
Name | Extensions | Extension Pattern | Ransom Note Filename(s)
.CryptoHasYou. | .enc | |
777 | .777 | ._[timestamp]_$[email]$.777 (e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777) |
7ev3n | .R4A, .R5A | | FILES_BACK.txt
8lock8 | .8lock8 | |
Alpha Ransomware | .encrypt | |
AutoLocky | .locky | |
BadBlock | | |
Bandarchor | | .id-[ID]_[EMAIL_ADDRESS] |
BitCryptor | .clf | |
BlackShades Crypt | .Silent | | Hacked_Read_me_to_decrypt_files.html, YourID.txt
Blocatto | .blocatto | |
Booyah | | |
Brazilian | .lock | |
BrLock | | |
Browlock | | |
Bucbi | | |
BuyUnlockCode | | (.*).encoded.([A-Z0-9]{9}) | BUYUNLOCKCODE.txt
Cerber | .cerber | | # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt
Chimera | .crypt | | YOUR_FILES_ARE_ENCRYPTED.HTML
CoinVault | .clf | |
Coverton | .coverton, .enigma | |
Cryaki | .{CRYPTENDBLACKDC} | |
Crybola | | |
Crypren | .ENCRYPTED | | READ_THIS_TO_DECRYPT.html
Cryptear | | |
CryptFIle2 | .scl | id[_ID]email_xerx@usa.com.scl |
CryptInfinite | .crinf | |
CryptoBit | | |
CryptoDefense | | | HOW_DECRYPT.TXT
CryptoHitman | .porno, .pornoransom | |
CryptoHost | | |
CryptoJoker | .crjoker | |
CryptoLocker | .encrypted | |
CryptoMix | .code | .id_(ID_MACHINE)_email_xoomx@dr.com_.code, .id_*_email_zeta@dr.com |
CryptoTorLocker2015 | .CryptoTorLocker2015! | |
CryptoWall | (random) | |
CryptXXX | .crypt | |
CryptXXX 2.0 | .crypt | |
CryptXXX 3.0 | .crypt, .cryp1 | |
CTB-Locker | .ctbl | .([a-z]{6,7}) |

CTB-Locker WEB
DeCrypt Protect .html
DMALocker
DMALocker 3.0
EDA2 / HiddenTear
.locked
El-Polocker
.ha3
Enigma
.enigma
Fakben
.locked
Fury
GhostCrypt
.Z81928819
GNL Locker
.locked
Gomasom
.crypt
!___[EMAILADDRESS]_.crypt
Gopher
Harasom
.html
Hi Buddy!
.cry
HydraCrypt
hydracrypt_ID_[\w]{8}
iLock
.crime
iLockLight
.crime
Jeiphoos
Jigsaw
.btc
.kkk
Job Crypter
.locked
KeRanger
.encrypted
KeyBTC
.keybtc@inbox_com
KEYHolder
KimcilWare
.kimcilware
.locked
KryptoLocker
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
Mabouia

.LeChiffre

Magic
MaktubLocker
MireWare
Mischa
MM Locker

.magic

.locky
.crime
oor.

([A-F0-9]{32}).locky

[a-z]{4,6}
.fucked
.([a-zA-Z0-9]{4})

Mobef
.KEYZ
.KEYH0LES
NanoLocker
Nemucod
.crypted
ODCODC
.odcodc
C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc
Offline ransomware
.cbf
email-[params].cbf
OMG! Ransomware
.LOL!
.OMG!
Operation Global III
.EXE
PClock
Petya
PowerWare
PRISM
Radamant
.RDM
.RRK
Rakhni
.locked
.coderksu@gmail_com_id[0-9]{2,3}
.kraken
.crypt@india.com.[\w]{4,12}
Rannoh
locked-<original name>.[a-zA-Z]{4}
Ransom32
Rector
.vscrypt
.infected
RemindMe
.remind
Rokku
.rokku
Samas-Samsam
.encryptedAES
.encryptedRSA
Sanction
.sanction
Scraper
Shujin
SilentShade
.Silent
SkidLocker / Pompous
.locked
SNSLocker
.RSNSlocked
Sport
.sport
Strictor
.locked
Surprise
.surprise
SynoLocker
TeslaCrypt 0.x - 2.2.0
.vvv
HELP_TO_SAVE_FILES.txt
.ecc
TeslaCrypt 3.0+
.micro
.xxx
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
.Encrypted
Troldesh
.better_call_saul
.xtbl
TrueCrypter
.enc
UmbreCrypt
umbrecrypt_ID_[VICTIMID]
VaultCrypt
.vault
.xort
Virus-Encoder
.CrySiS
Xorist
.EnCiPhErEd
.73i87A
XRTN
.xrtn

Zcrypt
Zlader / Russian
Zyklon

.zcrypt
.vault
.zyklon

Comment

Encryption
Algorithm
AES(256)
XOR

Based on
HiddenTear

Also known as

Decryptor

Sevleg
7ev3n-HONE$T

https://decrypter.emsisoft.com/777
https://github.com/hasherezade/malware
http://www.bleepingcomputer.com/forums
http://download.bleepingcomputer.com/d
https://decrypter.emsisoft.com/autolocky
https://decrypter.emsisoft.com/badblock

AES (256)
AES(256)

AlphaLocker

AES(256)

Rakhni
https://noransom.kaspersky.com/

AES (256)
Based on
AES (256)
HiddenTear
EXE was replaced to neutralize threat
AES(256)
Based on EDA2
AES
no local
encryption,
GOST
no file name
change,
no
Does not delete
Shadow Copies
AES

SilentShade

http://www.bleepingcomputer.com/forums
Salam!

https://noransom.kaspersky.com/
AES(256)

AES(256)
RSA

Hidden Tear

https://support.kaspersky.com/viruses/dis
https://support.kaspersky.com/viruses/dis
https://github.com/pekeinfo/DecryptCrypr
http://www.utkusen.com/blog/dealing-with
https://decrypter.emsisoft.com/

OKSOWATHAPPENDTOYOURFILES.TXT,
AES and RSA
no extension
change
Jigsaw variant
AES (256)
RAR's victim's files
AES(256) (RAR implementation)

Manamecrypt,
Telograph, ROI

no longer relevant

https://decrypter.emsisoft.com/
https://download.bleepingcomputer.com/d
http://www.bleepingcomputer.com/news/s

https://www.fireeye.com/blog/executive-p
Zeta

http://www.bleepingcomputer.com/forums
CryptProjectXXX
CryptProjectXXX
UltraDeCrypter

Locks screen.
Ransom note
RSA(2048)

https://support.kaspersky.com/viruses/dis

websites only
no extension
change
no extension
change
Open sourced C#

AES(256)
AES(256)
AES(256)
AES(256)
AES (128)

http://www.malwareremovalguides.info/d
https://decrypter.emsisoft.com/
https://github.com/hasherezade/dma_unl
Cryptear
Los Pollos
Hermanos

Based on Hidden Tear
Based on Hidden Tear, only encrypts DE or NL country

AES (256)
AES (256)

https://support.kaspersky.com/viruses/dis
https://download.bleepingcomputer.com/d
UNLOCK_FILES_INSTRUCTIONS
https://decrypter.emsisoft.com/

OS X ransomware
(PoC)
Based on
HiddenTear
CrypBoss Family

https://decrypter.emsisoft.com/
AES(256)
https://decrypter.emsisoft.com/

Ransomware as a Service

RaaS, Sarento

AES(256)
Based on
TripleDES
HiddenTear,
but
OS X Ransomware AES

http://www.bleepingcomputer.com/news/s

websites only
Based on
HiddenTear

https://blog.fortinet.com/post/kimcilware-

http://news.drweb.com/show/?i=9877&ln
https://decrypter.emsisoft.com/

AES
AES(256)

Linux Ransomware
no extension
change
AES(128)

Linux.Encoder.{0,3}

Prepends filenames
OS X ransomware
(PoC)

Based on EDA2
Based on
HiddenTear
Packaged with
Petya
Based on EDA2

AES(256)
AES(256)
AES(256)
AES(256)

"Petya's little
brother"
Booyah

https://decrypter.emsisoft.com/lechiffre
https://labs.bitdefender.com/2015/11/linu
http://www.bleepingcomputer.com/forums

Yakes

no extension
change
7zip (a0.exe)
variant cannot be

http://github.com/Cyberclues/nanolocker-decryptor
https://decrypter.emsisoft.com/
https://github.com/Antelox/NemucodFR

XOR(255)
7zip
XOR
Vipasana, Cryakl
GPCode

CryptoLocker
Copycat
encrypts disk
partitions
Open-sourced
PowerShell

http://news.thewindowsclub.com/operatio
https://decrypter.emsisoft.com/
http://www.thewindowsclub.com/petya-ra
https://www.youtube.com/watch?v=mSqx

XOR
Modified Salsa20

AES(256)
Agent.iih
Aura
no extension
change, Javascript
possibly related
with
Chimera
Targeted
attacks
-Jexboss
Based on HiddenTear, but
no extension change
Based on EDA2
Based on EDA2
Based on EDA2
Based on EDA2
Exploited Synology NAS firmware
Factorization
4.0+ has no extension
no special extension

https://decrypter.emsisoft.com/
https://support.kaspersky.com/us/viruses/
https://support.kaspersky.com/viruses/dis

https://support.kaspersky.com/viruses/dis
Curve25519 + ChaCha
AES(256) +
samsam.exe
RSA(2096)
MIKOPONI.exe
AES(256) +
RSA(2096)
AES(256)
AES(256)
AES(256)

http://securelist.com/blog/research/69481

KinCrypt
BlackShades

http://www.bleepingcomputer.com/news/s

AES(256)
AES(256)
AlphaCrypt
AES(256) + ECHD
+
SHA1 + ECHD
AES(256)
+ SHA1

Newer variants not decryptable
AES(256)
AES(256)
CrypBoss Family
AES
uses gpg.exe
AES(256)

Crypt0L0cker
CryptoFortress
Shade
XTBL

http://www.bleepingcomputer.com/forums
http://www.talosintel.com/teslacrypt_tool/
http://www.bleepingcomputer.com/forums
http://www.welivesecurity.com/2016/05/1
http://www.bleepingcomputer.com/forums
http://www.welivesecurity.com/2016/05/1
http://www.bleepingcomputer.com/forums
http://www.welivesecurity.com/2016/05/1
http://www.bleepingcomputer.com/forums

http://www.thewindowsclub.com/emsisoft
CrypVault
Zlader

https://support.kaspersky.com/viruses/dis
VaultCrypt family

VaultCrypt family

RSA

VaultCrypt
CrypVault

Info 1
Info 2
Screenshots
http://www.nyxbone.com/malware/CryptoHasYou.html
https://www.google.de/search?tbm=isch&q=Ransomware+.CryptoHasYou.
https://decrypter.emsisoft.com/777
http://www.nyxbone.com/malware/7ev3n-HONE$T.html
https://www.google.de/search?tbm=isch&q=Ransomware+7ev3n
http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/
http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-o
https://decrypter.emsisoft.com/autolocky
http://www.nyxbone.com/malware/BadBlock.html
http://www.nyxbone.com/images/articulos/malware/badblock/5.png
https://reaqta.com/2016/03/bandarchor-ransomware-still-active/
https://noransom.kaspersky.com/
http://nyxbone.com/malware/BlackShades.html
http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/
https://www.google.de/search?tbm=isch&q=Ransomware+Booyah
http://www.nyxbone.com/malware/brazilianRansom.html
http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock
http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukraini
https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingwa
https://noransom.kaspersky.com/
http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your
https://support.kaspersky.com/viruses/disinfection/8547
https://support.kaspersky.com/viruses/disinfection/8547
http://www.nyxbone.com/malware/Crypren.html
http://www.nyxbone.com/images/articulos/malware/crypren/0.png
http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock
https://decrypter.emsisoft.com/
http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/
http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml
https://decrypter.emsisoft.com/
https://www.google.de/search?tbm=isch&q=Ransomware+CryptoDefense
http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-becomes-cryptohitman-with-porno-extension/
http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/
http://www.nyxbone.com/malware/CryptoMix.html
http://www.nyxbone.com/images/articulos/malware/cryptomix/r2.png
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypt
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against
http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/

https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
https://github.com/eyecatchup/Critroni-php
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-u
https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code
https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/
http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/
https://decrypter.emsisoft.com/
https://decrypter.emsisoft.com/
http://www.nyxbone.com/malware/hibuddy.html
http://www.malware-traffic-analysis.net/2016/02/03/index2.html
http://www.nyxbone.com/malware/RaaS.html
http://encryptor3awk6px.onion/
https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/
http://www.nyxbone.com/malware/jobcrypter.html
http://forum.malekal.com/jobcrypter-geniesanstrava
http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transm
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-runni
https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545

https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/
http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock
https://www.google.de/search?tbm=isch&q=Ransomware+MM+Locker

http://nyxbone.com/malware/Mobef.html
http://nyxbone.com/images/articulos/malware/mobef/0.png
http://github.com/Cyberclues/nanolocker-decryptor
https://decrypter.emsisoft.com/
https://github.com/Antelox/NemucodFR
http://www.nyxbone.com/malware/odcodc.html
http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png
http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html
http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/
https://decrypter.emsisoft.com/
https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension
http://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/
https://support.kaspersky.com/us/viruses/disinfection/10556
https://support.kaspersky.com/viruses/disinfection/8547
https://www.google.de/search?tbm=isch&q=Ransomware+Ransom32
https://support.kaspersky.com/viruses/disinfection/4264
http://i.imgur.com/gV6i5SN.jpg
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
http://blog.talosintel.com/2016/03/samsam-ransomware.html
http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
http://www.nyxbone.com/malware/chineseRansom.html
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ranso
http://www.bleepingcomputer.com/forums/t/616160/silentshade-ransomware-silent-help-support-topic-hackedtxt-youridtxt/
http://www.nyxbone.com/malware/SkidLocker.html
https://www.google.de/search?tbm=isch&q=Ransomware+SkidLocker+/+Pompous
http://nyxbone.com/malware/SNSLocker.html
http://nyxbone.com/images/articulos/malware/snslocker/16.png
http://www.nyxbone.com/malware/Strictor.html
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-tesl
http://www.talosintel.com/teslacrypt_tool/
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-tesl
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modificatio
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
http://www.nyxbone.com/malware/Troldesh.html
http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoin
http://www.bleepstatic.com/images/news/ransomware/t/truecrypter/truecrypter.png
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware
http://www.nyxbone.com/malware/russianRansom.html
http://www.nyxbone.com/malware/virus-encoder.html
https://support.kaspersky.com/viruses/disinfection/2911
https://decrypter.emsisoft.com/xorist

https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
http://www.nyxbone.com/malware/russianRansom.html
https://www.google.de/search?tbm=isch&q=Ransomware+Zlader+/+Russian

Proposed Name
RemindMe
WonderCrypter
?
?
?
?
PLAUGE17?
?
WHAT IS SQ
?
?
Protected?
?
AxCrypt
?

Extensions
.remind
.h3ll
.crypttt
.neitrino
.xcrypt

Extension Pattern

MESSAGE.TXT
FILES_BACK.TXT
PLAGUE17.txt

.PLAUGE17
sq_ (prepends file)
.locked
.protected
.encrypted
.axx
.7h9r

PoC
decrypt_your_files.html
SECRETISHIDINGHEREINSIDE.KEY,

4252016XYLITOL.KEY66
WHAT IS SQ_.txt
PLEASE READ.txt
UNLOCK_FILES_INSTRUCTIONS.txt
HOW_TO_RESTORE_YOUR_DATA.html
(original file).How_To_Decrypt.tx

Comment
Status
http://www.bleepingcomputer.com/forums/t/611740/remind-ransomware/
Hunting for sample, potential HiddenTear variant
Submitted to IDR
Need analysed
(7f76dd15545a6bf1804bed893e5e8214feb2f0368d3
Submitted to IDR
Needs identified
Needs identified
Submitted to IDR, ransom
email:
Submitted to IDR
Needs identified
Submitted to IDR, note:
Needs identified
http://pastebin.com/Wvw7m
Needs identified
Submitted to IDR, note:
http://pastebin.com/zc4zMNp
Submitted to BC, Mobef?
Needs identified
http://www.bleepingcomputer.com/forums/t/583610/how-to-decrypt-ransomware-name-what-is-sq/
Hunting for sample
Hunting for sample
Submitted to IDR, note:
http://pastebin.com/6J4g33F
Submitted to IDR and BC,
Hunting for sample
note:
Submitted to IDR and BC,
Hunting for sample
note:
Needs analyzed:
5ab8ea80d1c1a9500c60739a29cf9c280ff1040ebd50
Abuses legit AxCrypt
Hunting for sample
software
Submitted to IDR, note:
Hunting for sample
http://pastebin.com/PzGKJ6u

Name
.CryptoHasYou.
777
7ev3n
8lock8
Alpha Ransomware
AutoLocky
BadBlock
Bandarchor
BitCryptor
Blocatto
Booyah
Brazilian
BrLock
Browlock
Bucbi
BuyUnlockCode
Cerber
Chimera
CoinVault
Coverton
Cryaki
Crybola
Crypren
Cryptear
CryptFIle2
CryptoBit
CryptoHitman
CryptoHost
CryptoJoker
CryptoMix
CryptoTorLocker2015
CryptoWall
CryptXXX
CryptXXX 2.0
CTB-Locker
CTB-Locker WEB
DeCrypt Protect
DMALocker
DMALocker 3.0
EDA2 / HiddenTear

Microsoft Detection Name


Trojan:Win32/Dynamer!ac
Ransom:Win32/Empercrypt.A

Microsoft Info
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Win32/Cribit

https://www.microsoft.com/security/portal/thre

Ransom:JS/Brolo

www.microsoft.com/security/portal/threat/ency

Ransom: Win32/Cendode.A
Win32/Cerber
Win32/Chicrypt
Ransom: MSIL/Vaultlock.A

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Ransom: Win32/Crowti

https://www.microsoft.com/security/portal/thre

Ransom: Win32/Crowti
Win32/Fortrypt

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Ransom: Win32/Crilock.A

https://www.microsoft.com/security/portal/thre

Ransom: Win32/Crowti
Win32/Fortrypt

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Ransom: MSIL/Nojocrypt.A

https://www.microsoft.com/security/portal/thre

Ransom:
Ransom:
Ransom:
Ransom:

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Win32/DMALocker
Win32/DMALocker.A
MSIL/Ryzerlo
PowerShell/Polock.A

El-Polocker
Enigma
Fury
GhostCrypt
GNL Locker
Gomasom
Gopher
Harasom
Hi Buddy!
HydraCrypt
iLock
iLockLight
Jeiphoos
Jigsaw
Job Crypter
KeRanger
KeyBTC
KEYHolder
KimcilWare
KryptoLocker
LeChiffre
Linux.Encoder
Locker
LowLevel04
Mabouia
Magic
MaktubLocker
MireWare
Mischa
MM Locker
Nemucod
Offline ransomware
OMG! Ransomware
Operation Global III
PClock
Petya
PowerWare
PRISM
Radamant
RemindMe
Rakhni

Trojan: Win32/Harasom.A

https://www.microsoft.com/security/portal/thre

Ransom: Win32/Tobfy.X

https://www.microsoft.com/security/portal/thre

Ransom:MSIL/JigsawLocker.A

https://www.microsoft.com/security/portal/thre

Ransom: MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/thre


Ransom: Win32/Isda
https://www.microsoft.com/security/portal/thre
Ransom: BAT/Xibow
https://www.microsoft.com/security/portal/thre

Ransom: Win32/Locky
TrojanDownloader: JS/Locky

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Win32/Takabum

https://www.microsoft.com/security/portal/thre

JS/Nemucod

https://www.microsoft.com/security/portal/thre

Rannoh
Ransom32
Rector
RemindMe
Samas-Samsam
Sanction
SkidLocker / Pompous
SNSLocker
Sport
Strictor
Surprise
SynoLocker
TeslaCrypt 0.x - 2.2.0
TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
Troldesh
TrueCrypter
UmbreCrypt
VaultCrypt
Virus-Encoder
Xorist
XRTN

Win32/Tescrypt
Ransom: Win32/Teerac
Win32/Fortrypt

https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre
https://www.microsoft.com/security/portal/thre

Win32/Troldesh

https://www.microsoft.com/security/portal/thre

Ransom: BAT/Xibow

https://www.microsoft.com/security/portal/thre

Win32/ZCryptor.A

https://blogs.technet.microsoft.com/mmpc/201

Sandbox
IOCs
Snort
https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c05
https://otx.alienvault.com/pulse/57180b18c1492d015c14bed8/
https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58
https://otx.alienvault.com/pulse/573b02701116a040ceccdd85/
https://otx.alienvault.com/pulse/57180dbf0ebaa4015af21166/
https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3
https://www.hybrid-analysis.com/sample/d572a7d7254846adb73aebc3f7891398e513bdac9aac06231991e07e7b55fac8?environmentId=4
https://otx.alienvault.com/browse?q=Alpha+Ransomware
https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921
https://otx.alienvault.com/pulse/57166d65c1492d015c14bcc4/
https://otx.alienvault.com/pulse/56eac97aaef9214b1550b37e/

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolo
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.A
https://otx.alienvault.com/pulse/5721628cce2199015fb2b101/
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e
https://otx.alienvault.com/browse?q=Browlock
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e
https://otx.alienvault.com/pulse/572df3997740f10160c78d5c/
https://www.hybrid-analysis.com/sample/3ab7a35b31578b439be5d9498489b5e9d2a016db0a348a14
https://otx.alienvault.com/pulse/55fabc314637f26df7745efc/
https://otx.alienvault.com/browse?q=Cerber

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowti
https://www.hybrid-analysis.com/sample/e12405096f83b30b712d200b2fc42ce595e1d1254a631d989
https://www.hybrid-analysis.com/sample/0348cdd333879d139306c3ff510b902013739c6bb244e20bc
https://www.snort.org/search?query=cryptolocker&submit_search=
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowti
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fortrypt
https://www.hybrid-analysis.com/sample/cddf81997b81869ad471df6b83c2dfe63a2551f4da9bdd57bc
https://www.snort.org/search?query=ctb-locker
https://www.hybrid-analysis.com/sample/053369b3b63fe08c74d0269e9c29efde3500860f0394cbf684
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.A
https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.A
https://www.hybrid-analysis.com/sample/1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de
https://www.hybrid-analysis.com/sample/3ae96f73d805e1d3995253db4d910300d8442ea603737a14
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Isda
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky
https://www.snort.org/rule_docs/1-37844
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Locky
https://www.hybrid-analysis.com/sample/b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056
http://pastebin.com/0604rgUn
http://pastebin.com/F6Pyqiqg
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.snort.org/search?query=Petya&submit_search=
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
http://seclists.org/snort/2013/q3/900

https://www.snort.org/search?query=samsam&submit_search=
https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c46
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32%2fTeerac
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fortrypt

https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh
https://otx.alienvault.com/browse?q=Sport

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=torrentlocker&submit_search=

Countermeasures (No | Measure | Type | Description | Complexity* | Effectiveness* | Possible Issues | Links)

No. 1: Backup and Recovery
Type: Restore Process
Description: Make sure to have adequate backup processes in place and frequently test a restore of these backups
Complexity*: Medium / Effectiveness*: High
Link 1: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7

No. 2: Block Macros
Type: GPO
Description: Disable macros in Office files downloaded from the Internet. This can be configured to work in two
Complexity*: Low / Effectiveness*: High
Possible Issues: Office Communication with old versions of Microsoft Office
Link 1: https://www.404techsupport.com/2016/04/office2016-ma
Link 2: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

No. 3: Disable WSH
Type: GPO
Description: Disable Windows Script Host
Complexity*: Low / Effectiveness*: Medium
Possible Issues: Administrative VBS scripts on Workstations
Link 1: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

No. 4: Filter Attachments Level 1
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl,
Complexity*: Low / Effectiveness*: Medium
Possible Issues: Some extensions will have legitimate uses, e.g., .vbs for

No. 5: Filter Attachments Level 2
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm,
Complexity*: Low / Effectiveness*: High

No. 6: Restrict program execution
Type: GPO
Description: Block all program executions from the %LocalAppData% and %AppData% folder
Complexity*: Medium / Effectiveness*: Medium
Possible Issues: Web embedded software installers
Link 1: http://www.fatdex.net/php/2014/06/01/disable-exes-from
Link 2: https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

No. 7: Show File Extensions
Type: User Assistance
Description: Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps
Complexity*: Low / Effectiveness*: Low
Link 1: http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.html

No. 8: Enforce UAC Prompt
Type: GPO
Description: Enforce administrative users to confirm an action that requires elevated rights
Complexity*: Low / Effectiveness*: Medium
Possible Issues: administrator resentment
Link 1: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

No. 9: Remove Admin Privileges
Type: Best Practice
Description: Remove and restrict administrative rights whenever possible. Malware can only modify files that users have
Complexity*: Medium / Effectiveness*: Medium
Possible Issues: Higher administrative costs

No. 10: Restrict Workstation
Type: Best Practice
Description: Activate the Windows Firewall to restrict workstation to workstation communication
Complexity*: Medium / Effectiveness*: Low

No. 11: Sandboxing Email Input
Type: Advanced Malware
Description: Using sandbox that opens email attachments and removes attachments based on the behavior analysis
Complexity*: Medium / Effectiveness*: High

No. 12: Execution Prevention
Type: 3rd Party Tools
Description: Software that allows to control execution of processes - sometimes integrated into Antivirus software
Complexity*: Medium / Effectiveness*: Medium

No. 13: Change Default "Open With" to
Type: GPO
Description: Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or
Complexity*: Low / Effectiveness*: Medium
Link 1: https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

No. 14: File Screening
Type: Monitoring
Description: Server-side file screening with the help of File Server Resource Manager
Complexity*: Low / Effectiveness*: Medium
Link 1: http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

Impact* column, values in sheet order (12 values for the 14 rows; two rows carry no value and the row alignment is not recoverable from this export): Low, Low, Medium, Low, High, Medium, Low, Low, Medium, Low, Medium, Low

Footnotes
* Complexity: The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
* Effectiveness: Do not overrate a 'high' in this column as it is a relative effectiveness in comparison to other measures
* Impact: The effects on business processes, administration or user experience

Infographics

Hint: if you can't see the graphics in the HTML version try to download this document as XLS, see the "Download" section

Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain

Source: Symantec, Via: @certbund

Download Links

XLSX Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=xlsx
ODS Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=ods

Composition

This initial list has been composed by Mosh @nyxbone and transformed into this Google Docs format by
https://twitter.com/nyxbone/status/715675420159508480/photo/1

Contributors

Florian Roth @cyb3rops
Bart @bartblaze
Michael Gillespie @demonslay335
Marcelo Rivero @MarceloRivero
Daniel Gallagher @DanielGallagher
Mosh @nyxbone
Katja Hahn @hahn_katja

Support

If you are a security researcher and want to support us, please contact me on Twitter, tell me a bit about

License

Ransomware Overview is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
https://creativecommons.org/licenses/by-nc-sa/4.0/

Sources

https://id-ransomware.malwarehunterteam.com/ (Identify ransomware by ransom note or encrypted file sample)
https://bartblaze.blogspot.com
http://www.malekal.com/
http://www.bleepingcomputer.com/
https://blog.malwarebytes.org/
http://www.nyxbone.com/
http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
http://www.thewindowsclub.com/list-ransomware-decryptor-tools
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
