[ { "name": [ ".CryptoHasYou." ], "extensions": ".enc", "extensionPattern": "", "ransomNoteFilenames": " YOUR_FILES_ARE_LOCKED.txt", "comment": "", "encryptionAlgorithm": "AES(256)", "decryptor": "", "resources": [ "http://www.nyxbone.com/malware/CryptoHasYou.html" ], "screenshots": "", "microsoftDetectionName": "Trojan:Win32/Dynamer!ac", "microsoftInfo": "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FDynamer!ac", "sandbox": "https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c058801020ec8da67c?environmentId=4", "iocs": "https://otx.alienvault.com/pulse/57180b18c1492d015c14bed8/", "snort": "" }, { "name": [ "777", "Sevleg" ], "extensions": ".777", "extensionPattern": "._[timestamp]_$[email]$.777\ne.g. [email protected]$.777", "ransomNoteFilenames": "read_this_file.txt", "comment": "", "encryptionAlgorithm": "XOR", "decryptor": "", "resources": [ "https://decrypter.emsisoft.com/777" ], "screenshots": "", "microsoftDetectionName": "Ransom:Win32/Empercrypt.A", "microsoftInfo": "https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Empercrypt.A", "sandbox": "https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58035919d50290b5?environmentId=4", "iocs": "https://otx.alienvault.com/pulse/573b02701116a040ceccdd85/", "snort": "" }, { "name": [ "7ev3n", "7ev3n-HONE$T" ], "extensions": ".R4A\n.R5A", "extensionPattern": "", "ransomNoteFilenames": "FILES_BACK.txt", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n\nhttps://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be", "http://www.nyxbone.com/malware/7ev3n-HONE$T.html\n" ], "screenshots": "", "microsoftDetectionName": "", "microsoftInfo": "", "sandbox": "", "iocs": "https://otx.alienvault.com/pulse/57180dbf0ebaa4015af21166/", "snort": "" }, { "name": [ "7h9r" ], "extensions": ".7h9r", "extensionPattern": "", "ransomNoteFilenames": "README_.TXT", "comment": "", "encryptionAlgorithm": "AES", "decryptor": "", "resources": [ "http://www.nyxbone.com/malware/7h9r.html" ], "screenshots": "" }, { "name": [ "8lock8" ], "extensions": ".8lock8", "extensionPattern": "", "ransomNoteFilenames": "READ_IT.txt", "comment": "Based on HiddenTear", "encryptionAlgorithm": "AES(256)", "decryptor": "", "resources": [ "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/" ], "screenshots": "", "microsoftDetectionName": "", "microsoftInfo": "", "sandbox": "https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3fd4a1f3ebed332d?environmentId=4", "iocs": "https://www.hybrid-analysis.com/sample/d572a7d7254846adb73aebc3f7891398e513bdac9aac06231991e07e7b55fac8?environmentId=4", "snort": "" }, { "name": [ "AiraCrop" ], "extensions": "._AiraCropEncrypted", "extensionPattern": "", "ransomNoteFilenames": "How to decrypt your files.txt", "comment": "related to TeamXRat", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/PolarToffee/status/796079699478900736" ], "screenshots": "" }, { "name": [ "Al-Namrood" ], "extensions": ".unavailable\n.disappeared", "extensionPattern": "", "ransomNoteFilenames": "Read_Me.Txt", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://decrypter.emsisoft.com/al-namrood" ], "screenshots": "" }, { "name": [ "Alcatraz Locker" ], "extensions": ".Alcatraz", "extensionPattern": "", "ransomNoteFilenames": "ransomed.html", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/PolarToffee/status/792796055020642304" ], "screenshots": "" }, { "name": [ "ALFA Ransomware" ], "extensions": ".bin", "extensionPattern": "", "ransomNoteFilenames": "README HOW TO DECRYPT YOUR FILES.HTML", "comment": "Made by creators of Cerber", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/" ], "screenshots": "" }, { "name": [ "Alma Ransomware" ], "extensions": "random", "extensionPattern": "random(x5)", "ransomNoteFilenames": "Unlock_files_randomx5.html", "comment": "", "encryptionAlgorithm": "AES(128)", "decryptor": "", "resources": [ "https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283", "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter" ], "screenshots": "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/", "microsoftDetectionName": "", "microsoftInfo": "", "sandbox": "", "iocs": "https://otx.alienvault.com/browse?q=Alma+Ransomware", "snort": "" }, { "name": [ "Alpha Ransomware", "AlphaLocker" ], "extensions": ".encrypt", "extensionPattern": "", "ransomNoteFilenames": "Read Me (How Decrypt) !!!!.txt", "comment": "", "encryptionAlgorithm": "AES(256)", "decryptor": "", "resources": [ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/" ], "screenshots": "https://twitter.com/malwarebread/status/804714048499621888" }, { "name": [ "Alphabet" ], "extensions": "", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "Doesn't encrypt any files / provides you the key", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/PolarToffee/status/812331918633172992" ], "screenshots": "" }, { "name": [ "AMBA" ], "extensions": ".amba", "extensionPattern": "", "ransomNoteFilenames": "\u041f\u0420\u041e\u0427\u0422\u0418_\u041c\u0415\u041d\u042f.txt\nREAD_ME.txt", "comment": "Websites only\[email protected]", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/benkow_/status/747813034006020096" ], "screenshots": "" }, { "name": [ "Angela Merkel" ], "extensions": ".angelamerkel", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/malwrhunterteam/status/798268218364358656" ], "screenshots": "" }, { "name": [ "AngleWare" ], "extensions": ".AngleWare", "extensionPattern": "", "ransomNoteFilenames": "READ_ME.txt", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/BleepinComputer/status/844531418474708993" ], "screenshots": "" }, { "name": [ "Angry Duck" ], "extensions": ".adk", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "Demands 10 BTC", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/demonslay335/status/790334746488365057" ], "screenshots": "" }, { "name": [ "Anony", "Based on HiddenTear\nngocanh" ], "extensions": "", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/struppigel/status/842047409446387714" ], "screenshots": "" }, { "name": [ "Anubis" ], "extensions": ".coded", "extensionPattern": "", "ransomNoteFilenames": "Decryption Instructions.txt", "comment": "EDA2", "encryptionAlgorithm": "AES(256)", "decryptor": "", "resources": [ "http://nyxbone.com/malware/Anubis.html" ], "screenshots": "" }, { "name": [ "Apocalypse", "Fabiansomeware" ], "extensions": ".encrypted\n.SecureCrypted\n.FuckYourData\n.unavailable\n.bleepYourFiles\n.Where_my_files.txt", "extensionPattern": "[filename].ID-*8characters+countrycode[[email protected]].[random7characters]\n*filename*.ID-[A-F0-9]{8}+countrycode[[email protected]].[a-z0-9]{13}", "ransomNoteFilenames": "*.How_To_Decrypt.txt\n*.Contact_Here_To_Recover_Your_Files.txt\n*.Where_my_files.txt\n*.Read_Me.Txt\n*md5*.txt", "comment": "[email protected]\[email protected]\[email protected]\[email protected]\[email protected]", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://decrypter.emsisoft.com/apocalypse", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ], "screenshots": "" }, { "name": [ "ApocalypseVM" ], "extensions": ".encrypted\n.locked", "extensionPattern": "", "ransomNoteFilenames": "*.How_To_Get_Back.txt ", "comment": "Apocalypse ransomware version which uses VMprotect", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "http://decrypter.emsisoft.com/download/apocalypsevm" ], "screenshots": "", "microsoftDetectionName": "Win32/Cribit", "microsoftInfo": "https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Cribit", "sandbox": "https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921eefece6c8439bb?environmentId=4", "iocs": "https://otx.alienvault.com/pulse/57166d65c1492d015c14bcc4/", "snort": "" }, { "name": [ "ASN1" ], "extensions": "", "extensionPattern": "", "ransomNoteFilenames": "!!!!!readme!!!!!.htm", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/" ], "screenshots": "" }, { "name": [ "AutoLocky" ], "extensions": ".locky", "extensionPattern": "", "ransomNoteFilenames": "info.txt\ninfo.html", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://decrypter.emsisoft.com/autolocky" ], "screenshots": "", "microsoftDetectionName": "", "microsoftInfo": "", "sandbox": "", "iocs": "", "snort": "" }, { "name": [ "Aw3s0m3Sc0t7" ], "extensions": ".enc", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/struppigel/status/828902907668000770" ], "screenshots": "" }, { "name": [ "BadBlock" ], "extensions": "", "extensionPattern": "", "ransomNoteFilenames": "Help Decrypt.html", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://decrypter.emsisoft.com/badblock", "http://www.nyxbone.com/malware/BadBlock.html" ], "screenshots": "", "microsoftDetectionName": "", "microsoftInfo": "", "sandbox": "", "iocs": "https://otx.alienvault.com/pulse/56eac97aaef9214b1550b37e/", "snort": "" }, { "name": [ "BadEncript" ], "extensions": ".bript", "extensionPattern": "", "ransomNoteFilenames": "More.html", "comment": "", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/demonslay335/status/813064189719805952" ], "screenshots": "" }, { "name": [ "BaksoCrypt" ], "extensions": ".adr", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "Based on my-Little-Ransomware", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/JakubKroustek/status/760482299007922176" ], "screenshots": "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/" }, { "name": [ "Bandarchor", "Rakhni" ], "extensions": "[email protected]", "extensionPattern": ".id-[ID]_[EMAIL_ADDRESS]", "ransomNoteFilenames": "HOW TO DECRYPT.txt", "comment": "Files might be partially encrypted", "encryptionAlgorithm": "AES(256)", "decryptor": "", "resources": [ "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/" ], "screenshots": "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/" }, { "name": [ "BarRax" ], "extensions": ".BarRax", "extensionPattern": "", "ransomNoteFilenames": "", "comment": "Based on HiddenTear", "encryptionAlgorithm": "", "decryptor": "", "resources": [ "https://twitter.com/demonslay335/status/835668540367777792" ], "screenshots": ""