Download - Ransomware Overview List
7/25/2019 Ransomware Overview List

Name Extensions Extension Pattern Comment
.CryptoHasYou. .enc
7ev3n
Alpha Ransomware .encrypt
AutoLocky .locky
Bandarchor .id-[ID]_[EMAIL_ADDRESS]
BitCryptor .clf
Booyah
Brazilian .lock Based on EDA2
BrLock
Browlock
Bucbi
BuyUnlockCode (.*).encoded.([A-Z0-9]
Cerber .cerber
Chimera .crypt
Chinese Ransom .txt
CoinVault .clf
Coverton
Cryakl .{CRYPTENDBLACKDC}
Crybola
Cryptear
CryptFIle2 .scl id[_ID]email_xerxs victim's files
CryptoJoker .crjoker
CryptoLocker .encrypted no longer relevant
CryptoMix .code .id_(ID_MACHINE)_email_xoomx
Fury
Gomasom .crypt ___[EMAILADDRESS]_.crypt
Gopher OSX ransomware (PoC)
Harasom .html
Hi Buddy .cry Based on HiddenTear
HydraCrypt hydracrypt_ID_[\w]{8} CrypBoss Family
iLock .crime
iLockLight .crime
Jigsaw
Job Crypter .locked
JobCrypter .locked
KeRanger .encrypted OSX Ransomware
KeyBTC .keybtc
Rakhni
Rannoh locked-<original name>.[a-zA-Z]{4}
Ransom32
Rector
RemindMe .remind
Rokku .rokku
Samas-Samsam
Sanction .sanction
Scraper no extension change
SkidLocker / Pompous .locked Based on EDA2
Sport .sport
Strictor .locked Based on EDA2
Surprise .surprise Based on EDA2
SynoLocker
TeslaCrypt 0.x - 2.2.0 Factorization
TeslaCrypt 3.0+ 4.0+ has no extension
TeslaCrypt 4.1A no special extension
TeslaCrypt 4.2
TorrentLocker .Encrypted
Troldesh
TrueCrypter .enc
UmbreCrypt umbrecrypt_ID_[VICTI CrypBoss Family
VaultCrypt
Virus-Encoder .CrySiS
Xorist
XRTN .xrtn VaultCrypt family
Zlader / Russian .vault VaultCrypt family
.locked
.raen.codersu
Encryption Algorithm Also known as Decryptor Info Screenshots
AES(256)
7ev3n-HONE$T
AES(256) AlphaLocker
AES(256) Rakhni
Salam!
AES(256)
AES
GOST
AES
KinCrypt
AES(256)
AES(256) Hidden Tear
RSA
Zeta
CryptProjectXXX
CryptProjectXXX
RSA(2048)
AES(256)
AES(256)
AES(256)
AES(256)
AES(256) Cryptear
Los Pollos Hermanos
AES (128)
AES(256) (RAR implementation)
Manamecrypt, Telograph, ROI
AES(256)
AES(256)
TripleDES
TripleDES
AES
AES
AES(256)
Linux.Encoder.{0,3}
AES(128)
AES(256)
AES(256)
AES(256)
AES(256) Booyah
Yakes
Vipasana
PClock
XOR
Modified Salsa20
Sarento
AES(256)
XOR(255) 7zip
Curve25519 + ChaCha
AES(256) + RSA(2096)
AES(256) + RSA(2096)
AES(256)
AES(256)
AES(256)
AlphaCrypt
AES(256)
AES(256)
AES
uses gpg.exe
AES(256)
RSA
Agent.iih / Aura
samsam.exe / MIKOPONI.exe
AES(256) + ECDH + SHA
Crypt0L0cker / CryptoFortress
Shade / XTBL
CrypVault / Zlader
VaultCrypt / CrypVault
Proposed Name Extensions Extension Pattern PoC
RemindMe .remind decrypt_your_files.html
WonderCrypter .h3ll
.crypttt
.lock
.neitrino MESSAGE.TXT
.xcrypt
Xort .xort xort.txt
Zeta .id_*_email_zeta
Comment Status
Hunting for sample
Submitted to IDR Need analysed
Submitted to IDR Needs identified
Submitted to IDR Needs identified
Needs identified
Submitted to IDR Needs identified
Submitted to IDR Needs confirmed
CONFIRMED as CryptoMix
Needs identified
Needs identified
Submitted to BC, Mobef Needs identified
Hunting for sample
Hunting for sample
Needs identified Chinese ransomware
Hunting for sample
Submitted to IDR, ransom email: danny.walswen
Name Microsoft Detection Name Microsoft Info
.CryptoHasYou. Trojan:Win32/Dynamer!ac
7ev3n Ransom:Win32/Empercrypt.A
AutoLocky
Bandarchor
BitCryptor Win32/Cribit
Booyah
Brazilian
Browlock Ransom:JS/Brolo
BuyUnlockCode Ransom:Win32/Cendode.A
Cerber Win32/Cerber
Chimera Win32/Chicrypt
CoinVault Ransom:MSIL/Vaultlock.A
Coverton
Cryakl
Crybola
Cryptear Ransom:Win32/Crowti
CryptInfinite
CryptoDefense
CryptoHost
CryptoJoker
CryptoLocker Ransom:Win32/Crilock.A
CryptoTorLocker2015
CryptoWall
CryptXXX
CTB-Locker Ransom:MSIL/Nojocrypt.A
CTB-Locker WEB
DeCrypt Protect
DMALocker Ransom:Win32/DMALocker
DMALocker 3.0 Ransom:Win32/DMALocker.A
EDA2 / HiddenTear Ransom:MSIL/Ryzerlo
El-Polocker Ransom:PowerShell/Polock.A
Fury
Gomasom
Gopher
Harasom Trojan:Win32/Harasom.A
Hi Buddy
HydraCrypt Ransom:Win32/Tobfy.X
iLock
iLockLight
Jigsaw Ransom:MSIL/JigsawLocker.A
Ransom:Win32/Crowti
Win32/Fortrypt
Job Crypter
JobCrypter
KeRanger Ransom:MacOS_X/KeRanger.A
KeyBTC
KEYHolder
KimcilWare
KryptoLocker
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
Mabouia
Magic Win32/Takabum
MaktubLocker
Mobef
NanoLocker JS/Nemucod
Nemucod
Offline ransomware
OMG! Ransomware
Operation Global III
PClock
Petya
RaaS
Radamant
Rannoh
RemindMe
Rector
RemindMe
Rokku
Samas-Samsam
Sanction
Scraper
SkidLocker / Pompous
Sport
Strictor
Surprise
SynoLocker Win32/Tescrypt
Ransom:Win32/Isda
Ransom:BAT/Xibow
Ransom:Win32/Locky
TrojanDownloader:JS/Locky
TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker Win32/Troldesh
TrueCrypter
UmbreCrypt Ransom:BAT/Xibow
VaultCrypt
Virus-Encoder
Xorist
XRTN
Alpha Ransomware
Ransom:Win32/Teerac
Win32/Fortrypt
7/25/2019 Ransomware Overview List
16/28
Sandbox IOCs Snort
https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c058801020ec8da67c?environmentId=4
https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58035919d50290b5?environmentId=4
https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3fd4a1f3ebed332d?environmentId=4
https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921eefece6c8439bb?environmentId=4
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolo
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.A
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710?environmentId=4
https://www.hybrid-analysis.com/sample/3ab7a35b31578b439be5d9498489b5e9d2a016db0a348a145979ed75f575dbef?environmentId=4
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowti
https://www.hybrid-analysis.com/sample/e12405096f83b30b712d200b2fc42ce595e1d1254a631d989714b4fa423ef4c4?environmentId=4
https://www.hybrid-analysis.com/sample/0348cdd333879d139306c3ff510b902013739c6bb244e20bcc5a4f762004d354?environmentId=1
https://www.hybrid-analysis.com/sample/cddf81997b81869ad471df6b83c2dfe63a2551f4da9bdd57bce30b8d11e61e5b?environmentId=5
https://www.hybrid-analysis.com/sample/053369b3b63fe08c74d0269e9c29efde3500860f0394cbf6840d57032dea5b12?environmentId=4
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.A
https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2e8d7195014d8b?environmentId=4
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=-2147272113#tab=2
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.A
https://www.hybrid-analysis.com/sample/1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2?environmentId=4
https://www.hybrid-analysis.com/sample/3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7?environmentId=4
https://otx.alienvault.com/browse?q=Rannoh
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392?environmentId=4
https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
Measure | Type | Description | Complexity¹ | Effectiveness¹ | Impact¹ | Possible Issues
Backup and Restore Process | Recovery | Make sure to have adequate backup processes in place and frequently test a restore of these backups | Medium | High | Low |
Block Macros | GPO | Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: | Low | High | Low |
Disable WSH | GPO | Disable Windows Script Host | Low | Medium | Medium | Administrative VBS scripts on Workstations
Filter Attachments Level 1 | Mail Gateway | Filter the following attachments on your mail gateway: .exe, .bat, .ps1, .js, .jse, .scr, .com, .ocx, .jar, .vb, .vbs, .vbe, | Low | Medium | Low |
Filter Attachments Level 2 | Mail Gateway | Filter the following attachments on your mail gateway: (Filter Level 1 plus) .doc, .xls, .rtf | Low | High | High | Office Communication with old versions of Microsoft Office files
Restrict program execution | GPO | Block all program executions from the %LocalAppData% and %AppData% folder | Medium | Medium | Medium | Web embedded software installers
Show File Extensions | User Assistance | Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding | Low | Low | Low |
Enforce UAC Prompt | GPO | Enforce administrative users to confirm an action that requires elevated rights | Low | Medium | Low | administrator resentment
Remove Admin Privileges | Best Practice | Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to. | Medium | Medium | Medium | Higher administrative costs
Restrict Workstation Communication | Best Practice | Activate the Windows Firewall to restrict workstation to workstation communication | Medium | Low | Low |
Sandboxing Email Input | Advanced Malware | Using sandbox that opens email attachments and removes attachments based on behavior analysis | Medium | High | - |
Execution Prevention | 3rd Party Tools | Software that allows to control the execution of processes - sometimes integrated in Antivirus software | Medium | Medium | - |

Footnotes
¹ Complexity: The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
¹ Effectiveness: Do not overrate a "high" in this column as it is a relative effectiveness in comparison to other measures
¹ Impact: The effects on business processes, administration or user experience
Link
Backup and Restore Process: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7
Block Macros: https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter
Block Macros: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US
Disable WSH: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html
Restrict program execution: http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/
Restrict program execution: https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated
Show File Extensions: http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.html
Enforce UAC Prompt: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx
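The two attachment filter levels in the measures table, as an added example that is not part of the original sheet: a small Python filter that applies the Level 1 and Level 2 extension lists exactly as the table gives them. The extension lists come from the table; the filename normalisation (case folding, trailing dots and spaces, the last extension of a double-extension name) and the sample attachment names are my own assumptions, constructed for this example, and go slightly beyond the table by showing why a naive string comparison is not enough.

```python
# Added example (not from the Ransomware Overview sheet): mail gateway attachment
# filter with the two levels from the "Measures" table. The extension sets are
# the table's; everything else (normalisation rules, sample names) is assumed.
from dataclasses import dataclass
from typing import List, Tuple

# Filter Attachments Level 1, as listed in the measures table.
LEVEL1 = frozenset({".exe", ".bat", ".ps1", ".js", ".jse", ".scr", ".com",
                    ".ocx", ".jar", ".vb", ".vbs", ".vbe"})
# Filter Attachments Level 2 = Level 1 plus the legacy binary Office formats.
LEVEL2 = LEVEL1 | frozenset({".doc", ".xls", ".rtf"})
LEVELS = {1: LEVEL1, 2: LEVEL2}


def effective_extension(filename: str) -> str:
    """Return the extension Windows would act on, lower-cased ('' if none).

    Trailing dots and spaces are dropped because Windows strips them when the
    file is written, so 'script.vbs.' and 'scan.JS ' resolve to '.vbs' / '.js'.
    Any directory part is ignored; only the last extension counts, which is why
    'Invoice.pdf.EXE' is treated as an executable.
    """
    name = filename.strip().rstrip(". ").lower()
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if ("." not in base) or (base.startswith(".") and base.count(".") == 1):
        return ""  # no extension, or a dotfile such as '.htaccess'
    return "." + base.rsplit(".", 1)[1]


@dataclass(frozen=True)
class Verdict:
    filename: str
    extension: str
    blocked: bool
    level: int


def check_attachment(filename: str, level: int = 1) -> Verdict:
    """Apply the extension list of the requested filter level to one name."""
    ext = effective_extension(filename)
    return Verdict(filename, ext, ext in LEVELS[level], level)


def filter_message(attachments: List[str], level: int = 1) -> Tuple[List[Verdict], List[Verdict]]:
    """Split one message's attachment names into (allowed, blocked)."""
    allowed: List[Verdict] = []
    blocked: List[Verdict] = []
    for name in attachments:
        v = check_attachment(name, level)
        (blocked if v.blocked else allowed).append(v)
    return allowed, blocked


# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = [
    "invoice.pdf",
    "Invoice_2016.pdf.EXE",   # double extension, upper case
    "scan.js ",               # trailing space
    "report.docx",            # current Office format, passes both levels
    "report.doc",             # legacy format, blocked only at Level 2
    "script.vbs.",            # trailing dot
    "readme",                 # no extension at all
]

if __name__ == "__main__":
    for lvl in (1, 2):
        _, blocked = filter_message(SAMPLE_ATTACHMENTS, lvl)
        print(f"Level {lvl} blocks: {[v.filename for v in blocked]}")
```

Running it shows the trade-off the table records under "Possible Issues": at Level 1 only the script and executable names are dropped, while Level 2 also drops `report.doc` but lets `report.docx` through, which is the "Office Communication with old versions of Microsoft Office files" impact of the stricter level.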
Source:
https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
Composition: This initial list has been composed by Mosh
Identify ransomware by ransom note or encrypted file sample
https://twitter.com/nyxbone/status/715675420159508480/photo/1
http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
http://www.thewindowsclub.com/list-ransomware-decryptor-tools