Ransomware

Ransomware galaxy based on different sources and maintained by the MISP Project.

Authors
Authors and/or Contributors
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
http://pastebin.com/raw/GHgpWjar
MISP Project
https://id-ransomware.blogspot.com/2016/07/ransomware-list.html
ransomlook.io

Nhtnwcuf Ransomware (Fake)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 81b4e3ac-aa83-4616-9899-8e19ee3bb78b which can be used as unique global reference for Nhtnwcuf Ransomware (Fake) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['RANDOM 3 LETTERS ARE ADDED']
payment-method Bitcoin
price 1(300$)
ransomnotes-refs ['https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif']

CryptoJacky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID a8187609-329a-4de0-bda7-7823314e7db9 which can be used as unique global reference for CryptoJacky Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['RANDOM 3 LETTERS ARE ADDED']
payment-method Bitcoin
price 250 €
ransomnotes-refs ['https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png']

Kaenlupuf Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID b97f07c4-136a-488a-9fa0-35ab45fbfe36 which can be used as unique global reference for Kaenlupuf Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
payment-method Bitcoin
price 1
ransomnotes-refs ['https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg']

EnjeyCrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e98e6b50-00fd-484e-a5c1-4b2363579447 which can be used as unique global reference for EnjeyCrypter Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-256
extensions ['example:.encrypted.contact_here_me@india.com.enjey']
payment-method Bitcoin
ransomnotes-refs ['https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png']

Dangerous Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78 which can be used as unique global reference for Dangerous Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
ransomnotes ['DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com']

Vortex Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vortex Ransomware.

Known Synonyms
Ŧl๏tєгค гคภร๏๓ฬคгє
Internal MISP references

UUID 04a5889d-b97d-4653-8a0f-d2df85f93430 which can be used as unique global reference for Vortex Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
extensions ['.aes']
payment-method Dollars
price 199
ransomnotes ['Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =']

GC47 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 2069c483-4701-4a3b-bd51-3850c7aa59d2 which can be used as unique global reference for GC47 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.fuck_you']
payment-method Bitcoin
price 0,0361312 (50$)
ransomnotes-refs ['https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg']

RozaLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RozaLocker Ransomware.

Known Synonyms
Roza
Internal MISP references

UUID f158ea74-c8ba-4e5a-b07f-52bd8fe30888 which can be used as unique global reference for RozaLocker Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.enc', '.ENC']
payment-method Bitcoin
price 10000 Rubles (135€)
ransomnotes ["OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"]

CryptoMeister Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4c76c845-c5eb-472c-93a1-4178f86c319b which can be used as unique global reference for CryptoMeister Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.enc']
payment-method Bitcoin
price 0.1
ransomnotes ['Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the "Buy Bitcoins" section and then buy Bitcoin Step 4: Go to the "Send" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear \'Check\' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites.']

GG Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016

Internal MISP references

UUID f62eb881-c6b5-470c-907d-072485cd5860 which can be used as unique global reference for GG Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.GG']

Project34 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4af0d2bd-46da-44da-b17e-987f86957c1d which can be used as unique global reference for Project34 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.Project34']
payment-method MoneyPak
price 300$
ransomnotes ['(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU']
ransomnotes-filenames ['ПАРОЛЬ.txt']

PetrWrap Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID e11da570-e38d-4290-8a2c-8a31ae832ffb which can be used as unique global reference for PetrWrap Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
payment-method Bitcoin
price 300$
ransomnotes-refs ['https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png']

Karmen Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, based on HiddenTear

Internal MISP references

UUID da7de60e-0725-498d-9a35-303ddb5bf60a which can be used as unique global reference for Karmen Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-128
extensions ['.grt']
payment-method Bitcoin
price 1.2683
ransomnotes-refs ['https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg']

Revenge Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant

Internal MISP references

UUID 987d36d5-6ba8-484d-9e0b-7324cc886b0e which can be used as unique global reference for Revenge Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES-256 + RSA-1024
extensions ['.REVENGE']
ransomnotes ['===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.']
ransomnotes-filenames ['# !!!HELP_FILE!!! #.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg']

Turkish FileEncryptor Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turkish FileEncryptor Ransomware.

Known Synonyms
Fake CTB-Locker
Internal MISP references

UUID a291ac4c-7851-480f-b317-e977a616ac9d which can be used as unique global reference for Turkish FileEncryptor Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.encrypted']
payment-method Bitcoin
price 150$
ransomnotes ['FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the "My Documents" folder for more information in the file "Beni Oku.txt". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.']
ransomnotes-filenames ['Beni Oku.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg']

Kirk Ransomware & Spock Decryptor

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kirk Ransomware & Spock Decryptor.

Known Synonyms
Kirk & Spock Decryptor
Internal MISP references

UUID 6e442a2e-97db-4a7b-b4a1-9abb4a7472d8 which can be used as unique global reference for Kirk Ransomware & Spock Decryptor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES+RSA
extensions ['.kirked', '.Kirked']
payment-method Monero
price 1100 roupies (14€)
ransomnotes ['!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don\'t work. This may have broken some software, including games, office suites etc. Here\'s a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension \'.kirked\n\', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named \'pwd\' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n"Logic, motherfucker." ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you\'re still unsure, google\' bitcoin exchange\'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. 
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called \'Spock\'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don\'t fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER']
ransomnotes-filenames ['RANSOM_NOTE.txt']
ransomnotes-refs ['https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png']

ZinoCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 719c8ba7-598e-4511-a851-34e651e301fa which can be used as unique global reference for ZinoCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.ZINO']
payment-method Bitcoin
ransomnotes-filenames ['ZINO_NOTE.TXT']
ransomnotes-refs ['https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg']

Crptxxx Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass

Internal MISP references

UUID 786ca8b3-6915-4846-8f0f-9865fbc295f5 which can be used as unique global reference for Crptxxx Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.crptxxx']
ransomnotes-filenames ['HOW_TO_FIX_!.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png']

MOTD Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 5d1a3631-165c-4091-ba55-ac8da62efadf which can be used as unique global reference for MOTD Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
extensions ['.enc']
payment-method Bitcoin
price 2
ransomnotes-filenames ['motd.txt']
ransomnotes-refs ['https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png']

CryptoDevil Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID f3ead274-6c98-4532-b922-03d5ce4e7cfc which can be used as unique global reference for CryptoDevil Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.devil']
payment-method Dollars
price 20 - 100
ransomnotes-refs ['https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg', 'https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg']

FabSysCrypto Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Internal MISP references

UUID e4d36930-2e00-4583-b5f5-d8f83736d3ce which can be used as unique global reference for FabSysCrypto Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-256+RSA
extensions ['.locked']
payment-method Bitcoin
price 0.5
ransomnotes-refs ['https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png']

Lock2017 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID cf47a853-bc1d-42ae-8542-8a7433f6c9c2 which can be used as unique global reference for Lock2017 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES+RSA
extensions ['[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is']
ransomnotes-refs ['https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png']

RedAnts Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID dd3601f1-df0a-4e67-8a20-82e7ba0ed13c which can be used as unique global reference for RedAnts Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.Horas-Bah']
payment-method Bitcoin
price 0.5

ConsoleApplication1 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 4c3788d6-30a9-4cad-af33-81f9ce3a0d4f which can be used as unique global reference for ConsoleApplication1 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.locked']
payment-method Bitcoin
price 0.5

KRider Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7 which can be used as unique global reference for KRider Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date March 2017
encryption AES
extensions ['.kr3']
payment-method no ransom

CYR-Locker Ransomware (FAKE)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

Internal MISP references

UUID 44f6d489-f376-4416-9ba4-e153472f75fc which can be used as unique global reference for CYR-Locker Ransomware (FAKE) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
payment-method Bitcoin
price 0.5 (300$)

DotRansomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 0570e09d-10b9-448c-87fd-c1c4063e6592 which can be used as unique global reference for DotRansomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.locked']
payment-method Bitcoin
price 0.1
ransomnotes ["DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR
ransomnotes-refs ['https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png']

Unlock26 Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Internal MISP references

UUID 37b9a28d-8554-4233-b130-efad4be97bc0 which can be used as unique global reference for Unlock26 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.locked-[3_random_chars]']
payment-method Bitcoin
price 0.01 - 0.06
ransomnotes-filenames ['ReadMe-[3_random_chars].html']
ransomnotes-refs ['https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png', 'https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png']

PicklesRansomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Python ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PicklesRansomware.

Known Synonyms
Pickles
Internal MISP references

UUID 87171865-9fc9-42a9-9bd4-a453f556f20c which can be used as unique global reference for PicklesRansomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.EnCrYpTeD']
payment-method Bitcoin
price 1
ransomnotes-filenames ['READ_ME_TO_DECRYPT.txt']

Vanguard Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. This ransomware poses as MS Office to fool users into opening the infected file. GO Ransomware.

Internal MISP references

UUID 6a6eed70-3f90-420b-9e4a-5cce9428dc06 which can be used as unique global reference for Vanguard Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption ChaCha20 and Poly1305
payment-method Bitcoin
price 1
ransomnotes ['NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety.']

PyL33T Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 305cb1fb-d43e-4477-8edc-90b34aaf227f which can be used as unique global reference for PyL33T Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption ChaCha20 and Poly1305
extensions ['.d4nk']
ransomnotes ['ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** ']

TrumpLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. This is the old VenusLocker in disguise. To delete shadow files, the following command is used: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg

Internal MISP references

UUID 63bd845c-94f6-49dc-8f0c-22e6f67820f7 which can be used as unique global reference for TrumpLocker Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-128
extensions ['.trumplockerf', '.TheTrumpLockerf', '.TheTrumpLockerfp']
payment-method Bitcoin
price 1(50 - 165$)
ransomnotes-filenames ['What happen to my files.txt']
ransomnotes-refs ['https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg']

Damage Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Written in Delphi.

Internal MISP references

UUID fbcb6a4f-1d31-4e31-bef5-e162e35649de which can be used as unique global reference for Damage Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-128 OR Combination of SHA-1 and Blowfish
extensions ['.damage']
ransomnotes ['TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com']

XYZWare Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

Internal MISP references

UUID f0652feb-a104-44e8-91c7-b0435253352b which can be used as unique global reference for XYZWare Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-128
extensions ['your files get marked with: “youarefucked”']
payment-method Bitcoin
price 0.1 - 0.2
ransomnotes ["All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"]

YouAreFucked Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YouAreFucked Ransomware.

Known Synonyms
FortuneCrypt
Internal MISP references

UUID 912af0ef-2d78-4a90-a884-41f3c37c723b which can be used as unique global reference for YouAreFucked Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-128
extensions ['your files get marked with: “youarefucked”']
payment-method Bitcoin
price 0.1 (250$)
ransomnotes-refs ['https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png']

CryptConsole 2.0 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 7343da8f-fe18-46c9-8cda-5b04fb48e97d which can be used as unique global reference for CryptConsole 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
payment-method Bitcoin
price 0.5 - 0.7
ransomnotes-filenames ['How decrypt files.hta']
ransomnotes-refs ['https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png']

BarRax Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BarRax Ransomware.

Known Synonyms
BarRaxCrypt Ransomware
Internal MISP references

UUID c0ee166e-273f-4940-859c-ba6f8666247c which can be used as unique global reference for BarRax Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.barRex', '.BarRax']
payment-method Bitcoin
price 0.5

CryptoLocker by NTK Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 51bcbbc6-d8e0-4d2b-b5ce-79f26d669567 which can be used as unique global reference for CryptoLocker by NTK Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
ransomnotes-refs ['https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg']

UserFilesLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UserFilesLocker Ransomware.

Known Synonyms
CzechoSlovak Ransomware
Internal MISP references

UUID c9e29151-7eda-4192-9c34-f9a81b2ef743 which can be used as unique global reference for UserFilesLocker Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-256+RSA
extensions ['.ENCR']
payment-method Bitcoin
price 0.8 - 2
ransomnotes ['All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)']
ransomnotes-refs ['https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg']

AvastVirusinfo Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMANENT!!!!

Internal MISP references

UUID 78649172-cf5b-4e8a-950b-a967ff700acf which can be used as unique global reference for AvastVirusinfo Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-256+RSA
extensions ['.A9v9Ahu4-000']
payment-method Bitcoin
price 6

SuchSecurity Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SuchSecurity Ransomware.

Known Synonyms
Such Security
Internal MISP references

UUID 22481dfd-8284-4071-a76f-c9a4a5f43f00 which can be used as unique global reference for SuchSecurity Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
ransomnotes-refs ['https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png']

PleaseRead Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PleaseRead Ransomware.

Known Synonyms
VHDLocker Ransomware
Internal MISP references

UUID 9de7a1f2-cc21-40cf-b44e-c67f0262fbce which can be used as unique global reference for PleaseRead Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-256
payment-method Bitcoin
price 0.5
ransomnotes-refs ['https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png']

Kasiski Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 59b537dc-3764-42fc-a416-92d2950aaff1 which can be used as unique global reference for Kasiski Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
extensions ['[KASISKI]']
payment-method Dollars
price 500
ransomnotes-filenames ['INSTRUCCIONES.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg']

Fake Locky Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fake Locky Ransomware.

Known Synonyms
Locky Impersonator Ransomware
Internal MISP references

UUID 26a34763-a70c-4877-b99f-ae39decd2107 which can be used as unique global reference for Fake Locky Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.locked']
payment-method Bitcoin
price 1
ransomnotes ['Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys']

CryptoShield 1.0 Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. CryptoShield 1.0 is a ransomware from the CryptoMix family.

Internal MISP references

UUID 1f915f16-2e2f-4681-a1e8-e146a0a4fcdf which can be used as unique global reference for CryptoShield 1.0 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES(256)/ROT-13
extensions ['.CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)']
payment-method Email
ransomnotes-filenames ['# RESTORING FILES #.txt', '# RESTORING FILES #.html']
ransomnotes-refs ['https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png']

Hermes Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Filemarker: "HERMES"

Internal MISP references

UUID b7102922-8aad-4b29-8518-6d87c3ba45bb which can be used as unique global reference for Hermes Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.locked']
payment-method Email - Bitcoin
ransomnotes ['UNIQUE_ID_DO_NOT_REMOVE']
ransomnotes-filenames ['DECRYPT_INFORMATION.html']
ransomnotes-refs ['https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png', 'https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png']

LoveLock Ransomware or Love2Lock Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoveLock Ransomware or Love2Lock Ransomware.

Known Synonyms
Love2Lock
LoveLock
Internal MISP references

UUID 0785bdda-7cd8-4529-b28e-787367c50298 which can be used as unique global reference for LoveLock Ransomware or Love2Lock Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.hasp']
ransomnotes-refs ['https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg']

Wcry Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 0983bdda-c637-4ad9-a56f-615b2b052740 which can be used as unique global reference for Wcry Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.wcry']
payment-method Bitcoin
price 0.1
ransomnotes-refs ['https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg']

DUMB Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID 27feba66-e9c7-4414-a560-1e5b7da74d08 which can be used as unique global reference for DUMB Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
payment-method Bitcoin
price 0,3169
ransomnotes-refs ['https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png', 'https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg']

X-Files

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Internal MISP references

UUID c24f48ca-060b-4164-aafe-df7b3f43f40e which can be used as unique global reference for X-Files in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES
extensions ['.b0C', '.b0C.x']
payment-method Bitcoin
price 0,2

Polski Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.

Internal MISP references

UUID b50265ac-ee45-4f5a-aca1-fabe3157fc14 which can be used as unique global reference for Polski Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
encryption AES-256
extensions ['.aes']
payment-method Dollars
price 249
ransomnotes-refs ['https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg']

YourRansom Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This hacker demands that the victim contacts him through email and decrypts the files for FREE. (More info in the link below.)

Internal MISP references

UUID 908b914b-6744-4e16-b014-121cf2106b5f which can be used as unique global reference for YourRansom Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2016
encryption AES-256
extensions ['.yourransom']
payment-method Email
ransomnotes-filenames ['README.txt']
ransomnotes-refs ['https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png']

Ranion RaasRansomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Ranion Raas gives regular people the opportunity to buy and distribute ransomware for a very cheap price. (More info in the link below.) RaaS service.

Internal MISP references

UUID b4de724f-add4-4095-aa5a-e4d039322b59 which can be used as unique global reference for Ranion RaasRansomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2016
encryption AES-256
payment-method Bitcoin
price 0.6 - 0.95
ransomnotes-refs ['https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png']

Potato Ransomware

Wants a ransom to get the victim’s files back. Originated in English. Spread worldwide.

Internal MISP references

UUID 378cb77c-bb89-4d32-bef9-1b132343f3fe which can be used as unique global reference for Potato Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256
extensions ['.potato']
payment-method Email
ransomnotes-filenames ['How to recover my files.txt', 'README.png', 'README.html']
ransomnotes-refs ['https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg']

of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)

This ransomware originated in English and therefore could be used worldwide. It is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID e290fa29-6fc1-4fb5-ac98-44350e508bc1 which can be used as unique global reference for of Ransomware: OpenToYou (Formerly known as OpenToDecrypt) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016/January 2017
encryption RC4
extensions ['.-opentoyou@india.com']
payment-method Email
ransomnotes ['Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884']
ransomnotes-filenames ['!!!.txt', '1.bmp', '1.jpg']
ransomnotes-refs ['https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg']

RansomPlus

The author of this ransomware is sergej. The ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID c039a50b-f5f9-4ad0-8b66-e1d8cc86717b which can be used as unique global reference for RansomPlus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.encrypted']
payment-method Bitcoin
price 0.25
ransomnotes ['YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool.']
ransomnotes-filenames ['YOUR FILES ARE ENCRYPTED!!!.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png']

CryptConsole

This ransomware does not actually encrypt your files, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Internal MISP references

UUID 42508fd8-3c2d-44b2-9b74-33c5d82b297d which can be used as unique global reference for CryptConsole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ', '.decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters']
payment-method Bitcoin
price 0.2
ransomnotes ["Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"]
ransomnotes-filenames ['How decrypt files.hta']

ZXZ Ramsomware

Originated in English and could affect users worldwide; however, so far there are only reports from Saudi Arabia. The malware name found by a Windows server tool is win32/wagcrypt.A.

Internal MISP references

UUID e4932d1c-2f97-474d-957e-c7df87f9591e which can be used as unique global reference for ZXZ Ramsomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
extensions ['.zxz']
payment-method Email

VxLock Ransomware

Developed in Visual Studio in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS Office, Open Office, PDF, etc.

Internal MISP references

UUID 14deb95c-7af3-4fb1-b2c1-71087e1bb156 which can be used as unique global reference for VxLock Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES+RSA
extensions ['.vxlock']

FunFact Ransomware

Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks the victim to email them to find out the amount of bitcoin to send (to receive a decrypt code). Written in English, it can attack all over the world. The ransom is 1.22038 BTC, which is 1100 USD.

Internal MISP references

UUID 2bfac605-a2c5-4742-92a2-279a08a4c575 which can be used as unique global reference for FunFact Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES+RSA
payment-method Bitcoin
price 0,65806
ransomnotes ['Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061\nBTC Address: 1AQrj\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******\n-----END PGP PUBLIC KEY BLOCK-----']
ransomnotes-filenames ['note.iti']

ZekwaCrypt Ransomware

First spotted in May 2016, it made a big comeback in January 2017. It is directed at English-speaking users and can therefore infect systems worldwide. The ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.

Internal MISP references

UUID 89d5a541-ef9a-4b18-ac04-2e1384031a2d which can be used as unique global reference for ZekwaCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES+RSA
extensions ['.<7_random_letters>']
payment-method Email
ransomnotes ['WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com']
ransomnotes-filenames ['encrypted_readme.txt', '__encrypted_readme.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png']

Sage 2.0 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. This ransomware attacks your MS Office by offering a macro to help with your program, but instead encrypts all your files if the user is not protected. Its predecessor is CryLocker.

Internal MISP references

UUID 9174eef3-65f7-4ab5-9b55-b323b36fb962 which can be used as unique global reference for Sage 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.sage']
payment-method Bitcoin
price 2,15555 (2000$)
ransomnotes-filenames ['!Recovery_[3_random_chars].html']
ransomnotes-refs ['https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png', 'https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png']

CloudSword Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It uses the name “Window Update” to confuse its victims. It then imitates the Windows update process while turning off Windows Startup Repair and changing the BootStatusPolicy using these commands:
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Internal MISP references

UUID a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4 which can be used as unique global reference for CloudSword Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
payment-method Bitcoin
ransomnotes-filenames ['Warning警告.html']
ransomnotes-refs ['https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg']

DN

It is directed at English-speaking users and can therefore infect systems worldwide. It uses the name “Chrome Update” to confuse its victims. It then imitates the Chrome update process while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DN.

Known Synonyms
Fake
Internal MISP references

UUID 327eb8b4-5793-42f0-96c0-7f651a0debdc which can be used as unique global reference for DN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.killedXXX']
payment-method Bitcoin
price 0.5
ransomnotes-refs ['https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg', 'https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg']

GarryWeber Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, etc.

Internal MISP references

UUID b6e6da33-bf23-4586-81cf-dcfe10e13a81 which can be used as unique global reference for GarryWeber Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.id-_garryweber@protonmail.ch']
payment-method Bitcoin
price 1
ransomnotes-filenames ['HOW_OPEN_FILES.html']
ransomnotes-refs ['https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg']

Satan Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, etc. This ransomware encourages others to download viruses and spread them as ransomware to infect other users, keeping 70% of the ransom (leaving the other 30% to Satan). https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS

Internal MISP references

UUID 61d8bba8-7b22-493f-b023-97ffe7f17caf which can be used as unique global reference for Satan Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256 + RSA-2048
extensions ['.stn']
payment-method Bitcoin
price 0.1 - your choice
ransomnotes-filenames ['HELP_DECRYPT_FILES.html']
ransomnotes-refs ['https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png']

Havoc

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Havoc.

Known Synonyms
HavocCrypt Ransomware
Internal MISP references

UUID c6bef9c8-becb-4bee-bd97-c1c655133396 which can be used as unique global reference for Havoc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.HavocCrypt']
payment-method Bitcoin
price 150 $
ransomnotes-refs ['https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg']

CryptoSweetTooth Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Its fake name is Bitcoin and the maker’s name is Santiago. The encryptor requires .NET Framework 4.5.2 on the user’s computer to work.

Internal MISP references

UUID ca831782-fcbf-4984-b04e-d79b14e48a71 which can be used as unique global reference for CryptoSweetTooth Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.locked']
payment-method Bitcoin
price 0.5
ransomnotes-filenames ['IMPORTANTE_LEER.html', 'RECUPERAR_ARCHIVOS.html']
ransomnotes-refs ['https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg']

Kaandsona Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. It crashes before it encrypts.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaandsona Ransomware.

Known Synonyms
Käändsõna Ransomware
RansomTroll Ransomware
Internal MISP references

UUID aed61a0a-dc48-43ac-9c33-27e5a286899e which can be used as unique global reference for Kaandsona Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.kencf']
payment-method Bitcoin
price 1
ransomnotes ["You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"]
ransomnotes-refs ['https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png']

LambdaLocker Ransomware

It is directed at English- and Chinese-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Python ransomware.

Internal MISP references

UUID 0d1b35e9-c87a-4972-8c27-a11c13e351d7 which can be used as unique global reference for LambdaLocker Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256
extensions ['.lambda_l0cked']
payment-method Bitcoin
price 0.5 - 1
ransomnotes-filenames ['READ_IT.hTmL']
ransomnotes-refs ['https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif']

NMoreia 2.0 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NMoreia 2.0 Ransomware.

Known Synonyms
HakunaMatataRansomware
Internal MISP references

UUID 0645cae2-bda9-4d68-8bc3-c3c1eb9d1801 which can be used as unique global reference for NMoreia 2.0 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.HakunaMatata']
payment-method Website (onion)
ransomnotes-filenames ['Recovers files yako.html']
ransomnotes-refs ['https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png']

Marlboro Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.2 bitcoin; however, there is no point in even trying to pay, since the damage is irreversible. Once the ransom is paid, the hacker does not decrypt the files. Another name is DeMarlboro, and it is written in C++. It pretends to encrypt using RSA-2048 and AES-128 (really it is just XOR).

Internal MISP references

UUID 4ae98da3-c667-4c6e-b0fb-5b52c667637c which can be used as unique global reference for Marlboro Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption XOR
extensions ['.oops']
payment-method Bitcoin
price 0.2
ransomnotes-filenames ['HELP_Recover_Files.html']
ransomnotes-refs ['https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png', 'https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png']

Spora Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

Internal MISP references

UUID 46601172-d938-47af-8cf5-c5a796ab68ab which can be used as unique global reference for Spora Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES+RSA
payment-method Bitcoin
price 79$
ransomnotes-filenames ['[Infection-ID].HTML']
ransomnotes-refs ['https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png']

CryptoKill Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The files get encrypted, but the decryption key is not available. THERE IS NO POINT IN PAYING THE RANSOM; THE FILES WILL NOT BE RETURNED.

Internal MISP references

UUID 7ae2f594-8a72-4ba8-a37a-32457d1d3fe8 which can be used as unique global reference for CryptoKill Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES+RSA
extensions ['.crypto']
payment-method Bitcoin

All_Your_Documents Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID 62120e20-21f6-474b-9dc1-fc871d25c798 which can be used as unique global reference for All_Your_Documents Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
extensions ['AES+RSA']
payment-method Bitcoin
price 0.35
ransomnotes-refs ['https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png']

SerbRansom 2017 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.

Internal MISP references

UUID fb1e99cb-73fa-4961-a052-c90b3f383542 which can be used as unique global reference for SerbRansom 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.velikasrbija']
payment-method Bitcoin
price 500$
ransomnotes-refs ['https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg', 'https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg']

Fadesoft Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.33 bitcoins.

Internal MISP references

UUID ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37 which can be used as unique global reference for Fadesoft Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
payment-method Bitcoin
price 0.33
ransomnotes-refs ['https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg']

HugeMe Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID 681ad7cc-fda0-40dc-83b3-91fdfdec81e1 which can be used as unique global reference for HugeMe Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256 + RSA-2048
extensions ['.encypted']
payment-method Bitcoin
price 1
ransomnotes-refs ['https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png']

DynA-Crypt Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynA-Crypt Ransomware.

Known Synonyms
DynA CryptoLocker Ransomware
Internal MISP references

UUID 9979ae53-98f7-49a2-aa1e-276973c2b44f which can be used as unique global reference for DynA-Crypt Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256 + RSA-2048
extensions ['.crypt']
payment-method Bitcoin
price 50$
ransomnotes-refs ['https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg']

Serpent 2017 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Serpent 2017 Ransomware.

Known Synonyms
Serpent Danish Ransomware
Internal MISP references

UUID 3b472aac-085b-409e-89f1-e8c766f7c401 which can be used as unique global reference for Serpent 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256 + RSA-2048
extensions ['.crypt']
payment-method Bitcoin
price 0.75 (787.09$) - 2.25 (2366.55$ after 7 days)
ransomnotes ["==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"]

Erebus 2017 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID c21e637c-6611-47e1-a191-571409b6669a which can be used as unique global reference for Erebus 2017 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption ROT-23
payment-method Bitcoin
price 0.085
ransomnotes-filenames ['README.HTML']
ransomnotes-refs ['https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg']

Cyber Drill Exercise

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber Drill Exercise .

Known Synonyms
Ransomuhahawhere
Internal MISP references

UUID dcb183d1-11b5-464c-893a-21e132cb7b51 which can be used as unique global reference for Cyber Drill Exercise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
extensions ['.locked']
payment-method Bitcoin
price 0.085
ransomnotes-refs ['https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png']

Cancer Ransomware FAKE

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. This is trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.

Internal MISP references

UUID ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f which can be used as unique global reference for Cancer Ransomware FAKE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date February 2017
extensions ['.cancer']
payment-method no ransom
ransomnotes-refs ['https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg']

UpdateHost Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It poses as Microsoft Copyright 2017 and requests a ransom in bitcoins.

Internal MISP references

UUID ed5b30b0-2949-410a-bc4c-3d90de93d033 which can be used as unique global reference for UpdateHost Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.locked']
payment-method Email - Bitcoin
ransomnotes-refs ['https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png']

Nemesis Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 10 bitcoins.

Internal MISP references

UUID b5942085-c9f2-4d1a-aadf-1061ad38fb1d which can be used as unique global reference for Nemesis Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.v8dp']
payment-method Bitcoin
price 10
ransomnotes-refs ['https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg']

Evil Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The KZ domain is used, therefore it is assumed that the decrypter is from Kazakhstan. It is coded in JavaScript.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evil Ransomware.

Known Synonyms
File0Locked KZ Ransomware
Internal MISP references

UUID 57933295-4a0e-4f6a-b06b-36807ff150cd which can be used as unique global reference for Evil Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.file0locked', '.evillock']
payment-method Email
ransomnotes-filenames ['HOW_TO_DECRYPT_YOUR_FILES.TXT', 'HOW_TO_DECRYPT_YOUR_FILES.HTML']
ransomnotes-refs ['https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png', 'https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png']

Ocelot Ransomware (FAKE RANSOMWARE)

It is directed at English-speaking users and can therefore infect systems worldwide. This is a fake ransomware. Your files are not really encrypted; however, the attacker does ask for a ransom of 0.03 bitcoins. It is still dangerous even though it is fake, since the attacker still gets through to your computer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ocelot Ransomware (FAKE RANSOMWARE).

Known Synonyms
Ocelot Locker Ransomware
Internal MISP references

UUID 054b9fbd-72fa-464f-a683-a69ab3936d69 which can be used as unique global reference for Ocelot Ransomware (FAKE RANSOMWARE) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
payment-method Bitcoin
price 0.03
ransomnotes-refs ['https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg', 'https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg']

SkyName Ransomware

It is directed at Czechoslovakian-speaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It is based on HiddenTear.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SkyName Ransomware.

Known Synonyms
Blablabla Ransomware
Internal MISP references

UUID 00b8ff33-1504-49a4-a025-b761738eed68 which can be used as unique global reference for SkyName Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
payment-method Bitcoin
price 1000 CZK
ransomnotes-filenames ['INFOK1.txt']
ransomnotes-refs ['https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png', 'https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg']

MafiaWare Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 155$ in bitcoins. The creator of the ransomware is called Mafia. It is based on HiddenTear.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MafiaWare Ransomware.

Known Synonyms
Depsex Ransomware
Internal MISP references

UUID e5a60429-ae5d-46f4-a731-da9e2fcf8b92 which can be used as unique global reference for MafiaWare Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.locked-by-mafia']
payment-method Bitcoin
price 155$
ransomnotes-filenames ['READ_ME.txt']
ransomnotes-refs ['https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png']

Globe3 Ransomware

It is directed at English-speaking users and can therefore infect systems worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 3 bitcoins. The extension depends on the config file. It seems Globe is a ransomware kit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Globe3 Ransomware.

Known Synonyms
Purge Ransomware
Internal MISP references

UUID fe16edbe-3050-4276-bac3-c7ff5fd4174a which can be used as unique global reference for Globe3 Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256+RSA or RC4
extensions ['.badnews', '.globe', '.[random].bit', '.[random].encrypted', '.[random].raid10', '.[random].globe', '.[mia.kokers@aol.com]', '.unlockv@india.com', '.rescuers@india.com.3392cYAn548QZeUf.lock', '.locked', '.decrypt2017', '.hnumkhotep']
payment-method Bitcoin
price 3
ransomnotes-filenames ['How To Recover Encrypted Files.hta']
ransomnotes-refs ['https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png', 'https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png']

BleedGreen Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 500$ in bitcoins. Requires .NET Framework 4.0. It gets into your system startup and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BleedGreen Ransomware.

Known Synonyms
FireCrypt Ransomware
Internal MISP references

UUID fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08 which can be used as unique global reference for BleedGreen Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256
extensions ['.firecrypt']
payment-method Bitcoin
price 500$
ransomnotes-refs ['https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg']

BTCamant Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie).

Internal MISP references

UUID a5826bd3-b457-4aa9-a2e7-f0044ad9992f which can be used as unique global reference for BTCamant Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.BTC']
payment-method Email
ransomnotes-filenames ['BTC_DECRYPT_FILES.txt', 'BTC_DECRYPT_FILES.html']
ransomnotes-refs ['https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png']

X3M Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It is also possible to break in over Windows RDP with the help of the Pass-the-Hash technique, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, a modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. The ransom is 700$ in Bitcoins.

Internal MISP references

UUID 192bc3e8-ace8-4229-aa88-37034a11ef5b which can be used as unique global reference for X3M Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['_x3m', '_r9oj', '_locked']
payment-method Bitcoin
price 700$
ransomnotes-refs ['https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png']

GOG Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID c3ef2acd-cc5d-4240-80e7-47e85b46db96 which can be used as unique global reference for GOG Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.LOCKED']
payment-method Bitcoin - WebSite (onion)
ransomnotes-filenames ['DecryptFile.txt']
ransomnotes-refs ['https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png', 'https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png']

RegretLocker

RegretLocker is a new ransomware, found in the wild in the last month, that does not only encrypt normal files on disk as other ransomware does. When running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD files.

Internal MISP references

UUID 9479d372-605e-408e-a2a3-ea971ad4ad78 which can be used as unique global reference for RegretLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date November 2020
encryption AES
extensions ['.mouse']

EdgeLocker

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.1 Bitcoins. The original name is TrojanRansom.

Internal MISP references

UUID ecfa106d-0aff-4f7e-a259-f00eb14fc245 which can be used as unique global reference for EdgeLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.edgel']
payment-method Bitcoin
price 0.1
ransomnotes-refs ['https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg']

Red Alert

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Fake name: Microsoft Corporation. Based on HiddenTear.

Internal MISP references

UUID f762860a-5e7a-43bf-bef4-06bd27e0b023 which can be used as unique global reference for Red Alert in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.locked']
payment-method Website
ransomnotes-filenames ['MESSAGE.txt']
ransomnotes-refs ['https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg']

First

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID ed26fcf3-47fb-45cc-b5f9-de18f6491934 which can be used as unique global reference for First in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.locked']
payment-method Bitcoin
price 1.5
ransomnotes-refs ['https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg']

XCrypt Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Delphi. The ransomware's operator asks the victim to get in touch with him through ICQ in order to get the ransom and return the files.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XCrypt Ransomware.

Known Synonyms
XCrypt
Internal MISP references

UUID fd5bb71f-80dc-4a6d-ba8e-ed74999700d3 which can be used as unique global reference for XCrypt Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption Twofish
payment-method Email
ransomnotes-filenames ['Xhelp.jpg']
ransomnotes-refs ['https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg']

7Zipper Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID d8ec9e54-a4a4-451e-9f29-e7503174c16e which can be used as unique global reference for 7Zipper Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption Twofish
extensions ['.7zipper']
payment-method Email
ransomnotes-refs ['https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png']

Zyka Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 170$ or EUR in Bitcoins.

Internal MISP references

UUID 7b7c8124-c679-4201-b5a5-5e66e6d52b70 which can be used as unique global reference for Zyka Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES
extensions ['.lock', '.locked']
payment-method Bitcoin
price 170€/$
ransomnotes-refs ['https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png']

SureRansom Ransomeware (Fake)

It targets English-speaking users and is therefore able to strike worldwide. This ransomware does not really encrypt your files. The ransom requested is £50, paid by credit card.

Internal MISP references

UUID a9365b55-acd8-4b70-adac-c86d121b80b3 which can be used as unique global reference for SureRansom Ransomeware (Fake) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256 (fake)
payment-method Bitcoin
price 50£
ransomnotes-refs ['https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif']

Netflix Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware uses the well-known online library as a decoy. It poses as a Netflix code generator for Netflix logins, but instead encrypts your files. The ransom is 100$ in Bitcoins.

Internal MISP references

UUID 1317351f-ec8f-4c76-afab-334e1384d3d3 which can be used as unique global reference for Netflix Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date January 2017
encryption AES-256
extensions ['.se']
payment-method Bitcoin
price 0.18 (100$)
ransomnotes-refs ['https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg', 'https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad']

Merry Christmas

It targets English- and Italian-speaking users and is therefore able to infect users worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The emails pose as a consumer complaint notification coming from the Federal Trade Commission of the USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Merry Christmas.

Known Synonyms
MRCR
Merry X-Mas
Internal MISP references

UUID 72cbed4e-b26a-46a1-82be-3d0154fdd2e5 which can be used as unique global reference for Merry Christmas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES-256
extensions ['.MRCR1', '.PEGS1', '.RARE1', '.RMCM1', '.MERRY']
payment-method Email
ransomnotes-filenames ['YOUR_FILES_ARE_DEAD.HTA', 'MERRY_I_LOVE_YOU_BRUCE.HTA']
ransomnotes-refs ['https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png', 'https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png']

Seoirse Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Seoirse is how people in Ireland say the name George. The ransom is 0.5 Bitcoins.

Internal MISP references

UUID bdf807c2-74ec-4802-9907-a89b1d910296 which can be used as unique global reference for Seoirse Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.seoire']
payment-method Bitcoin
price 0.5

KillDisk Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Every file is encrypted with its own AES key, and that AES key is then encrypted with an RSA-1028 key. The hacking is carried out by TeleBots (Sandworm). It goes under a fake name: Update center or Microsoft Update center.

Internal MISP references

UUID 8e067af6-d1f7-478a-8a8e-5154d2685bd1 which can be used as unique global reference for KillDisk Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date November/December 2016
encryption AES-256+RSA
payment-method Bitcoin
price 222 (200 000$)
ransomnotes-refs ['https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png']

DeriaLock Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The maker is arizonacode and the ransom amount is 20-30$. If the victim decides to pay the ransom, he has to copy the HWID, then speak to the hacker on Skype and forward him the payment.

Internal MISP references

UUID c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3 which can be used as unique global reference for DeriaLock Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.deria']
payment-method Bitcoin
price 20 - 30$
ransomnotes-filenames ['unlock-everybody.txt']
ransomnotes-refs ['https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif']

BadEncript Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Internal MISP references

UUID 43bfbb2a-9416-44da-81ef-03d6d3a3923f which can be used as unique global reference for BadEncript Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.bript']
payment-method Email - Bitcoin
ransomnotes-filenames ['More.html']
ransomnotes-refs ['https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png']

AdamLocker Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The name of the creator is puff69.

Internal MISP references

UUID 5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc which can be used as unique global reference for AdamLocker Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.adam']
payment-method Website
ransomnotes-refs ['https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg']

Alphabet Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware poses as the Windows 10 Critical Update Service. It offers to update your Windows 10, but instead encrypts your files. For a successful attack, the victim must have .NET Framework 4.5.2 installed on their computer.

Internal MISP references

UUID dd356ed3-42b8-4587-ae53-95f933517612 which can be used as unique global reference for Alphabet Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.alphabet']
payment-method Bitcoin
price 1
ransomnotes-refs ['https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg']

KoKoKrypt Ransomware

It targets English-speaking users and is therefore able to infect users worldwide. It is spread by its creator in forums. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, documents and more. The ransom is 0.1 bitcoins, to be paid within 72 hours. It uses Windows Update as a decoy. Creator: Talnaci Alexandru.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KoKoKrypt Ransomware.

Known Synonyms
KokoLocker Ransomware
Internal MISP references

UUID d672fe4f-4561-488e-bca6-20385b53d77f which can be used as unique global reference for KoKoKrypt Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date December 2016
encryption AES
extensions ['.kokolocker']
payment-method Bitcoin
price 0.1
ransomnotes-refs ['https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAA