Ransomware Overview List

Date post: 28-Feb-2018

Transcript

7/25/2019 Ransomware Overview List

Sheet 1. Columns: Name | Extensions | Extension Pattern | Comment | Encryption Algorithm | Also known as. The Decryptor, Info and Screenshots columns exported as the spreadsheet error value #NAME?; the hyperlinks those cells carried are listed after the table, in row order.

Name | Extensions | Extension Pattern | Comment | Encryption Algorithm | Also known as
.CryptoHasYou. | .enc | | | AES(256) |
7ev3n | | | | | 7ev3n-HONE$T
Alpha Ransomware | .encrypt | | | AES(256) | AlphaLocker
AutoLocky | .locky | | | |
Bandarchor | | .id-[ID]_[EMAIL_ADDRESS] | | AES(256) | Rakhni
BitCryptor | .clf | | | |
Booyah | | | | | Salam
Brazilian | .lock | | Based on EDA2 | AES(256) |
BrLock | | | | AES |
Browlock | | | | |
Bucbi | | | | GOST |
BuyUnlockCode | | (.*).encoded.([A-Z0-9] | | |
Cerber | .cerber | | | AES |
Chimera | .crypt | | | |
Chinese Ransom | .txt | | | | KinCrypt
CoinVault | .clf | | | |
Coverton | | | | AES(256) |
Cryakl | .{CRYPTENDBLACKDC} | | | |
Crybola | | | | |
Cryptear | | | | AES(256) | Hidden Tear
CryptFile2 | .scl | id[_ID]email_xerx | …victim's files | RSA |
CryptoJoker | .crjoker | | | |
CryptoLocker | .encrypted | | no longer relevant | |
CryptoMix | .code | .id_(ID_MACHINE)_email_xoomx | | | Zeta
Fury | | | | |
Gomasom | .crypt | ___[EMAILADDRESS]_.crypt | | |
Gopher | | | OSX ransomware (PoC) | |
Harasom | .html | | | |
Hi Buddy | .cry | | Based on HiddenTear | AES(256) |
HydraCrypt | | hydracrypt_ID_[\w]{8} | CrypBoss Family | |
iLock | .crime | | | |
iLockLight | .crime | | | |
Jigsaw | | | | AES(256) |
Job Crypter | .locked | | | TripleDES |
JobCrypter | .locked | | | TripleDES |
KeRanger | .encrypted | | OSX Ransomware | AES |
KeyBTC | .keybtc | | | |
Rakhni | .locked .kraken .coderksu | | | | Agent.iih, Aura
Rannoh | | locked-<original name>.[a-zA-Z]{4} | | |
Ransom32 | | | | |
Rector | | | | |
RemindMe | .remind | | | |
Rokku | .rokku | | | Curve25519 + ChaCha |
Samas/Samsam | | | samsam.exe, MIKOPONI.exe | AES(256) + RSA(2096) |
Sanction | .sanction | | | AES(256) + RSA(2096) |
Scraper | | | no extension change | |
SkidLocker / Pompous | .locked | | Based on EDA2 | AES(256) |
Sport | .sport | | | |
Strictor | .locked | | Based on EDA2 | AES(256) |
Surprise | .surprise | | Based on EDA2 | AES(256) |
SynoLocker | | | | |
TeslaCrypt 0.x - 2.2.0 | | | Factorization | | AlphaCrypt
TeslaCrypt 3.0+ | | | 4.0+ has no extension | AES(256) + ECDH + SHA |
TeslaCrypt 4.1A | | | no special extension | AES(256) + ECDH + SHA |
TeslaCrypt 4.2 | | | | |
TorrentLocker | .Encrypted | | | | Crypt0L0cker, CryptoFortress
Troldesh | | | | AES(256) | Shade, TBL
TrueCrypter | .enc | | | AES(256) |
UmbreCrypt | | umbrecrypt_ID_[VICTI… | CrypBoss Family | AES |
VaultCrypt | | | | uses gpg.exe | CrypVault, Zlader
Virus-Encoder | .CrySiS | | | AES(256) |
Xorist | | | | |
XRTN | .xrtn | | VaultCrypt family | RSA |
Zlader / Russian | .vault | | VaultCrypt family | | VaultCrypt, CrypVault

Rows whose Name/Extension cells did not export (the names are those of the Microsoft-detection sheet below), with the Encryption Algorithm / Also known as cells that line up with them in row order:

CryptoHost | AES(256) (RAR implementation) | Manamecrypt, Telograph, ROI
CryptXXX | | CryptProjectXXX
DMALocker | AES(256) |
DMALocker 3.0 | AES(256) |
EDA2 / HiddenTear | | Cryptear
El-Polocker | | Los Pollos Hermanos
Enigma | AES(128) |
KEYHolder | AES |
KimcilWare | AES(256) |
Linux.Encoder | | Linux.Encoder.{0,3}
Locky | AES(128) |
Magic | AES(256) |
MM Locker | AES(256) | Booyah
Mobef | | Yakes
Nemucod | XOR(255) + 7zip |
Offline ransomware | | Vipasana
OMG Ransomware | | GPCode
Operation Global III | XOR |
Petya | Modified Salsa20 |
Radamant | AES(256) |

Cells in the same two columns that cannot be tied to a row: CryptProject, RSA(2048), AES(256), Sarento.

Links from the Decryptor / Info / Screenshots columns, rows .CryptoHasYou. to Fakben:
http://www.nyxbone.com/malware/CryptoHasYou.html
https://github.com/hasherezade/malware_analysis/tree/master/7ev3n
http://www.nyxbone.com/malware/7ev3n-HONE$T.html
http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip
http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/
https://decrypter.emsisoft.com/autolocky
https://reaqta.com/2016/03/bandarchor-ransomware-still-active/
https://noransom.kaspersky.com/
http://www.nyxbone.com/malware/brazilianRansom.html
http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/
https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/
http://www.nyxbone.com/malware/chineseRansom.html
http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/
https://support.kaspersky.com/viruses/disinfection/8547
http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/
http://www.nyxbone.com/malware/CryptoMix.html
http://www.nyxbone.com/images/articulos/malware/cryptomix/r2.png
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/
https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool
https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/
https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code

Rows Fury to Radamant:
https://support.kaspersky.com/viruses/disinfection/8547
https://decrypter.emsisoft.com/
http://www.nyxbone.com/malware/hibuddy.html
http://www.malware-traffic-analysis.net/2016/02/03/index2.html
http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/
https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/
http://www.nyxbone.com/malware/jobcrypter.html
http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html
http://news.drweb.com/show/?i=9877&lng=en&c=5
http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/
http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it
http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/
https://decrypter.emsisoft.com/lechiffre
https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545
https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
http://nyxbone.com/malware/Mobef.html
http://nyxbone.com/images/articulos/malware/mobef/0.png
http://github.com/Cyberclues/nanolocker-decryptor
https://github.com/Antelox/Nemuco… (link text clipped in the export)
http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html
http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/
https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
http://www.nyxbone.com/malware/RaaS.html

Rows Rakhni to Zlader:
https://support.kaspersky.com/us/viruses/disinfection/10556
https://support.kaspersky.com/viruses/disinfection/8547
https://support.kaspersky.com/viruses/disinfection/4264
http://i.imgur.com/gV6i5SN.jpg
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
http://blog.talosintel.com/2016/03/samsam-ransomware.html
http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/
http://www.nyxbone.com/malware/SkidLocker.html
http://www.nyxbone.com/malware/Strictor.html
https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
http://www.nyxbone.com/malware/Troldesh.html
http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/
http://www.bleepstatic.com/images/news/ransomware/t/truecrypter/truecrypter.png
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware
http://www.nyxbone.com/malware/russianRansom.html
http://www.nyxbone.com/malware/virus-encoder.html
https://support.kaspersky.com/viruses/disinfection/2911
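The Extensions and Extension Pattern columns are the first thing a responder looks at, but they are a weak identifier: .clf belongs to both BitCryptor and CoinVault, .locked to Job Crypter, JobCrypter, SkidLocker, Strictor and Rakhni, .crime to iLock and iLockLight, and Scraper and TeslaCrypt 4.0+ change nothing in the file name at all. The script below is an added example written for this page, not part of the sheet or of any tool it links to. It turns a subset of the table's patterns into regular expressions and triages a directory listing into candidate families. What the sheet's placeholders ([ID], [EMAIL_ADDRESS], (ID_MACHINE), <original name>) expand to is this example's assumption; the sheet only names them, and the sample file names are constructed.

```python
import re
from typing import Dict, List

# A subset of the Extensions / Extension Pattern columns above, kept in the
# sheet's own notation. Families listed as "no extension change" (Scraper,
# TeslaCrypt 3.0+) get an empty list on purpose: they cannot be recognised by
# file name at all.
FAMILY_PATTERNS: Dict[str, List[str]] = {
    "AutoLocky": [".locky"],
    "Bandarchor": [".id-[ID]_[EMAIL_ADDRESS]"],
    "BitCryptor": [".clf"],
    "CoinVault": [".clf"],
    "Cerber": [".cerber"],
    "CryptoMix": [".code", ".id_(ID_MACHINE)_email_xoomx"],
    "HydraCrypt": [r"hydracrypt_ID_[\w]{8}"],
    "Job Crypter": [".locked"],
    "Strictor": [".locked"],
    "Rannoh": ["locked-<original name>.[a-zA-Z]{4}"],
    "Rokku": [".rokku"],
    "Scraper": [],
    "TeslaCrypt 3.0+": [],
}

# How the sheet's placeholders are expanded. The character classes are this
# example's assumptions; the sheet only names the placeholders. The last two
# entries are already regex fragments in the sheet and pass through unchanged.
PLACEHOLDERS: Dict[str, str] = {
    "[ID]": r"[0-9A-Za-z]+",
    "[EMAIL_ADDRESS]": r"[^\s@\\/]+@[^\s@\\/]+",
    "(ID_MACHINE)": r"[0-9A-Za-z]+",
    "<original name>": r".+",
    r"[\w]{8}": r"\w{8}",
    "[a-zA-Z]{4}": r"[a-zA-Z]{4}",
}

# Longest placeholder first so no key is matched as a prefix of another.
_SPLIT = re.compile(
    "(" + "|".join(re.escape(k) for k in sorted(PLACEHOLDERS, key=len, reverse=True)) + ")"
)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one sheet pattern into a compiled regex.

    Literal text is escaped and placeholders are swapped for their classes.
    A pattern that starts with a dot is an appended extension and is anchored
    to the end of the name; the others (HydraCrypt, Rannoh) are searched
    anywhere, because the sheet does not say where in the name they sit.
    """
    pieces = [PLACEHOLDERS.get(part) or re.escape(part)
              for part in _SPLIT.split(pattern) if part]
    regex = "".join(pieces)
    if pattern.startswith("."):
        regex += "$"
    return re.compile(regex, re.IGNORECASE)


COMPILED: Dict[str, List[re.Pattern]] = {
    family: [pattern_to_regex(p) for p in patterns]
    for family, patterns in FAMILY_PATTERNS.items()
}


def classify(filename: str) -> List[str]:
    """Return every family whose pattern matches the file name.

    Several families share an extension (.clf, .locked), so the result is a
    candidate list, never a verdict; an empty list means either a clean file
    or a family that leaves the name alone.
    """
    return [family for family, regexes in COMPILED.items()
            if any(r.search(filename) for r in regexes)]


def triage(filenames: List[str]) -> Dict[str, List[str]]:
    """Map each name in a directory listing to its candidate families."""
    return {name: classify(name) for name in filenames}


# Constructed file names for the example; none are real samples.
SAMPLE_LISTING = [
    "Q3-report.xlsx.locky",
    "budget.xlsx.clf",
    "photo.jpg.id-12AB34CD_unlock@example.com",
    "invoice.pdf.hydracrypt_ID_ab12cd34",
    "locked-contract.docx.qwer",
    "thesis.docx.locked",
    "notes.txt",
]

if __name__ == "__main__":
    for name, families in triage(SAMPLE_LISTING).items():
        print(f"{name:45} {families or 'no name-based match'}")
```

A name with no match is not evidence of a clean file: for the families the table marks as leaving names unchanged, the ransom note, file headers or the process that wrote the files are what identifies them, and a name-based hit should be confirmed the same way before a decryptor is run.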
Sheet 2. Proposed names for samples under identification. Columns: Proposed Name | Extensions | Extension Pattern | PoC.

Proposed Name | Extensions | Extension Pattern | PoC
RemindMe | .remind | decrypt_your_files.html |
WonderCrypter | .h3ll | |
 | .crypttt | |
 | .lock | |
 | .neitrino | MESSAGE.TXT |
 | .xcrypt | |
Xort | .xort | xort.txt |
Zeta | | .id_*_email_zeta |

Comment | Status cells of the same sheet, in row order (the export did not keep them aligned with the names above):

 | Hunting for sample
Submitted to IDR | Need analysed (7f76dd5545a6f04ed93e5e24f2f036d3c6a6ccfdda6075c66d; the digits 1 and 8 of this hash were lost in the export, so it cannot be searched as-is)
Submitted to IDR | Needs identified
Submitted to IDR | Needs identified
 | Needs identified
Submitted to IDR | Needs identified
Submitted to IDR | Needs confirmed
 | CONFIRMED as CryptoMix
 | Needs identified
 | Needs identified
Submitted to BC, Mobef | Needs identified
 | Hunting for sample
 | Hunting for sample
 | Needs identified | Chinese ransomware
 | Hunting for sample
http://www.bleepingcomputer.co… (link text clipped in the export)
Submitted to IDR, ransom email: danny.walswen… (clipped in the export)

  • 7/25/2019 Ransomware Overview List

    13/28

    Name )icroso+t &etection Name )icroso+t %n+o

    .CryptoHasYou. 8ro@anTDin3-&ynamerac

    7ev3n RansomTDin3-Empercrypt.A

    AutoLocy

    !an"archor

    !itCryptor Din3-Criit

    !ooyah

    !ra,ilian

    !rowloc RansomT?*!rolo

    !uy/nlocCo"e RansomT Din3-Cen"o"e.A

    Cerer Din3-Cerer

    Chimera Din3-Chicrypt

    Coinault RansomT )*%Laultloc.A

    Coverton

    Cryai

    Cryola

    Cryptear RansomT Din3-Crowti

    Crypt%n+inite

    Crypto&e+ense

    CryptoHost

    Crypto?oer

    CryptoLocer RansomT Din3-Criloc.A

    Crypto8orLocer-4B

    CryptoDall

    CryptC8!#Locer RansomT )*%[email protected]

    C8!#Locer DE!

    &eCrypt Protect

    &)ALocer RansomT Din3-&)ALocer

    &)ALocer 3.4 RansomT Din3-&)ALocer.A

    E&A- Hi""en8ear RansomT )*%LRy,erlo

    El#Pololocer RansomT Power*hellPoloc.A

    ;ury

    omasom

    opherHarasom 8ro@anT Din3-Harasom.A

    Hi !u""y

    Hy"raCrypt RansomT Din3-8o+y.

    iLoc

    iLocLi=ht

    ?i=saw RansomT)*%L?i=sawLocer.A

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    www.microso+t.coms

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    RansomT Din3-CrowtiDin3-;ortrypt

    httpsTwww.microso+

    httpsTwww.microso+

    RansomT Din3-Crowti

    Din3-;ortrypt

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    httpsTwww.microso+

    https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FDynamer!achttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Empercrypt.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Cribithttp://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolohttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.Ahttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Cerberhttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Chicrypthttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Vaultlock.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowtihttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3AWin32%2FCrilock.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Nojocrypt.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALockerhttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Ryzerlohttps://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=-2147272113#tab=2https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Tobfy.Xhttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:MSIL/JigsawLocker.Ahttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:MSIL/JigsawLocker.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:
Win32/Tobfy.Xhttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=-2147272113#tab=2https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Ryzerlohttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALockerhttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Nojocrypt.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3AWin32%2FCrilock.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowtihttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MSIL/Vaultlock.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Chicrypthttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Cerberhttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.Ahttp://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolohttps://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Cribithttps://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Empercrypt.Ahttps://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FDynamer!ac
  • 7/25/2019 Ransomware Overview List

    14/28

Jo Crypter
JoCrypter
KeRanger Ransom:MacOS_X/KeRanger.A
KeyBTC
KEYHolder
KimcilWare
KryptoLocker
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
Mabouia
Magic Win32/Takabum
MaktubLocker
Mobef
NanoLocker
JS/Nemucod
Nemucod
Offline ransomware
OMG Ransomware
Operation Global III
PClock
Petya
RaaS
Radamant
Rannoh
RemindMe
Rector
Rokku
Samas-Samsam
Sanction
Scraper
SkidLocker Pompous
Sport
Strictor
Surprise
SynoLocker
Win32/Tescrypt
Ransom:Win32/Isda
Ransom:BAT/Xibow
Ransom:Win32/Locky
TrojanDownloader:JS/Locky

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2FTescrypt
    15/28

TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
Win32/Troldesh
TrueCrypter
UmbreCrypt
Ransom:BAT/Xibow
VaultCrypt
Virus-Encoder
Xorist
XRTN
Alpha Ransomware
Ransom:Win32/Teerac
Win32/Fortrypt

https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
    16/28

    *an"ox %JCs *nort

    17/28

https://otx.alienvault.com/browse?q=Rannoh


https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392?environmentId=4
    18/28


https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
    19/28

Measure / Type / Description / Complexity (1) / Effectiveness (2) / Impact (3) / Possible Issues / Links

Measure: Backup and Restore Process
Type: Recovery
Description: Make sure to have adequate backup processes in place and frequently test a restore of these backups.
Complexity: Medium, Effectiveness: High, Impact: Low
Link: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7

Measure: Block Macros
Type: GPO
Description: Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:
Complexity: Low, Effectiveness: High, Impact: Low
Links: https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

Measure: Disable WSH
Type: GPO
Description: Disable Windows Script Host
Complexity: Low, Effectiveness: Medium, Impact: Medium
Possible Issues: Administrative VBS scripts on workstations
Link: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

Measure: Filter Attachments Level 1
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: .exe, .bat, .ps1, .js, .jse, .scr, .com, .ocx, .jar, .vb, .vbs, .vbe
Complexity: Low, Effectiveness: Medium, Impact: Low

Measure: Filter Attachments Level 2
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: (Filter Level 1 plus) .doc, .xls, .rtf
Complexity: Low, Effectiveness: High, Impact: High
Possible Issues: Office communication with old versions of Microsoft Office files

Measure: Restrict program execution
Type: GPO
Description: Block all program executions from the %LocalAppData% and %AppData% folder
Complexity: Medium, Effectiveness: Medium, Impact: Medium
Possible Issues: Web embedded software installers
Links: http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/
https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

Measure: Show File Extensions
Type: User Assistance
Description: Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding
Complexity: Low, Effectiveness: Low, Impact: Low
Link: http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.html

Measure: Enforce UAC Prompt
Type: GPO
Description: Enforce administrative users to confirm an action that requires elevated rights
Complexity: Low, Effectiveness: Medium, Impact: Low
Possible Issues: Administrator resentment
Link: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Measure: Remove Admin Privileges
Type: Best Practice
Description: Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.
Complexity: Medium, Effectiveness: Medium, Impact: Medium
Possible Issues: Higher administrative costs

Measure: Restrict Workstation Communication
Type: Best Practice
Description: Activate the Windows Firewall to restrict workstation to workstation communication
Complexity: Medium, Effectiveness: Low, Impact: Low

Measure: Sandboxing Email Input
Type: Advanced Malware
Description: Using a sandbox that opens email attachments and removes attachments based on behavior analysis
Complexity: Medium, Effectiveness: High, Impact: -

Measure: Execution Prevention
Type: 3rd Party Tools
Description: Software that allows to control the execution of processes, sometimes integrated in Antivirus software
Complexity: Medium, Effectiveness: Medium, Impact: -

Footnotes
(1) Complexity: The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
(2) Effectiveness: Do not overrate a "high" in this column as it is a relative effectiveness in comparison to other measures
(3) Impact: The effects on business processes, administration or user experience
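Added example, not part of the original list: a read-only PowerShell audit that checks a workstation against four of the measures above (Show File Extensions, Disable WSH, Enforce UAC Prompt, Restrict Workstation Communication). The registry locations are the standard Windows ones; the pass criteria are assumptions derived from the table, not from the original document.

```powershell
# Read a single registry value, returning $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RansomwareHardening {
    $results = @()

    # Show File Extensions: HideFileExt must be 0 so double extensions are visible.
    $hide = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $results += [pscustomobject]@{
        Measure = 'Show File Extensions'; Expected = 'HideFileExt = 0'
        Actual  = "$hide"; Pass = ($hide -eq 0)
    }

    # Disable WSH: machine-wide Windows Script Host switch (Enabled = 0).
    $wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $results += [pscustomobject]@{
        Measure = 'Disable WSH'; Expected = 'Enabled = 0'
        Actual  = "$wsh"; Pass = ($wsh -eq 0)
    }

    # Enforce UAC Prompt: UAC on (EnableLUA = 1) and admins are never elevated silently
    # (ConsentPromptBehaviorAdmin 0 means "elevate without prompting").
    $lua  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $cpba = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'ConsentPromptBehaviorAdmin'
    $results += [pscustomobject]@{
        Measure = 'Enforce UAC Prompt'; Expected = 'EnableLUA = 1, ConsentPromptBehaviorAdmin <> 0'
        Actual  = "EnableLUA=$lua, ConsentPromptBehaviorAdmin=$cpba"
        Pass    = (($lua -eq 1) -and ($null -ne $cpba) -and ($cpba -ne 0))
    }

    # Restrict Workstation Communication: Windows Firewall enabled on every profile.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $off = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })
    $results += [pscustomobject]@{
        Measure  = 'Restrict Workstation Communication'; Expected = 'all firewall profiles enabled'
        Actual   = (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')
        Pass     = (($null -ne $profiles) -and ($off.Count -eq 0))
    }

    return $results
}

# Run the audit and show one row per measure; a False in Pass is a gap to fix via GPO.
Test-RansomwareHardening | Format-Table -AutoSize
```

The script only reads settings; apply the corrections through Group Policy as the linked articles describe.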
    23/28

Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
    27/28

Composition: This initial list has been composed by Mosh

    28/28

    %"enti+y ransomware y ransom note or encrypte" +ile sample

    photo

    tectionransomware#happy#en"in=#4#nown#"ecryption#cases

    r#tools

    https://twitter.com/nyxbone/status/715675420159508480/photo/1http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/http://www.thewindowsclub.com/list-ransomware-decryptor-toolshttp://www.thewindowsclub.com/list-ransomware-decryptor-toolshttp://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/https://twitter.com/nyxbone/status/715675420159508480/photo/1
