Ransomware Overview

The document lists 21 measures against ransomware, grouped into the categories resilience, protection, resistance and detection. Each measure is rated for complexity of implementation (low to high), effectiveness (low to high, relative to the other measures) and business impact on processes, administration or user experience (low, medium or high).
Measures

Fields per entry: No. | Measure | Category | Type | Complexity* | Effectiveness* | Impact*

1 | Backup and Restore | Resilience | Recovery Process | Medium | High | Low
   Make sure to have adequate backup processes in place and frequently test a restore of these backups.
   Links: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7

2 | Windows Defender Ransomware Protection | Protection | GPO | Low | High | Low
   Windows Defender includes a security feature called "Ransomware Protection" that allows you to enable the various protections it offers, most notably Controlled Folder Access (see links).
   Links: https://www.windowscentral.com/how-enable-controlled-folder-access-windows-10-fall-cre (link truncated in source)
          https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders
          https://docs.microsoft.com/en-us/window (link truncated in source)

3 | Block Macros | Resistance | GPO | Low | High | Medium
   Disable macros in Office files downloaded from the Internet. This can be configured to work in two different ways.
   Possible issues: Critical business processes that depend on macros (they exist, it's ...
   Links: https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dl
          https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

4 | Block Windows Binary Access to Internet | Resistance | GPO | Medium | High | Low
   Use Windows Firewall policies to block the access of certain binaries to the so-called "Remote Scope" (the Internet). These binaries include ...
   Possible issues: PowerShell and other scripted tools that pull updates from the ...
   Links: https://medium.com/@dimitrismargaritis/prevent-legitimate-windows-executables-to-be-used-to-gain-initial-foothold-in-your-infrastructure-39771cd6ec90

5 | Filter Attachments Level 1 | Resistance | Mail Gateway | Low | Medium | Low
   Filter the following attachments on your mail gateway: .386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .a... (list truncated in source)
   Possible issues: Unknown if one of the extensions is used by business applications.

6 | Filter Attachments Level 2 | Resistance | Mail Gateway | Medium | High | High
   (Filter expression of Level 1 and ...
   Possible issues: Communication with old versions of Microsoft Office files.

7 | Use Web Proxies | Resistance | Best Practice | Low | High | Medium
   Most malware isn't proxy-aware and tries to connect directly to its C2 or to the web host that holds the next stage. When using a web proxy, block executable downloads.
   Possible issues: It's a change in your architecture that could lead to all kinds of ...

8 | Block Executable Downloads | Resistance | Best Practice | Low | High | Medium
   Alternatively, just block executable downloads.
   Possible issues: This could be an issue if you don't have a sound software ...

9 | Enforce UAC Prompt | Resistance | GPO | Low | Medium | Low
   Require administrative users to confirm every action that requires elevated rights.
   Possible issues: Administrators' resentment.
   Links: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

10 | Remove Admin Privileges | Resistance | Best Practice | Medium | Medium | Medium
   Remove and restrict administrative rights whenever possible. Malware can only modify files that the user has access to.
   Possible issues: Higher administrative costs.

11 | Restrict Workstation Communication | Resistance | Best Practice | Medium | Low | Low
   Activate the Windows Firewall to restrict workstation-to-workstation communication. This reduces the impact of ...
   Links: https://medium.com/@cryps1s/endpoint-isolation-with-the-windows-firewall-462a795f4cfb

12 | Sandboxing Email Input | Protection | Advanced Malware | Medium | High | -
   Use a sandbox that opens email attachments and removes attachments based on behaviour analysis.

13 | Execution Prevention | Resistance | 3rd Party Tools | Medium | Medium | -
   Software that allows control over the execution of processes; sometimes integrated in antivirus software.

14 | Change Default "Open With" to Notepad | Resistance | GPO | Low | Medium | Medium
   Force extensions primarily used for infections to open in Notepad rather than in Windows Script Host or Internet Explorer.
   Possible issues: Some extensions will have legitimate uses, e.g., .vbs for ...
   Links: https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

15 | Restrict Program Execution | Resistance | GPO | Medium | Medium | Medium
   Block program executions (AppLocker).
   Possible issues: Configure & test extensively; white-list or black-list approach?
   Links: https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx
          http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

16 | Sysmon | Detection | 3rd Party Tools | Medium | Low | Low
   Detect ransomware at an early stage with the new Sysmon 5 file/registry monitoring.
   Links: https://twitter.com/JohnLaTwC/status/799792296883388416

17 | VSSAdmin Rename | Resistance | Best Practice | Medium | Medium | Medium
   Rename vssadmin to prevent ransomware from deleting the volume shadow copies.
   Possible issues: 1. Unknown what happens after Microsoft patches that involve ...
   Links: https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

18 | Disable WSH | Resistance | GPO | Low | Medium | Medium
   Disable Windows Script Host.
   Possible issues: Could affect administrative VBS scripts on workstations.
   Links: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

19 | Folder Redirection | Resilience | Best Practice | Medium | Low | Medium
   Redirect e.g. the "Documents" folder to a shared folder on a file server to facilitate backups.

20 | Remove Backup Server from Domain | Resilience | Best Practice | Medium | High | Medium
   A ransomware that propagates with domain user rights may infect and encrypt the remote backup server as well. Prevent this by ...
   Possible issues: Makes administration more difficult, as admins cannot use ...
   Links: https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-targe (link truncated in source)

21 | MFA | Resistance | Best Practice | Low | Medium | Low
   Only provide access via Multi-Factor Authentication (MFA) to avoid brute force and password ...
   Possible issues: Every second factor works; it doesn't have to be an expensive ...
   Links: https://www.nytimes.com/wirecutter/reviews/best-two-factor-authe (link truncated in source)
          https://www.privacyidea.org/
          https://github.com/multiOTP/multiOTPCredentialProvider/blob/master/README.md
          https://guacamole.apache.org/doc/gug/totp-auth.html#guac-totp-config

Footnotes
* Complexity: The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly).
* Effectiveness: Do not overrate a 'high' in this column, as it is a relative effectiveness in comparison to the other measures.
* Impact: The effects on business processes, administration or user experience.
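Measures 2, 14 and 18 are GPO settings; the PowerShell below is an added example (not part of the original sheet) that applies the local equivalents directly on one machine, so the effect can be verified before a GPO rollout. The protected folder D:\Projects, the allowed application path and the extensions beyond .vbs are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: local equivalents of measures 2, 14 and 18 (use GPO in production).

# --- Measure 2: Windows Defender "Ransomware Protection" (Controlled Folder Access)
Set-MpPreference -EnableControlledFolderAccess Enabled
# Protect a folder beyond the default user libraries (assumption: D:\Projects exists)
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'
# Applications that must still be allowed to write into protected folders (assumed path)
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Acme\acme.exe'

# --- Measure 14: open script file types in Notepad instead of Windows Script Host / mshta
# The sheet names only .vbs; the other extensions are an assumption.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
foreach ($ext in $scriptExtensions) {
    # Resolve the ProgID (e.g. .vbs -> VBSFile) from the merged HKCR view
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }
    # Write the machine-wide definition under HKLM so it applies to every user
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    New-Item -Path $cmdKey -Force | Out-Null
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$notepad`" `"%1`""
}

# --- Measure 18: disable Windows Script Host machine-wide
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshKey -Force | Out-Null
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# --- Check the result
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
Get-ItemProperty -Path $wshKey -Name 'Enabled' | Select-Object Enabled
foreach ($ext in $scriptExtensions) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        "$ext -> " + (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command").'(default)'
    }
}
```

Controlled Folder Access has an AuditMode value as well; running in audit mode for a few weeks first surfaces the legitimate applications that need an allow entry, which is the "possible issue" behind the medium impact rating of similar measures.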
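Measures 4 and 11 both rely on the Windows Firewall. The following PowerShell is an added example, not code from the sheet: it blocks a set of Windows binaries from the firewall's predefined "Internet" remote scope (the sheet's own list of binaries is truncated, so this selection is an assumption) and blocks inbound workstation-to-workstation traffic. The address ranges 10.20.0.0/16 (workstations) and 10.10.0.0/24 (management hosts) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: Windows Firewall rules for measures 4 and 11. The GPO equivalent is
# "Windows Defender Firewall with Advanced Security" under Computer Configuration.

# --- Measure 4: keep Windows binaries commonly abused as downloaders off the Internet.
# Assumption: this list; the sheet's own list is cut off in the source.
$binaries = 'powershell.exe', 'cscript.exe', 'wscript.exe', 'mshta.exe',
            'regsvr32.exe', 'rundll32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe'
$systemDirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"

foreach ($dir in $systemDirs) {
    foreach ($bin in $binaries) {
        $path = Join-Path $dir $bin
        if (-not (Test-Path $path)) { continue }
        # "Internet" is the firewall's predefined remote scope: every address that is not
        # on a local subnet. Intranet hosts (WSUS, file servers) stay reachable.
        New-NetFirewallRule -DisplayName "RW-NoInternet-$bin-$(Split-Path -Leaf $dir)" `
            -Direction Outbound -Program $path -RemoteAddress Internet `
            -Action Block -Profile Domain, Private -Group 'Ransomware measures' | Out-Null
    }
}

# --- Measure 11: no workstation-to-workstation traffic.
# Assumption: workstations live in 10.20.0.0/16, management hosts in 10.10.0.0/24.
# Block rules win over allow rules, so management hosts are kept out of the blocked
# scope rather than "allowed" by a second rule.
New-NetFirewallRule -DisplayName 'RW-BlockWorkstationInbound' -Direction Inbound `
    -RemoteAddress '10.20.0.0/16' -Action Block -Profile Domain `
    -Group 'Ransomware measures' | Out-Null

# --- Check: list the rules, then try the download path a dropper would use.
Get-NetFirewallRule -Group 'Ransomware measures' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
# Expected to fail once the outbound rule is active (assumption: host has Internet access)
certutil.exe -urlcache -split -f 'https://www.microsoft.com/' "$env:TEMP\probe.html"
```

The "possible issue" listed for measure 4 shows up exactly here: any PowerShell-based update script that fetches from the Internet will now fail, so inventory those first and route them through an internal mirror or exclude their host.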
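Measure 16 (Sysmon) and measure 17 (renaming vssadmin) address the same behaviour: ransomware deleting volume shadow copies before encrypting. The PowerShell below is an added example, not part of the original sheet. It reads Sysmon process-creation (event 1) and file-creation (event 11) records and flags shadow-copy tampering and the dropping of ransom notes. The ransom-note filename patterns are taken from the sheet's own list; the set of tampering commands is an assumption (vssadmin delete shadows is the one the sheet names, the others are commonly reported alongside it). The sample command lines at the end are constructed so the matching can be exercised without a Sysmon installation.

```powershell
# Added example: detection logic for measures 16 and 17 on Sysmon events 1 and 11.

# Assumption: common shadow-copy / recovery tampering command lines (case-insensitive regex)
$shadowTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no'
)
# Ransom-note names as listed in this sheet
$ransomNotePatterns = @(
    '^HELP_DECRYPT\.(TXT|HTML|PNG)$',
    '^DECRYPT_INSTRUCTION\.HTML$',
    '^_Locky_recover_instructions\.(txt|bmp)$',
    '^#\s*DECRYPT MY FILES\s*#\.(txt|html)$',
    '^!Recovery_[A-Za-z0-9]+\.(html|txt)$'
)

function Test-ShadowCopyTampering {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $shadowTamperPatterns) { if ($CommandLine -imatch $p) { return $true } }
    return $false
}

function Test-RansomNoteName {
    param([Parameter(Mandatory)][string]$Path)
    $name = Split-Path -Leaf $Path
    foreach ($p in $ransomNotePatterns) { if ($name -imatch $p) { return $true } }
    return $false
}

function Get-SysmonAlerts {
    # Pulls recent Sysmon events and returns one object per suspicious event.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">value</Data>; flatten them to a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        switch ($e.Id) {
            1  { if (Test-ShadowCopyTampering $d.CommandLine) {
                     [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'ShadowCopyTampering'; Detail = $d.CommandLine; Parent = $d.ParentImage } } }
            11 { if (Test-RansomNoteName $d.TargetFilename) {
                     [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'RansomNoteDropped'; Detail = $d.TargetFilename; Parent = $d.Image } } }
        }
    }
}

# Constructed samples (not real telemetry) so the matching can be exercised offline
$samples = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete',
    'bcdedit /set {default} recoveryenabled No',
    'vssadmin.exe list shadows'        # benign: listing, not deleting
)
$samples | ForEach-Object { [pscustomobject]@{ CommandLine = $_; Suspicious = Test-ShadowCopyTampering $_ } }
Test-RansomNoteName 'C:\Users\alice\Documents\HELP_DECRYPT.TXT'
Test-RansomNoteName 'C:\Users\alice\Documents\budget.xlsx'

# On a host with Sysmon installed:
Get-SysmonAlerts | Format-Table -AutoSize
```

After vssadmin has been renamed (measure 17), the same process-creation events still record the failed attempt, so the detection and the resistance measure complement each other rather than overlap. Note that the Sysmon 5 file/registry monitoring the sheet refers to only helps if the configuration actually logs event 11 for user document folders; many default configurations restrict it to executable locations.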
Ransomware extension list

NOTE: THIS LIST DOESN'T GET UPDATED ANYMORE. We initiated this list back in 2016, when adding a new ransomware occasionally was manageable as a side project. However, times have shifted, and ransomware has grown into a relentless pandemic.

Columns: Name | Extensions | Extension Pattern
.CryptoHasYou. .enc
777 .777 ._[timestamp]_$[email]$.777
7ev3n .R4A e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777
7h9r .R5A
.7h9r
8lock8 .8lock8
AiraCrop ._AiraCropEncrypted
Al-Namrood .unavailable
Alcatraz Locker .disappeared
.Alcatraz
ALFA Ransomware .bin
Alma Ransomware random random(x5)
Alpha Ransomware .encrypt
Alphabet
AMBA .amba
Angela Merkel .angelamerkel
AngleWare .AngleWare
Angry Duck .adk
Anony
Anubis .coded
Apocalypse .encrypted [filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7
ApocalypseVM .SecureCrypted
.encrypted *filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13
ASN1 .locked
AutoLocky .locky
Aw3s0m3Sc0t7 .enc
BadBlock
BadEncript .bript
BaksoCrypt .adr
Bandarchor .id-1235240425_help@
.id-[ID]_[EMAIL_ADDRES
BarRax .BarRax
Bart .bart.zip
BitCryptor .bart
.clf
BitStak .bitstak
BlackShades Crypter .Silent
Blocatto .blocatto
Booyah
Brazilian .lock
Brazilian Globe .id-%ID%_garryweber@prot
BrLock
Browlock
BTCWare .btcware
Bucbi
BuyUnlockCode (.*).encoded.([A-Z0-9]{9})
Central Security Treatment O.cry
Cerber .cerber
CerberTear .cerber2
Chimera .crypt
CHIP 4.CHIP
random characters, e.g., .PzZs, .MKJL
Click Me Game .DALE
Clock
CloudSword
Cockblocker .hannah
CoinVault .clf
Coverton .coverton
Crptxxx .enigma
.crptxxx
Cryaki .{CRYPTENDBLACKDC}
Crybola
CryFile .criptiko
CryLocker .criptoko
.cry
CrypMIC
Crypren .ENCRYPTED
Crypt38 .crypt38
CryptConsole random decipher_ne@outlook.com_[encrypted_filename]
Cryptear unCrypte@outlook.com_[encrypted_filename]
Crypter
CryptFIle2 .scl id[_ID]email_xerx@usa.com.scl
CryptInfinite .crinf
CryptoBit
CryptoBlock
CryptoDefense
CryptoDevil .devil
CryptoFinancial
CryptoFortress .frtrss
CryptoGraphic Locker .clf
CryptoHost
CryptoJacky
CryptoJoker .crjoker
CryptoLocker .encrypted
CryptoLocker 1.0.0 .ENC
CryptoLocker 5.1
CryptoLuck / YafunnLocker .[victim_id]_luck [A-F0-9]{8}_luck
CryptoMix .code .id_(ID_MACHINE)_email_xoomx@dr.com_.code
CryptON .scl
_crypt .id_*_email_zeta@dr.com
name_crypt..extension
CryptoRansomeware .id-_locked
Cryptorium .ENC
CryptoRoger .crptrgr
CryptoShadow .doomed
CryptoShield .CRYPTOSHIELD grfg.wct.CRYPTOSHIELD
CryptoShocker .locked
CryptoTorLocker2015 .CryptoTorLocker2015!
CryptoTrooper
CryptoWall 1 no filename change
CryptoWall 2 no filename change
CryptoWall 3 no filename change
CryptoWall 4 <random>.<random>, e.g., 27p9k967z.x1nep
CryptoWire
CryptXXX .crypt
CryptXXX 2.0 .crypt
CryptXXX 3.0 .crypt
CryptXXX 3.1 .cryp1
.cryp1
CryPy .cry
Crysis .bip .id-[id].[email].bip
CTB-Faker
CTB-Locker .ctbl .([a-z]{6,7})
CTB-Locker WEB
CuteRansomware .已加密
Cyber SpLiTTer Vbs
Damage .damage
Dharma .dharma .<email>.(dharma|wallet|zzzzz)
Deadly for a Good Purpose .wallet .id-%ID%.[moneymaker2@india.com].wallet
Death Bitches .locked
DeCrypt Protect .html
DEDCryptor .ded
Demo .encrypted
Depsex .Locked-by-Mafia
DeriaLock .deria
DetoxCrypto
Digisom
DirtyDecrypt
DMALocker
DMALocker 3.0
DNRansomware .fucked
Domino .domino
Donald Trump .ENCRYPTED
DoNotChange .id-7ES642406.cry
DummyLocker .Do_not_change_the_filename
.dCrypt
DXXD .dxxd
DynA-Crypt .crypt
EDA2 / HiddenTear .locked
EdgeLocker .edgel
EduCrypt .isis
EiTest .locked
.crypted
El-Polocker .ha3
Encoder.xxxx
encryptoJJS .enc
Enigma .enigma
Enjey .1txt
EnkripsiPC .fucked
Erebus Encrypt the extension usin
Evil .file0locked
Exotic .evillock
.exotic random.exotic
FabSysCrypto
Fadesoft
Fairware
Fakben .locked
FakeGlobe aka GlobeImposte.crypt
FakeCryptoLocker .cryptolocker
Fantom .fantom
FenixLocker .comrade
.FenixIloveyou!!
FILE FROZR
FileLocker .ENCR
FireCrypt .firecrypt
Flyper .locked
Fonco
FortuneCookie
Free-Freedom .madebyadam
FSociety .fs0ciety
Fury .dll
GhostCrypt .Z81928819
Gingerbread
Globe v1 .purge
Globe v2 .lovewindows .<email>.<random>
Globe v3 .openforyou@india.com
.[random].blt e.g.: .7076.docx.okean-
GNL Locker .[random].encrypted <ID>.locked, e.g.,
.locked
GOG .L0CKED bill.!ID!8MMnF!ID!.locked
Gomasom .crypt !___[EMAILADDRESS]_.crypt
Goopic
Gopher
Gremit .rnsmwr
Guster .locked
Hacked .versiegelt
HappyDayzz .encrypted
Harasom .html
HDDCryptor
Heimdall
Help_dcfile .XXX
Herbst .herbst
Hermes
Hi Buddy! .cry
Hitler removes extensions
HolyCrypt (encrypted)
HTCryptor
Hucky .locky [a-zA-Z0-9+_-]{1,}.[a-z0-9]
HydraCrypt hydracrypt_ID_[\w]{8}
IFN643
iLock .crime
iLockLight .crime
International Police Association <6 random characters>
iRansom .Locked
Jack.Pot
JagerDecryptor !ENC
JapanLocker
Jeiphoos
Jhon Woddy .killedXXX
Jigsaw .btc
Job Crypter .kkk
.locked
JohnyCryptor .css
Kaandsona .kencf
Kangaroo .crypted_file
Karma .karma
Karmen .grt
Kasiski [KASISKI]
KawaiiLocker
KeRanger .encrypted
KeyBTC keybtc@inbox_com
KEYHolder
KillDisk
KillerLocker .rip
KimcilWare .kimcilware
Kirk .locked
.Kirked
Koolova
Korean .암호화됨
Kostya .kostya
Kozy.Jozy .31392E30362E3230 .([0-9A-Z]{20})_([0-9]{2})
Kraken .kraken [base64].kraken
KratosCrypt .kratos
KRider .kr3
KryptoLocker
LambdaLocker .lambda_l0cked
LanRan

LeChiffre .LeChiffre

Lick .Licked
Linux.Encoder
LK Encryption
LLTP Locker .ENCRYPTED_BY_LLTP
LockCrypt .ENCRYPTED_BY_LLTPp
.lock
Locked-In
Locker
LockLock .locklock
Locky .locky ([A-F0-9]{32}).locky
Lock93 .zepto
.lock93 ([A-F0-9]{32}).zepto
Lomix
Lortok .crime
LowLevel04 oor.
M4N1F3STO
Mabouia
MacAndChess
Magic .magic
MaktubLocker [a-z]{4,6}
Marlboro .oops
MarsJoke .a19
MasterBuster .ap19
Matrix
Meister
Merry X-Mas! .PEGS1
Meteoritan .MRCR1
MIRCOP Lock.
MireWare .fucked
Mischa .fuck .([a-zA-Z0-9]{4})
MM Locker .locked
Mobef .KEYZ
Mole .KEYH0LES
.mole
Monument .mole02
MOTD .enc
MSN CryptoLocker
n1n1n1
N-Splitter .кибер разветвитель
Nagini
NanoLocker
Nemucod .crypted
Netix
NETWALKER
Nhtnwcuf
NMoreira .maktub
NoobCrypt .__AiraCropEncrypted!
Nuke .nuclear55
Nullbyte _nullbyte
Ocelot
ODCODC .odcodc C-email-abennaki@india.
Offline ransomware .cbf email-[params].cbf
OMG! Ransomware .LOL!
Onyx .OMG!
Operation Global III .EXE
Owl dummy_file.encryptedummy_file.encrypted.[exte
OzozaLocker .Locked
PadCrypt .padcrypt
Padlock Screenlocker
Patcher .crypt
PayDay .sexy
PayDOS
Paysafecard Generator 2016 .cry_ test.cry_jpg
PClock
PetrWrap
Petya .encrypted
Philadelphia .locked <file_hash>.locked
Phobos .phobos file name[ID-
Phoenix .R.i.P 000QQQ.hacker@AOL.co
Pickles .EnCrYpTeD %random%.EnCrYpTeD
PizzaCrypts .id-[victim_id]-maestro@pizzacrypts.info
PokemonGO .locked
Popcorn Time .filock
Polyglot
Potato .potato
PowerWare .locky
PowerWorm
Princess Locker [a-z]{4,6},[0-9]
PRISM
Project34
ProposalCrypt .crypted
Ps2exe
PyL33T .d4nk
R
R980 .crypt
RAA encryptor .locked
Rabion
Radamant .RDM
Rakhni .RRK
.locked .coderksu@gmail_com_id[0-9]{2,3}
Ramsomeer .kraken .crypt@india.com.[\w]{4,12}
Ranion
Rannoh locked-<original name>.[a-zA-Z]{4}
RanRan .zXz
Ransoc
Ransom32
RansomLock
RansomPlus .encrypted
RarVault
Razy .razy
Rector .fear
.vscrypt
Red Alert .infected
RektLocker .rekt
RemindMe .remind
Revenge .crashed
.REVENGE
Rokku .rokku
RoshaLock
RozaLocker .ENC
Runsomewere
RussianRoulette
SADStory
Sage 2.0 .sage
Sage 2.2 .sage
Samas-Samsam .encryptedAES
Sanction .encryptedRSA
.sanction
Sanctions .wallet
Sardoninir .enc
Satan .stn
Satana Sarah_G@ausi.com___
Saturn
Scarab .scarab
Scraper
SerbRansom .velikasrbija
Serpent .serpent
Serpico
Shark .locked
ShellLocker .L0cked
ShinoLocker .shino
Shujin
Simple_Encoder .~
SkidLocker / Pompous .locked
SkyName
Smash!
Smrss32 .encrypted
Snatch .abcde appending .abcde to the origi
SNSLocker .RSNSlocked
Spora .RSplited
Sport .sport
Stampado .locked
Strictor .locked
Surprise .surprise
Survey .tzu
SynoLocker
SZFLocker .szf
TeamXrat .___xratteamLucked
TeleCrypt .xcri
TeslaCrypt 0.x - 2.2.0 .vvv
TeslaCrypt 3.0+ .ecc
.micro
TeslaCrypt 4.1A .xxx
TeslaCrypt 4.2
Thanksgiving
Threat Finder
TorrentLocker .Encrypted
TowerWeb .enc
Toxcrypt .toxcrypt
Trojan .braincrypt
Troldesh .breaking_bad
TrueCrypter .better_call_saul
.enc
Trump Locker .TheTrumpLockerf
Turkish .TheTrumpLockerfp
.sifreli
Turkish (Fake CTB-Locker) .encrypted
Turkish Ransom .locked
UltraLocker
UmbreCrypt umbrecrypt_ID_[VICTIMID
UnblockUPC
Ungluk .H3LL
Unlock26 .0x0
.locked-[XXX]
Unlock92 .CRRRT
Vanguard .CCCRRRPPP
VapeLauncher
VaultCrypt .vault
VBRANSOM 7 .xort
.VBRANSOM
VenisRansomware
VenusLocker .Venusf
Vindows Locker .Venusp
.vindows
Virlock .exe
Virus-Encoder .CrySiS .id-
Vortex .xtbl
.aes ########.decryptformoney
vxLock .vxLock
WannaCry .wcry
WildFire Locker .wncry
.wflx
Winnix Cryptor .wnx
XCrypt
XData .~xdata~
Xorist .EnCiPhErEd
XRTN .73i87A
.xrtn
XYZWare
You Have Been Hacked!!! .Locked
YourRansom .yourransom
Zcrypt .zcrypt
Zeta .code
Zimbra .scl
.crypto
ZinoCrypt .ZINO
Zlader / Russian .vault
Zorro .zorro
zScreenLocker
Zyka .locked
Zyklon .zyklon
Continuation columns: Ransom Note Filename(s) | Comment | Encryption Algorithm | Also known as
YOUR_FILES_ARE_LOCKED.txt | AES(256)
read_this_file.txt | XOR | Sevleg
FILES_BACK.txt | 7ev3n-HONE$T
README_.TXT AES
READ_IT.txt Based on HiddenTear AES(256)
How to decrypt your files.txt related to TeamXRat
Read_Me.Txt
ransomed.html
README HOW TO DECRYPT Made by creators of Cerber
YOUR FILES.HTML
Unlock_files_randomx5.html AES(128)
Read Me (How Decrypt) !!!!.txt AES(256) AlphaLocker
Doesn't encrypt any files / provides you only the key
ПРОЧТИ_МЕНЯ.txt
Websites
READ_ME.txt amba@riseup.net
READ_ME.txt
Demands 10 BTC
Decryption Instructions.txt | Based on EDA2 | AES(256) | HiddenTear
*.How_To_Decrypt.txt decryptionservice@mail.ru Fabiansomeware
*.Contact_Here_To_Recover_You
*.How_To_Get_Back.txt recoveryhelp@bk.ru
Apocalypse ransomware
!!!!!readme!!!!!.htm version which uses
info.txt
info.html
Help Decrypt.html
More.html
HOW TO DECRYPT.txt | Based on my-Little-Ransomware
Files might be partially AES(256) Rakhni
encrypted
Based on HiddenTear
recover.txt, recover.bmp | Possible affiliations with RockLoader, Locky and ... | BaCrypt
Has a GUI.
CryptoGraphic Locker | Base64 + String Replacement
Hacked_Read_me_to_decrypt_files.html | Based on HiddenTear | AES(256) | SilentShade
MENSAGEM.txt | EXE was replaced to neutralize threat
Based on EDA2 AES(256)
HOW_OPEN_FILES.html
AES
no local encryption, browser only
#_HOW_TO_FIX_!.hta | Related to / new version of CryptXXX
BUYUNLOCKCODE.txt | no file name change, no extension | GOST
!Recovery_[random_chars].html, !Recovery_[random_chars].txt | Does not delete Shadow Copies
# DECRYPT MY FILES #.html AES
# DECRYPT MY FILES #.txt
YOUR_FILES_ARE_ENCRYPTED.HTML
CHIP_FILES.txt
DALE_FILES.TXT
Does not encrypt anything
Warning警告.html

wallpaper.jpg | CryptoGraphic Locker family. | AES(256)
!!!-WARNING-!!!.html, !!!-WARNING-!!!.txt
HOW_TO_FIX_!.txt | Uses @enigma0x3's UAC bypass

SHTODELATVAM.txt Moves bytes


Instructionaga.txt
!Recovery_[random_chars].html, !Recovery_[random_chars].txt | Identifies victim locations w/Google Maps API | Cry, CSTO, Central Security
README.TXT, README.HTML | CryptXXX clone/spinoff | AES(256)
READ_THIS_TO_DECRYPT.html | AES
How decrypt files.hta | Impersonates the Globe Ransomware | AES(256) | Hidden Tear
Does not actually encrypt
erx@usa.com.scl the files, but simply RSA

OKSOWATHAPPENDTOYOUR sekretzbel0ngt0us.KEY AES and RSA


FILES.TXT do not confuse with
RaaS
HOW_DECRYPT.TXT no extension change
HOW_DECRYPT.HTML
Ranscam
READ IF YOU WANT YOUR Mimics Torrentlocker. AES(256), RSA
FILES BACK.html
wallpaper.jpg Encrypts only 50% of each
Has a GUI. (1024)
Subvariants: CoinVault
RAR's victim's files AES(256) (RAR Manamecrypt,
has a GUI implementation) Telograph, ROI
README!!!.txt AES-256
GetYouFiles.txt no longer relevant RSA
%AppData%\ via RIG EK AES(256)
@WARNING_FILES_ARE_ENC
HELP_YOUR_FILES.html Zeta
(CryptXXX) RSA, AES-256 and Nemesis
SHA-256 X3M
Only renames files and does
!Where_are_my_files!.html not encrypt them AES
LEER_INMEDIATAMENTE.txt
# RESTORING FILES #.HTML CryptoMix Variant AES(256) / ROT-
#ATTENTION.url
RESTORING FILES #.TXT 13
AES
HOW TO DECRYPT FILES.txt
%Temp%\<random>.bmp AES
DECRYPT_INSTRUCTION.HT
ML
HELP_DECRYPT.TXT
HELP_DECRYPT.PNG
HELP_DECRYPT.TXT
HELP_DECRYPT.PNG
HELP_YOUR_FILES.HTML
HELP_YOUR_FILES.PNG AES(256)
de_crypt_readme.bmp, .txt, .html Comes with Bedep CryptProjectXXX
<personal-ID>.txt, .html, .bmp Locks screen. Ransom note CryptProjectXXX
names
Comes are anBedep
with ID. UltraDeCrypter
StilerX credential stealing UltraCrypter
README_FOR_DECRYPT.txt AES
Locks screen. Ransom note
ask to contact
AllFilesAreLocked RSA(2048) Citroni
<user_id>.bmp websites only AES(256)
你的檔案被我們加密啦!!!.txt Based on my-Little- AES(128) my-Little-
Ransomware
Based on HiddenTear Ransomware
CyberSplitter
Written in Delphi Combination of
README.txt CrySiS variant SHA-1 and
README.jpg Encrypts in 2017
READ_IT.txt

Based on EDA2 AES(256)


HELP_YOUR_FILES.txt only encrypts .jpg files
READ_ME.txt Based on HiddenTear MafiaWare
unlock-everybody.txt
AES Based on Detox:
Digisom Readme0.txt (0 to 9) Calipso

cryptinfo.txt no extension change AES(256) in ECB


decrypting.txt Encrypted files have prefix: mode,
no extension change AES(256)
Code to decrypt: XPTLOCK5.0
README_TO_RECURE_YOUR 83KYG9NW-3K39V-
Based on Hidden Tear AES(256)
_FILES.txt AES
HOW TO DECODE FILES!!!.txt AES(128)
КАК РАСШИФРОВАТЬ
ReadMe.TxT

Open sourced C# AES(256) Cryptear

README.txt Based on Hidden Tear EduCrypter

qwer.html Has a GUI Los Pollos


qwer2.html
Instructions.html Coded in GO Hermanos
Trojan.Encoder.6
How to recover.enc 491
enigma.hta AES(128)
enigma_encr.txt Based on RemindMe
The encryption password is IDRANSOMv3
README.HTML based on the computer AES Manifestus
Coded in Javascript
Also encrypts executables AES(128)
Based on HiddenTear

Target Linux O.S.


READ ME FOR DECRYPT.txt Based on Hidden Tear
HOW_OPEN_FILES.hta

DECRYPT_YOUR_FILES.HTM Based on EDA2 AES(128) Variants:


L
Help to decrypt.txt Comrade Circle
RaaS

[random_chars]-READ_ME.html AES(256)
Based on EDA2 /
help-file-decrypt.enc HiddenTear
contact email
<startupfolder>/pronk.txt safefiles32@mail.ru also as
Unlock code is: adam or Roga
fs0ciety.html adamdude9
Based on EDA2
DECRYPT_YOUR_FILES.HTM Based on RemindMe
Based on Hidden Tear AES(256)

How to restore files.hta Blowfish Purge


Blowfish Purge
Extesion depends on the RC4 Purge
config file.
UNLOCK_FILES_INSTRUCTIO Only encrypts DE or NL It seems Globe AES(256)
AES (256) Variants, from old
NS.html and .txt
DecryptFile.txt country to latest:
DDRESS]_.crypt no ransom note
Your files have been crypted.html
OS X ransomware (PoC)

Jigsaw Ransomware variant


3DES
AES(128)
Uses https://diskcryptor.net Custom (net Mamba
for full disk encryption shares),
File marker: "Heimdall---" AES-128-CBCXTS-AES
help_dcfile.txt
AES(256)
DECRYPT_INFORMATION.htm Filemarker: "HERMES" AES
l Based on HiddenTear AES(256)
Deletes files
AES
Includes a feature to disable
_Adatok_visszaallitasahoz_utasita the victim's
Based windows
on Locky AES, RSA Hungarian Locky
sok.txt
README_DECRYPT_HYRDA_ CrypBoss Family (hardcoded) (Hucky)
ID_[ID number].txt

%Temp%\<random>.bmp CryptoTorLocker2015
variant

Important_Read_Me.html Prepends filenames


Base64 encoding, shc Ransomware
readme_liesmich_encryptor_raas.t Windows, Linux. Campaign ROT13, and RSA
RC6 (files), top- SyNcryption
Encryptor RaaS,
xt stopped. Actor claimed
Same codebase as he 2048 (RC6 key) Sarento
DNRansomware
Has a GUI AES(256) CryptoHitMan
Comment débloquer mes Based on HiddenTear, but TripleDES (subvariant)
fichiers.txt uses TripleDES, decrypter
Crashes before it encrypts Käändsõna
filename.Instructions_Data_Recov From the developer behind RansomTroll
ery.txt
# DECRYPT MY FILES #.html the Apocalypse
pretends to be a Windows AES
# DECRYPT MY FILES #.txt optimization
RaaS program called
INSTRUCCIONES.txt Based on HiddenTear
How Decrypt Files.txt
OS X Ransomware AES
DECRYPT_YOUR_FILES.txt
READ.txt
how_decrypt.gif via remote attacker.
how_decrypt.html tuyuljahat@hotmail.com AES(256)
Possibly Portuguese dev
websites only AES
RANSOM_NOTE.txt Payments in Monero
With Italian text that only
ReadMe.txt targets
Based ontheHiddenTear
Test folder on AES(256)

w.jpg Potential Kit RSA(2048) QC


_HELP_YOUR_FILES.html selectedkozy.jozy@yahoo.c
README_ALL.html kratosdimetrici@gmail.com

KryptoLocker_README.txt Based on HiddenTear AES(256)


READ_IT.hTmL Python Ransomware AES(256)
@__help__@ Variant of open-source
MyLittleRansomware

How to decrypt LeChiffre Encrypts first 0x2000 and


files.html last 0x2000 bytes.
Via remote attacker

RANSOM_NOTE.txt Variant of Kirk


Linux Ransomware Linux.Encoder.
Based on HiddenTear {0,3}
LEAME.txt Targeting Spanish speaking AES-256
ReadMe.TxT victims
RESTORE_CORUPTED_FILES. Based on RemindMe
HTML no extension change
READ_ME.TXT has GUI AES(256)
_Locky_recover_instructions.txt Affiliations with Dridex and AES(128)
_Locky_recover_instructions.bmp Necurs botnets
Based on the idiotic open-
source ransomware called
Prepends filenames
Does not encrypt
Unlock
OS X ransomware (PoC)
Based on HiddenTear
DECRYPT_ReadMe1.TXT Based on EDA2 AES(256)
DECRYPT_ReadMe.TXT
_DECRYPT_INFO_[extension AES(256), RSA
pattern].html
_HELP_Recover_Files_.html (2048)
XOR
!!! Readme For Decrypt !!!.txt
ReadMeFilesDecrypt!!!.txt
CreatesReadThisFileImportant.txt
[5 numbers]-MATRIX- GnuPG
README.RTF Targeting French victims
YOUR_FILES_ARE_DEAD.HTA Written in Delphi MRCR
MERRY_I_LOVE_YOU_BRUCE
where_are_your_files.txt
readme_your_files_have_been_en Prepends files AES Crypt888
READ_IT.txt Demands 48.48 BTC
Based on HiddenTear AES(256)
YOUR_FILES_ARE_ENCRYPT Packaged with Petya "Petya's little
ED.HTML
READ_IT.txt PDFBewerbungsmappe.exe
Based on EDA2 AES(256) brother"
Booyah
4-14-2016-INFECTION.TXT Yakes
IMPORTANT.README
INSTRUCTION_FOR_HELPING CryptoBit
CryptoMix
_FILE_RECOVERY.TXT Use the DarkLocker 5 porn
motd.txt screenlocker
RESTORE_YOUR_FILES.txt
decrypt explanations.html Filemaker:
"333333333333"
Russian Koolova Variant
Looks for C:\Temp\
ATTENTION.RTF voldemort.horcrux
no extension change AES (256), RSA
Decrypted.txt has a(a0.exe)
7zip GUI variant cannot XOR(255)
be decrypted 7zip
AES(256) RANSOM_NETI
X.A
!_RECOVERY_HELP_!.txt | Does not encrypt the files / Files are destroyed
HELP_ME_PLEASE.txt
Recupere seus arquivos. Leia-me!.txt | .aac is the extension used by the new version seen in ... | mix of RSA and AES-256 | XRatTeam, XPan
!! AES
_RECOVERY_instructions_!!.htm
Does not encrypt anything
HOW_TO_RESTORE_FILES.txt XOR
desk.bmp email addresses overlap Vipasana, Cryakl
desk.jpg
how to get data.txt with .777 addresses GPCode
Georgian ransomware
Is a file infector (virus)
log.txt CryptoWire
HOW TO DECRYPT YOU
FILES.txt
IMPORTANT READ ME.txt has a live support chat
File Decrypt Help.html Unlock code is: ajVr/G\
README!.txt RJz0R
Targeting macOS users
!!!!!ATENÇÃO!!!!!.html Based off of Hidden-Tear
Batch file Serpent
Passcode: AES1014DW256
Your files are locked !.txt CryptoLocker Copycat XOR CryptoLocker
Your files are locked !!.txt clone
YOUR_FILES_ARE_ENCRYPTED.TXT | - overwrites MBR - encrypts MFT | Modified Salsa20 | Goldeneye
Coded by "The_Rainmaker" | AES(256)
Rebranded Dharma Ransom
Important!.txt Note
Based on HiddenTear
READ_ME_TO_DECRYPT.txt Python Ransomware

Based on Hidden Tear AES(256)


restore_your_files.html AES(256)
restore_your_files.txt Immitates CTB-Locker AES(256)
README.png AES(256)
README.html Open-sourced PowerShell AES(128) PoshCoder
DECRYPT_INSTRUCTION.html no decryption possible AES, but throws
looks
! like CryptoWall 3, but with key away, destroys
_HOW_TO_RESTORE_[extensio
ПАРОЛЬ.txt

Python Ransomware
Ransomware.txt
DECRYPTION
INSTRUCTIONS.txt
!!!README!!![id].rtf Possible affiliation with RAA
Pony
RaaS
YOUR_FILES.url Copy of Ranion RaaS AES(256)
<startup folder>\fud.bmp Files might be partially Agent.iih
<startup folder>\paycrypt.bmp encrypted
Based on the DUMB Aura
ransomware
RaaS service AES(256)
l name>.[a-zA-Z]{4}
VictemKey_0_5
VictemKey_5_30 Doesn't encrypt user files
no extension change,
Javascript Ransomware
Locks the desktop Asymmetric 1024

RarVault.htm
AES(128)

Based on Hidden Tear


Readme.txt AES(256)
decypt_your_files.html
# !!!HELP_FILE!!! #.txt CryptoMix / CryptFile2 AES(256)
README_HOW_TO_UNLOCK. Variant
possibly related with Curve25519 + ChaCha
TXT Chimera
Stores your files in a
password protected RAR
Based on HT/EDA2
Utilizes of
Variant thethe
Jigsaw
Philadelphia
ransomware
Variant of CryPy
! Predecessor CryLocker
Recovery_[3_random_chars].html | Sage 2.2 deletes volume snapshots through ...
HELP_DECRYPT_YOUR_FILES.html | Targeted attacks - Jexboss | AES(256) + RSA(2096) | samsam.exe, MIKOPONI.exe
DECRYPT_YOUR_FILES.HTML | Based on HiddenTear, but heavily modified keygen | AES(256) + RSA(2096)
RESTORE_ALL_DATA.html | AES(256) + RSA(2048)
HELP_DECRYPT_FILES.html RaaS AES(256) +
!satana!.txt RSA(2096)
#DECRYPT_MY_FILES#.txt VM aware, deletes volume
#DECRYPT_MY_FILES#.vbs shadow copies, disables
Post encryption, text file is
dropped w/personal
no extension change

HOW_TO_DECRYPT_YOUR_FI Batch file AES(256) PayDOS


LES_[random_3_chars].html Passcode:
DetoxCrypto Variant AES
Readme.txt AES(256) Atom

文件解密帮助.txt KinCrypt
_RECOVER_INSTRUCTIONS.in AES
iREAD_IT.txt Based on EDA2 AES(256)
Based on HiddenTear

_HOW_TO_Decrypt.bmp
README_ABCDE_FILES.txt
DECRYPT_ABCDE_DATA.txt
READ_Me.txt Based on EDA2 AES(256)
[Infection-ID].HTML

Random message includes bitcoin Coded by "The_Rainmaker" AES(256)


wallet address with instructions Randomly
Based deletesshows
on EDA2, a file AES(256)
Guy
DECRYPTION_HOWTO.Notepad | Based on EDA2, Fawkes mask | AES(256)
ThxForYurTyme.txt | Still in development, shows survey | FileIce
Exploited Synology NAS firmware directly over ...
Como descriptografar os seus AES(256)
arquivos.txt
HELP_RESTORE.HTML Telecrypt will generate a Trojan-
RECOVER[5 random
HELP_TO_SAVE_FILES.txt random string to encrypt
Factorization RSA Ransom.Win32.T
AlphaCrypt
Howto_RESTORE_FILES.html 4.0+ has no extension AES
AES(256) + ECHD
RECOVER<5_chars>.html no special extension + SHA1 + ECHD
AES(256)
RECOVER<5_chars>.png
RECOVER<5_chars>.html + SHA1
RECOVER<5_chars>.png
HELP_DECRYPT.HTML Files cannot be decrypted
HOW_TO_RESTORE_FILES.ht Has
Newera GUI
variants not AES(256) CBC for Crypt0L0cker
ml
Payment_Instructions.jpg decryptable. files CryptoFortress
tox.html
!!! HOW TO DECRYPT BrainCrypt
FILES !!!.txt
README<number>.txt May download additional AES(256) Shade
nomoreransom_note_original.txt malware after encryption AES(256) XTBL
What happen to my files.txt

Beni Oku.txt | keys in '%name%.manifest.xml' | AES(256)
DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html | AES(256)
Based on the idiotic open-source ransomware called ...
README_DECRYPT_UMBRE_ID_[victim_id].jpg | CrypBoss Family | AES
Files encrypted.txt
READTHISNOW!!!.txt Ransom note instructs to AES
Hellothere.txt
ReadMe-XXX.html use Bitmessage to get in
READ_ME_!.txt
GO Ransomware
CryptoWire variant
VAULT.txt uses gpg.exe CrypVault
xort.txt Does not actually encrypt Zlader
In dev
ReadMe.txt VenisRansom@protonmail.
Based on EDA2 AES(256)
AES
Polymorphism / Self-
How to decrypt your data.txt replication AES(256) CrySiS
Ŧl๏tєгค гคภร๏๓ฬคгє
@Please_Read_Me@.txt WannaCrypt
HOW_TO_UNLOCK_FILES_RE Zyklon variant WCry
Hades Locker
ADME_(<ID>).txt
YOUR FILES ARE GPG
ENCRYPTED!.txt
Xhelp.jpg
HOW_CAN_I_DECRYPT_MY_F
ILES.txt
HOW TO DECRYPT FILES.TXT encrypted files will still XOR or TEA
have the original
VaultCrypt family non-
Based on HiddenTear
Attempt to steal passwords
README.txt
Zcryptor
# CryptoMix
HELP_DECRYPT_YOUR_FILES
how.txt mpritsken@priest.com
ZINO_NOTE.TXT
VaultCrypt family RSA VaultCrypt
Take_Seriously (Your saving CrypVault
grace).txt

Hidden Tear family, GNL GNL Locker


Locker variant
Date Decryptor Info 1 Info 2 Screenshots
Added/Modified http://www.nyxbone.com/malware/CryptoHasYou.html #NAME?
https://decrypter.emsisoft.com/777
http://www.nyxbone.com/malware/7ev3n-HONE$T.html
https://github.com/hasherezade/malware_analysis/tree/master/7ev3n
https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be
http://www.nyxbone.com/malware/7h9r.html
http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/
https://twitter.com/PolarToffee/status/796079699478900736
https://decrypter.emsisoft.com/al-namrood
https://twitter.com/PolarToffee/status/792796055020642304
http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-
https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff3
https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threa
http://www.bleepingcomputer.com/news/security/new-alma-locker-ra
http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip
http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continu
https://twitter.com/malwarebread/status/804714048499621888
https://twitter.com/PolarToffee/status/812331918633172992
https://twitter.com/benkow_/status/747813034006020096
https://twitter.com/malwrhunterteam/status/798268218364358656
https://twitter.com/BleepinComputer/status/844531418474708993
https://twitter.com/demonslay335/status/790334746488365057
https://twitter.com/struppigel/status/842047409446387714
http://nyxbone.com/malware/Anubis.html
https://decrypter.emsisoft.com/apocalypse
http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies
http://decrypter.emsisoft.com/download/apocalypsevm
https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransom
https://decrypter.emsisoft.com/autolocky
https://twitter.com/struppigel/status/828902907668000770
https://decrypter.emsisoft.com/badblock
http://www.nyxbone.com/malware/BadBlock.html
http://www.nyxbone.com/images/articulos/malware
https://twitter.com/demonslay335/status/813064189719805952
https://twitter.com/JakubKroustek/status/760482299007922176
https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-rans
https://reaqta.com/2016/03/bandarchor-ransomware-still-active/
https://www.bleepingcomputer.com/news/security/new-bandarchor-ra
https://twitter.com/demonslay335/status/835668540367777792
http://now.avg.com/barts-shenanigans-are-no-match-for-avg/
http://phishme.com/rockloader-downloading-new-ransomware-bart/
https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransom
https://noransom.kaspersky.com/
https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip
http://nyxbone.com/malware/BlackShades.html
http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-qu
http://www.nyxbone.com/malware/brazilianRansom.html
http://www.nyxbone.com/images/articulos/malware
https://twitter.com/JakubKroustek/status/821831437884211201
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cry
https://twitter.com/malwrhunterteam/status/845199679340011520
http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-
http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organiza
https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mat
https://community.rsa.com/community/products/netwitness/blog/2016
https://twitter.com/struppigel/status/795630452128227333
http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-pety
https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-
http://malware-traffic-analysis.net/2016/11/17/index.html
https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-no
https://www.youtube.com/watch?v=Xe30kV4ip8w
https://twitter.com/JakubKroustek/status/794956809866018816
https://twitter.com/BleepinComputer/status/822653335681593345
https://twitter.com/jiriatvirlab/status/801910919739674624
https://noransom.kaspersky.com/
http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-ma
https://twitter.com/malwrhunterteam/status/839467168760725508
https://support.kaspersky.com/viruses/disinfection/8547
https://support.kaspersky.com/viruses/disinfection/8547
http://virusinfo.info/showthread.php?t=185396
http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communic
http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-
https://github.com/pekeinfo/DecryptCrypren
http://www.nyxbone.com/malware/Crypren.html
http://www.nyxbone.com/images/articulos/malware
https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip
https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-f
https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-ho
https://twitter.com/PolarToffee/status/824705553201057794
http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
https://twitter.com/jiriatvirlab/status/802554159564062722
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cry
https://decrypter.emsisoft.com/
http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/
http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-
https://twitter.com/drProct0r/status/810500976415281154
https://blog.malwarebytes.com/threat-analysis/2017/03/cryptoblock-a
https://decrypter.emsisoft.com/
https://twitter.com/PolarToffee/status/843527738774507522
http://blog.talosintel.com/2016/07/ranscam.html
https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-deman
http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protect
https://twitter.com/jiriatvirlab/status/838779371750031360
https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocke
https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/
https://twitter.com/malwrhunterteam/status/839747940122001408
https://twitter.com/malwrhunterteam/status/782890104947867649
http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malver
https://twitter.com/malwareforme/status/798258032115322880
https://twitter.com/malwareforme/status/798258032
http://www.nyxbone.com/malware/CryptoMix.html
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcr
https://decrypter.emsisoft.com/crypton
https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-
https://twitter.com/JakubKroustek/status/829353444632825856
https://twitter.com/malwrhunterteam/status/817672617658347521
http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-
https://twitter.com/struppigel/status/821992610164277248
https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshie
http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-a
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-an
http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-com
https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/
https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f
https://twitter.com/struppigel/status/791554654664552448
https://www.bleepingcomputer.com/news/security/-proof-of-concept-
https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-informati
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strik
http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decr
http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-
https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-varian
https://blog.trendmicro.com/trendlabs-security-intelligence/brute-forc
https://www.dropbox.com/s/2gtk33g6rwlkcfb/Crys
http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-jo
https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
https://github.com/eyecatchup/Critroni-php
https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool
https://github.com/aaaddress1/my-Little-Ransomware
https://twitter.com/struppigel/status/778871886616862720
https://twitter.com/struppigel/status/806758133720698881
https://decrypter.emsisoft.com/damage
https://twitter.com/demonslay335/status/835664067843014656
https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomw
https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-filenameema
https://twitter.com/malwrhunterteam/status/785533373007728640
https://twitter.com/JaromirHorejsi/status/815555258478981121
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/
http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic
http://www.nyxbone.com/malware/DEDCryptor.html
https://twitter.com/struppigel/status/798573300779745281
https://twitter.com/BleepinComputer/status/817069320937345024
https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includ
https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-o
http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretend
https://twitter.com/PolarToffee/status/829727052316160000
https://twitter.com/demonslay335/status/752586334527709184
https://decrypter.emsisoft.com/
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-b
https://github.com/hasherezade/dma_unlocker
https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
https://twitter.com/BleepinComputer/status/822500056511213568
http://www.nyxbone.com/malware/Domino.html
http://www.bleepingcomputer.com/news/security/the-curious-case-of
https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-
https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-
https://twitter.com/struppigel/status/794108322932785158
https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/
https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal
https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-f
https://twitter.com/BleepinComputer/status/815392891338194945
http://www.filedropper.com/decrypter_1
https://twitter.com/JakubKroustek/status/747031171347910656
https://twitter.com/BroadAnalysis/status/845688819533930497
https://twitter.com/malwrhunterteam/status/845652520202616832
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-
http://vms.drweb.ru/virus/?_is=1&i=8747343
http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russi
https://twitter.com/malwrhunterteam/status/839022018230112256
https://twitter.com/demonslay335/status/811343914712100872
https://twitter.com/BleepinComputer/status/811264254481494016
https://twitter.com/struppigel/status/811587154983981056
https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-by
https://twitter.com/jiriatvirlab/status/818443491713884161
https://twitter.com/PolarToffee/status/826508611878793219
http://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-
https://twitter.com/struppigel/status/837565766073475072
https://twitter.com/malwrhunterteam/status/829768819031805953
https://twitter.com/malwrhunterteam/status/838700700586684416
http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-l
https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-c
https://decrypter.emsisoft.com/globeimposter
https://twitter.com/malwrhunterteam/status/809795402421641216
https://twitter.com/PolarToffee/status/812312402779836416
http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-fi
https://decrypter.emsisoft.com/fenixlocker
https://twitter.com/fwosar/status/777197255057084416
https://twitter.com/rommeljoven17/status/846973265650335744
https://twitter.com/jiriatvirlab/status/836616468775251968
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-
https://twitter.com/malwrhunterteam/status/773771485643149312
https://twitter.com/struppigel/status/842302481774321664
https://twitter.com/BleepinComputer/status/812135608374226944
https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyh
http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homa
https://twitter.com/siri_urz/status/795969998707720193
https://support.kaspersky.com/viruses/disinfection/8547
https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip
http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-suppo
https://twitter.com/ni_fi_70/status/796353782699425792
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purg
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
https://decrypter.emsisoft.com/globe3
http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-
https://twitter.com/BleepinComputer/status/816112218815266816
https://decrypter.emsisoft.com/
http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-ne
https://twitter.com/struppigel/status/794444032286060544
https://twitter.com/BleepinComputer/status/812131324979007492
https://twitter.com/demonslay335/status/806878803507101696
https://twitter.com/malwrhunterteam/status/847114064224497666
https://decrypter.emsisoft.com/
https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-m
blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransom
https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomw
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informat
https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-liv
http://www.nyxbone.com/malware/hibuddy.html
http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ran
https://twitter.com/jiriatvirlab/status/825310545800740864
http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holyc
https://twitter.com/BleepinComputer/status/803288396814839808
https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
https://decrypter.emsisoft.com/
http://www.malware-traffic-analysis.net/2016/02/03/index2.html
https://twitter.com/struppigel/status/791576159960072192
https://twitter.com/BleepinComputer/status/817085367144873985
http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe
https://twitter.com/demonslay335/status/796134264744083460
https://twitter.com/struppigel/status/791639214152617985
https://twitter.com/JakubKroustek/status/757873976047697920
https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.p
https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots
http://www.nyxbone.com/malware/RaaS.html
http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-an
https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip
https://twitter.com/BleepinComputer/status/822509105487245317
http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-un
https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/
https://twitter.com/demonslay335/status/795819556166139905
http://www.nyxbone.com/malware/jobcrypter.html
https://twitter.com/malwrhunterteam/status/828914052973858816
http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransom
https://twitter.com/BleepinComputer/status/819927858437099520
https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-
https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomw
https://twitter.com/malwrhunterteam/status/841747002438361089
https://twitter.com/MarceloRivero/status/832302976744173570
https://safezone.cc/resources/kawaii-decryptor.195/
http://news.drweb.com/show/?i=9877&lng=en&c=5
http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-sp
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-an
https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industri
http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-lin
https://twitter.com/malwrhunterteam/status/782232299840634881
https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind
http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-w
https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb99
https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-b
https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-fr
http://www.nyxbone.com/malware/koreanRansom.html
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-
http://www.nyxbone.com/malware/KozyJozy.html
http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransom
https://twitter.com/demonslay335/status/746090483722686465
https://twitter.com/malwrhunterteam/status/836995570384453632
https://twitter.com/struppigel/status/847689644854595584
https://decrypter.emsisoft.com/lechiffre
https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransom
https://twitter.com/JakubKroustek/status/842404866614038529
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
https://twitter.com/malwrhunterteam/status/845183290873044994
https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-
09/29/2017 https://www.bleepingcomputer.com/forums/t/648384/lockcrypt-lock-support-topic-read
https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupte
https://twitter.com/struppigel/status/807169774098796544
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#
https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-he
08/08/2017 - http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-ex
WSF variant:
Diablo6 Locky http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky
https://twitter.com/malwrhunterteam/status/789882488365678592
https://twitter.com/siri_urz/status/801815087082274816
https://twitter.com/jiriatvirlab/status/808015275367002113
https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dan
https://decrypter.emsisoft.com/marlboro
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-o
https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/
https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB
https://twitter.com/struppigel/status/791943837874651136
https://twitter.com/rommeljoven17/status/804251901529231360
https://twitter.com/siri_urz/status/840913419024945152
https://decrypter.emsisoft.com/mrcr
https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its
https://www.bleepingcomputer.com/news/security/-merry-christmas-r
https://twitter.com/malwrhunterteam/status/844614889620561924
http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/
http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-
http://www.nyxbone.com/malware/Mircop.html
https://www.avast.com/ransomware-decryption-tools#!
http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-name
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cry
http://nyxbone.com/malware/Mobef.html
http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-
http://nyxbone.com/images/articulos/malware/mobe
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-mole02-cryptomix-ransomw
https://twitter.com/malwrhunterteam/status/844826339186135040
https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-to
https://twitter.com/struppigel/status/810766686005719040
https://twitter.com/demonslay335/status/790608484303712256
https://twitter.com/demonslay335/status/831891344897482754
https://twitter.com/JakubKroustek/status/815961663644008448
https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.b
http://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemo
http://github.com/Cyberclues/nanolocker-decryptor
https://decrypter.emsisoft.com/nemucod
https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/
https://github.com/Antelox/NemucodFR
http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransom
https://twitter.com/demonslay335/status/839221457360195589
https://decrypter.emsisoft.com/nmoreira
https://twitter.com/fwosar/status/803682662481174528
https://twitter.com/JakubKroustek/status/757267550346641408
https://www.bleepingcomputer.com/news/security/noobcrypt-ransom
https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip
https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to
https://twitter.com/malwrhunterteam/status/817648547231371264
http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip
http://www.nyxbone.com/malware/odcodc.html
https://twitter.com/PolarToffee/status/813762510302183424
http://www.nyxbone.com/images/articulos/malware
https://support.kaspersky.com/viruses/disinfection/8547
http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.h
https://twitter.com/struppigel/status/791557636164558848
http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/
https://twitter.com/JakubKroustek/status/842342996775448576
https://decrypter.emsisoft.com/ozozalocker
https://twitter.com/malwrhunterteam/status/801503401867673603
http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-l
https://twitter.com/malwrhunterteam/status/798141978810732544
https://twitter.com/BleepinComputer/status/811635075158839296
https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/
https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-loc
https://twitter.com/BleepinComputer/status/808316635094380544
https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos
https://twitter.com/JakubKroustek/status/796083768155078656
https://decrypter.emsisoft.com/
https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pcl
https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-
05.12.2023 http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator
https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
https://www.bleepingcomputer.com/news/security/petya-ransomware
https://www.youtube.com/watch?v=mSqxFjZq_z4
https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/petya
https://decrypter.emsisoft.com/philadelphia
www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-merc
https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew
https://www.bleepingcomputer.com/forums/t/688649/phobos-ransom
https://www.google.com/url?sa=i&rct=j&q=&esrc=
https://twitter.com/BleepinComputer/status/804810315456200704
https://twitter.com/JakubKroustek/status/834821166116327425
http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip
http://www.nyxbone.com/malware/pokemonGO.html
http://www.bleepingcomputer.com/news/security/pokemongo-ransom
https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ra
https://support.kaspersky.com/8547
https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/
https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py
https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-wri
http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerwar
https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/
https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-p
https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ranso
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-remov
https://twitter.com/demonslay335/status/812002960083394560
https://twitter.com/malwrhunterteam/status/811613888705859586
https://twitter.com/jiriatvirlab/status/803297700175286273
https://twitter.com/Jan0fficial/status/834706668466405377
https://twitter.com/malwrhunterteam/status/846705481741733892
https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/
https://reaqta.com/2016/06/raa-ransomware-delivering-pony/
http://www.bleepingcomputer.com/news/security/the-new-raa-ransom
https://twitter.com/CryptoInsane/status/846181140025282561
https://decrypter.emsisoft.com/radamant
http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-r
http://www.nyxbone.com/malware/radamant.html
https://support.kaspersky.com/us/viruses/disinfection/10556
https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-ava
https://support.kaspersky.com/viruses/disinfection/8547
https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption
http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attack
https://www.bleepingcomputer.com/news/security/new-ranran-ransom
https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware
https://www.bleepingcomputer.com/news/security/ransoc-ransomwar
https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99
https://twitter.com/jiriatvirlab/status/825411602535088129
http://www.nyxbone.com/malware/Razy(German).html
http://nyxbone.com/malware/Razy.html
https://support.kaspersky.com/viruses/disinfection/4264
https://twitter.com/JaromirHorejsi/status/815557601312329728
https://support.kaspersky.com/viruses/disinfection/4264
http://www.nyxbone.com/malware/RemindMe.html
http://i.imgur.com/gV6i5SN.jpg
https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-va
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
https://twitter.com/siri_urz/status/842452104279134209
https://twitter.com/jiriatvirlab/status/840863070733885440
https://twitter.com/struppigel/status/801812325657440256
https://twitter.com/struppigel/status/823925410392080385
https://twitter.com/malwrhunterteam/status/845356853039190016
https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-fo
https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-gener
https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate
https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip
http://blog.talosintel.com/2016/03/samsam-ransomware.html
http://www.intelsecurity.com/advanced-threat-research/content/Analy
https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of
https://twitter.com/BleepinComputer/status/835955409953357825
https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-thr
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
https://blog.kaspersky.com/satana-ransomware/12558/
02/19/2018
http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
https://twitter.com/malwrhunterteam/status/830116190873849856
https://www.bleepingcomputer.com/news/security/ultranationalist-de
https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos
https://www.proofpoint.com/us/threat-insight/post/new-serpent-ranso
http://www.nyxbone.com/malware/Serpico.html
http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows
http://www.bleepingcomputer.com/news/security/shark-ransomware-
https://twitter.com/JakubKroustek/status/799388289337671680
https://twitter.com/JakubKroustek/status/760560147131408384
http://www.bleepingcomputer.com/news/security/new-educational-sh
http://www.nyxbone.com/malware/chineseRansom.html
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-lan
http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows
http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/
http://www.nyxbone.com/malware/SkidLocker.html
https://twitter.com/malwrhunterteam/status/817079028725190656
https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-th
https://thedfirreport.com/2020/06/21/snatch-ransomware/
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-in
http://nyxbone.com/malware/SNSLocker.html
http://nyxbone.com/images/articulos/malware/snslo
https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-sp
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
https://cdn.streamable.com/video/mp4/kfh3.mp4
http://blog.trendmicro.com/trendlabs-security-intelligence/the-econom
http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-st
http://www.nyxbone.com/malware/Strictor.html
http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-
#NAME?
#NAME?
http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/
#NAME?
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransom
#NAME?
05.12.2023 https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3
https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusi
https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit
#NAME?
https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-d
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-e
https://www.fireeye.com/blog/threat-research/2015/05/teslacrypt_followin.html
#NAME?
http://www.talosintel.com/teslacrypt_tool/ #NAME?
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-e
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomwar
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-e
https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacry
https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/
#NAME?
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomwar
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-e
http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-f
#NAME?
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomwar
https://twitter.com/BleepinComputer/status/801486420368093184
#NAME?
#NAME?
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-ha
https://twitter.com/PolarToffee/status/804008236600934403
http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-
#NAME?
http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-suppo
#NAME?
#NAME?
https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip
https://twitter.com/PolarToffee/status/811249250285842432
#NAME?
https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf
http://www.nyxbone.com/malware/Troldesh.html
https://www.bleepingcomputer.com/news/security/kelihos-botnet-del
#NAME?
http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-paym
#NAME?
https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-
#NAME?
https://twitter.com/struppigel/status/821991600637313024#NAME?
https://twitter.com/JakubKroustek/status/842034887397908480
#NAME?
http://www.nyxbone.com/malware/turkishRansom.html #NAME?
https://twitter.com/struppigel/status/807161652663742465
https://www.bleepingcomputer.com/news/security/-proof-of-concept-
#NAME?
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware
#NAME?
https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-sup
#NAME?
#NAME?
https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread
#NAME?
https://twitter.com/malwrhunterteam/status/839038399944224768
#NAME?
https://twitter.com/JAMESWT_MHT/status/834783231476166657
#NAME?
https://twitter.com/struppigel/status/839771195830648833#NAME?
http://www.nyxbone.com/malware/russianRansom.html #NAME?
https://twitter.com/BleepinComputer/status/817851339078336513
#NAME?
https://twitter.com/Antelox/status/785849412635521024
http://pastebin.com/HuK99Xmj #NAME?
https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransom
http://www.nyxbone.com/malware/venusLocker.html
#NAME?
https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph
https://twitter.com/JakubKroustek/status/800729944112427008
https://www.bleepingcomputer.com/news/security/vindowslocker-ran
#NAME?
https://rol.im/VindowsUnlocker.zip
http://www.nyxbone.com/malware/Virlock.html
http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-re
#NAME?
http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/
http://www.nyxbone.com/malware/virus-encoder.html
http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targ
#NAME?
http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip
https://twitter.com/struppigel/status/839778905091424260#NAME?
#NAME?
https://twitter.com/struppigel/status/846241982347427840
https://docs.google.com/spreadsheets/d/1XNCCiiwpIfW8y0mzTUdL
https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/
#NAME?
https://twitter.com/PolarToffee/status/811940037638111232
#NAME?
https://twitter.com/JakubKroustek/status/825790584971472902
#NAME?
https://www.bleepingcomputer.com/news/security/xdata-ransomware-on-a-rampage-in-
https://support.kaspersky.com/viruses/disinfection/2911 #NAME?
https://decrypter.emsisoft.com/xorist #NAME?
https://twitter.com/malwrhunterteam/status/833636006721122304
#NAME?
https://twitter.com/malwrhunterteam/status/808280549802418181
#NAME?
https://twitter.com/_ddoxer/status/827555507741274113
https://www.bleepingcomputer.com/news/security/yourransom-is-the
#NAME?
https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
#NAME?
https://twitter.com/JakubKroustek/status/804009831518572544
#NAME?
http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-pyt
#NAME?
https://twitter.com/malwrhunterteam/status/842781575410597894
http://www.nyxbone.com/malware/russianRansom.html #NAME?
https://twitter.com/BleepinComputer/status/844538370323812353
https://twitter.com/struppigel/status/794077145349967872
#NAME?
https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip
https://twitter.com/GrujaRS/status/826153382557712385
#NAME?
#NAME?
IOCs (Network Based Indicators) | IOCs (Host-Based Indicators)
Snatch: 193.188.22.29 (:443), 193.188.22.29 (:37462) | commands executed during the attack: vssadmin delete shadows /all /quiet
Phobos (Dharma) reference: https://www.bankinfosecurity.com/dharma-gang-pushes-phobos-crypto-locking-ransomware-a-11961
Proposed Name | Extensions | Extension Pattern / PoC | Comment | Status
WonderCrypter | .h3ll | SECRETISHIDINGHEREINSIDE.KEY, MESSAGE.TXT | Submitted to IDR | Need analysed (7f76dd15545a6bf1804bed893e5e8214feb2f0368d3c6a6b
? | .crypttt | | Submitted to IDR | Needs identified
? | .neitrino | | Submitted to IDR, ransom email: danny.walswen@protonmail.com | Needs identified
? | .xcrypt | | Submitted to IDR | Needs identified
? | | FILES_BACK.TXT | Submitted to IDR, note: http://pastebin.com/Wvw7mGqB | Needs identified
PLAUGE17? | .PLAUGE17 | PLAGUE17.txt | Submitted to IDR, note: http://pastebin.com/zc4zMNpw | Needs identified
? | | 4252016XYLITOL.KEY666 | Submitted to BC, Mobef? | Needs identified
WHAT IS SQ | sq_ (prepends file) | WHAT IS SQ_.txt | http://www.bleepingcomputer.com/forums/t/583610/how-to-decrypt-ransomware-name-what-is-sq/ | Hunting for sample
? | | PLEASE READ.txt | Submitted to IDR, note: http://pastebin.com/6J4g33FQ | Hunting for sample
? | .locked | UNLOCK_FILES_INSTRUCTIONS.txt | Submitted to IDR and BC, note: http://pastebin.com/xj947Lh2 | Hunting for sample
Protected? | .protected | | Submitted to IDR and BC, note: http://pastebin.com/2dAVDB4m | Hunting for sample
AxCrypter | .axx | HOW_TO_RESTORE_YOUR_DATA.html | Abuses legit AxCrypt software | Hunting for sample
? | | PLEASEREAD.ME | Submitted to IDR: http://pastebin.com/E6Rds9m7 | Hunting for sample
? | .iloveworld | | Sonar.cryptolocker!g80 | Hunting for sample
Name Microsoft Detection Name Microsoft Info Sandbox
.CryptoHasYou. Trojan:Win32/Dynamer!ac https://www.microsoft.com/security/portal/threat/encyclopedia/ent
https://www.hybrid-analysis.com/sample/afd3
777 Ransom:Win32/Empercrypt.A https://www.microsoft.com/security/portal/threat/Encyclopedia/En
https://www.hybrid-analysis.com/sample/295
7ev3n
8lock8 https://www.hybrid-analysis.com/sample/902
Alma Ransomware
ApocalypseVM Win32/Cribit https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/7d6
AutoLocky
BadBlock
Bart
BitStak
BlackShades Crypter Ransom:JS/Brolo www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx
Blocatto
Booyah Ransom: Win32/Cendode.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Brazilian Win32/Cerber https://www.microsoft.com/security/portal/threat/Encyclopedia/En
https://www.hybrid-analysis.com/sample/a37
BrLock Win32/Chicrypt https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/a37
Browlock Ransom: MSIL/Vaultlock.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/3ab
Bucbi
BuyUnlockCode
Cerber
Chimera Ransom: Win32/Crowti https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
CoinVault
Coverton
Cryaki Ransom: Win32/Crowti https://www.hybrid-analysis.com/sample/e12
https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Crybola Win32/Fortrypt https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
CryLocker
Crypt38 Ransom: Win32/Crilock.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/034
CryptoBit
CryptoDefense
CryptoGraphic Locker Ransom: MSIL/Nojocrypt.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/cdd
CryptoHost
CryptoJoker
CryptoWall 1 Ransom: Win32/DMALocker https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/053
CryptoWall 2 Ransom: Win32/DMALocker.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
CryptoWall 4 Ransom: MSIL/Ryzerlo https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/d44
CryptXXX Ransom: PowerShell/Polock.A https://www.microsoft.com/security/portal/threat/encyclopedia/ent
CryptXXX 2.0
CTB-Locker
CTB-Locker WEB
CuteRansomware
DeCrypt Protect
DEDCryptor Trojan: Win32/Harasom.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
EduCrypt
El-Polocker Ransom: Win32/Tobfy.X https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/1a6
Enigma
Fakben
Fonco Ransom:MSIL/JigsawLocker.A https://www.microsoft.com/security/portal/threat/Encyclopedia/En
https://www.hybrid-analysis.com/sample/3ae
Fury
GhostCrypt
Goopic Ransom: MacOS_X/KeRanger.A https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Gopher Ransom: Win32/Isda https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Harasom Ransom: BAT/Xibow https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Hi Buddy!
HydraCrypt
iLock
iLockLight Ransom: Win32/Locky https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
TrojanDownloader: JS/Locky
International Police Association https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/b7d
Jeiphoos
Jigsaw
Job Crypter
KeRanger Win32/Takabum https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
KeyBTC
KEYHolder
KryptoLocker JS/Nemucod https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
MIRCOP
Mischa
MM Locker
Mobef
Nemucod
ODCODC
Offline ransomware
Operation Global III
PadCrypt
RemindMe
PClock
PowerWare
PowerWorm
PRISM
Radamant
Rannoh
Ransom32 Win32/Tescrypt https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
https://www.hybrid-analysis.com/sample/20f
RansomLock Ransom: Win32/Teerac https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
RektLocker Win32/Fortrypt https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Rokku
Samas-Samsam
Sanction Win32/Troldesh https://www.microsoft.com/security/portal/threat/Encyclopedia/En
Satana
Serpico
Simple_Encoder Ransom: BAT/Xibow https://www.microsoft.com/security/portal/threat/encyclopedia/Ent
Smrss32
Sport
Stampado
Surprise
SynoLocker
SZFLocker
TeslaCrypt 0.x - 2.2.0
TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
TowerWeb
Toxcrypt
Troldesh
TrueCrypter Win32/ZCryptor.A https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-
Turkish Ransom
Ungluk
Unlock92
WildFire Locker
Xorist
Zcrypt
Zimbra
Zlader / Russian
Zyklon
IOCs | Snort
https://otx.alienvault.com/pulse/57180b18c1492d015c14bed8/
https://otx.alienvault.com/pulse/573b02701116a040ceccdd85/
https://otx.alienvault.com/pulse/57180dbf0ebaa4015af21166/
https://www.hybrid-analysis.com/sample/d572a7d7254846adb73aebc3f7891398e513bdac9aac06231991e07e7b55fac8?environmentId=4
https://otx.alienvault.com/pulse/57166d65c1492d015c14bcc4/
https://otx.alienvault.com/pulse/56eac97aaef9214b1550b37e/
https://otx.alienvault.com/pulse/5721628cce2199015fb2b101/
https://otx.alienvault.com/pulse/572df3997740f10160c78d5c/
https://otx.alienvault.com/pulse/55fabc314637f26df7745efc/
https://www.snort.org/search?query=cryptolocker&submit_search=
https://www.snort.org/search?query=ctb-locker
https://www.snort.org/rule_docs/1-37844
http://pastebin.com/0604rgUn
http://pastebin.com/F6Pyqiqg
https://www.snort.org/search?query=Petya&submit_search=
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
http://seclists.org/snort/2013/q3/900
https://www.snort.org/search?query=samsam&submit_search=
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32%2fTeerac
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fortrypt
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=torrentlocker&submit_search=
Infographics
Hint: if you can't see the graphics in the HTML version try to download this document as XLSX in the "Download" section
Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain
Source: Symantec, via @certbund
https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017

Download Links
XLSX Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=xlsx
ODS Download: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=ods

Composition: This initial list has been composed by Mosh @nyxbone and transformed into this Google Docs format by @cyb3rops
https://twitter.com/nyxbone/status/715675420159508480/photo/1

Contributors
Florian Roth (@cyb3rops)
Bart P (@bartblaze)
Michael Gillespie (@demonslay335)
Marcelo Rivero (@MarceloRivero)
Daniel Gallagher (@DanielGallagher)
Mosh (@nyxbone)
Karsten Hahn (@struppigel)
Anthony Kasza (@anthonykasza)
John Bambenek (@bambenek)
Devon Ackerman (@AboutDFIR)
Fernando Mercês (@MercesFernando)
Jas Chase (@jasc22)
Nader Zaveri (@NaderZaveri)

Support: If you are a security researcher and want to support us, please contact me on Twitter @cyb3rops, tell me a bit about your background and I'll grant you write access to this list.

License: Ransomware Overview is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
https://creativecommons.org/licenses/by-nc-sa/4.0/

Sources
https://id-ransomware.malwarehunterteam.com/ (Identify ransomware by ransom note or encrypted file sample)
https://bartblaze.blogspot.com
http://www.malekal.com/
http://www.bleepingcomputer.com/
https://blog.malwarebytes.org/
http://www.nyxbone.com/
http://www.nyxbone.com/malware/RansomwareOverview.html (Backup of spreadsheet)
http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
http://www.thewindowsclub.com/list-ransomware-decryptor-tools
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
https://decrypter.emsisoft.com/ (Decrypters)
https://www.nomoreransom.org/ (Decrypters + info)
https://www.fireeye.com/blog.html (Ransomware Background, Summary, and IOCs)

Google Shortcode http://goo.gl/b9R8DE