Showing posts from August, 2017

Guster Ransomware - IOC

1) Ransomware Name - Guster

2) Encrypted Extensions - .locked

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
nucklearsupport@yandex.ru
xxxx://goolserver.ultimatefreehost.in/proxy.php?idnt - C2


8) File Details -
MD5 ec2a8d8f7853397f86a4c96fdbe01b19
SHA1 daaeb314219acb7f10268512c8358a6941d53da3
SHA256 0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507
ssdeep 49152:yKRy/NLHsvdoewagi6rndXTrKdRRzsdydWLToel51txKRy/N:yKRshsdo/PrndXTrKdRRwZLJl3KRs
Authentihash cc50a78ceb39227eb2c4439c5d6256ac10953d3a0bb5ba35699b2e4794bdc9f0
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 2.9 MB (3065344 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

Gremit Ransomware - IOC

1) Ransomware Name - Gremit

2) Encrypted Extensions - .rnsmwr

3) Ransom Note File - NA

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
https://bitcoin.org/en/getting-started
http://pastebin.com/raw/hH9hnfxY


8) File Details -
MD5 d09783a4ced997c23916ae71d52492f8
SHA1 f98e845d7cd04fdad5355be58b930be2ad1daad7
SHA256 5fd942544cbbbdb779918e53d6dad82a24ab23e571ff2d056b95363a28091624
ssdeep 768:ztY1EegyGQL01lRdeA+ois1NE/srv3BHdlV06E6Kuqx+/5:ztY1EeX01lRHiSNE/srv3LPiNuqE
Authentihash 6d648c27a96696d316689808ffb6d10ce95f6f5ab9b43dc7a6fc91042fb63bd6
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 35.0 KB (35840 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

Gopher Ransomware - IOC

1) Ransomware Name - Gopher

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Goopic Ransomware - IOC

1) Ransomware Name - Goopic

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

Gomasom Ransomware - IOC

1) Ransomware Name - Gomasom

2) Encrypted Extensions - .crypt

3) Ransom Note File -
originalfilename.extension
!___*email*@gmail.com__.crypt

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://decrypter.emsisoft.com/&sa=D&ust=1503482082983000&usg=AFQjCNHxZ2SXa5dm1Cp_WHswtfj9gqWuMw


6) Screenshots -


7) Indicators of Compromise -
crydhellsek@gmail.com
cryphelp963@gmail.com
helpsend369@gmail.com
panerai794@gmail.com
prosschiff@gmail.com


8) File Details - NA

GOG Ransomware - IOC

1) Ransomware Name - GOG

2) Encrypted Extensions - .L0CKED

3) Ransom Note File -
DecryptFile.txt
random.jpg

4) Encrypted Algorithm - RZA4096

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
xxxx://y6wb5h3ksb6hppeh.onion/service.html
xxxx://y6wb5h3ksb6hppeh.onion.to/service.html
xxxx://81.4.122.134/p4y5k3y5/h4hn5b67lf3dxc1ff0g44/createkeys.php
xxxx://81.4.122.134/p4y5k3y5/h4hn5b67lf3dxc1ff0g44/savekey.php
xxxx://81.4.122.134/imagini/xok.jpg - download of the wallpaper image

8) File Details -

MD5 d4157f61cfeca15eb2ed2b40dd1f1b53
SHA1 d671129778c58b4120a96d60b10dc952971656bf
SHA256 5a793ac3cc4dd99475cc991c226a107ec04ce6806235c9ae780ae48d169922d2
ssdeep 3072:T/M+lmsolAIrRuw+mqv9j1MWLQ3DKCOM+lmsolAIrRuw+mqv9j1MWLQ:Tk+lDAAku6+lDAA
Authentihash 68187216f02634f17e25f60e5f4ee9f27747712f77f961fd1515d0928cc1964f
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 216.0 KB (221184 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows…

GNL Locker Ransomware - IOC

1) Ransomware Name - GNL Locker

2) Encrypted Extensions - .locked

3) Ransom Note File -
UNLOCK_FILES_INSTRUCTIONS.html
UNLOCK_FILES_INSTRUCTIONS.txt

4) Encrypted Algorithm - AES (256)

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

Globe v3 Ransomware - IOC

1) Ransomware Name - Globe v3

2) Encrypted Extensions -
.[random].blt
.[random].encrypted
.[random].raid10
.[mia.kokers@aol.com]
.[random].globe
.unlockvt@india.com
.rescuers@india.com.3392cYAn548QZeUf.lock
.locked
.decrypt2017
.hnumkhotep

3) Ransom Note File - NA

4) Encrypted Algorithm - RC4 and AES(256)

5) Decryptor Link - https://www.google.com/url?q=https://decrypter.emsisoft.com/globe3&sa=D&ust=1503482082982000&usg=AFQjCNGKXa-BZ6xyg1GoLzWwHd9kDMNn7Q


6) Screenshots - https://www.google.com/url?q=https://www.google.de/search?tbm%3Disch%26q%3DRansomware%2BGlobe%2Bv3&sa=D&ust=1503482082982000&usg=AFQjCNGHUyp9B7b7KsydjnJE9gRpd_BqOw


7) Indicators of Compromise - NA

8) File Details - NA

Globe v2 Ransomware - IOC

1) Ransomware Name - Globe v2

2) Encrypted Extensions -
.lovewindows
.openforyou@india.com

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://success.trendmicro.com/portal_kb_articledetail?solutionid%3D1114221&sa=D&ust=1503482082981000&usg=AFQjCNGABkF9rGtsmRihwUiVZoB_5x9MlQ


6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

Globe v1 Ransomware - IOC

1) Ransomware Name - Globe v1

2) Encrypted Extensions -
.purge
.DARKCRY

3) Ransom Note File - How to restore files.hta

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://success.trendmicro.com/portal_kb_articledetail?solutionid%3D1114221&sa=D&ust=1503482082980000&usg=AFQjCNElRJ_wXzPT51p6Le3ld2NB4i8Pwg


6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

Gingerbread Ransomware - IOC

1) Ransomware Name - Gingerbread

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

GhostCrypt Ransomware - IOC

1) Ransomware Name - GhostCrypt

2) Encrypted Extensions - .Z81928819

3) Ransom Note File - READ_THIS_FILE.txt

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - https://www.google.com/url?q=https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip&sa=D&ust=1503482082979000&usg=AFQjCNHk6Ko6U6Ed_d2GYu9M5ZZTkIbN3g


6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

Fury Ransomware - IOC

1) Ransomware Name - Fury

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://support.kaspersky.com/viruses/disinfection/8547&sa=D&ust=1503412226252000&usg=AFQjCNEnunGgvv8OrJBttNBMO__SHmvVEg



6) Screenshots -


7) Indicators of Compromise - NA

8) File Details - NA

FSociety Ransomware - IOC

1) Ransomware Name - FSociety

2) Encrypted Extensions -
.fs0ciety
.dll

3) Ransom Note File -
fs0ciety.html
DECRYPT_YOUR_FILES.HTML

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/&sa=D&ust=1503412226251000&usg=AFQjCNFX3qaL4cvL73krmFB295h0ztHFzw


6) Screenshots -

7) Indicators of Compromise -
eda2.exe
filedata.exe
www.archem.hol.es
error.hostinger.eu
хттп://i.imgur.com/PNZaSrX.jpg
185.28.20.87:80
31.170.160.61:80


8) File Details -
MD5 1441b0704b07d6e8f798f6684faf0f79
SHA1 a5f0b838f67e0ca575a3d1b27d4a64dec8fac2fc
SHA256 5eba311d64e4daa055d1bc2bca220e8128079238f786a516255268a7cb7af2a1
ssdeep 3072:BM+lmsolAIrRuw+mqv9j1MWLQ7bTM8M+lmsolAIrRuw+mqv9j1MWLQ:6+lDAAqP6+lDAA
Authentihash 13bb30d4f9b6502f479ad3dc95a0874d7a9fef34655159314055e77f7fbadeef
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 208.0 KB (212992 bytes)
File type Win3…

Free-Freedom Ransomware - IOC

1) Ransomware Name - Free-Freedom

2) Encrypted Extensions - .madebyadam

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - http://www.i-m.mx/epicbet/freefreedom/

8) File Details -
MD5 1b2fedadc6c80dc4b80e33de9a4aee88
SHA1 eeb2faad3694dca7a8ed9baf6e606a0be6cda140
SHA256 e1bc3d93383ffb9540f20a1b58e4b3bb77ba24d247a1177030be6fe93d912136
ssdeep 24576:7+hUeaHWqsD00k0vbw9/iiwy2L29f9/4vodCUDK2Qn8PF6OQnFLy:769a2qsD00k0vbw9/iiwy2L29fB4vlUH
Authentihash c1590911361b81bfdd66776798fec2bda3901801089a8ab5ee77cfecaee51174
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 995.5 KB (1019392 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

FortuneCookie Ransomware - IOC

1) Ransomware Name - FortuneCookie

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details - NA

Fonco Ransomware - IOC

1) Ransomware Name - Fonco

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

Flyper Ransomware - IOC

1) Ransomware Name - Flyper

2) Encrypted Extensions - .locked

3) Ransom Note File -
instruction.txt
instruction.html

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - flyper01@sigaint.org



8) File Details -
MD5 e7fe0668a6544b659294337a9eaf3f5a
SHA1 cc6a21b828d66a1e65410689939f841a7d17ddfb
SHA256 9bc81280113473de9ebfe54f689b4440287c37fff562e070d3a28f5269cadcf0
ssdeep 3072:3M+lmsolAIrRuw+mqv9j1MWLQthQz6LyZMhM+lmsolAIrRuw+mqv9j1MWLQlD:c+lDAA0hg6Ly9+lDAAmD
Authentihash 8c89b15d82565d836c37dc14632a5fa31a9859d2bdaf66905673280fab42fba3
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 214.0 KB (219136 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly

FireCrypt Ransomware - IOC

1) Ransomware Name - FireCrypt

2) Encrypted Extensions - .firecrypt

3) Ransom Note File - [random_chars]-READ_ME.html

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
xxxx://lmgtfy.com/?q=how+to+buy+bitcoins
xxxx://www.pta.gov.pk/index.php (Pakistan)
gravityz3r0@sigaint.org


8) File Details -

MD5 ae2fd3a11e561b2268d9fc3bf06c4bff
SHA1 0925b45ae001d396d0344bd3d1efb1d3972201b2
SHA256 5fb67af49105402b2a87b1f7516559d61bd460e617fdf512934778b00541425c
ssdeep 1536:IDsz+ovqnKFTnkoJK1YNTGxteEvGvs/g1YGp/L17Z:ID9ovqqK1+CEs+Lp/L19
File size 58.7 KB (60130 bytes)
File type RAR
Description RAR archive data, v1d, os: Win32

MD5 4193cb08824dbe0ab8fc90eb8576b819
SHA1 de9fa53d1efcc15324c909ff1377d6a1c372286a
SHA256 6016615bf641eb73e4ae33dc8ec73d0bfd7d5022ecdeb980dbd16215cd72841c
ssdeep 384:Jd7uKRCKISmeSIjkx3SJP1bYKHLTwbZxssimw8g7ywHluY:KNKoezjkxMyFxW8g7ywHluY
Authentihash 735d521cfef69101b3f978fc98a8b5b14d7850718dd1a661ece…

FileLocker Ransomware - IOC

1) Ransomware Name - FileLocker

2) Encrypted Extensions - .ENCR

3) Ransom Note File - NA

4) Encrypted Algorithm - AES-256 and RSA-2048

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - babis@mfcr.cz


8) File Details -
MD5 05950b038b5781d940c939a3af3ecd32
SHA1 751f9aa46df83c5ce987528ddbfe10699fe84fd2
SHA256 f5bfa92c3c68779254f3efbe87f05b077d04d76273b54299fdcd204064752005
ssdeep 3072:LFSq2Rnsobb0/UccpM0+Kq22MkBzECcaCdUfHxaEyKOtE:hSv/bwv0222MqMaNx2KX
Authentihash 36f0da7de31b496eda1ebc77c752b18660282d94f225a9eaac57404bb962b8c4
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 123.9 KB (126872 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

FILE FROZR Ransomware - IOC

1) Ransomware Name - FILE FROZR

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - AES-256 and RSA-4096

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
Tox Id: C216445DDE28F475A725941F75D3FBA52F83D8C7EA774F03161C90ABA3F16768D4B4ADE77817
E-mail support: filefrozr@protonmail.com
frozrlockqqxz7a2.onion
frozrlockqqxz7a2.tor2web.cf
frozrlockqqxz7a2.onion2web.gq
frozrlockqqxz7a2.onion2web.tk
frozrlockqqxz7a2.onion.link
filefrozr@protonmail.com


8) File Details - NA

FenixLocker Ransomware - IOC

1) Ransomware Name - FenixLocker

2) Encrypted Extensions - .FenixIloveyou!!

3) Ransom Note File -
Help to decrypt.txt
CryptoLocker.txt

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://decrypter.emsisoft.com/fenixlocker&sa=D&ust=1503414573975000&usg=AFQjCNHJ_K2cHzctyzTjalAjlpodUeJS_g


6) Screenshots -


7) Indicators of Compromise -
centrumfr@india.com
thedon78@mail.com


8) File Details -

MD5 e428317a9d22460f7c034f2302a10768
SHA1 6626d26899d272d8166f02032af535f4e9a616fa
SHA256 8a84651d5c1c2d98452d27244a426649d198db31f52e5ac595d50f7c910d6b56
ssdeep 6144:VbM4HSRXMvdyBOj1+XSqTwAogl3Bgim9Ve8Xrn8QtfYOzvD9HHUaIIMZv8o6Ezef:NMnRXYxEZoskVslorLIlBmEKH/
Authentihash e18d725d16fb579c877af3e13e08e7917328638fece69411f470d7af18c80646
Imphash 748a61bb2c137db6c403ddbb1b11891b
File size 380.7 KB (389858 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Fantom Ransomware - IOC

1) Ransomware Name - Fantom

2) Encrypted Extensions -
.fantom
.comrade

3) Ransom Note File -
DECRYPT_YOUR_FILES.HTML
RESTORE-FILES![id]

4) Encrypted Algorithm - AES(128), RSA-4096 and AES-25

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
fantomd12@yandex.ru
fantom12@techemail.com
http://powertoolsforyou.com/themes/prestashop/cache/stats.php
http://templatesupdates.dlinkddns.com/falssk/fksgieksi.php
fixfiles@protonmail.ch


8) File Details - NA

FakeCryptoLocker Ransomware - IOC

1) Ransomware Name - FakeCryptoLocker

2) Encrypted Extensions - .cryptolocker

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

FakeGlobe Ransomware - IOC

1) Ransomware Name - FakeGlobe

2) Encrypted Extensions - .crypt

3) Ransom Note File - HOW_OPEN_FILES.hta

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://decrypter.emsisoft.com/globeimposter&sa=D&ust=1503414573974000&usg=AFQjCNFoMSGLxdPWI5C6VDHWpUrLIY09cQ


6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

Fakben Ransomware - IOC

1) Ransomware Name - Fakben

2) Encrypted Extensions - .locked

3) Ransom Note File - READ ME FOR DECRYPT.txt

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

Fairware Ransomware - IOC

1) Ransomware Name - Fairware

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

Fadesoft Ransomware - IOC

1) Ransomware Name - Fadesoft

2) Encrypted Extensions - NA

3) Ransom Note File - <random>.exe

4) Encrypted Algorithm - AES-256 + RSA-2048

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA



8) File Details -

MD5 4dde80332568b82241d60217234859fb
SHA1 e9de64c3cf66b7fa45a0cc32e05055a30bcd3a78
SHA256 56d2fea98405756eb32f93335871be0a18647e7d4c62bae153a34fc6f2bcdc1c
ssdeep 6144:bT0rdHFu3GhfWdXD6k7uWfH2goC33VrXXMp782yUP7c68fXKchuKOlNf1VCApsew:X0pHBQWSP2gowspNVKdhTSNGcsepa
Authentihash 59b950418ab104be9af24d670cfffab782040dfba6c9fcebac35648ff324dcf4
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 325.5 KB (333312 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

FabSysCrypto Ransomware - IOC

1) Ransomware Name - FabSysCrypto

2) Encrypted Extensions - .locked

3) Ransom Note File -
_HELP_instructions.txt
fabsyscrypto.exe

4) Encrypted Algorithm - RSA-2048 and AES-128

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -

xxxxs://www.torproject.org/download/download-easy.html
1. xxxx://32kl2rwsjvqjeul7.tor2web.org/56D592DC7A9DDlDB
2. xxxx://32kl2rwsjvqjeul7.onion.to/56D592DC7A9DDlDB
3. xxxx://32kl2rwsjvqjeul7.onlon.cab/56D592DC7A9DDlDB





8) File Details -

MD5 ddcd198ef8d39196a515f9ba27ebfdea
SHA1 bc35e9ca0a01696c4ae7fd7fbe63114d6b12ae5b
SHA256 99beefe151f73494d923e40c1b43d8f525441eb88df303d0a13c293c309c2f62
ssdeep 1536:syJpWAMFfumsolagIrRuw+mqbz9j1MWLQsg:jTM1umsol3IrRuw+mqv9j1MWLQr
Authentihash 9f721a272cd773454883e6f417c7f91c8f3a030e3b809bb49352428d9b9d4a5b
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 116.0 KB (118784 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

MD5 340eab…

Exotic Ransomware - IOC

1) Ransomware Name - Exotic

2) Encrypted Extensions - .exotic

3) Ransom Note File - NA

4) Encrypted Algorithm - AES(128)

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
mitteoderso.de/image.png
exotic-squad.de


8) File Details -
MD5 00d1e1f6af06d66c8173b7bfea7bb0b5
SHA1 88dc482ae91594561d67d63a0731411a8a0686fc
SHA256 607fccededdad66c01d5b255de7e293ca2484614597eec94fe1bf47d9a7edd06
ssdeep 6144:XcPMtlidSjBwgDNChr/jmtwoXv0VewqK4g/msDUMPov9ov7JVqdO9n0pghB1BdIt:MvdSj6gDNHwivZw54gOsYMPo1ojWpIX
Authentihash a4700a6c097d13ade62f6d79821cfb5ffadfdc54de87311b7b29329c68a6f018
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 517.0 KB (529,408 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

Evil Ransomware - IOC

1) Ransomware Name - Evil

2) Encrypted Extensions -
.file0locked
.evillock

3) Ransom Note File - NA

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - r6789986@mail.kz


8) File Details -
MD5 c2ed5b0eea4e4bf833e1a5549bde2024
SHA1 5b24af2e9802b503c7f41c17b561b0b6b38914d7
SHA256 b75b3ff65632b65d1d641075bd2f5ed0ede93da3a35d7f50068b9371ee5c4552
ssdeep 6144:5ji4E09S/t71Pnk0vlg6D59mkwxpCkiesHjAqk55e5BT:Ji4E09qLnrbt9mCeujAJ55e5BT
Authentihash 22226d8aa9230a6f168095f4d7367dbc04bd5ffe444f2391bbcfe85751c2b09e
Imphash 6523c8144ea079696ffc809d9eb219fc
File size 414.0 KB (423,936 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5 b9d81c51c10abd64107edc5e73a26aea
SHA1 714a422876768ed423df93af419de0f37c4ea46c
SHA256 1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c
ssdeep 384:ctxC55+UC+CGCwTWi5Jb6P3JOnuqOM/k1irbIUiVXCKI8KSfoKhaaVtgpVsid:KXLzg5IQD/sirzn…

Erebus Ransomware - IOC

1) Ransomware Name - Erebus

2) Encrypted Extensions - NA

3) Ransom Note File - README.HTML

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
xxxx://erebus5743lnq6db.onion
xxxx://torproject.ip-connect.vn.ua (91.218.89.74 - Ukraine)
xxxx://ipecho.net/plain
xxxx://ipinfo.io/country


8) File Details -
MD5 0ced87772881b63caf95f1d828ba40c5
SHA1 6e5fca51a018272d1b1003b16dce6ee9e836908c
SHA256 ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791
ssdeep 24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F
Authentihash 08ac66454d9cd3116a78f2d399840c286da8243dffbad987287dc6288fa3dabb
Imphash 528498246e893d454b0afdebdb745c46
File size 1.2 MB (1249280 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit

EnkripsiPC Ransomware - IOC

1) Ransomware Name - EnkripsiPC

2) Encrypted Extensions - .fucked

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://twitter.com/demonslay335/status/811343914712100872&sa=D&ust=1500466598643000&usg=AFQjCNGMHEwVDzbnZovW9DlpSocHGdji_Q


6) Screenshots -

7) Indicators of Compromise -
LINE: manusiapartGS
Facebook: muhammad.f.nazeeh
Youtube: humanpuff69
email: fulldoang@gmail.com
mgfakhri@gmail.com
muhlubaid69@gmail .com
ID KOMPUTER = WMMT/RM


8) File Details -
MD5 25847c1160184f20bd72e99fe0aa45af
SHA1 1b3d1be9f3fe9237b38df4bb399417b430a55fba
SHA256 d09d242ee69980b0d63119ea6c37551336244a8fc57b3f528572d833dc25dd69
ssdeep 24576:DW5r8XKFsKyezFujabHFq9f+qsN9ohyAffZjk9GGvAVi1Pn2M8:vKyexqiFm+fSoAffZjk90Y1P2M8
Authentihash 29bd198a3d5fa31e0be921f04be761fc2ffb91eb109ae98cc645e8f9cb531829
Imphash dd643fe47127e173d2302c8f84c76bad
File size 1.1 MB (1105853 bytes)
File type Win32 EXE
Description PE32 executable f…

Enjey Ransomware - IOC

1) Ransomware Name - Enjey

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
.encrypted.contact_here_me@india.com.enjey
.encrypted.frogobigens@india.com.enjey


8) File Details -
MD5 0b4cc40299df1e43519ba48f99c61596
SHA1 15606360ed8ad458656a249afc68e9514d0882cf
SHA256 8f51ce5e3b3ad1ee8c98e843177711a7759c55c96a9e9becaf77f54f811c69e3
ssdeep 192:QCIxxopDVaiKcoUheXjepaR7nQuz/rMUNzFTaIo1cKP:FAxoKiKRUUTeQM4BFTaX1cK
Authentihash 2d33e815795ab55c62d59f14c0a383123a03076aaf156b5a4f7f828ff52b80fb
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 13.0 KB (13312 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly

MD5 054da0ab42fe6bfb974b89f9baa9a3f7
SHA1 e0e7b6cc9cb0986291e1d4b4cb28f27b58c12303
SHA256 30cb2bc30582498bbe682091bb548591670c29b57d5e8e1142947980dc405445
ssdeep 384:PHINV1FrkSTL7dtZZUrLtcK/ujYcV6SUw…

Enigma Ransomware - IOC

1) Ransomware Name - Enigma

2) Encrypted Extensions -
.enigma
.1txt

3) Ransom Note File -
enigma.hta
enigma_encr.txt
enigma_info.txt

4) Encrypted Algorithm - AES(128)

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - http://kf2uimw5omtgveu6.onion


8) File Details -
MD5 229b639878c9e932ef8028d2875526b9
SHA1 64f8759690068aa1d0d96ffb0848f51c01df5ba4
SHA256 c4b38d19a54d44e8c2e0d4e6a457c864787a78f2d2428e94d6a43169bd3e5d55
ssdeep 6144:jBiEI81DRSE7E7iVgQKbVI3t5jSAuL0/NX6fktuG:cEI8XxFe9ZI3t5jSAuL0/NX6fM
Authentihash dd3b5b5547a831bf2e2b03a6ce6747f129e5df1061272bca4c6175efe2d3a820
Imphash faf06c4f559676c0e370e4f92cb30d43
File size 254.5 KB (260,608 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (console) Intel 80386 32-bit

encryptoJJS Ransomware - IOC

1) Ransomware Name - encryptoJJS

2) Encrypted Extensions - .enc

3) Ransom Note File - How to recover.enc

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise -
www.mymalicioussite. ru
хттп://ioussite.ru/


8) File Details -
MD5 0094f931121b4047ee8c22a04f005d7f
SHA1 36c641e9803593af2d05e1e147c13b1219a7146d
SHA256 5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e
ssdeep 96:fk+1m1B538+8xvpLXppvYExBrwbfLbnstTDhv0dWAwCzNt:ckmvCHpLXDvYExBrworKWfk
Authentihash 682055c0b8f77397b43f8a48ea5e6677a883cc3914f9942eef190d0103ca9d5e
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 7.0 KB (7168 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly

Encoder.xxxx Ransomware - IOC

1) Ransomware Name - Encoder.xxxx

2) Encrypted Extensions - .ranrans

3) Ransom Note File - Instructions.html

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
xxxx://ranrans.000webhostapp.com/*** (145.14.145.49:443, Netherlands)
xxxx://pp.com/***
xxxx://copyexitodelvalle.tk/wp-login.php***
xxxx://member-daumchk.netai.net/ ***
xxxxs://lancelvoice.000webhostapp.com/new-messages/new-office-note/***
xxxx://voiceandfax.000webhostapp.com/ ***
xxxxs://byhakdad.000webhostapp.com/***
xxxx://bit.lv/2pSvhaO
xxxx://bit.ly/2pSGjvO
xxxx://bit.ly/2qtVk8B
BTC: 1EkL3c68MYv5MvchU4FHRYCjEj4DKAerG9


8) File Details -
MD5 7774a30be28a49f293bba343f3b3409c
SHA1 64db7165ea9966535c9f445ebbf869da17222c91
SHA256 6ec8a3ff951bc68972f1affc929b35b86943a3caef1b7287da311ee41f0316a3
ssdeep 3072:fksmtrYTEdh7xOhZ1JeYhNoENe1Auuztp+H57JsM+lmsolAIrRuw+mqv9j1MWLQi:Msmth8hZSYhNoehzP+H1l+lDAA
Authentihash f4e761b5402cd473a8545a5e059f60f2676092ace5ef9cd59d8…

El-Polocker Ransomware - IOC

1) Ransomware Name - El-Polocker

2) Encrypted Extensions - .ha3

3) Ransom Note File -
qwer.html
qwer2.html
locked.bmp

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - theonewhoknocks6969@mailinator.com


8) File Details - NA

EiTest Ransomware - IOC

1) Ransomware Name - EiTest

2) Encrypted Extensions - .crypted

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise -
.[RES_SUP@INDIA.COM].ID[2D64A0776C78A9C3].CRYPTOSHIELD
res_sup@india.com - SUPPORT;
res_sup@computer4u.com - SUPPORT RESERVE FIRST;
res_reserve@india.com - SUPPORT RESERVE SECOND;
ID (PERSONAL IDENTIFICATION): 9694E***
***stephanemalka.com
***new.theagingbusiness.com
107.191.62.136:80 (USA)


8) File Details -
MD5 bbef5dfa20459447fd71ea3eaac82ca0
SHA1 293264a77bf83a1e69d3b38428b4c76f0d54780f
SHA256 2b658da052076ae93ffd1ffa967aaa2663f0d91bdfdc3dd617557e9a4607daa4
ssdeep 1536:aGPvrp8P/sVfkJf5/5mu4Tw+FGcAYkxQZAaDU+tlCUHdL:Z2sVfkJf5/554cE2pQCqQmdL
Authentihash 9e1776e90ee887a4aac1737f60229172692ebf32bff11662db4841ab4f729bb3
Imphash b92e835e324afb433b56a8ce8cb49361
File size 93.5 KB (95744 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bi…

EduCrypt Ransomware - IOC

1) Ransomware Name - EduCrypt

2) Encrypted Extensions -
.isis
.locked

3) Ransom Note File - README.txt

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=http://www.filedropper.com/decrypter_1&sa=D&ust=1500466598641000&usg=AFQjCNH82ZoRpOBUC4hvdKi4vAQVCuNfrA


6) Screenshots -


7) Indicators of Compromise - http://www.filedropper.com/decrypter_1 Don't


8) File Details - NA

EdgeLocker Ransomware - IOC

1) Ransomware Name - EdgeLocker

2) Encrypted Extensions - .edgel

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA

8) File Details -
MD5 99c28ccc3ad71f209aeab165265d7863
SHA1 47be10a573ae7cf922d3d5d119785e648d6fccda
SHA256 746e29bee87182696177dfd55ce576c2099cb05eefc38cf7786ef60c027aef9f
ssdeep 6144:LESFyIa0a9FlQrdoVLagQmgdspLoNam7n1rBIWOdKSFBDqv0AD35fxjESC/oG+Nj:GF0KaglgT5pBOdvFBDE0u355vC/hhS
Authentihash 1e826476ec3bc20ce2de85c0c36fbe6151cb710054ed6aa10f43c3b3bf4e39b0
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 579.5 KB (593,408 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

EDA2 / HiddenTear Ransomware - IOC

1) Ransomware Name - EDA2 / HiddenTear

2) Encrypted Extensions - .locked

3) Ransom Note File - NA

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

DynA-Crypt Ransomware - IOC

1) Ransomware Name - DynA-Crypt

2) Encrypted Extensions - .crypt

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details -
MD5 638333b0fcbc8258cfc89204ada035d8
SHA1 ef38984f08fc335d44d33654729d274defa20e86
SHA256 644230b74727226bdbf6a65cb9dddc3d7557755c26fe64729cd6e834f5a005d5
ssdeep 24576:ak5kaKVt4MhEa58mMTvKhExv+LAtfEf4HCzuELn+zt4DPtg6Ew+KZ34D/sD:akcpD58mMvygG6ftH2uCnYtwFg7YtB
Authentihash 004203a295cd0aa11fddec1d4728bf42168509f28fc76e261cb62e858e4e5f8f
Imphash 7045005ef4130348fa4cbfc30a6f9d04
File size 1.6 MB (1706496 bytes)
File type Win32 EXE
Description PE32+ executable for MS Windows (GUI)

DXXD Ransomware - IOC

1) Ransomware Name - DXXD

2) Encrypted Extensions - .dxxd

3) Ransom Note File - ReadMe.TxT

4) Encrypted Algorithm - NA

5) Decryptor Link - https://www.google.com/url?q=https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/&sa=D&ust=1500466598639000&usg=AFQjCNHNwmLW3vMwROZGJNnnNiTyrEBQ1w

6) Screenshots -


7) Indicators of Compromise -
shellexec@protonmail.com
null_ptr@tutanota.de
xxxx://www.howtogeek.com
Programm : xxxxs://pidgin.im/download/
Register account : xxxxs://www.xmpp.jp or xxxxs://rows.io/ or your custom.
Add me : [one_weaJc@rows.io]


8) File Details - NA

DummyLocker Ransomware - IOC

1) Ransomware Name - DummyLocker

2) Encrypted Extensions - .dCrypt

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details - NA

DoNotChange Ransomware - IOC

1) Ransomware Name - DoNotChange

2) Encrypted Extensions -
.id-7ES642406.cry
.Do_not_change_the_filename

3) Ransom Note File -
HOW TO DECODE FILES!!!.txt
КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt

4) Encrypted Algorithm - AES(128)

5) Decryptor Link - https://www.google.com/url?q=https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/&sa=D&ust=1500466598639000&usg=AFQjCNE43KjhzplN0oW7OCnaQI2Wn2nc1A


6) Screenshots -


7) Indicators of Compromise -
email address tom.anderson@india.com
DE_coDER@mail2tor.com
scryptx@meta.ua
http://5akvz3kp6qbqmpoo.onion
robert.swat@qip.ru


8) File Details -
MD5 1d1d7920ca66e454a9489000b25898a5
SHA1 4815f8511cbf245ce23303c0da7e1a4bec7cd06d
SHA256 1ee580d60a43a847140136874f2b8646a2de700457114c4df0e16170029cdb43
ssdeep 12288:hozGdX0M4ornOmZIzfMwHHQmRROXK+1O3c+jSX8U48zR41eWEPhlBAQyITTU3k:h4GHnhIzOaHjxUhRDWEPjBL7w3k
Authentihash f1e1de00ba0ab319881b7650f995f4f6d60531e54fdab52a158fb7…

Donald Trump Ransomware - IOC

1) Ransomware Name - Donald Trump

2) Encrypted Extensions - .ENCRYPTED

3) Ransom Note File - NA

4) Encrypted Algorithm - AES

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - NA


8) File Details -
MD5 e4d1951b179a1de9d22f83227f1026a6
SHA1 53fd14f3aebe3d253af2d505967fd8c6a6c9352c
SHA256 4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4
ssdeep 1536:MC72xHik2cxK0E+dB/ZkzZJbgq2gpkiKX9eVTS2foxtT6:MCqhq82HgfgCFX92u2wq
Authentihash 1848d73529e7fe3ff1133f54e6e0a26b03350f2b3d1cfecf4b4cbe9fddd7c6a8
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 90.0 KB (92160 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

Domino Ransomware - IOC

1) Ransomware Name - Domino

2) Encrypted Extensions - .domino

3) Ransom Note File - README_TO_RECURE_YOUR_FILES.txt

4) Encrypted Algorithm - AES(256)

5) Decryptor Link - NA

6) Screenshots -


7) Indicators of Compromise - 61f1e8055af3f6a672959e6b0493a2@gmail.com


8) File Details - NA

DNRansomware - IOC

1) Ransomware Name - DNRansomware

2) Encrypted Extensions -
.fucked
.killedXXX

3) Ransom Note File - NA

4) Encrypted Algorithm - NA

5) Decryptor Link - NA

6) Screenshots -

7) Indicators of Compromise - NA


8) File Details -
MD5 a8632444b721e3039b93c9049a8f2e04
SHA1 77193808aa822bc12d74cf6ba9f857bb8c86a788
SHA256 8a99ecc9eabcc665dd9a94e591620458eb922449ab81528713fe8f505ca8f998
ssdeep 3072:Vp/sDy/o6a6RRg351fw/xr+VBFaI1YIYiheeeeeeeeefYDeOiClppeppOpplppeh:VtL/+AZrMBgkSOG9iO2RK
Authentihash d45443dfdb1513d588dc8c608a236a76839dbf012baf52f437fa5b724eb4c968
Imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 242.0 KB (247,808 bytes)
File type Win32 EXE
Description PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

MD5 23059246fe68e9907e858815bd213576
SHA1 5ab0c15cc5718eb0bf05855cdb2f0ca9c984b1c6
SHA256 1c5b0ca5d36f819e9af29e99640f15805fb9f36eabc324860d2b290e50b31967
ssdeep 12288:Y+Qq6eMgPT6VHxhnEPYqHHzQjnNO+Qq6eMgkSwYxIrl7Iu…

DMALocker 3.0 Ransomware - IOC

1) Ransomware Name - DMALocker 3.0

2) Encrypted Extensions - NA

3) Ransom Note File - NA

4) Encrypted Algorithm -
AES(256)
XPTLOCK5.0

5) Decryptor Link - https://www.google.com/url?q=https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg&sa=D&ust=1500466598637000&usg=AFQjCNG_n943m-EhMS8QCiG1nCRv-FYQUg


6) Screenshots -


7) Indicators of Compromise - NA


8) File Details - NA

DMALocker Ransomware - IOC

1) Ransomware Name - DMALocker

2) Encrypted Extensions - NA

3) Ransom Note File -
cryptinfo.txt
decrypting.txt
start.txt

4) Encrypted Algorithm -
AES(256) in ECB mode;
versions 2 to 4 also use RSA

5) Decryptor Link -
https://decrypter.emsisoft.com/
https://github.com/hasherezade/dma_unlocker
https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg

6) Screenshots -


7) Indicators of Compromise -
e-mail: crypt302@gmx.com


8) File Details -
MD5 745ae41840a3be2ed1732c2b6307a63f
SHA1 a5d03bfb37b10b17c2922bd215f04b498b888176
SHA256 9827c04d1170ed7b278185eb16610c74591b7769f88ed509fc4128845baaf20a
ssdeep 1536:9kR7Hlwjb5lBNHi+q3AotK9qdqeZ0Vd7ZskJizNfQKhJRCKjPc/bNsWh0Gu:6RLWjbBNCTAdeCJJ8XJRdw/BJh0Gu
Authentihash e9214495f98efe9620b90e7fae4b55d7fa427fd8eefb572f8eeb7e1a6304d1e5
Imphash 1faa1f41ff65fec472802847d7ad22ce
File size 201.…