
Showing posts from July, 2017

CoinVault Ransomware - IOC

1) Ransomware Name - CoinVault

2) Encrypted Extensions - .clf

3) Ransom Note File - wallpaper.jpg

4) Encrypted Algorithm - NA

5) Decryptor Link - https://noransom.kaspersky.com/

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

Cockblocker Ransomware - IOC

1) Ransomware Name - Cockblocker

2) Encrypted Extensions - .hannah

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
vboxsvr.ovh.net
collabvm.xyz (146.198.249.193, USA)


8) File Details -
MD5 e2982778434438cce87e6f43493d63ce
SHA1 1927c6f73714a3d06d379d2bc4693e7a970d5cea
SHA256 100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48
ssdeep 6144:j09jZMz/y1rekkCkVg+AW93YVfhZR3MM+SYRQlsQc0EJroJ:AXC/FkdkVg9WlufR3MM+PRQvcZ
authentihash dedc831235704356b90c79481837ecb7ae854a86aa70ba80a696a017826d1468
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (the generic .NET imphash: every managed executable imports only mscoree!_CorExeMain, so this value does not identify the family)
File size 308.5 KB (315904 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly

CloudSword Ransomware - IOC

1) Ransomware Name - CloudSword

2) Encrypted Extensions - NA

3) Ransom Note File - Warning警告.html

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
***dw2dzfkwejxaskxr.onion.to
***renerenbit.com
***www.coinbase.com
103.208.86.18:80 (New Zealand)
See the analysis results below.


8) File Details -
MD5 9b4ce929b851356ad3117109cc5cc719
SHA1 025035293fab465922df917a9dbaf6bc98ee3308
SHA256 3863e74c4140691871a382425e92795895f0f21edf0eaed7a62ba8c474ab2a02
ssdeep 1536:D3eVMZb2nIkq+Wtbe4f6HnRWJ1coJcpmN8E+zD390wCqDRc1eKuO5Ypd6JtWakNf:DeIzRXbe4+OBtaWbY
authentihash ab7db9e19270660ecad4e2922f8dd7be5e39d5d65190dbf6aeae395b69e84664
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 109.5 KB (112128 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

Clock Ransomware - IOC

1) Ransomware Name - Clock

2) Encrypted Extensions - .VisionCrypt

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - VisionDep@sigaint.org (email)


8) File Details -
MD5 04cfe97e7130b28ead7b5906596ab468
SHA1 3ff993d4680d5748060870e42af6413215ea9c56
SHA256 d99243d4704792a2df497e89a7ee71a1a90953fbd58b030d7054f58419658872
ssdeep 3072:95bUQZDt4QvCWqdvNFTRMJK/j9zOwhwHS9qlGuDUJ0fK9XL7ub3SIz:XzR4Q6Wq5NFTR/b9XVuoJ0zCI
authentihash 0bdb0b12f209619a24a618675ee7a64ca3fe2d09ac460ecf6985d995abf145d8
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 164.0 KB (167936 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

Click Me Game Ransomware - IOC

1) Ransomware Name - Click Me Game

2) Encrypted Extensions - .hacked

3) Ransom Note File -
ransom.exe
ranson-flag.png

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

CHIP Ransomware - IOC

1) Ransomware Name - CHIP

2) Encrypted Extensions -
.CHIP
.DALE

3) Ransom Note File -
CHIP_FILES.txt
DALE_FILES.TXT

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
http://mm6x57ri2coivya6.onion
rad46480.tmp.exe
checkip.dyndns.org (216.146.43.70:80) (USA)
cavallinomotorsport.com (27.121.64.183) (Australia)
imomfs.e89mfe.top (185.153.198.107:80)
109.236.82.8:80 (Netherlands)


8) File Details -
MD5 35f68acc0c3d5761a61975ec77b49cbc
SHA1 f6d03e713bc9b47265141d9f9b83ae634d43d204
SHA256 aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1
ssdeep 3072:HfVD9B1hzRAjEdJNCQ4woDZD57Wr3FKajQNR9MiYbuWjqgdcnfKvdHmN5b3SM:/jlVEEbNtoPajxu85cfAG3
authentihash eda4103b8445b2a0fe8358e781eb60758450d5a071a4d4e047867b8f07687284
imphash 50a39d8c933b48792bb6a3fa1490d04e
File size 218.5 KB (223744 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Chimera Ransomware - IOC

1) Ransomware Name - Chimera

2) Encrypted Extensions - .crypt, or 4 random characters (e.g., .PzZs, .MKJL)

3) Ransom Note File -
YOUR_FILES_ARE_ENCRYPTED.HTML
YOUR_FILES_ARE_ENCRYPTED.TXT
<random>.gif

4) Encrypted Algorithm - NA

5) Decryptor Link - http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details -
MD5 60fabd1a2509b59831876d5e2aa71a6b
SHA1 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
ssdeep 3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
authentihash fb5ffe1c8728afdfc57cff739567ad0ecf39a3a0ae79109b2ddf497e902232f5
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 232.0 KB (237568 bytes)
File type Win32 EXE
Magic literal PE32 executa…

CerberTear Ransomware - IOC

1) Ransomware Name - CerberTear

2) Encrypted Extensions - .cerber

3) Ransom Note File - HOW_TO_RESTORE_YOUR_DATA.html

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
paket.pw
coincafe.com
104.27.154.158:80 (USA)


8) File Details -
MD5 7d181574893ec9cb2795166623f8e531
SHA1 79440d8b1e4b8fa222f1be78435f43f86796f6dc
SHA256 a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404
ssdeep 12288:fN4XnlsewZadw/WDImKa9X8Lnpy6UG5MZXHEZ6Utif+M4lYklAo:V41NwZadw/WQWyyCMlE8SifgJ
authentihash ffc39959aa60fa70d82e5ad981476fe04851ac3ed29f7abeef6dcc7ea1e8753b
imphash e160ef8e55bb9d162da4e266afd9eef3
File size 463.3 KB (474400 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Cerber Ransomware - IOC

1) Ransomware Name - Cerber

2) Encrypted Extensions -
.cerber
.cerber2
.cerber3

3) Ransom Note File -
# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.vbs
# README.hta
_{RAND}_README.jpg
_{RAND}_README.hta
_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg
_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta
_HELP_HELP_HELP_%random%.jpg
_HELP_HELP_HELP_%random%.hta
_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg
_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
GU18zL2P7Y5bq8EPFBSo2tnvCd9ZEBi3E
paket.pw
coincafe.com
104.27.154.158:80 (USA)


8) File Details - (the same sample as listed under CerberTear above)
MD5 7d181574893ec9cb2795166623f8e531
SHA1 79440d8b1e4b8fa222f1be78435f43f86796f6dc
SHA256 a098c20dd46c6afa031bb653cd6d6eede4260a5a6244cf8c1dffcb4d8565b404
ssdeep 12288:fN4XnlsewZadw/WDImKa9X8Lnpy6UG5MZXHEZ6Utif+M4lYklAo:V41NwZadw/WQWyyCMlE8SifgJ
authentihash ffc39959aa60fa70d82e5ad981476fe04851ac3ed29f7abeef6dcc7ea1e8753b
imphash e160ef8e55bb9d162da4e266af…

Central Security Treatment Organization Ransomware - IOC

1) Ransomware Name - Central Security Treatment Organization

2) Encrypted Extensions - .cry

3) Ransom Note File -
!Recovery_[random_chars].html
!Recovery_[random_chars].txt

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -



7) Indicators of Compromise -
http://imgur.com
https://pastee.org/
https://maps.googleapis.com
UDP Traffic to ip addresses in the 37.x.x.x range



8) File Details - NA
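Every entry on this page uses the same eight-field plain-text template, which makes the page usable as a small IOC feed. The Python below is an added example, not code from this page or from any vendor: it parses that template into per-family records, turns the ransom-note name placeholders the entries use (`[A-Z0-9]{4-8}`, `{RAND}`, `<random>`, `[random_chars]`, `%random%`, a leading `*`) into regular expressions, matches a constructed file listing against the extension and note-name rules, and looks up hashes while refusing to treat the .NET imphash that recurs across these entries as evidence. The IOC excerpt and the file paths inside the block are constructed for the example.

```python
# Added example, not code from the original page; IOC_TEXT and SAMPLE_PATHS are constructed.
import ntpath
import re

IOC_TEXT = """\
Cerber Ransomware - IOC
1) Ransomware Name - Cerber
2) Encrypted Extensions -
.cerber3
3) Ransom Note File -
_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta
_{RAND}_README.jpg
8) File Details -
imphash e160ef8e55bb9d162da4e266afd9eef3
Chimera Ransomware - IOC
1) Ransomware Name - Chimera
2) Encrypted Extensions - .crypt
3) Ransom Note File -
YOUR_FILES_ARE_ENCRYPTED.TXT
<random>.gif
8) File Details -
the MD5 60fabd1a2509b59831876d5e2aa71a6b
imphash f34d5f2d4577ed6d9ceec516c1f5a744
"""

SAMPLE_PATHS = [  # constructed listing from a hypothetical victim profile
    r"C:\Users\alice\Documents\budget.xlsx.cerber3",
    r"C:\Users\alice\Documents\_HELP_DECRYPT_X7Q2KA_.hta",
    r"C:\Users\alice\Pictures\_a8F3z_README.jpg",
    r"C:\Users\alice\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT",
    r"C:\Users\alice\Desktop\notes.txt",
]

# Generic .NET imphash (managed EXEs import only mscoree!_CorExeMain): not family-specific.
GENERIC_DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

FIELD_RE = re.compile(r"^(\d)\)\s*([A-Za-z ]+?):?\s*-\s*(.*)$")
HEADING_RE = re.compile(r"^\D.*\bIOC\b")
HASH_RE = re.compile(r"^(?:the\s+)?(md5|sha1|sha256|imphash)\s+([0-9a-fA-F]+)$", re.I)
PLACEHOLDER_RE = re.compile(r"(\[A-Z0-9\]\{\d+-\d+\}|\[random_chars\]|<random>|\{RAND\}|%random%|\*)")
RANDOM_TOKENS = {"[random_chars]", "<random>", "{RAND}", "%random%"}

def parse_ioc_text(text):
    """Parse the page's "N) Field - value" layout into one dict per family; "NA" means unknown."""
    families, fam, fld = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or HEADING_RE.match(line):
            continue
        m = FIELD_RE.match(line)
        if m:
            fld, value = int(m.group(1)), m.group(3).strip()
            if fld == 1:  # field 1 starts a new family record
                families.append(fam := {"name": value, "extensions": [], "notes": [], "hashes": {}})
                continue
            if value in ("", "NA"):
                continue  # multi-line values follow on the next lines
        else:
            value = line  # continuation line of the current field
        if fld == 2:
            fam["extensions"].append(value)
        elif fld == 3:
            fam["notes"].append(value)
        elif fld == 8 and (h := HASH_RE.match(value)):
            fam["hashes"][h.group(1).lower()] = h.group(2).lower()
    return families

def note_regex(pattern):
    """Turn the page's ransom-note placeholders into a compiled regex."""
    parts = []
    for tok in filter(None, PLACEHOLDER_RE.split(pattern)):
        if tok in RANDOM_TOKENS:
            parts.append(r"[^\\/]+")  # any run of file-name characters
        elif tok == "*":
            parts.append(".*")  # "*.How_To_Get_Back.txt" style prefix
        elif tok.startswith("[A-Z0-9]{"):  # page writes {4-8}; regex wants {4,8}
            parts.append("[A-Z0-9]{%s,%s}" % re.search(r"\{(\d+)-(\d+)\}", tok).groups())
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.IGNORECASE)

def classify(families, path):
    """Names of families whose extension or ransom-note rules match the file name."""
    name = ntpath.basename(path).lower()  # accepts both \ and / separators
    return {f["name"] for f in families
            if any(name.endswith(e.lower()) if e.startswith(".") else name == e.lower() for e in f["extensions"])
            or any(note_regex(p).fullmatch(name) for p in f["notes"])}

def lookup_hash(families, kind, value):
    """Families recorded with this hash; the generic .NET imphash is never evidence."""
    value = value.lower()
    if kind == "imphash" and value == GENERIC_DOTNET_IMPHASH:
        return []
    return [f["name"] for f in families if f["hashes"].get(kind) == value]

if __name__ == "__main__":
    fams = parse_ioc_text(IOC_TEXT)
    for p in SAMPLE_PATHS:
        print(p, "->", sorted(classify(fams, p)) or "no match")
```

Run as a script it labels each sample path. Two caveats are built in: a ransom-note pattern whose stem is entirely random (`<random>.gif`) matches every file of that type, so a note-name hit of that kind is only corroborating evidence next to an extension or hash hit; and the imphash f34d5f2d4577ed6d9ceec516c1f5a744 that recurs throughout these entries is produced by every managed executable, so lookup_hash ignores it.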

BuyUnlockCode Ransomware - IOC

1) Ransomware Name - BuyUnlockCode

2) Encrypted Extensions - NA

3) Ransom Note File - BUYUNLOCKCODE.txt

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
nick.jameson@expressmail.dk
ChiuKhan@tom.com

8) File Details - NA

Bucbi Ransomware - IOC

1) Ransomware Name - Bucbi

2) Encrypted Extensions - NA

3) Ransom Note File - README.txt

4) Encrypted Algorithm - GOST

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
dopomoga.rs@gmail.com
bbb.bth.in.ua
shalunishka12.org
ceckiforeftukreksyxomoa.org
87.249.215.196
chultolsylrytseewooketh.biz


8) File Details -
https://virustotal.com/en/file/26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe/analysis/1459806155/
https://www.virustotal.com/en/file/b561b91cce444e9dc768bd93e0404e67f79900598ef03f175a10887c7b94c30c/analysis/
https://www.virustotal.com/en/file/4c698f5a005a74570a10a69a82317b0c87207934fe82907ee7df3348096cd66c/analysis/
https://www.virustotal.com/en/file/26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe/analysis/

BTCWare Ransomware - IOC

1) Ransomware Name - BTCWare

2) Encrypted Extensions - .btcware

3) Ransom Note File - #_HOW_TO_FIX_!.hta

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Browlock Ransomware - IOC

1) Ransomware Name - Browlock

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - NA

8) File Details - NA

BrLock Ransomware - IOC

1) Ransomware Name - BrLock

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Brazilian Globe Ransomware - IOC

1) Ransomware Name - Brazilian Globe

2) Encrypted Extensions - NA

3) Ransom Note File - HOW_OPEN_FILES.html

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Brazilian Ransomware - IOC

1) Ransomware Name - Brazilian

2) Encrypted Extensions - .lock

3) Ransom Note File - MENSAGEM.txt

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - NA

6) Screenshots -



7) Indicators of Compromise - NA

8) File Details - NA

Booyah Ransomware - IOC

1) Ransomware Name - Booyah

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - Salam!

8) File Details - NA

Blocatto Ransomware - IOC

1) Ransomware Name - Blocatto

2) Encrypted Extensions - .blocatto

3) Ransom Note File - NA

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/

6) Screenshots -


7) Indicators of Compromise - NA

8) File Details - NA

BlackShades Crypter Ransomware - IOC

1) Ransomware Name - BlackShades Crypter

2) Encrypted Extensions - .Silent

3) Ransom Note File -
Hacked_Read_me_to_decrypt_files.html
YourID.txt

4) Encrypted Algorithm - AES (256)

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - silentshades@protonmail.com  

8) File Details - NA

BitStak Ransomware - IOC

1) Ransomware Name - BitStak

2) Encrypted Extensions - .bitstak

3) Ransom Note File - NA

4) Encrypted Algorithm - Base64 + string replacement (an encoding, not encryption, which is why files can be recovered without a key)

5) Decryptor Link - https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip

6) Screenshots -

7) Indicators of Compromise - john.perezzka@gmail.com

8) File Details - NA

BitCryptor Ransomware - IOC

1) Ransomware Name - BitCryptor

2) Encrypted Extensions -
.clf
bclock.exe

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - https://noransom.kaspersky.com/

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Bart Ransomware - IOC

1) Ransomware Name - Bart

2) Encrypted Extensions -
.bart.zip
.bart
.perl

3) Ransom Note File -
recover.txt
recover.bmp

4) Encrypted Algorithm - NA

5) Decryptor Link - http://now.avg.com/barts-shenanigans-are-no-match-for-avg/

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

BarRax Ransomware - IOC

1) Ransomware Name - BarRax
2) Encrypted Extensions -
.BarRax
BarraxCrpt.exe
hidden-tear.exe
3) Ransom Note File - NA
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -


7) Indicators of Compromise -
xxxx://rens.5v.pl - C2
xxxx://barrax.tk - forum


8) File Details -
MD5 b9383394aa2b224f717fc62433c50d2a
SHA1 2ef6f9b3a8decb71d5619b07a4f07eb13a33366d
SHA256 2a06283e193c119fefb130e25a6e0c30f4b7675b6c27b33d2b7c6560bad7d3c8
ssdeep 3072:gM+lmsolAIrRuw+mqv9j1MWLQ7MTmmsolNIrRuw+mqv9j1MWLQA:z+lDAAxTmDAN
authentihash 31d2df44e0f3798a4b34a0b87ed28a90929ea13470a6f213dfdb729e1f6b4b27
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 207.5 KB (212480 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

Bandarchor Ransomware - IOC

1) Ransomware Name - Bandarchor
2) Encrypted Extensions -
.id-1235240425_help@
.id-[ID]_[email_address]
3) Ransom Note File - HOW TO DECRYPT.txt
4) Encrypted Algorithm - AES(256)
5) Decryptor Link - NA
6) Screenshots -


7) Indicators of Compromise -
fud@india.com
fud@lycos.com
fudx@lycos.com
decode@india.com
decrypt@india.com
europay@india.com
info@cryptedfiles.biz
salutem@protonmail.com
bingo@opensourcemail.org
doctor@freelinuxmail.org
johndoe@weekendwarrior55.com
sos@encryption.guru
av666@weekendwarrior55.com
email_info@cryptedfiles.biz
email1_info@cryptedfiles.biz
milarepa.lotos@aol.com


8) File Details -
MD5 02dd13752abc64e586df130b913cde22
SHA1 f2c668f8c16186f2e16c3fa745a27c64124993fe
SHA256 6d845f8acf5eacd8cbe23b88a425c88b43400cfd9ca89767bc3972998b8393db
ssdeep 6144:QsQs+hy0sTTJU/XS99wy/F5kCiLeVjDtc0W/Zp4SQx5gRSNlX:tJJviS935wLejDtcvD4LWRSNN
authentihash  ca00dde6dafba1f6cafc943bed85d8174b767db18b540deabf260690236e06e2
imphash  7ee67e23eb01a8b764afee727df…

BaksoCrypt Ransomware - IOC

1) Ransomware Name - BaksoCrypt
2) Encrypted Extensions - .adr
3) Ransom Note File - NA
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -



7) Indicators of Compromise -  ***@163.com




8) File Details -
MD5 22d59b765369e1d1f9daeee88fc8e06b
SHA1 e62e7b91ea732abf83f7190ee132231644b2638e
SHA256 8bffbc4fd5b94ba3e1ea31291f2ae7ba5967b9b7411a028a7de16c5089bcd3df
ssdeep 3072:rjrZiKB/1xqpqFeAaBaIe9PDcjKxAEHjoGkz1OQHlotvQ7SPwjPm/hDbzQB+Q:zsGaBLe9LcjYjoGkJOQHlKvnYDAfz7Q
authentihash 532ec08f422f7687ccd397f46a76b2af40f3c4e76088339aa70d42af1b99a650
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 234.5 KB (240128 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly


BadEncript Ransomware - IOC

1) Ransomware Name - BadEncript
2) Encrypted Extensions - .bript
3) Ransom Note File - More.html
BadEncript.exe
HappyBadEncript.exe
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -


7) Indicators of Compromise - NA


8) File Details -
MD5 e7818e26919dc4f84c6ac683f78eba88
SHA1 47456d3f78c33e67b6d366bbff5c3896e5925527
SHA256 6e5678ebd457353b7c095af806f92b5f54341bbfa2c8d3f5ab03b84483013271
ssdeep 6144:ZVKpftK2A7ey6z20IJH4tsqtHJWj7pLoNam7nxDrMQW3dLG5wCNcKR4ce4NLfHxH:9R7eVI4tscJWC5Bq3d65wC8TO
authentihash 6832a5461b51faabf10250b6206042a3aa8ccc73eb8d709f3b01ef2ec0287995
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 578.5 KB (592384 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

BadBlock Ransomware - IOC

1) Ransomware Name - BadBlock
2) Encrypted Extensions - NA
3) Ransom Note File -
Help Decrypt.html
Help_Decrypt.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - https://decrypter.emsisoft.com/badblock
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details - NA

AutoLocky Ransomware - IOC

1) Ransomware Name - AutoLocky
2) Encrypted Extensions - .locky
3) Ransom Note File -
info.txt
info.html
4) Encrypted Algorithm - NA
5) Decryptor Link - https://decrypter.emsisoft.com/autolocky
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details - NA

ASN1 Ransomware - IOC

1) Ransomware Name - ASN1
2) Encrypted Extensions - NA
3) Ransom Note File - !!!!!readme!!!!!.html
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -

7) Indicators of Compromise -
dxostywsduvmn6ra.onion
dxostywsduvmn6ra.onion.cab


8) File Details -
MD5 5682be2d6efed420f6e15424e5ca0d98
SHA1 2981d2d36066259532dff83a3f5ce96e97aa8628
SHA256 8cc61a0b4bf981da5c079c744408709b113ed3183bbd415500444d7cc707566f
ssdeep 6144:DwHysTtgckgbRt6To3mLiUwn9riDcUDA/OjF:YTtgckgb6U70QH/OZ
authentihash ca48f1883e058cb06b7cada22a1dbc302e77cb3552da94209e7ac0913827b5f8
imphash e160ef8e55bb9d162da4e266afd9eef3
File size 214.3 KB (219424 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

ApocalypseVM Ransomware - IOC

1) Ransomware Name -  ApocalypseVM
2) Encrypted Extensions -
.encrypted
.locked
3) Ransom Note File - *.How_To_Get_Back.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - http://decrypter.emsisoft.com/download/apocalypsevm
6) Screenshots -
7) Indicators of Compromise -
decryptionservice@mail.ru
ransomware.attack@list.ru
8) File Details - NA

Apocalypse Ransomware - IOC

1) Ransomware Name - Apocalypse
2) Encrypted Extensions -
.encrypted
.SecureCrypted
.FuckYourData
.unavailable
.bleepYourFiles
.Where_my_files.txt
3) Ransom Note File - Decryption Instructions.txt
4) Encrypted Algorithm - AES(256)
5) Decryptor Link - NA
6) Screenshots -

7) Indicators of Compromise -
decryptionservice@mail.ru
decryptservice@inbox.ru
recoveryhelp@bk.ru
ransomware.attack@list.ru
esmeraldaencryption@mail.ru
dr.compress@bk.ru

8) File Details -
MD5 e5369ac309f1be6d77afeeb3edab0ed8
SHA1 b7afd3c57b074109bf576b77b33d641fd8e87871
SHA256 478383fb588665c254d416b7c50a124f82291124b002d9bad9fd758a59fd728f
ssdeep 384:iX8Obeab6xAraECxkJ7PfXXqHbiqZZK09QmY1fTgT01p1MN/9bZYVJCrZWMMF:i3lvaEcktUic5imoYC0Z3OF
authentihash 5d764ee2d6355e2437a87a38510a6e83ddb52d976976d9e28300e2124583786c
imphash a2cd52cf31250cbc8e01c8c970423a4b
File size 18.0 KB (18432 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Anubis Ransomware - IOC

1) Ransomware Name - Anubis
2) Encrypted Extensions - .coded
3) Ransom Note File - Decryption Instructions.txt
4) Encrypted Algorithm - AES(256)
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise -
support.code@aol.com
support.code@india.com
8) File Details - NA

Anony - Ransomware - IOC

1) Ransomware Name - Anony
2) Encrypted Extensions - NA
3) Ransom Note File - NA
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details - NA

Angry Duck - Ransomware - IOC

1) Ransomware Name - Angry Duck
2) Encrypted Extensions - .adk
3) Ransom Note File - NA
4) Encrypted Algorithm - AES-512 with RSA-64 FIPS (the malware's own claim; AES has no 512-bit variant, so treat this as marketing)
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details - NA

AngleWare - Ransomware - IOC

1) Ransomware Name - AngleWare
2) Encrypted Extensions - .AngleWare
3) Ransom Note File - READ_ME.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots - NA
7) Indicators of Compromise - angledarknet@gmail.com
8) File Details -
MD5 256508fe74af8aa9d474ed162d849b17
SHA1 c0c4b37b4d014ab9e41730d7df1a4bdf36eeac29
SHA256 2fecdfd9ddfc78c5ff724e9c1dfbdf1ef6c81d5a9467ed28fb3d071c9caad84e
ssdeep 3072:RM+lmsolAIrRuw+mqv9j1MWLQjMTmmsolNIrRuw+mqv9j1MWLQz:K+lDAApTmDAN
authentihash bde424b13aefe6fcc9abc534ae13002581f8d61e717063db56e1035e494e2468
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 207.0 KB (211968 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

Angela Merkel - Ransomware - IOC

1) Ransomware Name - Angela Merkel
2) Encrypted Extensions - .angelamerkel
3) Ransom Note File - NA
4) Encrypted Algorithm - AES
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details -
MD5 09180c7dccacffdf04ab67cf8909b5f2
SHA1 ebcd05145f771a48ba3f50bcef46121344817575
SHA256 0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c
ssdeep 3072:+TDshiWfaoizdfUICi9IyFiD2vEOAaZ/xr+VBFaI1YIYiheeeeeeeeefYDeOiClE:tfaDzdg0IsAwZrMBgkSOG9iO2RK
authentihash 14e9f862eb9a22bf862965479e54286e64ea0647a626e2bf588eb374dff8af97
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 278.5 KB (285184 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

AMBA - Ransomware - IOC

1) Ransomware Name - AMBA
2) Encrypted Extensions - .amba  (New extension found .RROD)
3) Ransom Note File - READ_ME.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - amba@riseup.net

Alphabet Ransomware - IOC

1) Ransomware Name - Alphabet
2) Encrypted Extensions -
Alphabet.exe
<ransom>.exe
3) Ransom Note File - NA
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - NA
8) File Details -
MD5 dbe78231174b03239eb262cc2d2d0900
SHA1 fc472223cd9aee3cf912fc401bd47774569d07ac
SHA256 4e60f3c8eaa0441d4ffdced18aa04153bb91b5470bc5441ba5878f7760ca9b5b
ssdeep 1536:rBUzOE+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:wOE1+l+kcJF1+l+kctphpG
authentihash 8af156e623456c213e9b0a6012646fec6280274e422417f04c6fed9e7cc1a72f
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 168.0 KB (172032 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

Alpha Ransomware - IOC

1) Ransomware Name - Alpha Ransomware
2) Encrypted Extensions - .encrypt
3) Ransom Note File - Read Me (How Decrypt) !!!!.txt
4) Encrypted Algorithm - AES(256)
5) Decryptor Link - http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip
6) Screenshots -
7) Indicators of Compromise - Bitcoin wallet (Blockchain.info)

Alma Ransomware - IOC

1) Ransomware Name - Alma Ransomware
2) Encrypted Extensions - random
3) Ransom Note File - Unlock_files_randomx5.html
4) Encrypted Algorithm - AES(128)
5) Decryptor Link - https://www.google.com/url?q=https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid%3Dd4173312-989b-4721-ad00-8308fff353b3%26placement_guid%3D22f2fe97-c748-4d6a-9e1e-ba3fb1060abe%26portal_id%3D326665%26redirect_url%3DAPefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM%26hsutk%3D34612af1cd87864cf7162095872571d1%26utm_referrer%3Dhttps%253A%252F%252Finfo.phishlabs.com%252Fblog%252Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter%26canon%3Dhttps%253A%252F%252Finfo.phishlabs.com%252Fblog%252Falma-ransomware-analysis-of-a-new-ransom…

ALFA Ransomware - IOC

1) Ransomware Name - ALFA Ransomware
2) Encrypted Extensions - .bin
3) Ransom Note File -
README HOW TO DECRYPT YOUR FILES.HTML
README HOW TO DECRYPT YOUR FILES.TXT
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - Blockchain.info (Bitcoin wallet)

Alcatraz Locker - Ransomware - IOC

1) Ransomware Name - Alcatraz Locker
2) Encrypted Extensions - .Alcatraz
3) Ransom Note File - ransomed.html
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -

Al-Namrood Ransomware - IOC

1) Ransomware Name - Al-Namrood
2) Encrypted Extensions -
.unavailable
.disappeared
3) Ransom Note File - Read_Me.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - https://decrypter.emsisoft.com/al-namrood
6) Screenshots -
7) Indicators of Compromise -
decryptioncompany@inbox.ru
fabianwosar@inbox.ru
cryptservice@inbox.ru
cryptsvc@mail.ru
cryptservice@jabber.ua  
crypt64@mail.ru
crypt32@jabber.ua    
cryptcorp@inbox.ru
ransomware.attack@list.ru

AiraCrop Ransomware - IOC

1) Ransomware Name - AiraCrop
2) Encrypted Extensions - ._AiraCropEncrypted
3) Ransom Note File - How to decrypt your files.txt
4) Encrypted Algorithm - NA
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise -
http://6kaqkavhpu5dln6x.onion
http://mvy3kbqc4adhosdy.onion
8) File Details -
MD5 7d27a5f7b39222e2f29e25a3db52e60f
SHA1 198ad2c5945aad98245fec33f120d751939d24be
SHA256 43c3f9c3f8798f21a6aea01efb5d6d7c1501482fecaad976f9825320261c90b4
ssdeep 6144:x1+GlPY/151Utu4WARP8/HJFWV2IDfovIbw7ZhkxkN8LXp:xNlI1HYuoRk/fWV2M4IbYkxkN
authentihash b207eb80cbe1fe1238f7cf3ddc00f703bb910441251863b7e79825401ff5f39d
imphash 6cde44b21731a639177b87620192993f
File size 289.5 KB (296448 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

8lock8 Ransomware - IOC

1) Ransomware Name - 8lock8
2) Encrypted Extensions - .8lock8
3) Ransom Note File - READ_IT.txt
4) Encrypted Algorithm - AES (256)
5) Decryptor Link - http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/
6) Screenshots -

777 Ransomware - IOC

1) Ransomware Name - 777
2) Encrypted Extensions - .777
3) Ransom Note File - read_this_file.txt
4) Encrypted Algorithm - XOR
5) Decryptor Link - https://decrypter.emsisoft.com/777
6) Screenshots -
7) Indicators of Compromise -
ninja.gaiver@aol.com
kaligula.caesar@aol.com
seven_legion@india.com

.CryptoHasYou Ransomware - IOC

1) Ransomware Name - .CryptoHasYou.
2) Encrypted Extensions - .enc
3) Ransom Note File - YOUR_FILES_ARE_LOCKED.txt
4) Encrypted Algorithm - AES(256)
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise - locked@visitomail.com

7ev3n Ransomware - IOC - File Info

1) Ransomware Name - 7h9r
2) Encrypted Extensions - .7h9r
3) Ransom Note File - README_.TXT
4) Encrypted Algorithm - AES
5) Decryptor Link - NA
6) Screenshots -
7) Indicators of Compromise -
8) File Details -
MD5 c0b834f87051efead202bcec26501444
SHA1 f9d66a4a56e62d1cb7d3591c8510aa115ed2b44d
SHA256 7b2c27d373172f400dc0aa7a3ee07172529614b4db2d2f7ca3c40f3856e7f0e0
ssdeep 384:4nEjrHUp23tB8XbS2fQDoeKZ5N8WhQ6nacTQNinM:p/Hm23eb7sKZ5N8WhQkQSM
authentihash e5ba97ef4feb481b8580661896d0fdcea0a3c80d328cbfcbe6ab966e6214c14e
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 19.0 KB (19456 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly