Ransomware
Ransomware galaxy based on different sources and maintained by the MISP Project.
Authors
Authors and/or Contributors |
---|
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml |
http://pastebin.com/raw/GHgpWjar |
MISP Project |
https://id-ransomware.blogspot.com/2016/07/ransomware-list.html |
ransomlook.io |
Nhtnwcuf Ransomware (Fake)
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 81b4e3ac-aa83-4616-9899-8e19ee3bb78b
which can be used as unique global reference for Nhtnwcuf Ransomware (Fake)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['RANDOM 3 LETTERS ARE ADDED'] |
payment-method | Bitcoin |
price | 1(300$) |
ransomnotes-refs | ['https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif'] |
CryptoJacky Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID a8187609-329a-4de0-bda7-7823314e7db9
which can be used as unique global reference for CryptoJacky Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['RANDOM 3 LETTERS ARE ADDED'] |
payment-method | Bitcoin |
price | 250 € |
ransomnotes-refs | ['https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png'] |
Kaenlupuf Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID b97f07c4-136a-488a-9fa0-35ab45fbfe36
which can be used as unique global reference for Kaenlupuf Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
payment-method | Bitcoin |
price | 1 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg'] |
EnjeyCrypter Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID e98e6b50-00fd-484e-a5c1-4b2363579447
which can be used as unique global reference for EnjeyCrypter Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/ - webarchive
- https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-256 |
extensions | ['example:.encrypted.contact_here_me@india.com.enjey'] |
payment-method | Bitcoin |
ransomnotes-refs | ['https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png'] |
Dangerous Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78
which can be used as unique global reference for Dangerous Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
ransomnotes | ['DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com'] |
Vortex Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Synonyms
Synonyms in the meta part are alternate names or labels associated with Vortex Ransomware.
Known Synonyms |
---|
Ŧl๏tєгค гคภร๏๓ฬคгє |
Internal MISP references
UUID 04a5889d-b97d-4653-8a0f-d2df85f93430
which can be used as unique global reference for Vortex Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
extensions | ['.aes'] |
payment-method | Dollars |
price | 199 |
ransomnotes | ['Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID ='] |
GC47 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 2069c483-4701-4a3b-bd51-3850c7aa59d2
which can be used as unique global reference for GC47 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.fuck_you'] |
payment-method | Bitcoin |
price | 0,0361312 (50$) |
ransomnotes-refs | ['https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg'] |
RozaLocker Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Synonyms
Synonyms in the meta part are alternate names or labels associated with RozaLocker Ransomware.
Known Synonyms |
---|
Roza |
Internal MISP references
UUID f158ea74-c8ba-4e5a-b07f-52bd8fe30888
which can be used as unique global reference for RozaLocker Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.enc', '.ENC'] |
payment-method | Bitcoin |
price | 10000 Rubles (135€) |
ransomnotes | ["OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru"] |
CryptoMeister Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 4c76c845-c5eb-472c-93a1-4178f86c319b
which can be used as unique global reference for CryptoMeister Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.enc'] |
payment-method | Bitcoin |
price | 0.1 |
ransomnotes | ['Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the "Buy Bitcoins" section and then buy Bitcoin Step 4: Go to the "Send" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear \'Check\' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites.'] |
GG Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Poses as Hewlett-Packard 2016.
Internal MISP references
UUID f62eb881-c6b5-470c-907d-072485cd5860
which can be used as unique global reference for GG Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.GG'] |
Project34 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 4af0d2bd-46da-44da-b17e-987f86957c1d
which can be used as unique global reference for Project34 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.Project34'] |
payment-method | MoneyPak |
price | 300$ |
ransomnotes | ['(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU'] |
ransomnotes-filenames | ['ПАРОЛЬ.txt'] |
PetrWrap Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID e11da570-e38d-4290-8a2c-8a31ae832ffb
which can be used as unique global reference for PetrWrap Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ - webarchive
- https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
payment-method | Bitcoin |
price | 300$ |
ransomnotes-refs | ['https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png'] |
Karmen Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. RaaS, based on HiddenTear.
Internal MISP references
UUID da7de60e-0725-498d-9a35-303ddb5bf60a
which can be used as unique global reference for Karmen Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-128 |
extensions | ['.grt'] |
payment-method | Bitcoin |
price | 1.2683 |
ransomnotes-refs | ['https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg'] |
Revenge Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. CryptoMix / CryptFile2 variant.
Internal MISP references
UUID 987d36d5-6ba8-484d-9e0b-7324cc886b0e
which can be used as unique global reference for Revenge Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES-256 + RSA-1024 |
extensions | ['.REVENGE'] |
ransomnotes | ['===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.'] |
ransomnotes-filenames | ['# !!!HELP_FILE!!! #.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg'] |
Turkish FileEncryptor Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Synonyms
Synonyms in the meta part are alternate names or labels associated with Turkish FileEncryptor Ransomware.
Known Synonyms |
---|
Fake CTB-Locker |
Internal MISP references
UUID a291ac4c-7851-480f-b317-e977a616ac9d
which can be used as unique global reference for Turkish FileEncryptor Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.encrypted'] |
payment-method | Bitcoin |
price | 150$ |
ransomnotes | ['FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the "My Documents" folder for more information in the file "Beni Oku.txt". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.'] |
ransomnotes-filenames | ['Beni Oku.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg'] |
Kirk Ransomware & Spock Decryptor
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Payments in Monero.
Synonyms
Synonyms in the meta part are alternate names or labels associated with Kirk Ransomware & Spock Decryptor.
Known Synonyms |
---|
Kirk & Spock Decryptor |
Internal MISP references
UUID 6e442a2e-97db-4a7b-b4a1-9abb4a7472d8
which can be used as unique global reference for Kirk Ransomware & Spock Decryptor
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/ - webarchive
- https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/ - webarchive
- http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html - webarchive
- http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges - webarchive
- https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/ - webarchive
- https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES+RSA |
extensions | ['.kirked', '.Kirked'] |
payment-method | Monero |
price | 1100 roupies (14€) |
ransomnotes | ['!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don\'t work. This may have broken some software, including games, office suites etc. Here\'s a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension \'.kirked\n\', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named \'pwd\' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n"Logic, motherfucker." ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you\'re still unsure, google\' bitcoin exchange\'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. 
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called \'Spock\'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don\'t fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER'] |
ransomnotes-filenames | ['RANSOM_NOTE.txt'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png'] |
ZinoCrypt Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 719c8ba7-598e-4511-a851-34e651e301fa
which can be used as unique global reference for ZinoCrypt Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.ZINO'] |
payment-method | Bitcoin |
ransomnotes-filenames | ['ZINO_NOTE.TXT'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg'] |
Crptxxx Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Uses @enigma0x3's UAC bypass.
Internal MISP references
UUID 786ca8b3-6915-4846-8f0f-9865fbc295f5
which can be used as unique global reference for Crptxxx Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html - webarchive
- https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84 - webarchive
- http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc - webarchive
- https://twitter.com/malwrhunterteam/status/839467168760725508 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.crptxxx'] |
ransomnotes-filenames | ['HOW_TO_FIX_!.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png'] |
MOTD Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 5d1a3631-165c-4091-ba55-ac8da62efadf
which can be used as unique global reference for MOTD Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
extensions | ['.enc'] |
payment-method | Bitcoin |
price | 2 |
ransomnotes-filenames | ['motd.txt'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png'] |
CryptoDevil Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID f3ead274-6c98-4532-b922-03d5ce4e7cfc
which can be used as unique global reference for CryptoDevil Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.devil'] |
payment-method | Dollars |
price | 20 - 100 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg', 'https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg'] |
FabSysCrypto Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.
Internal MISP references
UUID e4d36930-2e00-4583-b5f5-d8f83736d3ce
which can be used as unique global reference for FabSysCrypto Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-256+RSA |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 0.5 |
ransomnotes-refs | ['https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png'] |
Lock2017 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID cf47a853-bc1d-42ae-8542-8a7433f6c9c2
which can be used as unique global reference for Lock2017 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES+RSA |
extensions | ['[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png'] |
RedAnts Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID dd3601f1-df0a-4e67-8a20-82e7ba0ed13c
which can be used as unique global reference for RedAnts Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.Horas-Bah'] |
payment-method | Bitcoin |
price | 0.5 |
ConsoleApplication1 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID 4c3788d6-30a9-4cad-af33-81f9ce3a0d4f
which can be used as unique global reference for ConsoleApplication1 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 0.5 |
KRider Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.
Internal MISP references
UUID f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7
which can be used as unique global reference for KRider Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | March 2017 |
encryption | AES |
extensions | ['.kr3'] |
payment-method | no ransom |
CYR-Locker Ransomware (FAKE)
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The following note is what you get if you enter the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg
Internal MISP references
UUID 44f6d489-f376-4416-9ba4-e153472f75fc
which can be used as unique global reference for CYR-Locker Ransomware (FAKE)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
payment-method | Bitcoin |
price | 0.5 (300$) |
DotRansomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 0570e09d-10b9-448c-87fd-c1c4063e6592
which can be used as unique global reference for DotRansomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 0.1 |
ransomnotes | ["DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR |
ransomnotes-refs | ['https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png'] |
Unlock26 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 37b9a28d-8554-4233-b130-efad4be97bc0
which can be used as unique global reference for Unlock26 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.locked-[3_random_chars]'] |
payment-method | Bitcoin |
price | 0.01 - 0.06 |
ransomnotes-filenames | ['ReadMe-[3_random_chars].html'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png', 'https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png'] |
PicklesRansomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Python.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PicklesRansomware.
Known Synonyms |
---|
Pickles |
Internal MISP references
UUID 87171865-9fc9-42a9-9bd4-a453f556f20c
which can be used as unique global reference for PicklesRansomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.EnCrYpTeD'] |
payment-method | Bitcoin |
price | 1 |
ransomnotes-filenames | ['READ_ME_TO_DECRYPT.txt'] |
Vanguard Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware poses as MS Office to fool users into opening the infected file. Written in Go.
Internal MISP references
UUID 6a6eed70-3f90-420b-9e4a-5cce9428dc06
which can be used as unique global reference for Vanguard Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | ChaCha20 and Poly1305 |
payment-method | Bitcoin |
price | 1 |
ransomnotes | ['NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety.'] |
PyL33T Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 305cb1fb-d43e-4477-8edc-90b34aaf227f
which can be used as unique global reference for PyL33T Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | ChaCha20 and Poly1305 |
extensions | ['.d4nk'] |
ransomnotes | ['ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** '] |
TrumpLocker Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This is the old VenusLocker in disguise. It deletes shadow copies using the following command: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg
Internal MISP references
UUID 63bd845c-94f6-49dc-8f0c-22e6f67820f7
which can be used as unique global reference for TrumpLocker Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/ - webarchive
- https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-128 |
extensions | ['.trumplockerf', '.TheTrumpLockerf', '.TheTrumpLockerfp'] |
payment-method | Bitcoin |
price | 1(50 - 165$) |
ransomnotes-filenames | ['What happen to my files.txt'] |
ransomnotes-refs | ['https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg'] |
Damage Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Delphi.
Internal MISP references
UUID fbcb6a4f-1d31-4e31-bef5-e162e35649de
which can be used as unique global reference for Damage Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-128 OR Combination of SHA-1 and Blowfish |
extensions | ['.damage'] |
ransomnotes | ['TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com'] |
XYZWare Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.
Internal MISP references
UUID f0652feb-a104-44e8-91c7-b0435253352b
which can be used as unique global reference for XYZWare Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-128 |
extensions | ['your files get marked with: “youarefucked”'] |
payment-method | Bitcoin |
price | 0.1 - 0.2 |
ransomnotes | ["All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id"] |
YouAreFucked Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YouAreFucked Ransomware.
Known Synonyms |
---|
FortuneCrypt |
Internal MISP references
UUID 912af0ef-2d78-4a90-a884-41f3c37c723b
which can be used as unique global reference for YouAreFucked Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-128 |
extensions | ['your files get marked with: “youarefucked”'] |
payment-method | Bitcoin |
price | 0.1 (250$) |
ransomnotes-refs | ['https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png'] |
CryptConsole 2.0 Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 7343da8f-fe18-46c9-8cda-5b04fb48e97d
which can be used as unique global reference for CryptConsole 2.0 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
payment-method | Bitcoin |
price | 0.5 - 0.7 |
ransomnotes-filenames | ['How decrypt files.hta'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png'] |
BarRax Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BarRax Ransomware.
Known Synonyms |
---|
BarRaxCrypt Ransomware |
Internal MISP references
UUID c0ee166e-273f-4940-859c-ba6f8666247c
which can be used as unique global reference for BarRax Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.barRex', '.BarRax'] |
payment-method | Bitcoin |
price | 0.5 |
CryptoLocker by NTK Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 51bcbbc6-d8e0-4d2b-b5ce-79f26d669567
which can be used as unique global reference for CryptoLocker by NTK Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
ransomnotes-refs | ['https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg'] |
UserFilesLocker Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UserFilesLocker Ransomware.
Known Synonyms |
---|
CzechoSlovak Ransomware |
Internal MISP references
UUID c9e29151-7eda-4192-9c34-f9a81b2ef743
which can be used as unique global reference for UserFilesLocker Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-256+RSA |
extensions | ['.ENCR'] |
payment-method | Bitcoin |
price | 0.8 - 2 |
ransomnotes | ['All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg'] |
AvastVirusinfo Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMANENT!!!!
Internal MISP references
UUID 78649172-cf5b-4e8a-950b-a967ff700acf
which can be used as unique global reference for AvastVirusinfo Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-256+RSA |
extensions | ['.A9v9Ahu4-000'] |
payment-method | Bitcoin |
price | 6 |
SuchSecurity Ransomware
This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SuchSecurity Ransomware.
Known Synonyms |
---|
Such Security |
Internal MISP references
UUID 22481dfd-8284-4071-a76f-c9a4a5f43f00
which can be used as unique global reference for SuchSecurity Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
ransomnotes-refs | ['https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png'] |
PleaseRead Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PleaseRead Ransomware.
Known Synonyms |
---|
VHDLocker Ransomware |
Internal MISP references
UUID 9de7a1f2-cc21-40cf-b44e-c67f0262fbce
which can be used as unique global reference for PleaseRead Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-256 |
payment-method | Bitcoin |
price | 0.5 |
ransomnotes-refs | ['https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png'] |
Kasiski Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 59b537dc-3764-42fc-a416-92d2950aaff1
which can be used as unique global reference for Kasiski Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html - webarchive
- https://twitter.com/MarceloRivero/status/832302976744173570 - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
extensions | ['[KASISKI]'] |
payment-method | Dollars |
price | 500 |
ransomnotes-filenames | ['INSTRUCCIONES.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg'] |
Fake Locky Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fake Locky Ransomware.
Known Synonyms |
---|
Locky Impersonator Ransomware |
Internal MISP references
UUID 26a34763-a70c-4877-b99f-ae39decd2107
which can be used as unique global reference for Fake Locky Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/ - webarchive
- https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html - webarchive
- https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 1 |
ransomnotes | ['Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys'] |
CryptoShield 1.0 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. CryptoShield 1.0 is a ransomware from the CryptoMix family.
Internal MISP references
UUID 1f915f16-2e2f-4681-a1e8-e146a0a4fcdf
which can be used as unique global reference for CryptoShield 1.0 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES(256)/ROT-13 |
extensions | ['.CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)'] |
payment-method | |
ransomnotes-filenames | ['# RESTORING FILES #.txt', '# RESTORING FILES #.html'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png'] |
Hermes Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Filemarker: "HERMES"
Internal MISP references
UUID b7102922-8aad-4b29-8518-6d87c3ba45bb
which can be used as unique global reference for Hermes Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/ - webarchive
- https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/ - webarchive
- https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Email - Bitcoin |
ransomnotes | ['UNIQUE_ID_DO_NOT_REMOVE'] |
ransomnotes-filenames | ['DECRYPT_INFORMATION.html'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png', 'https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png'] |
LoveLock Ransomware or Love2Lock Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoveLock Ransomware or Love2Lock Ransomware.
Known Synonyms |
---|
Love2Lock |
LoveLock |
Internal MISP references
UUID 0785bdda-7cd8-4529-b28e-787367c50298
which can be used as unique global reference for LoveLock Ransomware or Love2Lock Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.hasp'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg'] |
Wcry Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 0983bdda-c637-4ad9-a56f-615b2b052740
which can be used as unique global reference for Wcry Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.wcry'] |
payment-method | Bitcoin |
price | 0.1 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg'] |
DUMB Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 27feba66-e9c7-4414-a560-1e5b7da74d08
which can be used as unique global reference for DUMB Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
payment-method | Bitcoin |
price | 0,3169 |
ransomnotes-refs | ['https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png', 'https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg'] |
X-Files
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID c24f48ca-060b-4164-aafe-df7b3f43f40e
which can be used as unique global reference for X-Files
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES |
extensions | ['.b0C', '.b0C.x'] |
payment-method | Bitcoin |
price | 0,2 |
Polski Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is $249 and the hacker demands that the victim get in contact through e-mail and a Polish messenger called Gadu-Gadu.
Internal MISP references
UUID b50265ac-ee45-4f5a-aca1-fabe3157fc14
which can be used as unique global reference for Polski Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
encryption | AES-256 |
extensions | ['.aes'] |
payment-method | Dollars |
price | 249 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg'] |
YourRansom Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This hacker demands that the victim contact him through email, and decrypts the files for FREE (more info in the link below).
Internal MISP references
UUID 908b914b-6744-4e16-b014-121cf2106b5f
which can be used as unique global reference for YourRansom Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2016 |
encryption | AES-256 |
extensions | ['.yourransom'] |
payment-method | |
ransomnotes-filenames | ['README.txt'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png'] |
Ranion RaasRansomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Ranion RaaS gives regular people the opportunity to buy and distribute ransomware for a very cheap price (more info in the link below). RaaS service.
Internal MISP references
UUID b4de724f-add4-4095-aa5a-e4d039322b59
which can be used as unique global reference for Ranion RaasRansomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2016 |
encryption | AES-256 |
payment-method | Bitcoin |
price | 0.6 - 0.95 |
ransomnotes-refs | ['https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png'] |
Potato Ransomware
Wants a ransom to get the victim's files back. Originated in English. Spread worldwide.
Internal MISP references
UUID 378cb77c-bb89-4d32-bef9-1b132343f3fe
which can be used as unique global reference for Potato Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 |
extensions | ['.potato'] |
payment-method | |
ransomnotes-filenames | ['How to recover my files.txt', 'README.png', 'README.html'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg'] |
of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)
This ransomware originated in English and could therefore be used worldwide. It is spread with the help of email spam, fake ads, fake updates and infected install files.
Internal MISP references
UUID e290fa29-6fc1-4fb5-ac98-44350e508bc1
which can be used as unique global reference for of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016/January 2017 |
encryption | RC4 |
extensions | ['.-opentoyou@india.com'] |
payment-method | |
ransomnotes | ['Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884'] |
ransomnotes-filenames | ['!!!.txt', '1.bmp', '1.jpg'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg'] |
RansomPlus
The author of this ransomware is sergej. The ransom is 0.25 bitcoins for the return of the files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.
Internal MISP references
UUID c039a50b-f5f9-4ad0-8b66-e1d8cc86717b
which can be used as unique global reference for RansomPlus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.encrypted'] |
payment-method | Bitcoin |
price | 0.25 |
ransomnotes | ['YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool.'] |
ransomnotes-filenames | ['YOUR FILES ARE ENCRYPTED!!!.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png'] |
CryptConsole
This ransomware does not actually encrypt your files but only changes their names, just like Globe Ransomware. It is spread with the help of email spam, fake ads, fake updates and infected install files.
Internal MISP references
UUID 42508fd8-3c2d-44b2-9b74-33c5d82b297d
which can be used as unique global reference for CryptConsole
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html - webarchive
- https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/ - webarchive
- https://twitter.com/PolarToffee/status/824705553201057794 - webarchive
- https://twitter.com/demonslay335/status/1004351990493741057 - webarchive
- https://twitter.com/demonslay335/status/1004803373747572736 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters>', '.decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters>'] |
payment-method | Bitcoin |
price | 0.2 |
ransomnotes | ["Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"] |
ransomnotes-filenames | ['How decrypt files.hta'] |
ZXZ Ramsomware
Originated in English and could affect users worldwide; however, so far there are only reports from Saudi Arabia. The malware name reported by Windows server tools is win32/wagcrypt.A.
Internal MISP references
UUID e4932d1c-2f97-474d-957e-c7df87f9591e
which can be used as unique global reference for ZXZ Ramsomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
extensions | ['.zxz'] |
payment-method | |
VxLock Ransomware
Developed in Visual Studio in 2010. Its original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS Office, Open Office, PDF, etc.
Internal MISP references
UUID 14deb95c-7af3-4fb1-b2c1-71087e1bb156
which can be used as unique global reference for VxLock Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
extensions | ['.vxlock'] |
FunFact Ransomware
FunFact uses the open-source code of GNU Privacy Guard (GnuPG), then asks the victim to email them to find out the amount of bitcoin to send (to receive a decryption code). Written in English, so it can attack all over the world. The ransom is 1.22038 BTC, which is 1100 USD.
Internal MISP references
UUID 2bfac605-a2c5-4742-92a2-279a08a4c575
which can be used as unique global reference for FunFact Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
payment-method | Bitcoin |
price | 0,65806 |
ransomnotes | ['Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061\nBTC Address: 1AQrj\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******\n-----END PGP PUBLIC KEY BLOCK-----'] |
ransomnotes-filenames | ['note.iti'] |
ZekwaCrypt Ransomware
First spotted in May 2016, but made a big comeback in January 2017. It is directed at English-speaking users and is therefore able to infect worldwide. The ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.
Internal MISP references
UUID 89d5a541-ef9a-4b18-ac04-2e1384031a2d
which can be used as unique global reference for ZekwaCrypt Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
extensions | ['.<7_random_letters>'] |
payment-method | |
ransomnotes | ['WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com'] |
ransomnotes-filenames | ['encrypted_readme.txt', '_ |
ransomnotes-refs | ['https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png'] |
Sage 2.0 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. This ransomware attacks through MS Office by offering a macro to help with your program, but instead encrypts all your files if the user is not protected. Its predecessor is CryLocker.
Internal MISP references
UUID 9174eef3-65f7-4ab5-9b55-b323b36fb962
which can be used as unique global reference for Sage 2.0 Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html - webarchive
- https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/ - webarchive
- http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom - webarchive
- https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/ - webarchive
- https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.sage'] |
payment-method | Bitcoin |
price | 2,15555 (2000$) |
ransomnotes-filenames | ['!Recovery_[3_random_chars].html'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png', 'https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png'] |
CloudSword Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It uses the name "Window Update" to confuse its victims, then imitates the Windows update process while turning off Windows Startup Repair and changing the BootStatusPolicy using these commands:
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Internal MISP references
UUID a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4
which can be used as unique global reference for CloudSword Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
payment-method | Bitcoin |
ransomnotes-filenames | ['Warning警告.html'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg'] |
DN
It is directed at English-speaking users and is therefore able to infect worldwide. It uses the name "Chrome Update" to confuse its victims, then imitates the Chrome update process while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DN.
Known Synonyms |
---|
Fake |
Internal MISP references
UUID 327eb8b4-5793-42f0-96c0-7f651a0debdc
which can be used as unique global reference for DN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.killedXXX'] |
payment-method | Bitcoin |
price | 0.5 |
ransomnotes-refs | ['https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg', 'https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg'] |
GarryWeber Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, etc.
Internal MISP references
UUID b6e6da33-bf23-4586-81cf-dcfe10e13a81
which can be used as unique global reference for GarryWeber Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.id- |
payment-method | Bitcoin |
price | 1 |
ransomnotes-filenames | ['HOW_OPEN_FILES.html'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg'] |
Satan Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, etc. This ransomware encourages others to download the malware and spread it as ransomware to infect further users, keeping 70% of the ransom (leaving the other 30% to Satan). Screenshot of the RaaS site: https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS
Internal MISP references
UUID 61d8bba8-7b22-493f-b023-97ffe7f17caf
which can be used as unique global reference for Satan Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html - webarchive
- https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/ - webarchive
- https://twitter.com/Xylit0l/status/821757718885236740 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 + RSA-2048 |
extensions | ['.stn'] |
payment-method | Bitcoin |
price | 0.1 - your choice |
ransomnotes-filenames | ['HELP_DECRYPT_FILES.html'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png'] |
Related clusters
Havoc
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Havoc.
Known Synonyms |
---|
HavocCrypt Ransomware |
Internal MISP references
UUID c6bef9c8-becb-4bee-bd97-c1c655133396
which can be used as unique global reference for Havoc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.HavocCrypt'] |
payment-method | Bitcoin |
price | 150 $ |
ransomnotes-refs | ['https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg'] |
CryptoSweetTooth Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Its fake name is Bitcoin and the maker's name is Santiago. The encryptor requires .NET Framework 4.5.2 on the victim's computer in order to run.
Internal MISP references
UUID ca831782-fcbf-4984-b04e-d79b14e48a71
which can be used as unique global reference for CryptoSweetTooth Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 0.5 |
ransomnotes-filenames | ['IMPORTANTE_LEER.html', 'RECUPERAR_ARCHIVOS.html'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg'] |
Kaandsona Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The word Kaandsona is Estonian, so the creator is probably from Estonia. It crashes before it encrypts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaandsona Ransomware.
Known Synonyms |
---|
Käändsõna Ransomware |
RansomTroll Ransomware |
Internal MISP references
UUID aed61a0a-dc48-43ac-9c33-27e5a286899e
which can be used as unique global reference for Kaandsona Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.kencf'] |
payment-method | Bitcoin |
price | 1 |
ransomnotes | ["You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png'] |
LambdaLocker Ransomware
It is directed at English- and Chinese-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Python ransomware.
Internal MISP references
UUID 0d1b35e9-c87a-4972-8c27-a11c13e351d7
which can be used as unique global reference for LambdaLocker Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 |
extensions | ['.lambda_l0cked'] |
payment-method | Bitcoin |
price | 0.5 - 1 |
ransomnotes-filenames | ['READ_IT.hTmL'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif'] |
NMoreia 2.0 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NMoreia 2.0 Ransomware.
Known Synonyms |
---|
HakunaMatataRansomware |
Internal MISP references
UUID 0645cae2-bda9-4d68-8bc3-c3c1eb9d1801
which can be used as unique global reference for NMoreia 2.0 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.HakunaMatata'] |
payment-method | Website (onion) |
ransomnotes-filenames | ['Recovers files yako.html'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png'] |
Marlboro Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.2 bitcoin, but there is no point in even trying to pay, since the damage is irreversible: once the ransom is paid, the hacker does not decrypt the files. Another name is DeMarlboro, and it is written in C++. It pretends to encrypt using RSA-2048 and AES-128 (really it is just XOR).
Internal MISP references
UUID 4ae98da3-c667-4c6e-b0fb-5b52c667637c
which can be used as unique global reference for Marlboro Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | XOR |
extensions | ['.oops'] |
payment-method | Bitcoin |
price | 0.2 |
ransomnotes-filenames | ['HELP_Recover_Files.html'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png', 'https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png'] |
Spora Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Sample of a spam email with a malicious attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png
Internal MISP references
UUID 46601172-d938-47af-8cf5-c5a796ab68ab
which can be used as unique global reference for Spora Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
payment-method | Bitcoin |
price | 79$ |
ransomnotes-filenames | ['[Infection-ID].HTML'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png'] |
CryptoKill Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The files get encrypted, but the decryption key is not available. THERE IS NO POINT IN PAYING THE RANSOM; THE FILES WILL NOT BE RETURNED.
Internal MISP references
UUID 7ae2f594-8a72-4ba8-a37a-32457d1d3fe8
which can be used as unique global reference for CryptoKill Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
extensions | ['.crypto'] |
payment-method | Bitcoin |
All_Your_Documents Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 62120e20-21f6-474b-9dc1-fc871d25c798
which can be used as unique global reference for All_Your_Documents Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES+RSA |
payment-method | Bitcoin |
price | 0.35 |
ransomnotes-refs | ['https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png'] |
SerbRansom 2017 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 500$ in bitcoins. The hacker's name is R4z0rx0r Serbian Hacker.
Internal MISP references
UUID fb1e99cb-73fa-4961-a052-c90b3f383542
which can be used as unique global reference for SerbRansom 2017 Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html - webarchive
- https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/ - webarchive
- https://twitter.com/malwrhunterteam/status/830116190873849856 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.velikasrbija'] |
payment-method | Bitcoin |
price | 500$ |
ransomnotes-refs | ['https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg', 'https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg'] |
Fadesoft Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.33 bitcoins.
Internal MISP references
UUID ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37
which can be used as unique global reference for Fadesoft Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
payment-method | Bitcoin |
price | 0.33 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg'] |
HugeMe Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 681ad7cc-fda0-40dc-83b3-91fdfdec81e1
which can be used as unique global reference for HugeMe Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 + RSA-2048 |
extensions | ['.encypted'] |
payment-method | Bitcoin |
price | 1 |
ransomnotes-refs | ['https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png'] |
DynA-Crypt Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynA-Crypt Ransomware.
Known Synonyms |
---|
DynA CryptoLocker Ransomware |
Internal MISP references
UUID 9979ae53-98f7-49a2-aa1e-276973c2b44f
which can be used as unique global reference for DynA-Crypt Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 + RSA-2048 |
extensions | ['.crypt'] |
payment-method | Bitcoin |
price | 50$ |
ransomnotes-refs | ['https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg'] |
Serpent 2017 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Serpent 2017 Ransomware.
Known Synonyms |
---|
Serpent Danish Ransomware |
Internal MISP references
UUID 3b472aac-085b-409e-89f1-e8c766f7c401
which can be used as unique global reference for Serpent 2017 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 + RSA-2048 |
extensions | ['.crypt'] |
payment-method | Bitcoin |
price | 0.75 (787.09$) - 2.25 (2366.55$ after 7 days) |
ransomnotes | ["==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"] |
Erebus 2017 Ransomware
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID c21e637c-6611-47e1-a191-571409b6669a
which can be used as unique global reference for Erebus 2017 Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | ROT-23 |
payment-method | Bitcoin |
price | 0.085 |
ransomnotes-filenames | ['README.HTML'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg'] |
Cyber Drill Exercise
It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber Drill Exercise.
Known Synonyms |
---|
Ransomuhahawhere |
Internal MISP references
UUID dcb183d1-11b5-464c-893a-21e132cb7b51
which can be used as unique global reference for Cyber Drill Exercise
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 0.085 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png'] |
Cancer Ransomware FAKE
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. This is trollware: it does not encrypt your files but makes your computer behave erratically (as in the video in the link below). It is meant to be annoying and is hard, but possible, to remove from your PC.
Internal MISP references
UUID ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f
which can be used as unique global reference for Cancer Ransomware FAKE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | February 2017 |
extensions | ['.cancer'] |
payment-method | no ransom |
ransomnotes-refs | ['https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg'] |
UpdateHost Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It poses as "Microsoft Copyright 2017" and requests the ransom in bitcoins.
Internal MISP references
UUID ed5b30b0-2949-410a-bc4c-3d90de93d033
which can be used as unique global reference for UpdateHost Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Email - Bitcoin |
ransomnotes-refs | ['https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png'] |
Nemesis Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 10 bitcoins.
Internal MISP references
UUID b5942085-c9f2-4d1a-aadf-1061ad38fb1d
which can be used as unique global reference for Nemesis Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.v8dp'] |
payment-method | Bitcoin |
price | 10 |
ransomnotes-refs | ['https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg'] |
Evil Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. A .KZ domain is used, so it is assumed that the decrypter comes from Kazakhstan. Coded in JavaScript.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evil Ransomware.
Known Synonyms |
---|
File0Locked KZ Ransomware |
Internal MISP references
UUID 57933295-4a0e-4f6a-b06b-36807ff150cd
which can be used as unique global reference for Evil Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html - webarchive
- http://www.enigmasoftware.com/evilransomware-removal/ - webarchive
- http://usproins.com/evil-ransomware-is-lurking/ - webarchive
- https://twitter.com/jiriatvirlab/status/818443491713884161 - webarchive
- https://twitter.com/PolarToffee/status/826508611878793219 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.file0locked', '.evillock'] |
payment-method | |
ransomnotes-filenames | ['HOW_TO_DECRYPT_YOUR_FILES.TXT', 'HOW_TO_DECRYPT_YOUR_FILES.HTML'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png', 'https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png'] |
Ocelot Ransomware (FAKE RANSOMWARE)
It’s directed at English-speaking users and can therefore infect victims worldwide. This is a fake ransomware: your files are not really encrypted, but the attacker still asks for a ransom of 0.03 bitcoins. It is still dangerous even though it is fake, since the attacker still gains access to your computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ocelot Ransomware (FAKE RANSOMWARE).
Known Synonyms |
---|
Ocelot Locker Ransomware |
Internal MISP references
UUID 054b9fbd-72fa-464f-a683-a69ab3936d69
which can be used as unique global reference for Ocelot Ransomware (FAKE RANSOMWARE)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
payment-method | Bitcoin |
price | 0.03 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg', 'https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg'] |
SkyName Ransomware
It’s directed at Czechoslovakian-speaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SkyName Ransomware.
Known Synonyms |
---|
Blablabla Ransomware |
Internal MISP references
UUID 00b8ff33-1504-49a4-a025-b761738eed68
which can be used as unique global reference for SkyName Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
payment-method | Bitcoin |
price | 1000 CZK |
ransomnotes-filenames | ['INFOK1.txt'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png', 'https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg'] |
MafiaWare Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 155$ in bitcoins. The creator of the ransomware is called Mafia. Based on HiddenTear.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MafiaWare Ransomware.
Known Synonyms |
---|
Depsex Ransomware |
Internal MISP references
UUID e5a60429-ae5d-46f4-a731-da9e2fcf8b92
which can be used as unique global reference for MafiaWare Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.locked-by-mafia'] |
payment-method | Bitcoin |
price | 155$ |
ransomnotes-filenames | ['READ_ME.txt'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png'] |
Globe3 Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 3 bitcoins. The extension depends on the config file. Globe appears to be a ransomware kit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Globe3 Ransomware.
Known Synonyms |
---|
Purge Ransomware |
Internal MISP references
UUID fe16edbe-3050-4276-bac3-c7ff5fd4174a
which can be used as unique global reference for Globe3 Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html - webarchive
- https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/ - webarchive
- https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html - webarchive
- https://decrypter.emsisoft.com/globe3 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256+RSA or RC4 |
extensions | ['.badnews', '.globe', '.[random].bit', '.[random].encrypted', '.[random].raid10', '.[random].globe', '.[mia.kokers@aol.com]', '.unlockv@india.com', '.rescuers@india.com.3392cYAn548QZeUf.lock', '.locked', '.decrypt2017', '.hnumkhotep'] |
payment-method | Bitcoin |
price | 3 |
ransomnotes-filenames | ['How To Recover Encrypted Files.hta'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png', 'https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png'] |
BleedGreen Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 500$ in bitcoins. Requires .NET Framework 4.0. It installs itself in your startup entries and shows you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BleedGreen Ransomware.
Known Synonyms |
---|
FireCrypt Ransomware |
Internal MISP references
UUID fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08
which can be used as unique global reference for BleedGreen Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 |
extensions | ['.firecrypt'] |
payment-method | Bitcoin |
price | 500$ |
ransomnotes-refs | ['https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg'] |
BTCamant Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Its original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie).
Internal MISP references
UUID a5826bd3-b457-4aa9-a2e7-f0044ad9992f
which can be used as unique global reference for BTCamant Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.BTC'] |
payment-method | |
ransomnotes-filenames | ['BTC_DECRYPT_FILES.txt', 'BTC_DECRYPT_FILES.html'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png'] |
X3M Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It can also gain entry over Windows RDP, using Pass-the-Hash, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, a modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. The ransom is 700$ in bitcoins.
Internal MISP references
UUID 192bc3e8-ace8-4229-aa88-37034a11ef5b
which can be used as unique global reference for X3M Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['_x3m', '_r9oj', '_locked'] |
payment-method | Bitcoin |
price | 700$ |
ransomnotes-refs | ['https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png'] |
GOG Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID c3ef2acd-cc5d-4240-80e7-47e85b46db96
which can be used as unique global reference for GOG Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.LOCKED'] |
payment-method | Bitcoin - WebSite (onion) |
ransomnotes-filenames | ['DecryptFile.txt'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png', 'https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png'] |
RegretLocker
RegretLocker is a new ransomware, found in the wild in the last month, that does not only encrypt ordinary files on disk like other ransomware. When running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD files.
Internal MISP references
UUID 9479d372-605e-408e-a2a3-ea971ad4ad78
which can be used as unique global reference for RegretLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | November 2020 |
encryption | AES |
extensions | ['.mouse'] |
EdgeLocker
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.1 bitcoins. Its original name is TrojanRansom.
Internal MISP references
UUID ecfa106d-0aff-4f7e-a259-f00eb14fc245
which can be used as unique global reference for EdgeLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.edgel'] |
payment-method | Bitcoin |
price | 0.1 |
ransomnotes-refs | ['https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg'] |
Red Alert
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Fake name: Microsoft Corporation. Based on HiddenTear.
Internal MISP references
UUID f762860a-5e7a-43bf-bef4-06bd27e0b023
which can be used as unique global reference for Red Alert
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Website |
ransomnotes-filenames | ['MESSAGE.txt'] |
ransomnotes-refs | ['https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg'] |
First
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID ed26fcf3-47fb-45cc-b5f9-de18f6491934
which can be used as unique global reference for First
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.locked'] |
payment-method | Bitcoin |
price | 1.5 |
ransomnotes-refs | ['https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg'] |
XCrypt Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Written in Delphi. The attacker asks the victim to get in touch with him through ICQ to pay the ransom and get the files back.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XCrypt Ransomware.
Known Synonyms |
---|
XCrypt |
Internal MISP references
UUID fd5bb71f-80dc-4a6d-ba8e-ed74999700d3
which can be used as unique global reference for XCrypt Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | Twofish |
payment-method | |
ransomnotes-filenames | ['Xhelp.jpg'] |
ransomnotes-refs | ['https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg'] |
7Zipper Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID d8ec9e54-a4a4-451e-9f29-e7503174c16e
which can be used as unique global reference for 7Zipper Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | Twofish |
extensions | ['.7zipper'] |
payment-method | |
ransomnotes-refs | ['https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png'] |
Zyka Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 170$ or EUR, paid in bitcoins.
Internal MISP references
UUID 7b7c8124-c679-4201-b5a5-5e66e6d52b70
which can be used as unique global reference for Zyka Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html - webarchive
- https://www.pcrisk.com/removal-guides/10899-zyka-ransomware - webarchive
- https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip - webarchive
- https://twitter.com/GrujaRS/status/826153382557712385 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES |
extensions | ['.lock', '.locked'] |
payment-method | Bitcoin |
price | 170€/$ |
ransomnotes-refs | ['https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png'] |
SureRansom Ransomeware (Fake)
It’s directed at English-speaking users and can therefore strike worldwide. This ransomware does not really encrypt your files. The ransom requested is £50, paid by credit card.
Internal MISP references
UUID a9365b55-acd8-4b70-adac-c86d121b80b3
which can be used as unique global reference for SureRansom Ransomeware (Fake)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 (fake) |
payment-method | Bitcoin |
price | 50£ |
ransomnotes-refs | ['https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif'] |
Netflix Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware uses the well-known online library as a decoy: it poses as a Netflix code generator for Netflix logins, but instead encrypts your files. The ransom is 100$ in bitcoins.
Internal MISP references
UUID 1317351f-ec8f-4c76-afab-334e1384d3d3
which can be used as unique global reference for Netflix Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/ - webarchive
- http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012 - webarchive
- https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg - webarchive
- https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | January 2017 |
encryption | AES-256 |
extensions | ['.se'] |
payment-method | Bitcoin |
price | 0.18 (100$) |
ransomnotes-refs | ['https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg', 'https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad'] |
Merry Christmas
It’s directed at English- and Italian-speaking users and can therefore infect victims worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It poses as a consumer complaint notification from the US Federal Trade Commission, with an attached file called “complaint.pdf”. Written in Delphi by the hacker MicrRP.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Merry Christmas.
Known Synonyms |
---|
MRCR |
Merry X-Mas |
Internal MISP references
UUID 72cbed4e-b26a-46a1-82be-3d0154fdd2e5
which can be used as unique global reference for Merry Christmas
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/ - webarchive
- http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/ - webarchive
- https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/ - webarchive
- https://decrypter.emsisoft.com/mrcr - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES-256 |
extensions | ['.MRCR1', '.PEGS1', '.RARE1', '.RMCM1', '.MERRY'] |
payment-method | |
ransomnotes-filenames | ['YOUR_FILES_ARE_DEAD.HTA', 'MERRY_I_LOVE_YOU_BRUCE.HTA'] |
ransomnotes-refs | ['https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png', 'https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png'] |
Seoirse Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Seoirse is the Irish form of the name George. The ransom is 0.5 bitcoins.
Internal MISP references
UUID bdf807c2-74ec-4802-9907-a89b1d910296
which can be used as unique global reference for Seoirse Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.seoire'] |
payment-method | Bitcoin |
price | 0.5 |
KillDisk Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Every file is encrypted with its own AES key, and that AES key is then encrypted with an RSA-1028 key. Attributed to TeleBots (Sandworm). It runs under a fake name: Update center or Microsoft Update center.
Internal MISP references
UUID 8e067af6-d1f7-478a-8a8e-5154d2685bd1
which can be used as unique global reference for KillDisk Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/ - webarchive
- https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/ - webarchive
- http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/ - webarchive
- http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware - webarchive
- http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ - webarchive
- https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | November/December 2016 |
encryption | AES-256+RSA |
payment-method | Bitcoin |
price | 222 (200 000$) |
ransomnotes-refs | ['https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png'] |
DeriaLock Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The maker is arizonacode and the ransom amount is 20-30$. If the victim decides to pay the ransom, they have to copy the HWID, then speak to the hacker on Skype and forward him the payment.
Internal MISP references
UUID c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3
which can be used as unique global reference for DeriaLock Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.deria'] |
payment-method | Bitcoin |
price | 20 - 30$ |
ransomnotes-filenames | ['unlock-everybody.txt'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif'] |
BadEncript Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.
Internal MISP references
UUID 43bfbb2a-9416-44da-81ef-03d6d3a3923f
which can be used as unique global reference for BadEncript Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.bript'] |
payment-method | Email - Bitcoin |
ransomnotes-filenames | ['More.html'] |
ransomnotes-refs | ['https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png'] |
AdamLocker Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The name of the creator is puff69.
Internal MISP references
UUID 5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc
which can be used as unique global reference for AdamLocker Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.adam'] |
payment-method | Website |
ransomnotes-refs | ['https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg'] |
Alphabet Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware poses as the Windows 10 Critical Update Service: it offers to update your Windows 10, but instead encrypts your files. For the attack to succeed, the victim must have .NET Framework 4.5.2 installed on their computer.
Internal MISP references
UUID dd356ed3-42b8-4587-ae53-95f933517612
which can be used as unique global reference for Alphabet Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.alphabet'] |
payment-method | Bitcoin |
price | 1 |
ransomnotes-refs | ['https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg'] |
KoKoKrypt Ransomware
It’s directed at English-speaking users and can therefore infect victims worldwide. It is spread by its creator on forums. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, documents and more. The ransom is 0.1 bitcoins, to be paid within 72 hours. It uses Windows Update as a decoy. Creator: Talnaci Alexandru.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KoKoKrypt Ransomware.
Known Synonyms |
---|
KokoLocker Ransomware |
Internal MISP references
UUID d672fe4f-4561-488e-bca6-20385b53d77f
which can be used as unique global reference for KoKoKrypt Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | December 2016 |
encryption | AES |
extensions | ['.kokolocker'] |
payment-method | Bitcoin |
price | 0.1 |
ransomnotes-refs | ['https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAA |