Ransomware Overview: Name, Extensions, Extension Pattern, Ransom Note Filename(s)

.CryptoHasYou.: .enc
777: .777; pattern ._[timestamp]_$[email]$.777 (e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777)
7ev3n: .R4A, .R5A; ransom note FILES_BACK.txt
8lock8: .8lock8
Alpha Ransomware: .encrypt
AutoLocky: .locky
BadBlock
Bandarchor: .id-[ID]_[EMAIL_ADDRESS]
BitCryptor: .clf
BlackShades Crypt: .Silent; ransom notes Hacked_Read_me_to_decrypt_files.html, YourID.txt
Blocatto: .blocatto
Booyah
Brazilian: .lock
BrLock
Browlock
Bucbi
BuyUnlockCode: pattern (.*).encoded.([A-Z0-9]{9}); ransom note BUYUNLOCKCODE.txt
Cerber: .cerber; ransom notes # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt
Chimera: .crypt; ransom note YOUR_FILES_ARE_ENCRYPTED.HTML
CoinVault: .clf
Coverton: .coverton, .enigma
Cryaki: .{CRYPTENDBLACKDC}
Crybola
Crypren: .ENCRYPTED; ransom note READ_THIS_TO_DECRYPT.html
Cryptear
CryptFIle2: .scl; pattern id[_ID]email_xerx@usa.com.scl
CryptInfinite: .crinf
CryptoBit
CryptoDefense: ransom note HOW_DECRYPT.TXT
CryptoHitman: .porno, .pornoransom
CryptoHost
CryptoJoker: .crjoker
CryptoLocker: .encrypted
CryptoMix: .code; patterns .id_(ID_MACHINE)_email_xoomx@dr.com_.code, .id_*_email_zeta@dr.com
CryptoTorLocker2015: .CryptoTorLocker2015!
CryptoWall: (random)
CryptXXX: .crypt
CryptXXX 2.0: .crypt
CryptXXX 3.0: .crypt, .cryp1
CTB-Locker: .ctbl; pattern .([a-z]{6,7})
CTB-Locker WEB
DeCrypt Protect: .html
DMALocker
DMALocker 3.0
EDA2 / HiddenTear: .locked
El-Polocker: .ha3
Enigma: .enigma
Fakben: .locked
Fury
GhostCrypt: .Z81928819
GNL Locker: .locked
Gomasom: .crypt; pattern !___[EMAILADDRESS]_.crypt
Gopher
Harasom: .html
Hi Buddy!: .cry
HydraCrypt: pattern hydracrypt_ID_[\w]{8}
iLock: .crime
iLockLight: .crime
Jeiphoos
Jigsaw: .btc, .kkk
Job Crypter: .locked
KeRanger: .encrypted
KeyBTC: .keybtc@inbox_com
KEYHolder
KimcilWare: .kimcilware, .locked
KryptoLocker
LeChiffre: .LeChiffre
Linux.Encoder
Locker
Locky: .locky; pattern ([A-F0-9]{32}).locky
Lortok
LowLevel04
Mabouia
Magic: .magic
MaktubLocker
MireWare: .fucked
Mischa: pattern .([a-zA-Z0-9]{4})
MM Locker
(Extension cells extracted for the Linux.Encoder to MM Locker block that could not be re-aligned to a row: .crime, oor., [a-z]{4,6})
Mobef: .KEYZ, .KEYH0LES
NanoLocker
Nemucod: .crypted
ODCODC: .odcodc; pattern C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc
Offline ransomware: .cbf; pattern email-[params].cbf
OMG! Ransomware: .LOL!, .OMG!
Operation Global III: .EXE
PClock
Petya
PowerWare
PRISM
Radamant: .RDM, .RRK
Rakhni: .locked, .coderksu@gmail_com_id[0-9]{2,3}, .kraken, .crypt@india.com.[\w]{4,12}
Rannoh: pattern locked-<original name>.[a-zA-Z]{4}
Ransom32
Rector: .vscrypt, .infected
RemindMe: .remind
Rokku: .rokku
Samas-Samsam: .encryptedAES, .encryptedRSA
Sanction: .sanction
Scraper
Shujin
SilentShade: .Silent
SkidLocker / Pompous: .locked
SNSLocker: .RSNSlocked
Sport: .sport
Strictor: .locked
Surprise: .surprise
SynoLocker
TeslaCrypt 0.x - 2.2.0: .vvv, .ecc; ransom note HELP_TO_SAVE_FILES.txt
TeslaCrypt 3.0+: .micro, .xxx
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker: .Encrypted
Troldesh: .better_call_saul, .xtbl
TrueCrypter: .enc
UmbreCrypt: pattern umbrecrypt_ID_[VICTIMID]
VaultCrypt: .vault, .xort
Virus-Encoder: .CrySiS
Xorist: .EnCiPhErEd, .73i87A
XRTN: .xrtn
Zcrypt: .zcrypt
Zlader / Russian: .vault
Zyklon: .zyklon
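The extension patterns above only become useful once they can be run over a file listing. The following is an added example, not part of the original spreadsheet: a handful of the table's patterns are transcribed as regexes, the ransom-note names are matched exactly, and the table's generic patterns (.([a-z]{6,7}) for CTB-Locker, .([a-zA-Z0-9]{4}) for Mischa), which match plenty of legitimate files on their own, are only counted when many files in one directory carry the same appended extension behind a still-visible original extension. The way placeholders such as [timestamp], [email] and [ID] are rendered, the ORIGINAL_EXT list, MIN_CLUSTER and the sample paths are this example's own assumptions.

```python
"""Ransomware file-name indicator matching (added example, not from the sheet)."""
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Patterns specific enough that a single hit is worth an alert. Placeholders from
# the table ([timestamp], [email], [ID]) are rendered as character classes here;
# that rendering is an assumption of this example.
STRONG_PATTERNS: Dict[str, List[str]] = {
    "777":          [r"^\._\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2}_\$[^$]+\$\.777$"],
    "7ev3n":        [r"\.R[45]A$"],
    "Cerber":       [r"\.cerber$"],
    "CryptoMix":    [r"\.id_[^_]+_email_[^_]+_\.code$"],
    "CTB-Locker":   [r"\.ctbl$"],
    "HydraCrypt":   [r"hydracrypt_ID_\w{8}$"],
    "Locky":        [r"^[A-F0-9]{32}\.locky$"],   # AutoLocky also uses .locky
    "Rakhni":       [r"\.coderksu@gmail_com_id\d{2,3}$", r"\.crypt@india\.com\.\w{4,12}$"],
    "Rannoh":       [r"^locked-.+\.[a-zA-Z]{4}$"],
    "Samas-Samsam": [r"\.encrypted(AES|RSA)$"],
    "TeslaCrypt":   [r"\.(vvv|ecc|micro|xxx)$"],
    "Troldesh":     [r"\.(better_call_saul|xtbl)$"],
    "UmbreCrypt":   [r"umbrecrypt_ID_[^.]+$"],
}

# Generic patterns from the table. Alone they would flag ordinary files, so they
# only count when (a) the original extension is still visible before the appended
# one and (b) at least MIN_CLUSTER files in one directory share the appended
# extension. Both rules, and the ORIGINAL_EXT list, are this example's assumptions.
WEAK_PATTERNS: Dict[str, str] = {
    "CTB-Locker": r"\.[a-z]{6,7}$",
    "Mischa":     r"\.[a-zA-Z0-9]{4}$",
}
ORIGINAL_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip)(?=\.[^.]+$)", re.I)
MIN_CLUSTER = 20

# Ransom note names from the table; matched exactly, case-insensitively.
RANSOM_NOTES: Dict[str, List[str]] = {
    "7ev3n":         ["FILES_BACK.txt"],
    "Cerber":        ["# DECRYPT MY FILES #.html", "# DECRYPT MY FILES #.txt"],
    "Chimera":       ["YOUR_FILES_ARE_ENCRYPTED.HTML"],
    "Crypren":       ["READ_THIS_TO_DECRYPT.html"],
    "CryptoDefense": ["HOW_DECRYPT.TXT"],
    "TeslaCrypt":    ["HELP_TO_SAVE_FILES.txt"],
}
_NOTE_INDEX = {n.lower(): fam for fam, notes in RANSOM_NOTES.items() for n in notes}


def classify_name(name: str) -> List[Tuple[str, str]]:
    """Return (family, evidence) pairs for one file name using strong evidence only."""
    hits: List[Tuple[str, str]] = []
    for family, patterns in STRONG_PATTERNS.items():
        for pat in patterns:
            if re.search(pat, name, re.IGNORECASE):
                hits.append((family, pat))
    if name.lower() in _NOTE_INDEX:
        hits.append((_NOTE_INDEX[name.lower()], "ransom note"))
    return hits


def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Map family -> affected paths; weak patterns are added only as qualifying clusters."""
    findings: Dict[str, List[str]] = defaultdict(list)
    clusters: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)
    for path in paths:
        name = os.path.basename(path)
        strong = classify_name(name)
        for family, _ in strong:
            findings[family].append(path)
        if strong or not ORIGINAL_EXT.search(name):
            continue  # already attributed, or no appended extension to reason about
        for family, pat in WEAK_PATTERNS.items():
            m = re.search(pat, name)
            if m:
                clusters[(os.path.dirname(path), m.group(0).lower(), family)].append(path)
    for (_, _, family), members in clusters.items():
        if len(members) >= MIN_CLUSTER:
            findings[family].extend(members)
    return dict(findings)


# Constructed sample listing: one note, one Locky name, one Troldesh name, one
# clean file, and a 25-file cluster with a random 4-character appended extension.
SAMPLE_PATHS = [
    "/home/alice/Documents/FILES_BACK.txt",
    "/home/alice/Documents/A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4.locky",
    "/home/alice/Documents/budget.xlsx.xtbl",
    "/home/alice/Documents/report.docx",
] + [f"/srv/share/scan_{i:03d}.pdf.k7Qz" for i in range(25)]

if __name__ == "__main__":
    for family, hits in scan(SAMPLE_PATHS).items():
        print(f"{family}: {len(hits)} file(s), e.g. {hits[0]}")
```

Run against a real listing (for example the output of find or a DFS-R/FSRM report), the strong hits identify the family and the cluster rule surfaces bulk renames by families whose extension is random; tune MIN_CLUSTER and ORIGINAL_EXT to the share being monitored.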
Comment, Encryption Algorithm, Also known as and Decryptor columns

The per-row alignment of these cells was lost when the sheet was flattened, so their contents are listed by column. Fragments that were only the tail end of a ransom-note name already listed above (e.g. "ver@aol.com$.777", "Y FILES #.html") have been dropped.

Encryption algorithms recorded: AES(256) for most entries; also AES(128), AES, XOR, XOR(255), GOST, RSA, RSA(2048), AES(256) + RSA(2096) [sic], TripleDES, Modified Salsa20, Curve25519 + ChaCha, AES(256) + ECDH + SHA1, 7zip (a0.exe), 7zip.

Comments:
- Based on HiddenTear (several rows); Based on EDA2 (several rows); Open sourced C#; Open-sourced PowerShell
- EXE was replaced to neutralize threat
- no local encryption, no file name change, no (cell cut off)
- Does not delete Shadow Copies
- Locks screen. Ransom note (cell cut off)
- websites only (two rows)
- no extension change (several rows); no extension change, Javascript; no special extension; 4.0+ has no extension
- Based on Hidden Tear, encrypts DE or NL country only
- Based on HiddenTear, but no extension change
- OS X ransomware (PoC) (two rows); OS X Ransomware; Linux Ransomware; Linux.Encoder.{0,3}
- CrypBoss Family
- Ransomware as a Service (RaaS, Sarento)
- Prepends filenames
- Packaged with Petya; "Petya's little brother"
- variant cannot be (cell cut off)
- encrypts disk partitions
- CryptoLocker Copycat
- possibly related with Chimera
- Targeted attacks - Jexboss; samsam.exe; MIKOPONI.exe
- Exploited Synology NAS firmware
- Factorization
- UNLOCK_FILES_INSTRUCTIONS (ransom note name)

Also known as: Sevleg; 7ev3n-HONE$T; AlphaLocker; Rakhni; SilentShade; Salam!; Manamecrypt, Telograph, ROI (cell cut off); no longer relevant; Zeta; CryptProjectXXX (two rows); UltraDeCrypter; Cryptear; Los Pollos Hermanos; Booyah; Yakes; Vipasana, Cryakl; GPCode; Agent.iih; Aura; KinCrypt; BlackShades; AlphaCrypt; Crypt0L0cker; CryptoFortress; Shade; XTBL; CrypVault; Zlader; VaultCrypt family (two rows); VaultCrypt

Decryptor links:
- https://decrypter.emsisoft.com/777
- https://decrypter.emsisoft.com/autolocky
- https://decrypter.emsisoft.com/badblock
- https://decrypter.emsisoft.com/lechiffre
- https://decrypter.emsisoft.com/xorist
- https://decrypter.emsisoft.com/ (several rows)
- https://github.com/hasherezade/malware (truncated in this copy)
- https://github.com/hasherezade/dma_unl (truncated in this copy)
- https://noransom.kaspersky.com/
- https://support.kaspersky.com/viruses/disinfection/8547
- https://support.kaspersky.com/viruses/disinfection/4264
- https://support.kaspersky.com/viruses/disinfection/2911
- https://support.kaspersky.com/us/viruses/disinfection/10556
- https://github.com/pekeinfo/DecryptCrypr (truncated in this copy)
- http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
- http://www.bleepingcomputer.com/forums (truncated in this copy)
- https://download.bleepingcomputer.com/d (truncated in this copy)
- http://www.bleepingcomputer.com/news/s (truncated in this copy)
- https://www.fireeye.com/blog/executive-p (truncated in this copy)
- http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/
- https://blog.fortinet.com/post/kimcilware- (truncated in this copy)
- http://news.drweb.com/show/?i=9877&ln (truncated in this copy)
- https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
- http://github.com/Cyberclues/nanolocker-decryptor
- https://github.com/Antelox/NemucodFR
- http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/
- http://www.thewindowsclub.com/petya-ra (truncated in this copy)
- https://www.youtube.com/watch?v=mSqx (truncated in this copy)
- http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
- http://www.talosintel.com/teslacrypt_tool/
- http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-tesl (truncated in this copy)
- http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
- http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware

Info 1 / Info 2 / Screenshots
Info and screenshot links (row alignment lost in extraction; "#NAME?" spreadsheet errors removed, split URLs rejoined where both halves were present):
- http://www.nyxbone.com/malware/CryptoHasYou.html
- https://www.google.de/search?tbm=isch&q=Ransomware+.CryptoHasYou.
- http://www.nyxbone.com/malware/7ev3n-HONE$T.html
- https://www.google.de/search?tbm=isch&q=Ransomware+7ev3n
- http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/
- http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-o (truncated in this copy)
- http://www.nyxbone.com/malware/BadBlock.html
- http://www.nyxbone.com/images/articulos/malware/badblock/5.png
- https://reaqta.com/2016/03/bandarchor-ransomware-still-active/
- http://nyxbone.com/malware/BlackShades.html
- http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/
- https://www.google.de/search?tbm=isch&q=Ransomware+Booyah
- http://www.nyxbone.com/malware/brazilianRansom.html
- http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png
- https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock
- http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukraini (truncated in this copy)
- https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
- https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingwa (truncated in this copy)
- http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your (truncated in this copy)
- http://www.nyxbone.com/malware/Crypren.html
- http://www.nyxbone.com/images/articulos/malware/crypren/0.png
- http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/
- http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml
- https://www.google.de/search?tbm=isch&q=Ransomware+CryptoDefense
- http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-becomes-cryptohitman-with-porno-extension/
- http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
- https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/
- http://www.nyxbone.com/malware/CryptoMix.html
- http://www.nyxbone.com/images/articulos/malware/cryptomix/r2.png
- http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypt (truncated in this copy)
- https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against (truncated in this copy)
- http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/
- https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
- https://github.com/eyecatchup/Critroni-php
- https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason (truncated in this copy)
- https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
- http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-u (truncated in this copy)
- https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code
- http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/
- http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/
- http://www.nyxbone.com/malware/hibuddy.html
- http://www.malware-traffic-analysis.net/2016/02/03/index2.html
- http://www.nyxbone.com/malware/RaaS.html
- http://encryptor3awk6px.onion/
- https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/
- http://www.nyxbone.com/malware/jobcrypter.html
- http://forum.malekal.com/jobcrypter-geniesanstrava (truncated in this copy)
- http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transm (truncated in this copy)
- http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
- http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-runni (truncated in this copy)
- https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/
- https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
- http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545
- https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/
- http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
- https://www.google.de/search?tbm=isch&q=Ransomware+MM+Locker
- http://nyxbone.com/malware/Mobef.html
- http://nyxbone.com/images/articulos/malware/mobef/0.png
- http://www.nyxbone.com/malware/odcodc.html
- http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png
- http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html
- https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
- http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
- http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension (truncated in this copy)
- http://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/
- https://www.google.de/search?tbm=isch&q=Ransomware+Ransom32
- http://i.imgur.com/gV6i5SN.jpg
- https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
- http://blog.talosintel.com/2016/03/samsam-ransomware.html
- http://www.nyxbone.com/malware/chineseRansom.html
- http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ranso (truncated in this copy)
- http://www.bleepingcomputer.com/forums/t/616160/silentshade-ransomware-silent-help-support-topic-hackedtxt-youridtxt/
- http://www.nyxbone.com/malware/SkidLocker.html
- https://www.google.de/search?tbm=isch&q=Ransomware+SkidLocker+/+Pompous
- http://nyxbone.com/malware/SNSLocker.html
- http://nyxbone.com/images/articulos/malware/snslocker/16.png
- http://www.nyxbone.com/malware/Strictor.html
- https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
- http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modificatio (truncated in this copy)
- http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
- http://www.nyxbone.com/malware/Troldesh.html
- http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoin (truncated in this copy)
- http://www.bleepstatic.com/images/news/ransomware/t/truecrypter/truecrypter.png
- http://www.nyxbone.com/malware/russianRansom.html
- http://www.nyxbone.com/malware/virus-encoder.html
- https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
- https://www.google.de/search?tbm=isch&q=Ransomware+Zlader+/+Russian
Proposed Name sheet (samples not yet identified)

Columns: Proposed Name, Extensions, Extension Pattern / Ransom Note, Comment, Status. Rows that could be re-aligned from the flattened sheet:
- RemindMe: .remind; http://www.bleepingcomputer.com/forums/t/611740/remind-ransomware/
- WonderCrypter: .h3ll; Hunting for sample, potential HiddenTear variant
- ?: .crypttt
- ?: .neitrino
- ?: .xcrypt
- PLAUGE17?: .PLAUGE17; ransom note PLAGUE17.txt
- WHAT IS SQ: sq_ (prepends file); ransom note WHAT IS SQ_.txt; http://www.bleepingcomputer.com/forums/t/583610/how-to-decrypt-ransomware-name-what-is-sq/
- Protected?: .protected
- AxCrypt: .axx; Abuses legit AxCrypt software
- ? (three further rows): .locked, .encrypted, .7h9r; one row is marked PoC

Ransom note and key file names extracted from this sheet that could not be assigned to a row: MESSAGE.TXT, FILES_BACK.TXT, decrypt_your_files.html, SECRETISHIDINGHEREINSIDE.KEY, 4252016XYLITOL.KEY66, PLEASE READ.txt, UNLOCK_FILES_INSTRUCTIONS.txt, HOW_TO_RESTORE_YOUR_DATA.html, (original file).How_To_Decrypt.tx (cut off)

Status entries (unassigned): Submitted to IDR (several rows); Needs identified (several rows); Need analysed (7f76dd15545a6bf1804bed893e5e8214feb2f0368d3, hash cut off); Submitted to IDR, ransom email: (cell cut off); Submitted to IDR, note: http://pastebin.com/Wvw7m (cut off); Submitted to IDR, note: http://pastebin.com/zc4zMNp; Submitted to BC, Mobef?; Hunting for sample (several rows); Submitted to IDR, note: http://pastebin.com/6J4g33F; Submitted to IDR and BC, note: (cell cut off, two rows); Needs analyzed: 5ab8ea80d1c1a9500c60739a29cf9c280ff1040ebd50 (hash cut off); Submitted to IDR, note: http://pastebin.com/PzGKJ6u
Microsoft Info, Sandbox, IOCs and Snort columns

The sheet repeats the Name column as the key for these columns; the names are the same as in the overview above and are not repeated here. Row alignment was lost in extraction, so the cell contents are listed by column; "#NAME?" spreadsheet errors are removed and split URLs are rejoined where both halves were present.

Microsoft Info (Malware Protection Center encyclopedia entries, each at https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=<name>):
- Win32/Cribit
- Ransom:JS/Brolo
- Ransom:Win32/Cendode.A
- Win32/Cerber
- Win32/Chicrypt
- Ransom:MSIL/Vaultlock.A
- Ransom:Win32/Crowti (several rows)
- Win32/Fortrypt (several rows)
- Ransom:Win32/Crilock.A
- Ransom:MSIL/Nojocrypt.A
- Win32/DMALocker, Win32/DMALocker.A
- MSIL/Ryzerlo
- Ransom:PowerShell/Polock.A
- Trojan:Win32/Harasom.A
- Ransom:Win32/Tobfy.X
- Ransom:MSIL/JigsawLocker.A
- Ransom:Win32/Locky; TrojanDownloader:JS/Locky
- Win32/Takabum
- JS/Nemucod
- Win32/Tescrypt
- Ransom:Win32/Teerac
- Win32/Troldesh
- Ransom:BAT/Xibow (two rows)
- Win32/ZCryptor.A (https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/)
- Ransom:MacOS_X/KeRanger.A
- Ransom:Win32/Isda

Sandbox (Hybrid Analysis reports; most hashes are cut off in this copy):
- https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c05 (truncated)
- https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58 (truncated)
- https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3 (truncated)
- https://www.hybrid-analysis.com/sample/d572a7d7254846adb73aebc3f7891398e513bdac9aac06231991e07e7b55fac8?environmentId=4
- https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921 (truncated)
- https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e (truncated)
- https://www.hybrid-analysis.com/sample/3ab7a35b31578b439be5d9498489b5e9d2a016db0a348a14 (truncated)
- https://www.hybrid-analysis.com/sample/e12405096f83b30b712d200b2fc42ce595e1d1254a631d989 (truncated)
- https://www.hybrid-analysis.com/sample/0348cdd333879d139306c3ff510b902013739c6bb244e20bc (truncated)
- https://www.hybrid-analysis.com/sample/cddf81997b81869ad471df6b83c2dfe63a2551f4da9bdd57bc (truncated)
- https://www.hybrid-analysis.com/sample/053369b3b63fe08c74d0269e9c29efde3500860f0394cbf684 (truncated)
- https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2 (truncated)
- https://www.hybrid-analysis.com/sample/1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de (truncated)
- https://www.hybrid-analysis.com/sample/3ae96f73d805e1d3995253db4d910300d8442ea603737a14 (truncated)
- https://www.hybrid-analysis.com/sample/b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056 (truncated)
- https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c46 (truncated)

IOCs (AlienVault OTX and pastebin):
- https://otx.alienvault.com/pulse/57180b18c1492d015c14bed8/
- https://otx.alienvault.com/pulse/573b02701116a040ceccdd85/
- https://otx.alienvault.com/pulse/57180dbf0ebaa4015af21166/
- https://otx.alienvault.com/browse?q=Alpha+Ransomware
- https://otx.alienvault.com/pulse/57166d65c1492d015c14bcc4/
- https://otx.alienvault.com/pulse/56eac97aaef9214b1550b37e/
- https://otx.alienvault.com/pulse/5721628cce2199015fb2b101/
- https://otx.alienvault.com/browse?q=Browlock
- https://otx.alienvault.com/pulse/572df3997740f10160c78d5c/
- https://otx.alienvault.com/pulse/55fabc314637f26df7745efc/
- https://otx.alienvault.com/browse?q=Cerber
- https://otx.alienvault.com/browse?q=Sport
- http://pastebin.com/0604rgUn
- http://pastebin.com/F6Pyqiqg

Snort:
- https://www.snort.org/search?query=cryptolocker&submit_search=
- https://www.snort.org/search?query=ctb-locker
- https://www.snort.org/rule_docs/1-37844
- https://www.snort.org/search?query=Petya&submit_search=
- http://seclists.org/snort/2013/q3/900
- https://www.snort.org/search?query=samsam&submit_search=
- https://www.snort.org/search?query=teslacrypt&submit_search= (all four TeslaCrypt rows)
- https://www.snort.org/search?query=torrentlocker&submit_search=
Anti-Ransomware Measures

Columns: No, Measure, Type, Complexity*, Effectiveness*, Impact*, Description, Possible Issues, Links. Descriptions that the source cuts off mid-sentence are left as they stand.

1. Backup and Recovery (Process). Complexity: Medium. Effectiveness: High.
   Make sure to have adequate backup processes in place and frequently test a restore of these backups.
   Link: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7

2. Block Macros (GPO). Complexity: Low. Effectiveness: High.
   Disable macros in Office files downloaded from the Internet. This can be configured to work in two
   Links: https://www.404techsupport.com/2016/04/office2016-ma (truncated in this copy); https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

3. Disable WSH (GPO). Complexity: Low. Effectiveness: Medium.
   Disable Windows Script Host.
   Link: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

4. Filter Attachments Level 1 (Mail Gateway). Complexity: Low. Effectiveness: Medium.
   Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, (list cut off in this copy)

5. Filter Attachments Level 2 (Mail Gateway). Complexity: Low. Effectiveness: High.
   (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, (list cut off in this copy)

6. Restrict program execution (GPO). Complexity: Medium. Effectiveness: Medium.
   Block all program executions from the %LocalAppData% and %AppData% folder.
   Link: community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

7. Show File Extensions (User Assistance). Complexity: Low. Effectiveness: Low.
   Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps
   Link: als/10570-file-extensions-hide-show.html (only the tail of the URL survives in this copy)

8. Enforce UAC Prompt (GPO). Complexity: Low. Effectiveness: Medium.
   Enforce administrative users to confirm an action that requires elevated rights.
   Link: /library/dd835564(WS.10).aspx (only the tail of the URL survives in this copy)

9. Remove Admin Privileges (Best Practice). Complexity: Medium. Effectiveness: Medium.
   Remove and restrict administrative rights whenever possible. The malware can only modify files that users have

10. Restrict Workstation Communication (Best Practice). Complexity: Medium. Effectiveness: Low.
    Activate the Windows Firewall to restrict workstation to workstation communication.

11. Sandboxing Email Input (Advanced Malware). Complexity: Medium. Effectiveness: High.
    Use a sandbox that opens email attachments and removes attachments based on behavior analysis.

12. Execution Prevention (3rd Party Tools). Complexity: Medium. Effectiveness: Medium.
    Software that allows to control the execution of processes, sometimes integrated in antivirus software.

13. Change Default "Open With" to Notepad (GPO). Complexity: Low. Effectiveness: Medium.
    Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or
    Link: https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

14. File Screening (Monitoring). Complexity: Low. Effectiveness: Medium.
    Server-side file screening with the help of File Server Resource Manager.
    Link: http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

Impact column: the twelve values present in this copy, in sheet order, are Low, Low, Medium, Low, High, Medium, Low, Low, Medium, Low, Medium, Low; their assignment to rows (and the two missing cells) could not be recovered. The Possible Issues column is empty in this copy.

Footnotes:
* Complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly).
* Effectiveness: do not overrate a 'high' in this column as it is a relative effectiveness in comparison to other measures.
* Impact: effects on business processes, administration or user experience.
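Measures 4, 5 and 7 are easy to state and easy to get wrong at the gateway: a block list keyed on "the extension" has to decide which extension counts when a sender uses invoice.pdf.bat, a trailing dot or space that Windows silently strips, or a right-to-left override character that makes the displayed name lie about the real suffix. The following added example, not part of the original spreadsheet, encodes the Level 1 and Level 2 lists exactly as far as this page shows them (the sheet's lists are cut off after .cpl and .docm, so production lists are longer) and applies those three checks. The DECOY set, the normalisation rules and the sample names are this example's own assumptions.

```python
"""Mail-gateway attachment filtering for Level 1 / Level 2 (added example, not from the sheet)."""
import re
from typing import List, Tuple

# Level 1 block list as shown on the page (the page's list is cut off after .cpl).
LEVEL1 = {".ade", ".adp", ".ani", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl"}
# Level 2: Level 1 plus the document formats the page lists (cut off after .docm).
LEVEL2 = LEVEL1 | {".doc", ".xls", ".rtf", ".docm"}

# Harmless-looking extensions placed in front of the real one ("invoice.pdf.bat").
# Assumed list for this example; it only affects the reason text, not the verdict.
DECOY = {".pdf", ".txt", ".jpg", ".png", ".doc", ".xls"}

# Unicode RIGHT-TO-LEFT OVERRIDE: "evil\u202efdp.exe" is rendered as "evilexe.pdf".
RLO = "\u202e"


def normalise(filename: str) -> str:
    """Lower-case and drop trailing dots/spaces, which Windows strips when saving."""
    return re.sub(r"[\s.]+$", "", filename.strip()).lower()


def suffixes(filename: str) -> List[str]:
    """Extensions from the right: 'invoice.pdf.bat' -> ['.bat', '.pdf']."""
    parts = normalise(filename).split(".")
    return ["." + p for p in reversed(parts[1:])]


def verdict(filename: str, level: int = 1) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment name at the given level."""
    if RLO in filename:
        return ("block", "right-to-left override in file name")
    blocked = LEVEL2 if level == 2 else LEVEL1
    exts = suffixes(filename)
    if not exts:
        return ("allow", "no extension")
    real = exts[0]  # Windows dispatches on the last extension only
    if real in blocked:
        reason = f"blocked extension {real}"
        if len(exts) > 1 and exts[1] in DECOY:
            reason += f" hidden behind decoy {exts[1]}"
        return ("block", reason)
    return ("allow", f"extension {real} permitted at level {level}")


def filter_batch(names: List[str], level: int = 1) -> List[Tuple[str, str, str]]:
    """Apply verdict() to a batch; returns (name, decision, reason) triples."""
    return [(n,) + verdict(n, level) for n in names]


# Constructed sample attachment names for the example.
SAMPLE = ["invoice.pdf.bat", "report.doc", "README", "setup.CMD ", "evil\u202efdp.exe", "photo.jpg"]

if __name__ == "__main__":
    for level in (1, 2):
        for name, decision, reason in filter_batch(SAMPLE, level):
            print(f"Level {level}: {decision:5} {name!r}: {reason}")
```

Note that the override check blocks on the character itself rather than on the extension, which is why it catches an .exe even though .exe is not in the truncated list this example was built from; a deployed filter would carry the complete Level 1 list from the sheet.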
Infographics
Hint: if you can't see the graphics in the HTML version try to download this document as XLS (see the "Download" section).
Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain

Download Links
XLSX Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=xlsx
ODS Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=ods
Composition
Contributors
Support
License
Sources:
- https://id-ransomware.malwarehunterteam.com/
- https://bartblaze.blogspot.com
- http://www.malekal.com/
- http://www.bleepingcomputer.com/
- https://blog.malwarebytes.org/
- http://www.nyxbone.com/
- http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
- http://www.thewindowsclub.com/list-ransomware-decryptor-tools
- https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
- 0159508480/photo/1 (only the tail of this URL survives in this copy)