Ransomware Overview List

Name .CryptoHasYou. 7ev3n Alpha Alpha Ransom Ransomwar ware e AutoLocy !an"archor !itCryptor !ooyah !ra,ilian !rLoc !rowloc !uci !uy/nlocCo"e Cerer Chimera Chinese Ransom Coinault Coverton Cryai Cryola Cryptear Crypt;%leCrypt%n+inite Crypto&e+ense CryptoHost Crypto?oer Cryp Crypto toLo Loc cer er Crypto)ix Crypto8orLocer-4B Crypto8orLocer-4B CryptoDall Crypt Crypt -.4 C8!#Locer C8!#Locer DE! &eCrypt Protect &)ALocer &)ALocer 3.4 E&AE&A-  Hi"" Hi""en en8 8ear ear El#Polocer Eni=ma ;aen

Extensions .enc .RBA .RIA .encr .e ncrypt ypt .locy

Extension Pattern

Comment

.i"#$%&'($E)A%L(A&&RE**' .cl+   EE was replace" to neutrali,e !ase" on Ethreat &A-

.loc

no local encryptionG rowser onlychan=eG no no +ile name 0.12.enco"e".0$A#4#5' extension &oes not "elete *ha"ow Copies

.cerer .crypt .txt .cl+   .coverton .eni=ma .6CRYP8EN&!LAC9&C:

.scl .crin+  

i"$(%&'email(xerxs victim>s +iles

.cr@oer .enc .encry rypt pte" e" no lon= lon=er er rele releva vant nt .co"e .i"(0%&()ACH%NE2(email(xoomx<"r.com(.co"e .Crypto8 .Crypto8orLocer-4B orLocer-4B 0ran"om2 .crypt Locs screen. Ransom note names are an %& .ctl   .0$a#,'6FG7:2 wesites only .html no extension chan=e no extension chan=e .loc .loce e" " Jpen source" CKG H8 has PRN exploit .ha3 .eni=ma .loce" !ase" on Hi""en 8ear

;ury omasom opher Harasom Hi !u""y Hy"raCrypt iLoc iLocLi=ht  ?i=saw  ?o Crypter  ?oCrypter 9eRan=er 9ey!8C 9EYHol"er 9imcilDare 9ryptoLocer LeChi++re Linux.Enco"er Locer Locy Lorto LowLevel4I )aouia )a=ic )atuLocer )ireDare )) Locer )oe+  NanoLocer Nemuco"

J++line ransomware J) Ransomware Jpera Jperatio tion n loal loal %%% PCloc Petya PowerDare Raa* Ra"amant

.crypt .html .cry

((($E)A%LA&&RE**'(.crypt J*  ransomware 0PoC2 !ase" on Hi""en8ear hy"racrypt(%&($Mw'6: Cryp!oss ;amily

.crime .crime .tc . .loce" .loce" .encrypte" .eytc
!ase" on Hi""en8earG ut uses 8riple&E*G "ecrypter J*  Ransomware

.imcilware .loce"

wesites only !ase" on Hi""en8ear

.LeChi++re Linux Ransomware no extension chan=e .locy .crime oor.

0$A#;4#5'63-:2.locy Prepen"s +ilenames J*  ransomware 0PoC2 !ase" on E&A-

.ma=ic $a#,'6IGF: .+uce"

!ase" on Hi""en8ear !ase" on E&A-

.9EY .9EYH4LE*

no extension chan=e 7,ip 0a4.exe2 variant cannot e "ecrypte"

.crypte"

.c+ .LJL .J) .EE .E E

email#$params'.c+  

CryptoLocer Copycat encrypts "is partitions Jpen#source" Power*hell Ransomware as a *ervice .R&) .RR9

Rahni Rannoh Ransom3Rector Remin")e R o  u *amas#*amsam *anction *craper *i"Locer  Pompous *port *trictor *urprise *ynoLocer 8eslaCrypt 4.x # -.-.4 8eslaCrypt 3.4Q 8eslaCrypt I.A 8eslaCrypt I.8orrentLocer 8rol"esh 8rueCrypter /mreCrypt aultCrypt irus#Enco"er orist R8N la"er  Russian

.loce" .raen .vscrypt ..in+ecte" remin" .rou .encrypte"AE* .encrypte"R*A .sanction .loce" .sport .loce" .surprise .vvv .ecc .micro .xxx .Encrypte" .etter(call(saul ..xtl enc

.co"ersu<=mail(com(i"$4#5'6-G3: .crypt
.vault ..xort Cry*i* .EnCiPhErE" .73i7A .xrtn .vault

aultCrypt +amily aultCrypt +amily

Encryption Al=orithm Also nown as AE*0-BF2 7ev3n#HJNES8 AE*0-BF2 AlphaLocer AE*0-BF2

AE*0-BF2 AE* J*8 AE*

AE*0-BF2

AE*0-BF2 R*A

AE*0-BF2 0RAR implementation2

R*A0-4I2 AE*0-BF2 AE*0-BF2 AE*0-BF2 AE*0-BF2 AE* 0-2

&ecryptor %n+o *creenshots   httpTwww.nyxo KNA)E httpsT=ithu.co   httpTwww.nyxo   KNA)E httpT"ownloa".httpTwww.leepi httpT"ownloa".  httpTwww.leepi KNA)E httpsT"ecrypter.emsiso+t.comauto KNA)E Rahni   httpsTreaUta.co KNA)E httpsTnoransom.aspersy.com KNA)E *alam   KNA)E httpTwww.nyxohttpTwww.nyxo httpTwww.nyxo httpTwww.nyxo   httpsTwww.proo KNA)E KNA)E   httpTresearchce KNA)E KNA)E   httpsTlo=.malw KNA)E httpsTlo=.malw KNA)E 9inCrypt httpTwww.nyxone.commalware httpsTnoransom.aspersy.com KNA)E   httpTwww.leepi KNA)E httpsTsupport.aspersy.comvirus KNA)E httpsTsupport.aspersy.comvirus KNA)E Hi""en 8ear httpTwww.utusen.comlo="eali   KNA)E   httpsTwww.proo KNA)E httpsT"ecrypter.emsiso+t.com KNA)E httpsT"ecrypter.emsiso+t.com KNA)E )anamecryptG httpTwww.leepin=computer.com KNA)E 8elo=raphG RJ% KNA)E httpsTwww.+iree httpsTreaUt httpsTreaUta.co a.co KNA)E eta httpTwww.nyxohttpTwww.nyxo httpTwww.nyxo httpTwww.nyxo httpTwww.leepin=computer.com KNA)E KNA)E CryptPro@ect httpsTsupport.aspersy.comvirus   KNA)E CryptPro@ect httpsTwww.proo   KNA)E   KNA)E   httpsTthisissecur KNA)E httpTwww.malwareremoval=ui"es.i KNA)E   httpsTlo=.malw httpsTlo=.mal w KNA)E httpsT"ecrypter.   httpsTlo=.malw KNA)E Cryptear   KNA)E Los Pollos Hermanos   KNA)E   httpTwww.leepi KNA)E httpsTlo=.+ortin KNA)E

httpsTsupport.aspersy.comvirus httpsT"ecrypter.emsiso+t.com

AE*0-BF2

AE*0-BF2 8riple&E* 8riple&E* AE*

AE* AE*0-BF2 Linux.Enco"er.64G3: AE*0-2

AE*0-BF2 AE*0-BF2 AE*0-BF2 AE*0-BF2

!ooyah Yaes

JR0-BB2 7,ip

ipasana PCo"e JR )o"i+ie" *alsa-4 *arento AE*0-BF2

KNA)E KNA)E KNA)E httpsT"ecrypter.emsiso+t.com KNA)E   httpTwww.nyxo KNA)E httpsT"ecrypter. httpTwww.mal httpTwww.malw w KNA)E KNA)E KNA)E httpTwww.leepihttpsTwww.help httpTwww.leepi   httpsTwww.help KNA)E   httpTwww.nyxo KNA)E   httpT+orum.male KNA)E httpTnews."rwehttpTwww.welive httpTnews."rwe   httpTwww.welive KNA)E httpsT"ecrypter.emsiso+t.com KNA)E httpTwww.leepin=computer.com httpsTlo=.+ortin   httpTwww.leepi httpTwww. leepi KNA)E   KNA)E httpsT"ecrypter. httpsTlo=.mal httpsTlo=.malw w KNA)E httpsTlas.it"e+en"er.com-4B   KNA)E httpTwww.leepin=computer.com KNA)E   KNA)E KNA)E KNA)E KNA)E   KNA)E   httpsTlo=.malw KNA)E   KNA)E   httpsTwww.proo KNA)E httpTnyxone.co httpTnyxone.co httpT=ithu.comCyercluesnanol KNA)E KNA) E httpsT"ecrypter.emsiso+t.com KNA)E httpsT=ithu.comAnteloxNemuco

  httpTartla,e.l   httpTnews.thewin"owsclu.comop httpsT"ecrypter.emsiso+t.com   httpTwww.thewi   httpsTlo=.malw httpsTlo=.mal w

KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E httpTwww.nyxone.commalware httpsT"ecrypter.   httpTwww.l httpTwww.leepi KNA)E

A=ent.iih Aura

Curve25519 + ChaCha

AE*0-BF2 Q R*A0-45F2 samsam.exe AE*0-BF2 Q R*A0-45F2 )%9JPJN%.exe AE*0-BF2 AE*0-BF2 AE*0-BF2 AlphaCrypt AE*0-BF2 Q ECH& Q *HA AE*0-BF2 Q ECH& Q *HA AE*0-BF2 AE*0-BF2 AE* uses =p=.exe AE*0-BF2

R*A

Crypt4L4cer Crypto;ortress *ha"e 8!L Crypault la"er

aultCrypt Crypault

httpsTsupport.aspersy.comusvi KNA)E httpsTsupport.aspersy.comvir httpsTsuppor t.aspersy.comviruses"isin+ectio uses"isin+ectionB nB httpsTwww.=oo=l httpsTsupport.aspersy.comvir httpsTsuppor t.aspersy.comviruses"isin+ectio uses"isin+ectionInIhttpTi.im=ur.com   httpsTlo=.malw KNA)E   httpTlo=.talosin KNA)E   KNA)E httpTsecurelist.comlo=research KNA)E httpTwww.leepihttpTwww.nyxo httpTwww.leepi   httpTwww.nyxo KNA)E KNA)E   httpTwww.nyxo KNA)E   KNA)E KNA)E httpTwww.leepin=computer.com   KNA)E KNA)E httpsTwww.en"= KNA)E httpTwww.leepi KNA)E httpTwww.leepin=computer.com KNA)E   httpTwww.nyxo KNA)E httpTwww.leepihttpTwww.leep httpTwww.leepi httpTwww.leep httpTwww.thewin"owsclu.come   KNA)E   httpTwww.nyxo KNA)E   httpTwww.nyxo KNA)E httpsTsupport.aspersy.comvirus KNA)E KNA)E   httpTwww.nyxo KNA)E

ne.comima=esarticulosmalwarer ne.comima=esart iculosmalwarera,ilianRansom4.pn= a,ilianRansom4.pn=

hineseRansom.html

ne.comima=esarticulosmalwarecryp ne.comima=esart iculosmalwarecryptomixr-.pn= tomixr-.pn=

orumstBB5IF3eyhol"er#ransomware orumstBB5IF3eyhol"er #ransomware#support#an" #support#an"#help#topic# #help#topic#how#"ecrypt=i how#"ecrypt=i+how#"ecrypt +how#"ecrypthtml html

ima=esarticulosmalwaremoe+4.pn=

aa*.html

7 e."esearchtmVischWUVRansomwareQRansom3I =FiB*N.@p=

tatic.comima=esnewsransomware tatic.comima=esne wsransomwarettruecrypte ttruecryptertruecrypt rtruecrypter.pn= er.pn=

Propose" Name Remin")e Don"e Don"erCr rCrypt ypter er     ort eta  PLA/E7  DHA8 %* *X   

Extensions .remin" .h3ll .h3ll .crypttt .loc .neitrino .xcrypt .xort

.PLA/E7

Extension Pattern

PoC "ecrypt(your(+iles.html *ECRE8%*H%&%NHERE%N*% &E.9EYG A88EN8%JN.88G REA&(%8.88 ) E**AE.88

xort.txt .i"(1(email(,eta<"r.com HELP(YJ/R(;%LE*.H8)L ;%LE*(!AC9.88 PLA/E7.txt 4252016XYLITOL.KEY66

sU( 0prepen"s +ile2

.loce"

DHA8 %* *X(.txt PLEA*E REA&.txt %(A.txt /NLJC9(;%LE*(%N*8R/C8% JN*.txt

Comment *tatus httpTwww.leepin=computer.coHuntin= +or sample *u *umitt mitte e" to %&R Nee" Nee" ana analyse lyse" " 07+ 07+7F" 7F""BBI BBIBa BaF F++4I 4I e"5 "53eBe 3eBe-I I+  +  *umitte" to %&R Nee"s i"enti+ie" *umitte" to %&R Nee"s i"enti+ie" *umitte" to %&RG ransom emailT Nee"s i"enti+ie" "anny.walswen
-+43F"3cFaFcc+""aF47BcFF"2

Name .Crypt rypto oHasY HasYo ou. 7ev3n AutoLocy !an"archor !itCryptor !ooyah !ra,ilian !rowloc !uy/n uy/nlo loccCo" Co"e e Cerer Chimera Coinault Coverton Cryai Cryola Cryptear Crypt%n+inite Crypto&e+ense CryptoHost Crypto?oer CryptoLocer Crypto8orLocer-4B CryptoDall Crypt C8!#Locer C8!#Locer DE! &eCrypt Protect &)ALocer &)AL &)ALoc oce err 3.4 3.4 E&AE&A-  Hi"" Hi""en en8 8ear ear El#P El#Po olol loloce ocerr ;ury omasom opher Harasom Hi !u""y Hy"raCrypt iLoc iLocLi=ht  ?i=saw

)icroso+t &etection Name 8ro@anT @anTDi Din3 n3- -& &ynam yname erac ac RansomTDin3-Empercrypt.A

)icroso+t %n+o httpsTwww.microso+  httpsTwww.microso+ 

Din3-Criit

httpsTwww.microso+ 

RansomT?*!rolo Rans Ransom omTT Din3 in3-C -Cen"o en"o" "e.A e.A Din3-Cerer Din3-Chicrypt RansomT )*%Laultloc.A

www.microso+t.coms httpsTwww.microso+  httpsTwww.microso+  httpsTwww.microso+  httpsTwww.microso+ 

RansomT Din3-Crowti

httpsTwww.microso+ 

RansomT Din3-Crowti Din3-;ortrypt

httpsTwww.microso+ 

RansomT Din3-Cr Criloc.A

httpsTwww.microso+ 

RansomT Din3-Crowti Din3-;ortrypt

httpsTwww.microso+ 

RansomT )*%L[email protected]

httpsTwww.microso+ 

RansomT Din3-&)ALocer Rans Ransom omTT Din3 in3-& -&)ALo )ALoc ce er.A r.A Rans Ransom omTT )*%L )*%LR Ry, y,er erlo lo Rans Ransom omTT Powe wer* r*he helllPo lPolo loc c.A .A

httpsTwww.microso+  httpsTwww.microso+  httpsTwww.microso+  httpsTwww.microso+ 

8ro@anT Din3-Harasom.A

httpsTwww.microso+ 

RansomT Din3-8o+y.

httpsTwww.microso+ 

RansomT)*%L?i=sawLocer.A RansomT)*%L?i=sawLoce r.A

httpsTwww.microso+ 

 ?o Crypter  ?oCrypter 9eRan=er 9ey!8C 9EYHol"er 9imcilDare 9ryptoLocer LeChi++re Linux.Enco"er Locer Locy Lorto LowLevel4I )aouia )a=ic )atuLocer )oe+  NanoLocer Nemuco" J++line ransomware J) Ransomware Jperation loal %%% PCloc Petya Raa* Raa* Ra"amant Rannoh Rannoh Remin")e Rector Remin")e Rou *amas#*amsam *anction *craper *i"Locer  Pompous *port *trictor *urprise *ynoLocer

RansomT )acJ*(9eRan=er.A RansomT Din3-%s"a RansomT !A8iow

httpsTwww.microso+  httpsTwww.microso+ 

RansomT Din3-Locy 8ro@an&ownloa"erT ?*Locy

httpsTwww.microso+ 

Din3-8aaum

httpsTwww.microso+ 

?*Nemuco"

httpsTwww.microso+ 

Din3-8escrypt

httpsTwww.microso+ 

8eslaCrypt 3.4Q 8eslaCrypt I.A 8eslaCrypt I.8orrentLocer 8rueCrypter /mreCrypt aultCrypt irus#Enco"er orist R8N Alpha Ransomware 4

RansomT Din3-8eerac Din3-;ortrypt D in3-8rol"esh

httpsTwww.microso+  httpsTwww.microso+ 

RansomT !A8iow

httpsTwww.microso+ 

*an"ox %JCs httpsTwww.hyri"#a httpsTwww.hyri"#a httpsTwww.hyri"#a httpsTwww.hyri"#a httpsTwww.hyri"#a

ecurityportalthreat .comsecurityportal httpsTwww.hyri"#a httpsTwww.hyri"#a httpsTwww.hyri"#a

.comsecurityportal httpsTwww.hyri"#a

httpsTwww.hyri"#a .comsecurityportal httpsTwww.hyri"#a

httpsTwww.hyri"#a .comsecurityportal httpsTwww.hyri"#a .comsecurityportal

.comsecurityportal httpsTwww.hyri"#a

httpsTwww.hyri"#a

*nort KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E

.comsecurityportal .comsecurityportal

.comsecurityportal

.comsecurityportal

.comsecurityportal

KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E httpsTotx.alienvault.comrowseUVRannoh

httpsTwww.hyri"#a

KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E

.comsecurityportal .comsecurityportal .comsecurityportal

KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E KNA)E

)easure 8ype !acup an" Restore Recovery Process !loc )acros PJ &isale D*H PJ ;ilter Attachments )ail ateway Level Attachments  ;ilter )ail ateway Level - pro=ram Restrict PJ execution *how ;ile /ser Extensions Assistence En+orce /AC Prompt PJ

&escription )ae sure to have a"eUuate acup processes on place an" +reUuently test ainrestore these acups +rom the %nternet. &isale macros J++ice o+ +iles "ownloa"e" 8his e &isacan le D incon+i=ure" "ows *criptto Howor st in two "i++erent mo"esT ;ilter the +ollowin= attachments on your mail =atewayT .exeG .atG .psG .@sG .@seG .scrG .comG .vG .vsG .veG ;ilter the +ollowin= attachments on.ocxG your.@arG mail =atewayT 0;ilter Level  plus2executions ."ocG .xlsG .rt+  !loc all pro=ram +rom the ZLocalApp&ataZ an" ZApp&ataZ +ol"er *et the re=istry ey [Hi"e;ileExt[ to 4 in or"er to show all +ile extensionsG even o+ ive nown +ile 8his avoi"in= En+orce a"ministrative a"ministrat users totypes. con+irm anhelps action that reUuires elevate" ri=hts Remove A"min !est Practice Remove an" restrict a"ministrative ri=hts whenever possile. Privile=e" )alware canDin"ows only mo"i+y +iles to that users worstation have write access to. Restrict Dorstation !est Practice Activate the ;irewall restrict to Communication worstation communication *an"oxin= Email A"vance" /sin= san"ox that opens email attachments an" removes %nput )alware analysis Execution 3r" Party 8ools attachments *o+tware thatase" allowson toehavior control the execution o+ processes # Prevention sometimes inte=rate" in Antivirus so+tware

;ootnotes Comple Complexit xityy E++ect E++ective ivenes nesss %mpa %mpact ct

8he comple complexit xityy o+ implem implement entati ation on also also inclu" inclu"es es the costs costs o+ implem implement entati ation on 0 &o not overr overrate ate a >hi=h >hi=h>> in this this column column as it is a relati relative ve e++ect e++ective ivenes nesss in compa compa 8he 8he e++e e++ect ctss on usi usine ness ss proc proces esse sesG sG a"mi a"mini nist stra rati tion on or user user expe experi rien ence ce

Comple Com plexit xity1 y1 E++e E++ecti ctiven veness ess1 1 %mp %mpact act1 1 Medium

High

Low

Low

High

Low

Low

Medium

Medium

Low

Medium

Low

Low

High

High

Medium

Medium

Medium

Low

Low

Low

Low

Medium

Low

Medium

Medium

Medium

Medium

Low

Low

Medium

High

-

Medium

Medium

-

.=. simple to implement ut costly2 rison to other measures

Possi Pos sile le %ss %ssues ues

A"ministrative A"ministrative !* scripts on Dorstations J++ice Communication with ol" versions o+ )icroso+t J++ice +iles s De eme""e" so+tware installers installer a"ministrator a"ministrator resentment Hi=her a"ministrative a"ministrative costs

Lin  Lin httpTwin"ows.microso+t.come httpTwin"ows. microso+t.comen#uswin"owsac#up n#uswin"owsac#up#restore#+aU #restore#+aUK8CVwin" K8CVwin"ows#7 ows#7 httpsTwww.I4Itechsup httpsTsuppor httpsTsupport.o++ice.co t.o++ice.comen#usarticleEna men#usarticleEnale#or#"isale le#or#"isale#macros#in#J++ic #macros#in#J++ic httpTwww.win"owsnetworin=.c httpTwww.win" owsnetworin=.comaseDin"ows8ip omaseDin"ows8ipsDin"owsPA" sDin"owsPA"min8ipsCustomi,atio min8ipsCustomi,ation&is n&is

httpTwww.+at"ex.netp httpsTcommunity httpsTcommunity.spicewors.co .spicewors.comtopic35F43#crypt mtopic35F43#cryptolocer#preve olocer#prevention# ntion# httpTwww.seven+orums.comtuto httpTwww.seve n+orums.comtutorials4B74#+ile#ext rials4B74#+ile#extensions#hi"e#show ensions#hi"e#show.html .html httpsTtechnet.microso+t.co httpsTtechnet. microso+t.comen#uslirary men#uslirary""3BBFI0D*.42.asp ""3BBFI0D*.42.aspxx

#+iles#-43F+"#"I4#Ie7I#IBe#F+e"a7eBcFuiVen#/*WrsVen #+iles#-43F+"#"I4#Ie7I#IBe#F+e" a7eBcFuiVen#/*WrsVen#/*Wa"V/* #/*Wa"V/* aleDin"ows*criptin=HostD*H.html

it#up"ate"

*ourceT httpsTwww.en"=ame.comlo=your#paca=e#has#een#success+ully#encrypte"#teslacrypt#Ia#an"#ma

*ourceT *ymantecG iaT
Composition

8his initial list has een compose" y )osh
Jther Contriutors

;lorian Roth
*upport

%+ you are a security researcher an" want to support usG please contact me on 8witter an" %>ll =rant you write httpsTi"#ransomware.malwarehunterteam.com httpsTartla,e.lo=spot.com httpTwww.maleal.com httpTwww.leepin=computer.com httpsTlo=.malwareytes.or= httpTwww.nyxone.com httpTwww.tripwire.comstate#o+#securitysecurity#"ata#pr httpTwww.thewin"owsclu.comlist#ransomware#"ecrypt

*ources

photo

%"enti+y ransomware y ransom note or encrypte" +ile sample

tectionransomware#happy#en"in=#4#nown#"ecryption#cases r#tools