
chg: [ransomware] updated to the latest version
adulau committed Mar 4, 2025
1 parent e05bb5c commit bfb4174
Showing 1 changed file with 190 additions and 17 deletions.
207 changes: 190 additions & 17 deletions clusters/ransomware.json
Expand Up @@ -9397,6 +9397,10 @@
"description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe",
"meta": {
"encryption": "Modified Salsa20",
"links": [
"http://petya37h5tbhyvki.onion",
"http://petya5koahtsf7sv.onion"
],
"payment-method": "Bitcoin - Website (onion)",
"ransomnotes-filenames": [
"YOUR_FILES_ARE_ENCRYPTED.TXT"
Expand All @@ -9405,7 +9409,8 @@
"http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator",
"https://www.youtube.com/watch?v=mSqxFjZq_z4",
"https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/",
"https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/"
"https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/",
"https://www.ransomlook.io/group/petya"
],
"synonyms": [
"Goldeneye"
Expand Down Expand Up @@ -11001,6 +11006,9 @@
".xort",
".trun"
],
"links": [
"http://restoredz4xpmuqr.onion"
],
"payment-method": "Bitcoin",
"price": "0.438",
"ransomnotes-filenames": [
Expand All @@ -11010,7 +11018,8 @@
"<random>.hta | VAULT.hta"
],
"refs": [
"http://www.nyxbone.com/malware/russianRansom.html"
"http://www.nyxbone.com/malware/russianRansom.html",
"https://www.ransomlook.io/group/vaultcrypt"
],
"synonyms": [
"CrypVault",
Expand Down Expand Up @@ -14744,7 +14753,8 @@
"http://npkoxkuygikbkpuf5yxte66um727wmdo2jtpg2djhb2e224i4r25v7ad.onion",
"http://6v4q5w7di74grj2vtmikzgx2tnq5eagyg2cubpcnqrvvee2ijpmprzqd.onion/remote0/",
"http://l4rdimrqyonulqjttebry4t6wuzgjv5m62rnpjho3q22a6maf6d5evyd.onion/",
"http://frgp3f3u2ddafv4ny7tqn6tc674m6fyymyywoaxot7xskbjmiyhhsyqd.onion/"
"http://frgp3f3u2ddafv4ny7tqn6tc674m6fyymyywoaxot7xskbjmiyhhsyqd.onion/",
"http://htmxyptur5wfjrd7uvg23snupub2pbtlfelk45n37b3augl2w4eearid.onion/remote0/"
],
"ransomnotes-filenames": [
"ClopReadMe.txt",
Expand Down Expand Up @@ -25422,6 +25432,12 @@
},
{
"description": "ransomware",
"meta": {
"links": [],
"refs": [
"https://www.ransomlook.io/group/zeppelin"
]
},
"uuid": "bc62429c-1bf7-42c0-997d-d8c2f80355de",
"value": "Zeppelin"
},
Expand Down Expand Up @@ -27681,7 +27697,9 @@
"http://databasebb3.top/",
"http://l6zxfn3u2s4bl4vt3nvpve6uibqn3he3tgwdpkeeplhwlfwy3ifbt5id.onion/",
"http://onlylegalstuff6.top/",
"https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/"
"https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/",
"http://bpeln2aqs66qqfuex2cvcyjiy5ggcwbyh5nbmxzxt6daamkmpmufv4qd.onion/",
"http://ond5arqab77n6tykvi4aqp7oqegqdfgqfyf7fzyhfyhmbp7iafpzdtad.onion/"
],
"ransomnotes": [
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
Expand Down Expand Up @@ -29609,7 +29627,8 @@
"http://myosbja7hixkkjqihsjh6yvmqplz62gr3r4isctjjtu2vm5jg6hsv2ad.onion/chat",
"http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion",
"http://monti5o7lvyrpyk26lqofnfvajtyqruwatlfaazgm3zskt3xiktudwid.onion",
"http://il6jcce6f5htppc3smu4olpt5pz3akdg5h7k7tb4n45jixxu2o2oxlid.onion/"
"http://il6jcce6f5htppc3smu4olpt5pz3akdg5h7k7tb4n45jixxu2o2oxlid.onion/",
"http://cls2wzky5vxgu54fg4fqdj4q4olyvmwt6rinmtgqsq5d3vubv7bdzgqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/monti"
Expand Down Expand Up @@ -29863,7 +29882,9 @@
"ftp://dataShare:[email protected]",
"https://31.41.244.100/",
"http://ijzn3sicrcy7quixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvad.onion",
"http://kbsqoiyihadmwczmxkbovk7ss2dcynitwhhfu5yw725dbogo5kthfaad.onion"
"http://kbsqoiyihadmwczmxkbovk7ss2dcynitwhhfu5yw725dbogo5kthfaad.onion",
"http://ftp://dataShare:[email protected]",
"http://ftp://dataShare:[email protected]"
],
"refs": [
"https://www.ransomlook.io/group/qilin"
Expand Down Expand Up @@ -30040,7 +30061,8 @@
"http://zv7u2tclxajbgae6ba4jkisnkfkts3lk7lxlypmuqktrk42qmo2c7hqd.onion/",
"http://secxrosqawaefsio3biv2dmi2c5yunf3t7ilwf54czq3v4bi7w6mbfad.onion/",
"http://cqwdv5rxut5l3blbeg74ddfo6ya65xsxqan7vawffdng6ynd2kulfkqd.onion/",
"http://nlqnxzqixcwazwyib4bft2m6ikjrtihh4qgdtnmpmbi3meio5jj2xsad.onion/"
"http://nlqnxzqixcwazwyib4bft2m6ikjrtihh4qgdtnmpmbi3meio5jj2xsad.onion/",
"http://naurcsrhvsnxotv5awcsmddlcwgv447fvolmkyo6gfgszvtofijd6oid.onion/"
],
"refs": [
"https://www.ransomlook.io/group/ransomhouse"
Expand Down Expand Up @@ -31191,7 +31213,8 @@
"http://d2wqt4kek62s35hjeankc75nis4zn4e5i6zdtmfkyeevr7fygpf2iiid.onion",
"http://sclj2rax5ljisew3v4msecylzo7iieqw25kcl7io4szei4qcujxixaid.onion",
"http://xyy2fymbdytltylyuicasuvw7vw3gtgm3cvvjskh4jnzfg3gp7dqgnqd.onion",
"http://heac3upmfv33scnkeek64dqdx2cblv7z256aezluyvgtwsxi2o3coiid.onion/"
"http://heac3upmfv33scnkeek64dqdx2cblv7z256aezluyvgtwsxi2o3coiid.onion/",
"http://uss2a5zyeth7sop57zhgqcyafmnbkmoknps3i7anusze77zppp4bf5yd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/cloak"
Expand Down Expand Up @@ -32072,6 +32095,7 @@
"value": "c3rb3r"
},
{
"description": "",
"meta": {
"links": [
"http://6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion",
Expand Down Expand Up @@ -32170,7 +32194,8 @@
"http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion",
"http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion",
"http://medusakxxtp3uo7vusntvubnytaph4d3amxivbgg13hnhpk2nmus34yd.onion/227098164ef1fdb119ef537986bbdf24",
"http://hm2hlugduzuxiya5bgrsewfxmrzxbmslvg3t42zdzsorcn2nyfbrh6qd.onion/"
"http://hm2hlugduzuxiya5bgrsewfxmrzxbmslvg3t42zdzsorcn2nyfbrh6qd.onion/",
"http://7aqabivkwmpvjkyefonf3gpy5gsubopqni7kcirsrq3pflckxq5zz4id.onion/"
],
"ransomnotes-filenames": [
"!!!READ_ME_MEDUSA!!!.txt"
Expand Down Expand Up @@ -32757,7 +32782,28 @@
"http://brclvwefzszko5xrlan7pebyliqdkv5cw75xksrxp772urjytkko5fyd.onion",
"http://rmr2kgq6vzifnyoaz7jaxdx5t6gsxurbakah5bafatsqldtt2mwneyid.onion",
"http://xdg53hbpwshgtbfbm6m7nv3ckkduo3dfdwdearcsvybfb3qaf4v7suyd.onion",
"http://toq7bk6abkr6lapwj3k22ffu4ud5jpox7jbfgzetpz7lxb427katstid.onion"
"http://toq7bk6abkr6lapwj3k22ffu4ud5jpox7jbfgzetpz7lxb427katstid.onion",
"http://tjnt7x2xodhthwrfnabhloogoo66jrgohgzpta22uwbqznsvrm5tu4id.onion/",
"http://fvixrjsdk2adazfnz4mrdvr4eznm346fk33y7nos65bdrtmfvw7f5vid.onion/",
"http://vhxbjx4iaeqgna22kqt5ajlqi72vbm6qcjev3efgr5oiklgptvjvjhqd.onion/",
"http://yszafmehxkoa7hrcay7cnyogfrmjqc4grds6innadspii5oz6fneyzyd.onion/",
"http://i4xita2momkw2jitqohbqgomjxqp53pyvgv5gbogvendbx3ucnynekyd.onion/",
"http://3ysbtsnhldlijvfdv7hwkr2gl3op2d56puspeo4whs6p272sde6fq5id.onion/",
"http://bd3atkmicmcif6mliquqdxltjq6mxvagw44gealayp34awtcx3ywlxid.onion/",
"http://biurt7anlhkncf2t3dvvtlszpnnyg3oiksyapcikxostz6zfrh4csvid.onion/",
"http://bzfp6qfir7bfqjxnpgofwvfzoyca7kmcsfliot5zzfsas6oofwo7zoad.onion/",
"http://fmcrlb2t524cpiiqiudbvdjmgvaczix2o5y5uc3zvi57niiyl467qgyd.onion/",
"http://gsqxzyynjegp73imth5p3ug4etgbehd3pb72e4zmiro4st3s2nlkmgyd.onion/",
"http://hjs27fuzq4j4gzshhbakt274eewxv2qdwmeugjx5eepwoaecczdkiiyd.onion/",
"http://i2agsvbyoy3viwel7ucjqtzcq3ocsj3jqqew5wlwpxty6uxd455qkoqd.onion/",
"http://kfvsqtlnfa5iiweywpubtqk4c2omc2vu4hvy26mhanaahtvpifzuxlid.onion/",
"http://l5hzzorh57w4wp5va4ouye77x5f2apqd6rvvh3tb2a7vcenn6c5a2fad.onion/",
"http://ljxmkfr6kl3ovwgkxycdrvvdf6tk7qdhgowcjkpsiocg7j5uuhmszyyd.onion/",
"http://red46f427ed4ogc76gscsqrytpdh4gy5reh2g6dzjpbm24k3ns2t27qd.onion/",
"http://xznhtihjpaz3rwcgwqrv3jipbbivlg5ttsdqoet55xe5a3nbxi47jwqd.onion/",
"http://y2hkrrb7aba2pgyvpfzqj3vlhbw7e2wj2t2wvtlmkr54yqz7p5ghnfid.onion/",
"http://yvst24dvz66unqqes6se3p3flxyzbtohaz6faknu5ne3zzeq2jumpiid.onion",
"http://sres5y2sze7lqkk5s4ahns5lhvc7nr5hqy5lchbxcvhaty2hnivdacqd.onion"
],
"refs": [
"https://www.ransomlook.io/group/ransomhub"
Expand Down Expand Up @@ -33728,7 +33774,9 @@
"http://4q5tsu5o3msmv4am4dfhupwhzlyg7wv3lpswbvbhcrknr4ega7xetxad.onion/",
"http://z2b75lk7xf6kme3zfvlmdmpwiaansnkcuhsojd23dgub5md24fhogcyd.onion/",
"http://7lxwbzlkpjyuahuvngwwkc4mycj2a4flh45ksqjo2ezfdbkmxmlxikad.onion/",
"http://7watkqnnuwxvlpgy5gaosgqy67nve3jgpy37xobqngmswz3vuvde56yd.onion/"
"http://7watkqnnuwxvlpgy5gaosgqy67nve3jgpy37xobqngmswz3vuvde56yd.onion/",
"http://5dw7bszmidrhpoltqbqmpixpz6mvgez3mr6xc7ktval2glrmbxkwopad.onion/",
"http://a3kvb22nuhfgaluy6uzufrjn3azzsu7tylszdbyne3kiextdmxz4nnyd.onion"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
Expand Down Expand Up @@ -33903,7 +33951,10 @@
"http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion/",
"http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion/",
"http://cuuhrxbg52c5agytmtjpwfu7mrs4xtaitc4mukkiy2kqdxeqbcmuhaid.onion/",
"http://p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion"
"http://p6wmotxzvg34tdmpwm4beqgrcyp5iys43snkccsahnw74la3k3xx6pad.onion",
"http://brain4zoadgr6clxecixffvxjsw43cflyprnpfeak72nfh664kqqriyd.onion/",
"http://4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion/c/lgc2Yxua65agt4XMOMkQKJjsdrV2IzYk",
"http://4ldgw2wuidqu5ef3rzx4byonf3y7rdnh43jiw2z4sbtjiwic6gkov7yd.onion/"
],
"ransomnotes-filenames": [
"added_extension.README.txt",
Expand Down Expand Up @@ -34318,6 +34369,7 @@
"value": "orca"
},
{
"description": "",
"meta": {
"links": [
"http://hackerosyolorz77y7vwj57zobwdeuzydhctz3kuuzr52ylzayvxuqyd.onion"
Expand Down Expand Up @@ -34363,7 +34415,8 @@
"http://bf7dw4n6zne6rbgjlpcsidphpk753nkyubipkym5t4pntgfyb6clw2qd.onion/login",
"http://nxarphaf35qp2uuosaq54m3a2s5kt4svpcv56mvz6r7xy6na7uo5ypyd.onion/",
"http://bxi2cepk57dy3uhgwqd6dri6jtuqe7btay225rn6xkvvgnp2cvjvowqd.onion/",
"http://2idvzxbwvzbxhuniw7kfaimcvtqazmn7nmuw7codg65cshwwsvnpz7id.onion/"
"http://2idvzxbwvzbxhuniw7kfaimcvtqazmn7nmuw7codg65cshwwsvnpz7id.onion/",
"http://xqsdbtrtmufdyiqnkrkvosec4gqappf2egcptzqppjtqdevsoadakyqd.onion"
],
"refs": [
"https://www.ransomlook.io/group/nitrogen"
Expand Down Expand Up @@ -34473,7 +34526,9 @@
"http://zmdmlidqqrxbkyqkqttbsbticjbofjs5uzwecqvdxfadvsjw7mp5kjyd.onion",
"http://tyrvuuh5tvrvk4x6lfxrvgabqmzpnxehelmdqztu3vekujcknvl2ufad.onion/",
"http://k5pmfzuqwxr2uhnskktjicbnzr633zejupe54yginljj3mgoysfwe4id.onion/",
"http://65bhkrfbqnfjgcsr7456luzjauw5nikuwxradlysivy5wbttjikdhxid.onion/"
"http://65bhkrfbqnfjgcsr7456luzjauw5nikuwxradlysivy5wbttjikdhxid.onion/",
"http://k6oor2g5bfvdxhxr2g6fczu3iqldbzyavydk56lh6z7ex7n7wqg4eryd.onion/",
"http://tpwgxrocjvlonhrfjm4jx3dore2u4brxfj4ikt7iba36c23svthhf7ad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/interlock"
Expand Down Expand Up @@ -34502,7 +34557,8 @@
"http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion",
"http://r7i4vprxr2vznmhnnxj36264ofwx6extopdz535f5v357nqacifymbad.onion/",
"http://hellcat.rw",
"http://hcatxn4ppkgmakaatrq6bsbhqk5ouhviygyx57gljjt5iseul5nvpayd.onion"
"http://hcatxn4ppkgmakaatrq6bsbhqk5ouhviygyx57gljjt5iseul5nvpayd.onion",
"http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion/api2.php?action=victims"
],
"refs": [
"https://www.ransomlook.io/group/hellcat"
Expand Down Expand Up @@ -35691,7 +35747,10 @@
"description": "Kraken leak blog (hellokitty)",
"meta": {
"links": [
"http://krakenccj3wr23452a4ibkbkuph4d6soyx2xgjoogtuamc3m7u7wemad.onion/"
"http://krakenccj3wr23452a4ibkbkuph4d6soyx2xgjoogtuamc3m7u7wemad.onion/",
"http://zq3k4odlfpbzc5y4sxqgolivelxepceaakru3xqo4ll2czmvvtek2ryd.onion/",
"http://t3uouzfvsaqurb2rzoe2mkpetp54d7lgtl45ply34v5lugsnzysmkhid.onion/",
"http://xbupelqsy7lubogl6kdtdqguxoleehbxnuuqm2dos6bbmdwablpqckad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/kraken"
Expand Down Expand Up @@ -36482,6 +36541,7 @@
"value": "late.lol"
},
{
"description": "",
"meta": {
"links": [
"http://fdevb3qh24ak7wujqsf7co4z6fstm5qxvnkkgs62fayztjfjjtqqgsad.onion/"
Expand All @@ -36505,7 +36565,120 @@
},
"uuid": "a88c7ffe-a9e1-5961-bbfa-22725789fd86",
"value": "tooda"
},
{
"description": "",
"meta": {
"links": [
"http://fonektibq4fbgergrorw43yawhz3qslkonrwc74j2h2kftcidmf6g6id.onion/"
],
"refs": [
"https://www.ransomlook.io/group/robbing hood"
]
},
"uuid": "0c442cbf-7466-5847-b1fa-58f9acc24aa2",
"value": "robbing hood"
},
{
"description": "",
"meta": {
"links": [
"http://afiocd14efgh5hu8ijkl9012m.onion"
],
"refs": [
"https://www.ransomlook.io/group/darkhav0c"
]
},
"uuid": "8141f0e6-4914-54a6-a01e-b4ee77836954",
"value": "darkhav0c"
},
{
"description": "",
"meta": {
"links": [
"http://rnsmwareartse3m4hjsumjf222pnka6gad26cqxqmbjvevhbnym5p6ad.onion/",
"http://nidzkoszg57upoq7wcalm2xxeh4i6uumh36axsnqnj3i7lep5uhkehyd.onion/",
"http://oow7rehrxlzpy6vh3hezl2khstkpa6s7wx3iit74tr6xbjibupld5iad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/run some wares"
]
},
"uuid": "f4f89742-15c5-5b77-8669-06c2a1eaacd5",
"value": "run some wares"
},
{
"description": "",
"meta": {
"links": [
"http://iywqjjaf2zioehzzauys3sktbcdmuzm2fsjkqsblnm7dt6axjfpoxwid.onion/",
"http://xs4psqhvekjle3qwyiav7dzccuo4ylw2eylvd3peuqrld74kzzjzhcyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/linkc"
]
},
"uuid": "39d97d49-fe9d-5af3-95f4-b9f3fdf8e60a",
"value": "linkc"
},
{
"meta": {
"links": [],
"refs": [
"https://www.ransomlook.io/group/encrypthub"
]
},
"uuid": "5d268413-4eee-5d8c-b8b3-63eee4ce4531",
"value": "encrypthub"
},
{
"description": "aka Cring / Ghost (Cring)\r<br/>\r<br/>Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.\r<br/>\r<br/>Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.\r<br/>\r<br/>https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a",
"meta": {
"links": [],
"refs": [
"https://www.ransomlook.io/group/ghost"
]
},
"uuid": "ef9769e4-067c-5e45-b80f-36f6d5a52a82",
"value": "ghost"
},
{
"description": "",
"meta": {
"links": [
"http://oxthiefsvzp3qifmkrpwcllwscyu7jvmdxmd2coz2rxpem6ohut6x5qd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/ox thief"
]
},
"uuid": "2a4b653c-f94a-5d41-b33e-b7380d07db66",
"value": "ox thief"
},
{
"description": "Mimic v.10 Ransomware-as-a-Service (RaaS). The malware is designed to target various operating systems (Windows, ESXi, NAS, FreeBSD) and features network-wide deployment, file obfuscation, backup destruction, UAC bypass, and multithreaded encryption. The service offers additional tools like NTLM password decryption and call-based extortion. They prohibit attacks on CIS countries and require active participation, with decryption tools available for a fee currently 800USD.",
"meta": {
"links": [],
"refs": [
"https://www.ransomlook.io/group/mimic-guram"
]
},
"uuid": "65cba1a3-f165-5ff6-96c0-fe15981b92eb",
"value": "mimic-guram"
},
{
"description": "",
"meta": {
"links": [
"http://om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/anubis"
]
},
"uuid": "99b9665b-4d05-513e-a01d-7790da1f52ee",
"value": "anubis"
}
],
"version": 145
"version": 146
}
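Review bot: The two new Qilin links reading `"http://ftp://dataShare:[email protected]"` are malformed (an `http://` scheme prefixed onto an already-complete `ftp://` URL) and only duplicate the `ftp://dataShare:...` entry already present in the same `links` array, so any consumer that parses `links` as URLs or feeds them to a fetcher or blocklist will reject them or double-count the host; they should be dropped rather than carried into the galaxy. The new darkhav0c link `http://afiocd14efgh5hu8ijkl9012m.onion` is not a syntactically valid onion address, since v3 addresses are 56 base32 characters (a-z, 2-7) and v2 were 16, while this one is 25 characters and contains 0, 1, 8 and 9, so it looks like a placeholder scraped from the upstream source and should be removed or marked unverified. The new ransomlook refs for `robbing hood`, `run some wares` and `ox thief` contain literal spaces and are not valid URLs; percent-encode them, e.g. `https://www.ransomlook.io/group/robbing%20hood`. Several new entries also add `"description": ""` and `"links": []`, whereas the rest of the file omits those keys when there is nothing to record; omitting them keeps the cluster shape consistent and avoids an empty-string sentinel that downstream tools may display as a real description.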

