Commit

Merge pull request #227 from Delta-Sierra/master
Ransomwares and Olympic Destroyer
iglocska committed Jun 19, 2018
2 parents 4631916 + dcd159f commit 7a51f55
Showing 2 changed files with 143 additions and 9 deletions.
139 changes: 131 additions & 8 deletions clusters/ransomware.json
@@ -3673,7 +3673,9 @@
"encryption": "RSA",
"extensions": [
".c400",
".c300"
".c300",
"!@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd",
"!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR"
],
"date": "October 2016"
},
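Review bot: the two extensions added in this hunk, `!@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd` and `!@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR`, do not follow the leading-dot convention of the sibling entries `.c400` and `.c300`, and the first contains a space, so a consumer that builds a suffix match from this array will handle them differently from the rest. Please confirm against the sample whether these strings are the literal appended suffix (then they should start with a dot) or a full-filename pattern, and add a ref for them: every other hunk in this PR adds a source link beside its new indicators, but this one adds none.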
@@ -7720,7 +7722,8 @@
".enc",
".hb15",
".coderksu@gmail_com_id[0-9]{2,3}",
".crypt@india.com.[\\w]{4,12}"
".crypt@india.com.[\\w]{4,12}",
"!@#$%___________%$#@.mail"
],
"ransomnotes": [
"<startup folder>\\fud.bmp",
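Review bot: `!@#$%___________%$#@.mail` sits next to regex-style entries (`.coderksu@gmail_com_id[0-9]{2,3}`, `.crypt@india.com.[\\w]{4,12}`), so a consumer cannot tell from the array alone whether the new value is a literal suffix or a pattern, and `$` and `%` are regex-significant characters; the exact run of underscores also needs to be checked against the sample. Suggest adding a ref for this extension as the later hunks do, and deciding once whether this field holds literals or patterns and documenting it, since the mix already present here makes automated matching unreliable.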
@@ -8818,15 +8821,19 @@
".fileiscryptedhard",
".encoderpass",
".zc3791",
".antihacker2017"
".antihacker2017",
"....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT"
],
"encryption": "XOR or TEA",
"ransomnotes": [
"HOW TO DECRYPT FILES.TXT"
"HOW TO DECRYPT FILES.TXT",
"https://pbs.twimg.com/media/Dfj9G_2XkAE0ZS2.jpg",
"https://pbs.twimg.com/media/Dfj9H66WkAEHazN.jpg"
],
"refs": [
"https://support.kaspersky.com/viruses/disinfection/2911",
"https://decrypter.emsisoft.com/xorist"
"https://decrypter.emsisoft.com/xorist",
"https://twitter.com/siri_urz/status/1006833669447839745"
]
},
"uuid": "0a15a920-9876-4985-9d3d-bb0794722258"
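Review bot: the new extension `....PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_...` begins with four dots, which reads like a copied fragment of a renamed file rather than the appended suffix; please check the cited tweet (`https://twitter.com/siri_urz/status/1006833669447839745`) and store only the actual suffix. The two `pbs.twimg.com` links added to `ransomnotes` are screenshots, not note filenames or note text like `HOW TO DECRYPT FILES.TXT`; they belong in `refs` (where the tweet itself was correctly added), otherwise tooling that extracts ransom-note filenames from this array will pick up URLs.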
@@ -9203,15 +9210,25 @@
"https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/",
"https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware",
"https://twitter.com/malwrhunterteam/status/933643147766321152",
"https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/"
"https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/",
"https://twitter.com/demonslay335/status/1006222754385924096",
"https://twitter.com/demonslay335/status/1006908267862396928",
"https://twitter.com/demonslay335/status/1007694117449682945"
],
"extensions": [
".scarab",
".scorpio",
".[suupport@protonmail.com].scarab"
".[suupport@protonmail.com].scarab",
".fastrecovery@airmail.cc",
".files-xmail@cock.li.TXT",
".leen"
],
"ransomnotes": [
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
"HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT",
"Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!",
"INSTRUCTIONS FOR RESTORING FILES.TXT",
"Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam."
]
},
"uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4"
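Review bot: `.files-xmail@cock.li.TXT` in the new Scarab extensions ends in `.TXT`, which looks like the suffix of a ransom-note filename rather than of an encrypted file, given that the note added in this same hunk is named `HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT`; please verify against the three demonslay335 tweets added to `refs` and, if it is a note name, move it to `ransomnotes`. Minor: the `.leen` note added here names a different contact (`mr.leen@protonmail.com`) from the `fastrecovery@airmail.cc` note, so a sentence in `description` listing which extension and note belong to which variant would make clear these are variants of one family rather than unrelated data folded into one entry.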
@@ -9866,6 +9883,112 @@
]
},
"uuid": "3ac0f41e-72e0-11e8-85a8-f7ae254ab629"
},
{
"value": "Paradise Ransomware",
"description": "MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.",
"meta": {
"refs": [
"https://twitter.com/malwrhunterteam/status/1005420103415017472",
"https://twitter.com/malwrhunterteam/status/993499349199056897"
],
"extensions": [
"_V.0.0.0.1{paradise@all-ransomware.info}.prt"
],
"ransomnotes": [
"PARADISE_README_paradise@all-ransomware.info.txt"
]
},
"uuid": "db06d2e0-72f9-11e8-9413-73999e1a9373"
},
{
"value": "B2DR Ransomware",
"description": "uses the .reycarnasi1983@protonmail.com.gw3w amd a ransom note named ScrewYou.txt",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1006220895302705154"
],
"extensions": [
".reycarnasi1983@protonmail.com.gw3w",
".ssananunak1987@protonmail.com.b2fr"
],
"ransomnotes": [
"Your files were encrypted with AES-256.\n\nAsk how to restore your files by email reycarnasi1983@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: reycarnasi1983@torbox3uiot6wchz.onion\nATTENTION: e-mail (reycarnasi1983@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]-----END KEY-----",
"ScrewYou.txt",
"Readme.txt",
"Your files were encrypted with AES-256.\n\nAsk how to restore your files by email ssananunak1987@protonmail.com\n\nUse only gmail.com, yahoo.com, protonmail.com.\nMessages written from other mail services we can not get.\n\nWe always respond to messages. If there is no answer within 24 hours, then write us with another email service.\n\n[OR]\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: ssananunak1987@torbox3uiot6wchz.onion\nATTENTION: e-mail (ssananunak1987@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n################################\n\nAny actions on your part over encrypted files can damage them. Be sure to make backups!\n\n################################\n\nIn the message write us this ID:\n[redacted base64]"
]
},
"uuid": "4a341cf4-72ff-11e8-8371-b74902a1dff3"
},
{
"value": "YYTO Ransomware",
"description": "uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1006237353474756610"
],
"extensions": [
".codyprince92@mail.com.ovgm"
],
"ransomnotes": [
"Readme.txt",
"Hello. Your files have been encrypted.\n\nFor help, write to this e-mail: codyprince92@mail.com\nAttach to the letter 1-2 files (no more than 3 MB) and your personal key.\n\n\nIf within 24 hours you have not received a response, you need to follow the following instructions:\n\n\na) Download and install TOR browser: https://www.torproject.org/download/download-easy.html.en\nb) From the TOR browser, follow the link: torbox3uiot6wchz.onion\nc) Register your e-mail (Sign Up)\nd) Write us on e-mail: codyprince@torbox3uiot6wchz.onion\n\n\nATTENTION: e-mail (codyprince@torbox3uiot6wchz.onion) accepts emails, only with e-mail registered in the TOR browser at torbox3uiot6wchz.onion\n\n\n\nYour personal key:\n\n[redacted hex]"
]
},
"uuid": "ef38d8b4-7392-11e8-ba1e-cfb37f0b9c73"
},
{
"value": "Unnamed ramsomware 2",
"meta": {
"refs": [
"https://twitter.com/demonslay335/status/1007334654918250496"
],
"ransomnotes": [
"Notice.txt",
"Your files was encrypted using AES-256 algorithm. Write me to e-mail: qnbqwqe@protonmail.com to get your decryption key.\nYour USERKEY: [redacted 1024 bytes in base64]"
],
"extensions": [
".qnbqw"
]
},
"uuid": "53e6e068-739c-11e8-aae4-df58f7f27ee5"
},
{
"value": "Everbe Ransomware",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/"
],
"extensions": [
".[everbe@airmail.cc].everbe",
".embrace",
"pain"
],
"ransomnotes": [
"!=How_recovery_files=!.txt",
"Hi !\nIf you want restore your files write on email - everbe@airmail.cc\nIn the subject write - id-de9bcb"
]
},
"uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
},
{
"value": "DBGer Ransomware",
"description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/"
],
"extensions": [
"image.png -- > [dbger@protonmail.com]image.png.dbger"
],
"ransomnotes": [
"_How_to_decrypt_files.txt",
"Some files have been encrypted\nPlease send ( 1 ) bitcoins to my wallet address\nIf you paid, send the machine code to my email\nI will give you the key\nIf there is no payment within three days,\nwe will no longer support decryption\nIf you exceed the payment time, your data will be open to the public download\nWe support decrypting the test file.\nSend three small than 3 MB files to the email address\n\nBTC Wallet : [redacted]\nEmail: dbger@protonmail.com\nYour HardwareID:",
"https://www.bleepstatic.com/images/news/u/986406/Ransomware/DBGer/DBGer-ransom-note.png"
]
},
"uuid": "541a479c-73a5-11e8-9d70-47736508231f"
}
],
"source": "Various",
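Review bot: `"value": "Unnamed ramsomware 2"` (the entry after YYTO) misspells ransomware; `value` is the displayed name and the key other tools match on, so fix it before merge. Other items in this hunk: the B2DR `description` reads `uses the .reycarnasi1983@protonmail.com.gw3w amd a ransom note named ScrewYou.txt`, missing the word "extension", with "amd" for "and", and omitting the second listed extension `.ssananunak1987@protonmail.com.b2fr` and the second note `Readme.txt`; the Everbe extension `pain` lacks the leading dot its siblings `.embrace` and `.[everbe@airmail.cc].everbe` have; the DBGer extension `image.png -- > [dbger@protonmail.com]image.png.dbger` is a before/after rename example rather than a suffix, so store `.dbger` and describe the `[dbger@protonmail.com]` filename prefix in `description`; the DBGer `description` keeps the article's relative wording (`spotted this new version earlier today`), which carries no information in a cluster without a date; and the `bleepstatic.com` screenshot in DBGer's `ransomnotes` belongs in `refs`, as do the twimg links in the earlier hunk of this file.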
13 changes: 12 additions & 1 deletion clusters/tool.json
@@ -2,7 +2,7 @@
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"name": "Tool",
"source": "MISP Project",
"version": 76,
"version": 77,
"values": [
{
"meta": {
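Review bot: `version` is bumped from 76 to 77 here for `clusters/tool.json`, but none of the four hunks in `clusters/ransomware.json` (all at line 3673 or later) touches that file's `version` field even though it receives 131 added lines and six new entries; MISP compares the cluster version when deciding whether a galaxy needs updating, so `ransomware.json` needs the same bump or its new indicators will not reach instances that already hold the previous version.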
@@ -4333,6 +4333,17 @@
]
},
"uuid": "8981aaca-72dc-11e8-8649-838c1b2613c5"
},
{
"value": "Olympic Destroyer",
"description": "The Winter Olympics this year is being held in Pyeongchang, South Korea. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. Sunday 11th February the Olympic games officials confirmed a cyber attack occurred but did not comment or speculate further.\nTalos have identified the samples, with moderate confidence, used in this attack. The infection vector is currently unknown as we continue to investigate. The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analysed appear to perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
"https://www.bleepingcomputer.com/news/security/malware-that-hit-pyeongchang-olympics-deployed-in-new-attacks/"
]
},
"uuid": "76d5c7a2-73c3-11e8-bd92-db4d715af093"
}
],
"authors": [
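Review bot: the Olympic Destroyer `description` is a verbatim paragraph from the Talos post in `refs`, written in Talos's voice and tied to the moment of publication (`The Winter Olympics this year`, `Sunday 11th February` with no year, `The infection vector is currently unknown as we continue to investigate`); in a cluster entry these read as the project's own current assessment. Suggest rewriting it as a short third-person summary that states the year (2018, per the Talos URL and this commit date) and keeps the attributable facts already in the text: destructive payload with no data exfiltration, deletion of shadow copies and event logs, use of PsExec and WMI to spread, and the noted similarity to BadRabbit and Nyetya.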