global reference for Knot in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Parasite

ransomware

Internal MISP references

UUID 390fc4fc-9f46-480a-b114-aba898564c8a which can be used as unique global reference for Parasite in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Judge

ransomware

Internal MISP references

UUID 9d43444d-205b-4fac-81a8-2affd49b1eb6 which can be used as unique global reference for Judge in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

DEcovid19

ransomware

Internal MISP references

UUID f84b92bb-d8e8-4ddd-848c-1a91df504e8e which can be used as unique global reference for DEcovid19 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
date	January 2021

Ragnarok

Ragnarok is is a ransomware that targetscorporate networks in Big Game Huntingtargeted attacks. The ransomware is associated with 'double-extortion' tactic, stealing and publishing files on a data leak site (DLS).

Internal MISP references

UUID fe7e4df0-97b9-4dd2-b3f8-79404fc8272d which can be used as unique global reference for Ragnarok in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro - webarchive
• https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/ - webarchive

Associated metadata

Metadata key	Value
encryption	AES
extensions	['.ragnarok', '.ragnarok_cry']
links	['http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion', 'http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion/']

WhisperGate

Destructive malware deployed against targets in Ukraine in January 2022.

Internal MISP references

UUID feb5fa26-bad4-46da-921d-986d2fd81a40 which can be used as unique global reference for WhisperGate in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate - webarchive
• https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/ - webarchive
• https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - webarchive

Associated metadata

Metadata key	Value
date	January 2022

BlackCat

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities like escalating privileges and bypassing UAC make use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for both Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransomw is not paid, and distributed denial-of-service (DDoS) attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat.

Known Synonyms
ALPHV
Noberus

Internal MISP references

UUID e6c09b63-a424-4d9e-b7f7-b752cbbca02a which can be used as unique global reference for BlackCat in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat - webarchive
• https://1-id--ransomware-blogspot-com.translate.goog/2021/12/blackcat-ransomware.html?_x_tr_enc=1&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=ru - webarchive
• https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809 - webarchive
• https://github.com/f0wl/blackCatConf - webarchive
• https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ - webarchive
• https://www.varonis.com/blog/alphv-blackcat-ransomware - webarchive
• https://www.intrinsec.com/alphv-ransomware-gang-analysis - webarchive
• https://unit42.paloaltonetworks.com/blackcat-ransomware/ - webarchive
• https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	June 2021
encryption	AES
links	['http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion', 'http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion', 'http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/api/blog/all/0/6', 'http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion/']
ransomnotes-refs	['https://unit42.paloaltonetworks.com/wp-content/uploads/2022/01/word-image-78.png']

Related clusters

To see the related clusters, click here.

Mount Locker

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mount Locker.

Known Synonyms
Mount-Locker

Internal MISP references

UUID 1da28691-684a-4cd2-b2f8-e80a123e150c which can be used as unique global reference for Mount Locker in MISP communities and other software using the MISP galaxy

External references

• https://www.cyclonis.com/mount-locker-ransomware-more-dangerous - webarchive
• https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game - webarchive

Associated metadata

Metadata key	Value
links	['http://mountnewsokhwilx.onion']

Astro Locker

Ransomware

Internal MISP references

UUID 9932a2e9-08e3-4594-ac95-78de246de811 which can be used as unique global reference for Astro Locker in MISP communities and other software using the MISP galaxy

External references

• https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/ - webarchive
• https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/ - webarchive

Associated metadata

Metadata key	Value

Pandora

Ransomware

Internal MISP references

UUID 4d37a857-fef2-496d-9992-49f6da11e3cb which can be used as unique global reference for Pandora in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/malwrhunterteam/status/1501857263493001217 - webarchive
• https://dissectingmalwa.re/blog/pandora - webarchive

Associated metadata

Metadata key	Value
links	['http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion/']

Rook

Ransomware

Internal MISP references

UUID bb6d933f-7b6d-4694-853d-1ca400f6bd8f which can be used as unique global reference for Rook in MISP communities and other software using the MISP galaxy

External references

• https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk - webarchive
• https://twitter.com/techyteachme/status/1464317136944435209 - webarchive

Associated metadata

Metadata key	Value
links	['http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion']

HelloXD

HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.

Internal MISP references

UUID 5617e6fa-4e6a-4011-9385-6b1165786563 which can be used as unique global reference for HelloXD in MISP communities and other software using the MISP galaxy

External references

• https://unit42.paloaltonetworks.com/helloxd-ransomware/ - webarchive

Associated metadata

Metadata key	Value
date	Nov. 30, 2021
extensions	['hello']
ransomnotes-filenames	['Hello.txt']
ransomnotes-refs	['https://unit42.paloaltonetworks.com/wp-content/uploads/2022/06/image13.png']

Maui ransomware

Maui ransomware stand out because of a lack of several key features commonly seen with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, it is believed that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects to Maui ransomware that are unknown, including usage context.

Internal MISP references

UUID 995c3772-dbda-4a2a-9e28-c47740d599a3 which can be used as unique global reference for Maui ransomware in MISP communities and other software using the MISP galaxy

External references

• https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-187a - webarchive

Associated metadata

Metadata key	Value

Lorenz Ransomware

Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.

Internal MISP references

UUID d513199e-7f21-43fd-9610-ed708c3f6409 which can be used as unique global reference for Lorenz Ransomware in MISP communities and other software using the MISP galaxy

External references

• https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ - webarchive

Associated metadata

Metadata key	Value
links	['http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion/']
ransomnotes-refs	['https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png']

Hive

First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.

Internal MISP references

UUID 8ce915d3-8c6d-4841-b509-18379d7a8999 which can be used as unique global reference for Hive in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.hive - webarchive
• https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf - webarchive
• https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/ - webarchive
• https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/ - webarchive
• https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf - webarchive
• https://www.varonis.com/blog/hive-ransomware-analysis - webarchive
• https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive

Associated metadata

Metadata key	Value
links	['http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/', 'http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion', 'http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion/v1/companies/disclosed']
ransomnotes	["Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete .key.abc12 files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.", "Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete .key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed"]

QuantumLocker

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QuantumLocker.

Known Synonyms
DagonLocker
Mount Locker
Quantum

Internal MISP references

UUID 0ca6ac54-ad2b-4945-9580-ac90e702fd2c which can be used as unique global reference for QuantumLocker in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker - webarchive
• https://securityscorecard.pathfactory.com/research/quantum-ransomware - webarchive
• https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/ - webarchive
• https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ - webarchive
• https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html - webarchive
• https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates - webarchive
• https://github.com/Finch4/Malware-Analysis-Reports/tree/master/MountLocker - webarchive
• https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines - webarchive
• https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/ - webarchive
• https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware - webarchive
• https://thedfirreport.com/2022/04/25/quantum-ransomware/ - webarchive

Associated metadata

Metadata key	Value
links	['http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion/', 'http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion']
ransomnotes-refs	['https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png']

Related clusters

To see the related clusters, click here.

BlackBasta

Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

Internal MISP references

UUID 9db5f425-fe49-4137-8598-840e7290ed0f which can be used as unique global reference for BlackBasta in MISP communities and other software using the MISP galaxy

External references

• https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta - webarchive
• https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/ - webarchive
• https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html - webarchive
• https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
• https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/ - webarchive
• https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware - webarchive
• https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - webarchive
• https://gbhackers.com/black-basta-ransomware/ - webarchive
• https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html - webarchive
• https://securelist.com/luna-black-basta-ransomware/106950/ - webarchive
• https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware - webarchive
• https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - webarchive
• https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta - webarchive
• https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ - webarchive
• https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/ - webarchive
• https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/ - webarchive
• https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive

Associated metadata

Metadata key	Value
extensions	['.basta']
links	['https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion/', 'https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion']
ransomnotes	['Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]']
ransomnotes-filenames	['readme.txt']
ransomnotes-refs	['https://www.bleepstatic.com/images/news/ransomware/b/black-basta/wallpaper.jpg', 'https://www.bleepstatic.com/images/news/ransomware/b/black-basta/ransom-note.jpg', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta07PII.PNG', 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta08PII.PNG']

Related clusters

To see the related clusters, click here.

BlackByte

BlackByte is recently discovered Ransomware with a .NET DLL core payload wrapped in JavaScript. It employs heavy obfuscation both in its JavaScript wrapper and .NET DLL core.

Once the JavaScript wrapper is executed, the malware will de-obfuscate the core payload and execute it in memory. The core .DLL is loaded and BlackByte will check the installed operating system language and terminate if an eastern European language is found.

It will proceed to check for the presence of several anti-virus and sandbox-related .DLLs, attempt to bypass AMSI, delete system shadow-copies in order to hinder system recovery, and modify several other system services (including Windows Firewall) in order to “prep” the system for encryption. Once the system is “ready” for encryption, it will download a symmetric key-file which will be used to encrypt files on the system. If this file is not found, the malware will terminate.

Unlike most Ransomware today, BlackByte uses a single symmetric encryption key, and does not generate a unique encryption key for each victim system, meaning the same key can be used to decrypt all files encrypted by the malware.

This makes for substantially easier key-management for the actors behind BlackByte at the cost of a weaker encryption scheme and easier victim system recovery (as there is only a single online point with a single key to maintain).

As with most Ransomware today, BlackByte has worming capabilities and can infect additional endpoints on the same network.

Internal MISP references

UUID 1c43524e-0f2e-4468-b6b6-8a37f1d0ea87 which can be used as unique global reference for BlackByte in MISP communities and other software using the MISP galaxy

External references

• https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
• https://redcanary.com/blog/blackbyte-ransomware/ - webarchive
• https://www.ic3.gov/Media/News/2022/220211.pdf - webarchive
• https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/ - webarchive
• https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/ - webarchive
• https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure - webarchive
• https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html - webarchive
• https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
• https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants - webarchive
• https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups - webarchive
• https://blog.talosintelligence.com/the-blackbyte-ransomware-group-is/ - webarchive
• https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
• https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
• https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ - webarchive
• https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/ - webarchive

Associated metadata

Metadata key	Value
links	['http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion', 'http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion', 'http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion', 'http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion', 'http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion/']
ransomnotes	["BLACKBYTE \n\nAll your files have been encrypted, your confidential data has been stolen, in order to decrypt files and avoid leakage, you must follow our steps.\n\n1) Download and install TOR browser from this site: https://torproject.org/ \n\n2) Paste the URL in TOR browser and you will be redirected to our chat with all information that you need. \n\n3) If you won't contact with us within 4 days, your access to our chat will be removed and you wont be able to restore your system. \n\nYour URL: [LINK]\n\nYour Key: [KEY]", "BLACKBYTE\n\nAll your files have been encrypted, your confidential data has been stolen, \nin order to decrypt files and avoid leakage, you must follow our steps.\n\n\n\n1) Download and install TOR Browser from this site: https://torproject.org/\n\n2) Paste the URL in TOR Browser and you will be redirected to our chat with all information that you need.\n\n3) If you do not contact us within 3 days, your chat access key won't be valid.\nAlso, your company will be posted on our blog, darknet and hacker forums,\nwhich will attract unnecessary attention from Journalists and not only them.\nYou are given 3 days to think over the situation, and take reasonable actions on your part.\n\n\nWarning! Connurtcation with us occurs only through this link, or through our mail on our blog.\nWe also strongly DO NOT recommend using third-party tools to decrypt files,\nas this will simply kill them completely without the possibility of recovery.\nI repeat, in this case, no one can help you!\n\n\n\nYour URL: [LINK]\n\nYour Key to access the chat: [PASSW]\n\nFind our blog here (TOR Browser): http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/"]
ransomnotes-refs	['https://lh5.googleusercontent.com/sw0iG6WGVHRRM7NQsTjmt1ut60TH-_VPe1Fo57XuYeBOMw9PrvI4lCqyCPueiEXvbAZ-ks3KHXmnS81JvGYaMf31tSL1Eejx-BZ973EctAqjb-u3R6k-9UC0GqhkLQxgMC6lqtp7', 'https://lh5.googleusercontent.com/sw0iG6WGVHRRM7NQsTjmt1ut60TH-_VPe1Fo57XuYeBOMw9PrvI4lCqyCPueiEXvbAZ-ks3KHXmnS81JvGYaMf31tSL1Eejx-BZ973EctAqjb-u3R6k-9UC0GqhkLQxgMC6lqtp7']

Related clusters

To see the related clusters, click here.

RedAlert

Ransomware

Internal MISP references

UUID 549c9766-b45d-4d14-86e8-e6a74d69d067 which can be used as unique global reference for RedAlert in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion/']

Cheerscrypt

Ransomware

Internal MISP references

UUID 00638cb0-d8c5-46c2-9c57-39d93d5bfa36 which can be used as unique global reference for Cheerscrypt in MISP communities and other software using the MISP galaxy

GwisinLocker

Ransomware

Internal MISP references

UUID b4d24c48-c2f7-4ae7-a708-8b321b98075a which can be used as unique global reference for GwisinLocker in MISP communities and other software using the MISP galaxy

Luna Ransomware

Ransomware

Internal MISP references

UUID 2950977b-59bb-464a-8dd8-21728887f72f which can be used as unique global reference for Luna Ransomware in MISP communities and other software using the MISP galaxy

AvosLocker

In March 2022, the FBI and the U.S. Treasury Financial Crimes Enforcement Network released a joint advisory addressing AvosLocker and their activity targeting organizations across several critical infrastructure sectors. The RaaS gang deploys ransomware onto their victim’s networks and systems, then threatens to leak their files on the dark web if they don’t pay up. AvosLocker is both the name of the RaaS gang, as well as the name of the ransomware itself.

In May 2022, AvosLocker took responsibility for attacking and stealing data from the Texas-based healthcare organization, CHRISTUS Health. CHRISTUS Health runs hundreds of healthcare facilities across Mexico, the U.S., and South America. The group stole information from a cancer patient registry which included names, social security numbers, diagnoses, dates of birth, and other medical information. The nonprofit Catholic health system has more than 600 healthcare facilities in Texas, Louisiana, New Mexico, and Arkansas. There are also facilities in Columbia, Mexico, and Chile.

Fortunately, the ransomware attack was quickly identified and was limited. While other healthcare organizations have not been as fortunate with ransomware attacks, the AvosLocker attack didn’t impact CHRISTUS Health’s patient care or clinical operations. CHRISTUS Health didn’t reveal whether or not the security incident included ransomware, data exfiltration or extortion, but due to AvosLocker’s reputation, it is more than likely that the incident included at least one of the three.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AvosLocker.

Known Synonyms
Avos

Internal MISP references

UUID 73d3d8f8-83cc-4fdc-a645-d03b9a7b5a9b which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy

External references

• https://www.avertium.com/resources/threat-reports/in-depth-look-at-avoslocker-ransomware - webarchive
• https://unit42.paloaltonetworks.com/atoms/avoslocker-ransomware/ - webarchive
• https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update - webarchive
• https://www.picussecurity.com/resource/avos-locker-ransomware-group - webarchive
• https://brandefense.io/blog/ransomware/in-depth-analysis-of-avoslocker-ransomware/ - webarchive
• https://blog.talosintelligence.com/avoslocker-new-arsenal/ - webarchive
• https://www.techrepublic.com/article/avos-ransomware-updates-attack/ - webarchive
• https://www.tripwire.com/state-of-security/avoslocker-ransomware-what-you-need-to-know - webarchive
• https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker - webarchive
• https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
• https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen - webarchive
• https://www.ic3.gov/Media/News/2022/220318.pdf - webarchive
• https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux - webarchive
• https://blog.lexfo.fr/Avoslocker.html - webarchive
• https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html - webarchive
• https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/ - webarchive
• https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners - webarchive
• https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
• https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/ - webarchive
• https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
• https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
• https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
• https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf - webarchive
• https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html - webarchive
• https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive

Associated metadata

Metadata key	Value
links	['http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion/', 'http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion']
ransomnotes	["AvosLocker\n\nAttention!\nYour systems have been encrypted, and your confidential documents were downloaded.\nIn order to restore your data, you must pay for the decryption key & application.\nYou may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion.\nThis is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/\nDetails such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.\nContact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.\nThe corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion"]
ransomnotes-filenames	['GET_YOUR_FILES_BACK.TXT']
ransomnotes-refs	['https://blog.talosintelligence.com/content/images/AVvXsEhKEpexiVYKoELvESd2mP0ZXLbQYgWcVJaE5VB9--yD3vS6FTVNfNbPkAHtJp3KjN1ANKVLa4zWvuEFN68QaepAj_xF3j9TrzqUMoOwvQXx_zIOH9Ar31JgWYX4mlpUIPLaLi76aWawvifF56qKZ1mgXncCRwAmu_fjqmD_PTWu_84E_uTqnW2qZIPM/s16000/image4.png']

PLAY Ransomware

Ransomware

Internal MISP references

UUID fec32bbf-c4f8-499d-8e2a-743bcdd071e7 which can be used as unique global reference for PLAY Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion', 'http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion']

Qyick Ransomware

Ransomware

Internal MISP references

UUID 1d8cadb9-501c-493e-b89b-b5574ed3f722 which can be used as unique global reference for Qyick Ransomware in MISP communities and other software using the MISP galaxy

Agenda Ransomware

Ransomware

Internal MISP references

UUID 9796a1a4-b2d7-4e68-bfb4-57093fd32fef which can be used as unique global reference for Agenda Ransomware in MISP communities and other software using the MISP galaxy

Karakurt

Ransomware

Internal MISP references

UUID a7623a1b-4551-4e5a-a622-2b91dea16b42 which can be used as unique global reference for Karakurt in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion/', 'https://www.karanews.live', 'https://karakurt.tech', 'https://karaleaks.com']

0Mega

0mega, a new ransomware operation, has been observed targeting organizations around the world. The ransomware operators are launching double-extortion attacks and demanding millions of dollars as ransom.

0mega ransomware operation launched in May and has already claimed multiple victims. 0mega maintains a dedicated data leak site that the attackers use to post stolen data if the demanded ransom is not paid. The leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack that happened in May. However, an additional victim has since been removed, implying that they might have paid the ransom to the 0mega group.

How does it work? Hackers add the .0mega extension to the encrypted file’s names and create ransom notes (DECRYPT-FILES[.]txt). The ransom note has a link to a Tor payment negotiation site with a support chat to reach out to the ransomware group. To log in to this site, the victims are asked to upload their ransom notes with a unique Base64-encoded blob identity.

Internal MISP references

UUID 91a085dc-9667-4dcd-9434-8cbb53e592fe which can be used as unique global reference for 0Mega in MISP communities and other software using the MISP galaxy

External references

• https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/ - webarchive
• https://cyware.com/news/new-0mega-ransomware-joins-the-double-extortion-threat-landscape-158fb321 - webarchive

Associated metadata

Metadata key	Value
extensions	['.0mega ']
links	['http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion/', 'https://0mega.cc/']
ransomnotes-filenames	['DECRYPT-FILES.txt']

Abraham's Ax

Abraham's Ax announced their existence and mission through social media channels such as Twitter posts on November 8, 2022. Abraham's Ax use a WordPress blog as the basis for their leak sites. Abraham's Ax site is available in Hebrew, Farsi, and English. The site also provides versions available via Tor websites, although it appeared to be under construction at the time of analysis. Used domain is registered with EgenSajt.se

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Abraham's Ax.

Known Synonyms
Abrahams_Ax

Internal MISP references

UUID 72892710-57ef-4bbb-8b80-752e036797f3 which can be used as unique global reference for Abraham's Ax in MISP communities and other software using the MISP galaxy

External references

• https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff - webarchive

Associated metadata

Metadata key	Value
links	[' http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion/ ']

aGl0bGVyCg

Ransomware

Internal MISP references

UUID 71b02418-6b06-48e3-8636-32287f8e0b1d which can be used as unique global reference for aGl0bGVyCg in MISP communities and other software using the MISP galaxy

External references

• https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/malware/hitler_ransomware.txt - webarchive
• https://twitter.com/fr0s7_/status/1460229982278541315 - webarchive

Associated metadata

Metadata key	Value
links	['http://hitlerransomware[.]000webhostapp[.]com/', 'http://hitleransomware[.]cf/']

Related clusters

To see the related clusters, click here.

Ako

Once installed, Ako will attempt to delete Volume Shadow Copies and disable recovery services. It will then begin to encrypt all files that do not match a hard-coded list using an unknown algorithm. Whilst this is happening, Ako will scan the affected network for any connected devices or drives for it to propagate to.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ako.

Known Synonyms
MedusaReborn

Internal MISP references

UUID 7de070ce-4b63-4d3c-be73-1ede22565faf which can be used as unique global reference for Ako in MISP communities and other software using the MISP galaxy

External references

• https://digital.nhs.uk/cyber-alerts/2020/cc-3345 - webarchive
• https://www.pcrisk.com/removal-guides/16737-ako-ransomware - webarchive
• https://www.pcrisk.com/images/stories/screenshots202001/ako-ransom-note-second_variant.jpg - webarchive
• https://www.pcrisk.com/images/stories/screenshots202004/ako-ransomware-update-2020-04-09-text-file.jpg - webarchive
• https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-text-file.jpg - webarchive
• https://www.pcrisk.com/images/stories/screenshots202004/ako-update-2020-04-21-html-file.jpg - webarchive
• https://www.pcrisk.com/images/stories/screenshots202010/ako-ransomware-update-2020-10-15-text-file.gif - webarchive

Associated metadata

Metadata key	Value
extensions	['.A4Wz1b', '.861C7c', '.jJNm9j']
links	[' http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion']
ransomnotes	['Your network have been locked.\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: *\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\nTo get info (decrypt your files) follow this steps:\n1) Download and install Tor Browser: hxxps://www.torproject.org/download/\n2) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2th cw5gz75qncv7rbhyad.onion/I8VC6PIEQL8JFKHM\n3) Paste your ID in form (you can find your ID below)\n\n!! ATTENTION !!\n!! Any third - party software may damage encrypted data but not recover.\n!! DO NOT MODIFY ENCRYPTED FILES\n!! DO NOT CHANGE YOUR ID\n!! DO NOT REMOVE YOUR ID.KEY FILE\n\n --- BEGIN PERSONAL ID ---\n\n --- END PERSONAL ID ---', 'Your network have been locked.\n\nAll your files, documents, photos, databases and other important data are encrypted and have the extension: **\n\nBackups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.\nFrom this moment, it will be impossible to use files until they are decrypted.\n\nThe only method of recovering files is to purchase an unique private key.\nOnly we can give you this key and only we can recovery your files.\n\nTo get info (decrypt your files) contact us at (email)\ndavidgoldman@cock.li or portedhiggens@firemail.cc\n\nAnd send me your ID\n\n!!ATTENTION !!\n!!Any third - party software may damage encrypted data but not recover.\n!!DO NOT MODIFY ENCRYPTED FILES\n!!DO NOT CHANGE YOUR KEY\n\n--- YOUR ID ---\n-\n--- YOUR ID ---', 'Your network has been hacked and locked.\n\nAll files on each host in the network have been encrypted with a strong algorithm.\n\nBackups were either encrypted or deleted or backup disks were formatted.\nShadow copies also removed. Any 3rd party software may damage encrypted data but not recover.\n\nWe have decryption software for your situation.\nNo decryption software is available in the public.\n\nDO NOT RESET OR SHUTDOWN - files may be damaged.\nDO NOT RENAME OR MOVE the encrypted and readme files.\nDO NOT DELETE readme files.\n\nTo get info (decrypt your files) follow this instructions:\n1) [Recommended] via Tor Browser:\na) Download and install Tor Browser: hxxps://www.torproject.org/download/\nb) Open our website in TOR: hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/AXYIRRUPSQTS3AHT\n\n2) If you have any problems connecting or using TOR network:\na) Open our website: hxxps://buydecrypt.hk/AXYIRRUPSQTS3AHT\nb) Follow the instructions on the site.\n\nThe faster you get in contact - the lower price you can expect.\n\nExt: .A4Wz1b\nWhen you open our page, paste this key in form:\n\n-', 'Your network has been hacked and locked.\n\nAll files on each host in the network have been encrypted with a strong algorithm.\nDo not worry, we have decryption software for your situation.\n\nWe have also downloaded a lot of sensitive information from your network, so in case of not paying this data will be released.\nIf you dont believe we have any data you can contact us and ask a proof.\nDont forget about GDPR.\n\nWhen you pay us the data will be removed from our disks and decryptor will be given to you, so you can restore all your files.\n\nTo get info (decrypt your files) contact us at and send your key (see it below):\n\ndtddecrypt@protonmail.com or dtddesht@tutanota.com\n\nTo confirm our honest intentions, you can decrypt any file for free.\nThe faster you get in contact - the lower price you can expect.\n\nDecryption of your files with the help of third-party company may cause increased price. (they add their fee to our)\nDo not reset or shutdown - files may be damaged.\nDo not rename or move the encrypted and readme files.\nDo not delete readme files.\n\nMachine ID: .861C7c\nYour key:\n\n-', 'To get info (decrypt your files) contact us at (email) and send your key (see it below)\ndtddecrypt@protonmail.com or dtddesht@tutanota.com\n\n\nThe faster you get in contact - the lower price you can expect.\n\nMachine ID: .861C7c\nKey:\n\n-', '--- We apologize! ---\nYour network have been locked.\n\n------------------------------\n
ransomnotes-filenames	['ako-readme.txt']
ransomnotes-refs	['https://www.pcrisk.com/images/stories/screenshots202001/ako-ransom-note.jpg']

Arvinclub

Arvin Club is a popular Ransomware group with a widespread Telegram presence, which includes personal group chats, and official channels. The group recently launched their official TOR/ Onion website to update their status and release details of their latest attacks and data breaches. Their latest target is Kendriya Vidyala, a chain of Schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arvinclub.

Known Synonyms
Arvin Club

Internal MISP references

UUID 2dfc1668-e338-47f0-ba6c-b4bc3046881e which can be used as unique global reference for Arvinclub in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion/']

Atomsilo

AtomSilo is a new Ransomware recently seen in September 2021 during one of their attacks by exploiting a recently revealed vulnerability (CVE-2021-26084) in Atlassian’s Confluence Collaboration Software for initial access. The Ransomware used the double extortion method which is gaining popularity among ransomware threat actors where they first, exfiltrate the confidential information and as a second step encrypt the system files.

Internal MISP references

UUID a322f03f-4bc8-455f-b302-e8724c46f80c which can be used as unique global reference for Atomsilo in MISP communities and other software using the MISP galaxy

External references

• https://www.cyfirma.com/outofband/malware-research-on-atomsilo-ransomware/ - webarchive
• https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion - webarchive
• https://twitter.com/siri_urz/status/1437664046556274694 - webarchive
• https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/ - webarchive
• https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/ - webarchive
• https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/ - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
• https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
• https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
• https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo - webarchive

Associated metadata

Metadata key	Value
extensions	['.ATOMSILO']
links	['http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion', 'http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion/list.html']
ransomenotes-files	['README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta']
ransomnotes	['Atom Slio\nInstructions\nWARNING! YOUR FILES ARE ENCRYPTED AND LEAKED!\n\n--------------------------------------\nWe are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us.\n\nBut don’t worry, your files are safe, provided that you are willing to pay the ransom.\n\nAny forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently!\n\nThe only way to decrypt your files safely is to buy the special decryption software from us.\n\nThe price of decryption software is 1000000 dollars.\nIf you pay within 48 hours, you only need to pay 500000 dollars. No price reduction is accepted.\n\nWe only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others.\n\nYou have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files\n\n--------------------------------------\n\nTime starts at 0:00 on September 11\n--------------------------------------\nSurvival time： 1 Day 14 Hour 26 Min 59 Sec\n\n--------------------------------------\n\nYou can contact us with the following email:\n\nEmail:arvato@atomsilo.com\nIf this email can\'t be contacted, you can find the latest email address on the following website:\n\nhxxp://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion\n\n--------------------------------------\n\nIf you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser:\n\nrun your Internet browser\nenter or copy the address hxxps://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER\nwait for the site loading\non the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed\nrun TorBrowser\nconnect with the button "Connect" (if you use the English version)\na normal Internet browser window will be opened after the initialization\ntype or copy the address in this browser address bar and press ENTER\nthe site should be loaded; if for some reason the site is not loading wait for a moment and try again.\nIf you have any problems during installation or use of TorBrowser, please, visit hxxps://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use.\n\n--------------------------------------\n\nAdditional information:\n\nYou will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files.\n\nThe instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files.\n\nRemember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.']
ransomnotes-refs	['https://www.cyfirma.com/media/2021/10/Fig-2.png', 'https://www.cyfirma.com/media/2021/10/Fig-2-B.png', 'https://www.pcrisk.com/images/stories/screenshots202109/atomsilo-ransomware-ransom-note-in-gif-image.gif']

Avaddon

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

Internal MISP references

UUID fdfbe721-abd1-4760-8e52-f23306f6cb80 which can be used as unique global reference for Avaddon in MISP communities and other software using the MISP galaxy

External references

• https://heimdalsecurity.com/blog/avaddon-ransomware/ - webarchive
• https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis - webarchive

Associated metadata

Metadata key	Value
links	[' http://avaddongun7rngel.onion ']

Avos

Internal MISP references

UUID ba42ab03-9d29-40c3-b3d4-c2045e47dc07 which can be used as unique global reference for Avos in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://avos2fuj6olp6x36.onion']

Related clusters

To see the related clusters, click here.

Aztroteam

Internal MISP references

UUID 9850bffb-8cc6-45c7-9e6a-4c77fd5093c3 which can be used as unique global reference for Aztroteam in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion']

Babuk-Locker

Internal MISP references

UUID 05be1a86-92a9-48e1-8be1-9c1014dfd1cd which can be used as unique global reference for Babuk-Locker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion/#section-3']

Related clusters

To see the related clusters, click here.

Babyduck

Internal MISP references

UUID 18e67723-a0de-4adf-aa28-f3e0b0d6d8ab which can be used as unique global reference for Babyduck in MISP communities and other software using the MISP galaxy

External references

• https://twitter.com/PolarToffee/status/1445873002801889280/photo/3 - webarchive

Associated metadata

Metadata key	Value
extension	['.babyduck']
links	['http://babydovegkmhbontykziyq7qivwzy33mu4ukqefe4mqpiiwd3wibnjqd.onion']
ransomnotes	["Ducky has got your flies encrypted!\n\nThis happened because you were not paying attention to your security.\n\nDucky will give you your files back if you pay him a bit of crypto.\n\nUse TOR browser (https://www.torproject.org/download/) apnd follow this link \n\n\nDon't worry, if you behave and pay - you'll get your files back;)\n\nYOUR KEY IS "]
ransomnotes-files	['#README.babyduck']
ransomnotes-refs	['https://digitalrecovery.com/wp-content/uploads/2022/12/Ransomware-Baby-Duck.webp']

Bianlian

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion.

Infrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bianlian.

Known Synonyms
Hydra

Internal MISP references

UUID 2019d150-6073-4e3f-b6a5-64b919a87ce9 which can be used as unique global reference for Bianlian in MISP communities and other software using the MISP galaxy

External references

• https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/ - webarchive
• https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye - webarchive
• https://cryptax.medium.com/android-bianlian-payload-61febabed00a - webarchive
• https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 - webarchive
• https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5 - webarchive
• https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56 - webarchive
• https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726 - webarchive
• https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ - webarchive
• https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/ - webarchive
• https://twitter.com/malwrhunterteam/status/1558548947584548865 - webarchive
• https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware - webarchive
• https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html - webarchive
• https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Hunting-the-Android-BianLian-botnet.pdf - webarchive
• https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Hunting-the-Android-BianLian-botnet.pdf - webarchive
• https://www.youtube.com/watch?v=DPFcvSy4OZk - webarchive

Associated metadata

Metadata key	Value
links	['http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/']
ransomnotes	['Your network systems were attacked and encrypted. Contact us in order to restore your data. Don\'t make any changes in your file structure: touch no files, don\'t try to recover by yourself, that may lead to it\'s complete loss.\n\nTo contact us you have to download "tox" messenger: https://qtox.github.io/\n\nAdd user with the following ID to get your instructions: \nA4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC\n\nAlternative way: swikipedia@onionmail.org\n\nYour ID: wU1VC460GC \n\nYou should know that we have been downloading data from your network for a significant time before the attack: financial, client, business, post, technical and personal files.\nIn 10 days — it will be posted at our site http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion with links send to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational loses.']
ransomnotes-files	['Look at this instruction.txt']
ransomnotes-refs	['https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/v8_screenshot.png', 'https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/v28_screenshot.png', 'https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2022/10/bianlian-fig05.png']

Related clusters

To see the related clusters, click here.

Blackshadow

Internal MISP references

UUID d9561bfc-08a0-4e9f-9189-d079bae4f9b7 which can be used as unique global reference for Blackshadow in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://544corkfh5hwhtn4.onion', 'http://blackshadow.cc']

Blacktor

Internal MISP references

UUID 25bd46bf-b4f5-4c34-b451-90a7809fa03a which can be used as unique global reference for Blacktor in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://bl%40ckt0r:bl%40ckt0r@bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion/0x00/data-breach.html']

Bluesky

Internal MISP references

UUID 1f369229-a68d-4e08-aee4-f251111fa186 which can be used as unique global reference for Bluesky in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion']

Bonacigroup

Internal MISP references

UUID ef47092c-d86e-4db5-b0bf-e7676e85873f which can be used as unique global reference for Bonacigroup in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion']

Cheers

Internal MISP references

UUID eac9a5d5-509b-421a-a2d2-d91f7b27383a which can be used as unique global reference for Cheers in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion/']

Cooming

Internal MISP references

UUID 4ecf9aa9-69c8-4347-a9c6-cb4a5481ac8c which can be used as unique global reference for Cooming in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://z6mikrtphid5fmn52nbcbg25tj57sowlm3oc25g563yvsfmygkcxqbyd.onion', 'http://teo7aj5mfgzxyeme.onion']

Crylock

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crylock.

Known Synonyms
Cryakl

Internal MISP references

UUID e7b3c590-78a7-4318-8607-69d53dc7dfbf which can be used as unique global reference for Crylock in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://d57uremugxjrafyg.onion']

Cuba

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cuba.

Known Synonyms
COLDDRAW

Internal MISP references

UUID 82ed1669-89ba-4432-bc97-148a25c15fdf which can be used as unique global reference for Cuba in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://cuba4mp6ximo2zlo.onion', 'http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion/']

Related clusters

To see the related clusters, click here.

Daixin

Internal MISP references

UUID a1a445c4-708e-42f2-afdf-6d904328dafb which can be used as unique global reference for Daixin in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion/']

Dark Power

Internal MISP references

UUID 64d155a9-8e33-4c3f-8f58-0a483475c65d which can be used as unique global reference for Dark Power in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion/']

Darkangel

Internal MISP references

UUID 5276ed20-c9fa-4028-9272-3f5c0e4bc9b6 which can be used as unique global reference for Darkangel in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion/']

Darkbit01

Internal MISP references

UUID 69e2ce57-67bb-4d53-a8c4-00b3501f45a3 which can be used as unique global reference for Darkbit01 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion', 'http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support/']

Dataleak

Internal MISP references

UUID 80a634ae-519f-46e3-8e24-8eb733dfd22f which can be used as unique global reference for Dataleak in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion/', 'http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion/atom.xml']

Diavol

Internal MISP references

UUID 6c4b88a4-64d6-4fa2-a552-99974794de16 which can be used as unique global reference for Diavol in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion']

Donutleaks

Internal MISP references

UUID 50fdc311-e6c5-4843-9b91-24d66afbdb8d which can be used as unique global reference for Donutleaks in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion/', 'https://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion']

Endurance

Internal MISP references

UUID 14658178-6fea-43bb-ae11-4ae5c2f14560 which can be used as unique global reference for Endurance in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/']

Entropy

Internal MISP references

UUID 11a458b9-df9c-486f-8556-2ae662df2802 which can be used as unique global reference for Entropy in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion/posts']

Ep918

Internal MISP references

UUID 3a074223-6c97-48ca-b019-50a16a37e956 which can be used as unique global reference for Ep918 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion']

Everest

Internal MISP references

UUID 3c2835b1-53de-4755-ac0f-48dff1e53745 which can be used as unique global reference for Everest in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/']

Freecivilian

Internal MISP references

UUID 34c540d5-70ad-44cc-b5a2-cd8ec7e2efd6 which can be used as unique global reference for Freecivilian in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion/']

Fsteam

Internal MISP references

UUID 29408532-b5d3-47ab-9b31-1ea63a084e45 which can be used as unique global reference for Fsteam in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion/']

Grief

Internal MISP references

UUID 506716cf-7e60-46e5-a853-c8a67fe696f9 which can be used as unique global reference for Grief in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion/']

Groove

Internal MISP references

UUID 267b7b61-ed82-4809-aafe-9d2487c56f19 which can be used as unique global reference for Groove in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion/']

Haron

Internal MISP references

UUID 949fe61d-6df6-4f36-996b-c58bbbc5140f which can be used as unique global reference for Haron in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion/login.php', 'http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php']

Hotarus

Internal MISP references

UUID 3c5832ae-3961-423e-8331-218a7aa6e5db which can be used as unique global reference for Hotarus in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion']

Icefire

Internal MISP references

UUID deea56de-1237-46bf-9ea7-4e1a3b3acd10 which can be used as unique global reference for Icefire in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion/board/leak_list/', 'http://7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion/board/victim_list/']

Justice_Blade

Internal MISP references

UUID 71a6edfe-9764-4c9b-b528-e0ee7b73c110 which can be used as unique global reference for Justice_Blade in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://justice-blade.io']

Kelvin Security

Internal MISP references

UUID 3c61d677-a2a6-40fb-aadd-72974f68e62c which can be used as unique global reference for Kelvin Security in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://kelvinsecteamcyber.wixsite.com/my-site/items']

Lapsus$

Internal MISP references

UUID e2e035aa-eb95-48af-98a7-f18ddfcc347b which can be used as unique global reference for Lapsus$ in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://t.me/minsaudebr']

Lilith

Internal MISP references

UUID 7dea3669-5ec4-4bdf-898f-c3a9f796365e which can be used as unique global reference for Lilith in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion/']

Lockbit3

Internal MISP references

UUID c09f73fd-c3c3-42b1-b355-b03ca4941110 which can be used as unique global reference for Lockbit3 in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key

Value

links

['http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion/', 'http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion', 'http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion', 'http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion', 'http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion', 'http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion', 'http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion', 'http://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion', 'http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion', 'http://lockbitapt.uz', 'http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion', 'http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion', 'http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion', 'http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion', 'http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion', 'http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion', 'http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion', 'http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion']

Related clusters

To see the related clusters, click here.

Lolnek

Internal MISP references

UUID 9886732d-76a2-4fbb-86b7-9e6a80669fb5 which can be used as unique global reference for Lolnek in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion', 'http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion', 'http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion']

Lv

Internal MISP references

UUID 46d56775-5f8c-411e-adbe-2acd07bf99ac which can be used as unique global reference for Lv in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion/', 'http://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion/']

Mallox

Internal MISP references

UUID 95891bae-09a4-4d02-990e-2477cb09b9c2 which can be used as unique global reference for Mallox in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion']

Mbc

Internal MISP references

UUID 7ecd6452-d521-4095-8fd7-eecdeb6c8d96 which can be used as unique global reference for Mbc in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion']

Midas

Internal MISP references

UUID c0ce34c6-13b9-41ef-847c-840b090f2bfc which can be used as unique global reference for Midas in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion/blog.php']

Moisha

Internal MISP references

UUID b2e44cc2-2df9-4210-a0ee-9ae913278c00 which can be used as unique global reference for Moisha in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525ao25bmasxhid.onion']

Monte

Internal MISP references

UUID 814f656d-7107-41d3-a934-1667e427ad8a which can be used as unique global reference for Monte in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/', 'http://monteoamwxlutyovf7oxeviwjlbu3vbgdmkncecl2ydteqncrmcv67yd.onion/catalog/']

Monti

Internal MISP references

UUID 0ea4daa9-0b83-4acb-bc54-420635b7bfea which can be used as unique global reference for Monti in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion/', 'http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion/']

Mydecryptor

Internal MISP references

UUID 8b726e6a-ed85-4a5b-a501-6bc06dab288d which can be used as unique global reference for Mydecryptor in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://58b87e60649ccc808ac8mstiejnj.5s4ixqul2enwxrqv.onion']

N3Tworm

Internal MISP references

UUID 815b13b2-2b94-4ea9-adc2-8193936a1c61 which can be used as unique global reference for N3Tworm in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion']

Netwalker

Internal MISP references

UUID a449e5a4-a835-419e-af3e-d223c74d0536 which can be used as unique global reference for Netwalker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion']

Nevada

Internal MISP references

UUID 9c517547-8002-4a9a-a360-8d836d2fe3e3 which can be used as unique global reference for Nevada in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion/', 'http://nevbackvzwfu5yu3gszap77bg66koadds6eln37gxdhdk4jdsbkayrid.onion/', 'http://nevaffcwswjosddmw55qhn4u4secw42wlppzvf26k5onrlxjevm6avad.onion/']

Nightsky

Internal MISP references

UUID 886a2d59-2e8d-4357-b70f-a6dd3d034dfd which can be used as unique global reference for Nightsky in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion']

Nokoyawa

Internal MISP references

UUID 2b2f2e07-f764-4cc2-86ac-cc087a953cbb which can be used as unique global reference for Nokoyawa in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion', 'http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion/', 'http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion/']

Onepercent

Internal MISP references

UUID e9e810e3-a919-4417-85d0-fcab700e45de which can be used as unique global reference for Onepercent in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion']

Payloadbin

Internal MISP references

UUID fd2161a9-cd88-4d12-94d9-52b93b28eb5b which can be used as unique global reference for Payloadbin in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion/']

Prometheus

Internal MISP references

UUID bcf0a9da-dca3-42c0-b875-59d434564fbb which can be used as unique global reference for Prometheus in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://promethw27cbrcot.onion/blog/']

Qilin

Internal MISP references

UUID d5b3ce3d-59e2-4e56-a29a-42fb8b733a51 which can be used as unique global reference for Qilin in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/', 'http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion', 'http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog', 'http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/']

Qlocker

Internal MISP references

UUID 065110c5-574a-4466-a336-e6c5f3ef86c4 which can be used as unique global reference for Qlocker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion', 'http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion/']

Ramp

Internal MISP references

UUID 824f225c-7cd9-47e3-9f5b-c3194e4a26ea which can be used as unique global reference for Ramp in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion', 'http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion', 'http://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion']

Ransomcartel

Internal MISP references

UUID 62e56597-01c8-4721-abd2-c7efa37fb566 which can be used as unique global reference for Ransomcartel in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion/']

Ransomhouse

Internal MISP references

UUID 00a6fc79-8a29-417b-a298-adc8e17d8aba which can be used as unique global reference for Ransomhouse in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion', 'http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion/']

Ranzy

Internal MISP references

UUID 840d5e7b-e96f-426d-8cf0-a5a10f5e4a46 which can be used as unique global reference for Ranzy in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion']

Relic

Internal MISP references

UUID f4340cdb-ed0c-411e-ae11-b14ee151886a which can be used as unique global reference for Relic in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion']

Royal

Internal MISP references

UUID 9a970739-24e3-4eb5-9154-d0ac6b2c378d which can be used as unique global reference for Royal in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion', 'http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion']

Rransom

Internal MISP references

UUID 470306b5-5a3b-4b63-9c02-0dc917584e72 which can be used as unique global reference for Rransom in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion']

Sabbath

Internal MISP references

UUID efdf315c-e85c-4d87-b816-ec29dbea67b5 which can be used as unique global reference for Sabbath in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion/blog', 'http://54bb47h.blog']

Solidbit

Internal MISP references

UUID 70719914-dc82-4ab0-b925-da837b337c89 which can be used as unique global reference for Solidbit in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion/login']

Sparta

Internal MISP references

UUID ce4eb745-e341-4f5d-be93-2af23b9ad756 which can be used as unique global reference for Sparta in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion']

Spook

Internal MISP references

UUID 0d4a8359-d607-4e5a-b85c-c8248cfa520a which can be used as unique global reference for Spook in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/blog/']

Stormous

Internal MISP references

UUID 6e20bdd2-31ac-4429-8aa7-4ce8cb7dc7b5 which can be used as unique global reference for Stormous in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion']

Unknown

Internal MISP references

UUID 0e2d3ead-3de9-4089-b7a3-10790b6f70f2 which can be used as unique global reference for Unknown in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion']

Unsafe

Internal MISP references

UUID df2b1358-b3f1-4af4-8153-02f4fc018b03 which can be used as unique global reference for Unsafe in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion/']

V Is Vendetta

Internal MISP references

UUID f4b870cb-8c61-40ab-865b-b8304a120ba5 which can be used as unique global reference for V Is Vendetta in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion']

Related clusters

To see the related clusters, click here.

Vfokx

Internal MISP references

UUID 465828ea-6e81-4851-b02c-458d696629c1 which can be used as unique global reference for Vfokx in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion', 'http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion']

Vicesociety

Internal MISP references

UUID 41979767-bfb8-4633-af1f-3946a599f922 which can be used as unique global reference for Vicesociety in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://4hzyuotli6maqa4u.onion', 'http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion', 'http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion/', 'http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion/', 'http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion']

Vsop

Internal MISP references

UUID 8b2e6391-05b4-439e-b318-1c3ace388c2d which can be used as unique global reference for Vsop in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion/']

Xinglocker

Internal MISP references

UUID e92d5c00-81ae-4909-9994-74bf48180f22 which can be used as unique global reference for Xinglocker in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion/']

Xinof

Internal MISP references

UUID 64b7dc11-a627-43b2-91cd-38608784c53f which can be used as unique global reference for Xinof in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion']

Yanluowang

Internal MISP references

UUID 476de1fe-d9b7-441a-8cb9-e6648189be3b which can be used as unique global reference for Yanluowang in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion/']

Akira

Internal MISP references

UUID 74f4aa81-d494-41b0-90dd-b5958fa4a822 which can be used as unique global reference for Akira in MISP communities and other software using the MISP galaxy

Associated metadata

Metadata key	Value
links	['https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/', 'https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n', 'https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/']