
Extensions Extension Pattern

.CryptoHasYou. .enc
777 .777 ._[timestamp]_$[email]$.777
7ev3n .R4A e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777
7h9r .R5A
.7h9r
8lock8 .8lock8
AiraCrop ._AiraCropEncrypted
Al-Namrood .unavailable
Alcatraz Locker .disappeared
.Alcatraz
ALFA Ransomware .bin
Alma Ransomware random random(x5)
Alpha Ransomware .encrypt
Alphabet
AMBA .amba
Angela Merkel .angelamerkel
AngleWare .AngleWare
Angry Duck .adk
Anony
Anubis .coded
Apocalypse .encrypted [filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random
ApocalypseVM .SecureCrypted
.encrypted *filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13
ASN1 .locked
AutoLocky .locky
Aw3s0m3Sc0t7 .enc
BadBlock
BadEncript .bript
BaksoCrypt .adr
Bandarchor .id-1235240425_help@dec
.id-[ID]_[EMAIL_ADDRESS]
BarRax .BarRax
Bart .bart.zip
BitCryptor .bart
.clf
BitStak .bitstak
BlackShades Crypter .Silent
Blocatto .blocatto
Booyah
Brazilian .lock
Brazilian Globe .id-%ID%_garryweber@protonmail
BrLock
Browlock
BTCWare .btcware
Bucbi
BuyUnlockCode (.*).encoded.([A-Z0-9]{9})
Central Security Treatment Organi.cry
Cerber .cerber
CerberTear .cerber2
Chimera .crypt
CHIP 4 random characters, e.g., .PzZs, .MKJL
.CHIP
Click Me Game .DALE
Clock
CloudSword
Cockblocker .hannah
CoinVault .clf
Coverton .coverton
Crptxxx .enigma
.crptxxx
Cryaki .{CRYPTENDBLACKDC}
Crybola
CryFile .criptiko
CryLocker .criptoko
.cry
CrypMIC
Crypren .ENCRYPTED
Crypt38 .crypt38
CryptConsole random decipher_ne@outlook.com_[encrypted_filename]
Cryptear unCrypte@outlook.com_[encrypted_filename]
Crypter
CryptFIle2 .scl id[_ID]email_xerx@usa.com.scl
CryptInfinite .crinf
CryptoBit
CryptoBlock
CryptoDefense
CryptoDevil .devil
CryptoFinancial
CryptoFortress .frtrss
CryptoGraphic Locker .clf
CryptoHost
CryptoJacky
CryptoJoker .crjoker
CryptoLocker .encrypted
CryptoLocker 1.0.0 .ENC
CryptoLocker 5.1
CryptoLuck / YafunnLocker .[victim_id]_luck [A-F0-9]{8}_luck
CryptoMix .code .id_(ID_MACHINE)_email_xoomx@dr.com_.code
CryptON .scl
_crypt .id_*_email_zeta@dr.com
name_crypt..extension
.id-_locked
CryptoRansomeware
Cryptorium .ENC
CryptoRoger .crptrgr
CryptoShadow .doomed
CryptoShield .CRYPTOSHIELD grfg.wct.CRYPTOSHIELD
CryptoShocker .locked
CryptoTorLocker2015 .CryptoTorLocker2015!
CryptoTrooper
CryptoWall 1 no filename change
CryptoWall 2 no filename change
CryptoWall 3 no filename change
CryptoWall 4 <random>.<random>, e.g.,
CryptoWire 27p9k967z.x1nep
CryptXXX .crypt
CryptXXX 2.0 .crypt
CryptXXX 3.0 .crypt
CryptXXX 3.1 .cryp1
CryPy .cry
CTB-Faker
CTB-Locker .ctbl .([a-z]{6,7})
CTB-Locker WEB
CuteRansomware .已加密
Cyber SpLiTTer Vbs .encrypted
Damage .damage
Dharma .dharma .<email>.(dharma|wallet|zzzzz)
Deadly for a Good Purpose .wallet .id-%ID%.[moneymaker2@india.com].wallet
Death Bitches .locked
DeCrypt Protect .html
DEDCryptor .ded
Demo .encrypted
Depsex .Locked-by-Mafia
DeriaLock .deria
DetoxCrypto
Digisom
DirtyDecrypt
DMALocker
DMALocker 3.0
DNRansomware .fucked
Domino .domino
Donald Trump .ENCRYPTED
DoNotChange .id-7ES642406.cry
.Do_not_change_the_filename
DummyLocker .dCrypt
DXXD .dxxd
DynA-Crypt .crypt
EDA2 / HiddenTear .locked
EdgeLocker .edgel
EduCrypt .isis
EiTest .locked
.crypted
El-Polocker .ha3
Encoder.xxxx
encryptoJJS .enc
Enigma .enigma
Enjey .1txt
EnkripsiPC .fucked
Erebus Encrypt the extension using ROT-
Evil .file0locked
Exotic .evillock
.exotic random.exotic
FabSysCrypto
Fadesoft
Fairware
Fakben .locked
FakeGlobe aka GlobeImposter .crypt
FakeCryptoLocker .cryptolocker
Fantom .fantom
FenixLocker .comrade
.FenixIloveyou!!
FILE FROZR
FileLocker .ENCR
FireCrypt .firecrypt
Flyper .locked
Fonco
FortuneCookie
Free-Freedom .madebyadam
FSociety .fs0ciety
Fury .dll
GhostCrypt .Z81928819
Gingerbread
Globe v1 .purge
Globe v2 .lovewindows .<email>.<random>
Globe v3 .openforyou@india.com e.g.: .7076.docx.okean-
.[random].blt
GNL Locker .[random].encrypted
.locked <ID>.locked, e.g.,
GOG .L0CKED bill.!ID!8MMnF!ID!.locked
Gomasom .crypt !___[EMAILADDRESS]_.crypt
Goopic
Gopher
Gremit .rnsmwr
Guster .locked
Hacked .versiegelt
HappyDayzz .encrypted
Harasom .html
HDDCryptor
Heimdall
Help_dcfile .XXX
Herbst .herbst
Hermes
Hi Buddy! .cry
Hitler removes extensions
HolyCrypt (encrypted)
HTCryptor
Hucky .locky [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.lo
HydraCrypt hydracrypt_ID_[\w]{8}
IFN643
iLock .crime
iLockLight .crime
International Police Association <6 random characters>
iRansom .Locked
Jack.Pot
JagerDecryptor !ENC
JapanLocker
Jeiphoos
Jhon Woddy .killedXXX
Jigsaw .btc
Job Crypter .kkk
.locked
JohnyCryptor .css
Kaandsona .kencf
Kangaroo .crypted_file
Karma .karma
Karmen .grt
Kasiski [KASISKI]
KawaiiLocker
KeRanger .encrypted
KeyBTC keybtc@inbox_com
KEYHolder
KillDisk
KillerLocker .rip
KimcilWare .kimcilware
Kirk .locked
.Kirked
Koolova
Korean .암호화됨
Kostya .kostya
Kozy.Jozy .31392E30362E32303136.([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9
Kraken .kraken [base64].kraken
KratosCrypt .kratos
KRider .kr3
KryptoLocker
LambdaLocker .lambda_l0cked
LanRan

LeChiffre .LeChiffre

Lick .Licked
Linux.Encoder
LK Encryption
LLTP Locker .ENCRYPTED_BY_LLTP
LockCrypt .ENCRYPTED_BY_LLTPp
.lock
Locked-In
Locker
LockLock .locklock
Locky .locky ([A-F0-9]{32}).locky
Lock93 .zepto
.lock93 ([A-F0-9]{32}).zepto
Lomix
Lortok .crime
LowLevel04 oor.
M4N1F3STO
Mabouia
MacAndChess
Magic .magic
MaktubLocker [a-z]{4,6}
Marlboro .oops
MarsJoke .a19
MasterBuster .ap19
Matrix
Meister
Merry X-Mas! .PEGS1
Meteoritan .MRCR1
MIRCOP Lock.
MireWare .fucked
Mischa .fuck .([a-zA-Z0-9]{4})
MM Locker .locked
Mobef .KEYZ
Mole .KEYH0LES
.mole
Monument .mole02
MOTD .enc
MSN CryptoLocker
n1n1n1
N-Splitter .кибер разветвитель
Nagini
NanoLocker
Nemucod .crypted
Netix
Nhtnwcuf
NMoreira .maktub
NoobCrypt .__AiraCropEncrypted!
Nuke .nuclear55
Nullbyte _nullbyte
Ocelot
ODCODC .odcodc C-email-abennaki@india.com-(
Offline ransomware .cbf email-[params].cbf
OMG! Ransomware .LOL!
Onyx .OMG!
Operation Global III .EXE
Owl dummy_file.encrypted dummy_file.encrypted.[extension
OzozaLocker .Locked
PadCrypt .padcrypt
Padlock Screenlocker
Patcher .crypt
PayDay .sexy
PayDOS
Paysafecard Generator 2016 .cry_ test.cry_jpg
PClock
PetrWrap
Petya
Philadelphia .locked <file_hash>.locked
Phoenix .R.i.P
Pickles .EnCrYpTeD %random%.EnCrYpTeD
PizzaCrypts .id-[victim_id]-maestro@pizzacrypts.info
PokemonGO .locked
Popcorn Time .filock
Polyglot
Potato .potato
PowerWare .locky
PowerWorm
Princess Locker [a-z]{4,6},[0-9]
PRISM
Project34
ProposalCrypt .crypted
Ps2exe
PyL33T .d4nk
R
R980 .crypt
RAA encryptor .locked
Rabion
Radamant .RDM
Rakhni .RRK
.locked .coderksu@gmail_com_id[0-9]{2,3}
Ramsomeer .kraken .crypt@india.com.[\w]{4,12}
Ranion
Rannoh locked-<original name>.[a-zA-Z]{4}
RanRan .zXz
Ransoc
Ransom32
RansomLock
RansomPlus .encrypted
RarVault
Razy .razy
Rector .fear
.vscrypt
Red Alert .infected
RektLocker .rekt
RemindMe .remind
Revenge .crashed
.REVENGE
Rokku .rokku
RoshaLock
RozaLocker .ENC
Runsomewere
RussianRoulette
SADStory
Sage 2.0 .sage
Sage 2.2 .sage
Samas-Samsam .encryptedAES
Sanction .encryptedRSA
.sanction
Sanctions .wallet
Sardoninir .enc
Satan .stn
Satana Sarah_G@ausi.com___
Saturn
Scarab .scarab
Scraper
SerbRansom .velikasrbija
Serpent .serpent
Serpico
Shark .locked
ShellLocker .L0cked
ShinoLocker .shino
Shujin
Simple_Encoder .~
SkidLocker / Pompous .locked
SkyName
Smash!
Smrss32 .encrypted
SNSLocker .RSNSlocked
Spora .RSplited
Sport .sport
Stampado .locked
Strictor .locked
Surprise .surprise
Survey .tzu
SynoLocker
SZFLocker .szf
TeamXrat .___xratteamLucked
TeleCrypt .xcri
TeslaCrypt 0.x - 2.2.0 .vvv
TeslaCrypt 3.0+ .ecc
.micro
TeslaCrypt 4.1A .xxx
TeslaCrypt 4.2
Thanksgiving
Threat Finder
TorrentLocker .Encrypted
TowerWeb .enc
Toxcrypt .toxcrypt
Trojan .braincrypt
Troldesh .breaking_bad
TrueCrypter .better_call_saul
.enc
Trump Locker .TheTrumpLockerf
Turkish .TheTrumpLockerfp
.sifreli
Turkish (Fake CTB-Locker) .encrypted
Turkish Ransom .locked
UltraLocker
UmbreCrypt umbrecrypt_ID_[VICTIMID]
UnblockUPC
Ungluk .H3LL
Unlock26 .0x0
.locked-[XXX]
Unlock92 .CRRRT
Vanguard .CCCRRRPPP
VapeLauncher
VaultCrypt .vault
VBRANSOM 7 .xort
.VBRANSOM
VenisRansomware
VenusLocker .Venusf
Vindows Locker .Venusp
.vindows
Virlock .exe
Virus-Encoder .CrySiS .id-
Vortex .xtbl
.aes ########.decryptformoney@i
vxLock .vxLock
WannaCry .wcry
WildFire Locker .wncry
.wflx
Winnix Cryptor .wnx
XCrypt
XData .~xdata~
Xorist .EnCiPhErEd
XRTN .73i87A
.xrtn
XYZWare
You Have Been Hacked!!! .Locked
YourRansom .yourransom
Zcrypt .zcrypt
Zeta .code
Zimbra .scl
.crypto
ZinoCrypt .ZINO
Zlader / Russian .vault
Zorro .zorro
zScreenLocker
Zyka .locked
Zyklon .zyklon
Ransom Note Filename(s) Comment Encryption Algorithm
YOUR_FILES_ARE_LOCKED.txt AES(256)
read_this_file.txt XOR
FILES_BACK.txt
README_.TXT AES
READ_IT.txt Based on HiddenTear AES(256)
How to decrypt your files.txt related to TeamXRat
Read_Me.Txt
ransomed.html
README HOW TO DECRYPT YOUR FILES.Made by creators of Cerber
Unlock_files_randomx5.html AES(128)
Read Me (How Decrypt) !!!!.txt AES(256)
Doesn't encrypt any files / provides you the key
ПРОЧТИ_МЕНЯ.txt Websites only
READ_ME.txt amba@riseup.net
READ_ME.txt
Demands 10 BTC

Decryption Instructions.txt EDA2 AES(256)


*.How_To_Decrypt.txt decryptionservice@mail.ru
*.Contact_Here_To_Recover_Your_Files.txt
*.How_To_Get_Back.txt recoveryhelp@bk.ru
Apocalypse ransomware version
!!!!!readme!!!!!.htm which uses VMprotect
info.txt
info.html
Help Decrypt.html
More.html
Based on my-Little-Ransomware
HOW TO DECRYPT.txt Files might be partially AES(256)
encrypted
Based on HiddenTear
recover.txt Possible affiliations with
recover.bmp RockLoader,
Has a GUI. Locky and Dridex
CryptoGraphic Locker family. Base64 + String
Hacked_Read_me_to_decrypt_files.html Replacement
AES(256)
YourID.txt Based on HiddenTear AES(256)
EXE was replaced to neutralize
MENSAGEM.txt threat
Based on EDA2 AES(256)
HOW_OPEN_FILES.html
AES
no local encryption, browser only
#_HOW_TO_FIX_!.hta Related to / new version of
CryptXXX
no file name change, no GOST
extension
BUYUNLOCKCODE.txt Does not delete Shadow Copies
!Recovery_[random_chars].html
!Recovery_[random_chars].txt
# DECRYPT MY FILES #.html AES
# DECRYPT MY FILES #.txt
YOUR_FILES_ARE_ENCRYPTED.HTML
YOUR_FILES_ARE_ENCRYPTED.TXT
CHIP_FILES.txt
DALE_FILES.TXT
Does not encrypt anything
Warning警告.html

wallpaper.jpg CryptoGraphic Locker family.


!!!-WARNING-!!!.html Has a GUI. AES(256)
!!!-WARNING-!!!.txt
HOW_TO_FIX_!.txt Uses @enigma0x3's UAC bypass

SHTODELATVAM.txt Moves bytes


Instructionaga.txt
!Recovery_[random_chars].html Identifies victim locations
!Recovery_[random_chars].txt
README.TXT w/Google Maps API
CryptXXX clone/spinoff AES(256)
README.HTML
READ_THIS_TO_DECRYPT.html
AES
How decrypt files.hta Impersonates the Globe
Ransomware AES(256)
Does not actually encrypt the
files, but simply renames them RSA

OKSOWATHAPPENDTOYOURFILES.TXT sekretzbel0ngt0us.KEY AES and RSA


do not confuse with CryptorBit
RaaS
HOW_DECRYPT.TXT no extension change
HOW_DECRYPT.HTML

READ IF YOU WANT YOUR FILES BACK.ht Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB AES(256), RSA (1024)
wallpaper.jpg
Has a GUI.
Subvariants:
RAR's victim'sCoinVault
files AES(256) (RAR
has a GUI implementation)
README!!!.txt AES-256
GetYouFiles.txt no longer relevant RSA

%AppData%\@WARNING_FILES_ARE_ENCRYP via RIG EK AES(256)


HELP_YOUR_FILES.html (CryptXXX)
HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0) RSA, AES-256 and
SHA-256
Only renames files and does not
!Where_are_my_files!.html encrypt them AES
LEER_INMEDIATAMENTE.txt
# RESTORING FILES #.HTML CryptoMix Variant AES(256) / ROT-13
# RESTORING FILES #.TXT
ATTENTION.url AES
HOW TO DECRYPT FILES.txt
%Temp%\<random>.bmp AES
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
HELP_DECRYPT.TXT
HELP_DECRYPT.PNG
HELP_DECRYPT.TXT
HELP_DECRYPT.PNG
HELP_YOUR_FILES.HTML
HELP_YOUR_FILES.PNG AES(256)
de_crypt_readme.bmp, .txt, .html Comes with Bedep
<personal-ID>.txt, .html, .bmp Locks screen. Ransom note names are an ID. Comes with Bedep
StilerX credential stealing
README_FOR_DECRYPT.txt AES

AllFilesAreLocked <user_id>.bmp RSA(2048)


DecryptAllFiles <user_id>.txt websites only AES(256)
你的檔案被我們加密啦!!!.txt Based on my-Little-Ransomware AES(128)
Your files encrypted by our friends !!! txt Based on HiddenTear
Written in Delphi Combination of SHA-1
README.txt CrySiS variant and Blowfish
README.jpg Encrypts in 2017
READ_IT.txt

Based on EDA2 AES(256)


HELP_YOUR_FILES.txt only encrypts .jpg files
READ_ME.txt Based on HiddenTear
unlock-everybody.txt
AES
Digisom Readme0.txt (0 to 9)

cryptinfo.txt no extension change AES(256) in ECB mode,


decrypting.txt Encrypted files
no extension have prefix:
change Version 2-4 also RSA
AES(256)
Code to decrypt: 83KYG9NW- XPTLOCK5.0
README_TO_RECURE_YOUR_FILES.txt 3K39V-2T3HJ-93F3Q-GT
Based on Hidden Tear AES(256)
AES
HOW TO DECODE FILES!!!.txt AES(128)
КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt
ReadMe.TxT

Open sourced C# AES(256)

README.txt Based on Hidden Tear

qwer.html Has a GUI


qwer2.html
Instructions.html Coded in GO
How to recover.enc
enigma.hta AES(128)
enigma_encr.txt Based on RemindMe
The encryption password is
README.HTML based on the computer name AES
Coded in Javascript
Also encrypts executables AES(128)
Based on HiddenTear

Target Linux O.S.


READ ME FOR DECRYPT.txt Based on Hidden Tear
HOW_OPEN_FILES.hta

DECRYPT_YOUR_FILES.HTML Based on EDA2 AES(128)


RESTORE-FILES![id]
Help to decrypt.txt
RaaS

[random_chars]-READ_ME.html AES(256)
Based on EDA2 / HiddenTear
help-file-decrypt.enc contact email
<startupfolder>/pronk.txt safefiles32@mail.ru also as
Unlock code is: adam or
fs0ciety.html adamdude9
Based on EDA2
DECRYPT_YOUR_FILES.HTML Based on RemindMe
Based on Hidden Tear AES(256)

How to restore files.hta Blowfish


Blowfish
Extension depends on the config RC4
UNLOCK_FILES_INSTRUCTIONS.html andfile.
. Itencrypts
Only seems Globe
DE or is
NLacountry AES(256)
AES (256)
DecryptFile.txt
no ransom note
Your files have been crypted.html
OS X ransomware (PoC)

Jigsaw Ransomware variant


3DES
AES(128)
Uses https://diskcryptor.net for Custom (net shares),
full
File disk encryption
marker: "Heimdall---" XTS-AES (disk)
AES-128-CBC
help_dcfile.txt
AES(256)
DECRYPT_INFORMATION.html Filemarker: "HERMES" AES
UNIQUE_ID_DO_NOT_REMOVE Based on HiddenTear AES(256)
Deletes files
AES
Includes a feature to disable the victim's windows firewall
_Adatok_visszaallitasahoz_utasitasok.txt Based on Locky AES, RSA (hardcoded)
_locky_recover_instructions.txt
README_DECRYPT_HYRDA_ID_[ID number CrypBoss Family

%Temp%\<random>.bmp CryptoTorLocker2015 variant

Important_Read_Me.html Prepends filenames


Base64 encoding,
readme_liesmich_encryptor_raas.txt Windows, Linux. Campaign ROT13, andRSA
RC6 (files), top-bottom
2048
stopped. Actor claimed
Same codebase as he (RC6 key)
DNRansomware
Has a GUI AES(256)
Comment débloquer mes fichiers.txt Based on HiddenTear, but uses TripleDES
Readme.txt TripleDES, decrypter is PoC
Crashes before it encrypts
filename.Instructions_Data_Recovery.txt From the developer behind the
# DECRYPT MY FILES #.html Apocalypse
pretends Ransomware,
to be a Windows AES
# DECRYPT MY FILES #.txt optimization program called
RaaS
INSTRUCCIONES.txt Based on HiddenTear
How Decrypt Files.txt
OS X Ransomware AES
DECRYPT_YOUR_FILES.txt
READ.txt
how_decrypt.gif via remote attacker.
how_decrypt.html tuyuljahat@hotmail.com contact AES(256)
Possibly Portuguese dev
websites only AES
RANSOM_NOTE.txt Payments in Monero
With Italian text that only targets the Test folder on the user's
ReadMe.txt Based on HiddenTear AES(256)

w.jpg Potential Kit RSA(2048)


_HELP_YOUR_FILES.html selectedkozy.jozy@yahoo.com
README_ALL.html kratosdimetrici@gmail.com

KryptoLocker_README.txt Based on HiddenTear AES(256)


READ_IT.hTmL Python Ransomware AES(256)
@__help__@ Variant of open-source
MyLittleRansomware

How to decrypt LeChiffre files.html Encrypts first 0x2000 and last


0x2000 bytes.
Via remote attacker

RANSOM_NOTE.txt Variant of Kirk


Linux Ransomware
Based on HiddenTear
LEAME.txt Targeting Spanish speaking AES-256
ReadMe.TxT victims
RESTORE_CORUPTED_FILES.HTML Based on RemindMe
no extension change
READ_ME.TXT has GUI AES(256)
_Locky_recover_instructions.txt Affiliations with Dridex and AES(128)
_Locky_recover_instructions.bmp Necurs botnets
Based on the idiotic open-source
ransomware called CryptoWire
Prepends filenames
Does not encrypt
Unlock code=suckmydicknigga
OS X ransomware (PoC)
Based on HiddenTear
DECRYPT_ReadMe1.TXT Based on EDA2 AES(256)
DECRYPT_ReadMe.TXT
_DECRYPT_INFO_[extension pattern].html AES(256), RSA (2048)
_HELP_Recover_Files_.html XOR
!!! Readme For Decrypt !!!.txt
ReadMeFilesDecrypt!!!.txt
CreatesReadThisFileImportant.txt
[5 numbers]-MATRIX-README.RTF GnuPG
Targeting French victims
YOUR_FILES_ARE_DEAD.HTA Written in Delphi
MERRY_I_LOVE_YOU_BRUCE.HTA
where_are_your_files.txt
readme_your_files_have_been_encrypted.txt
Prepends files AES
READ_IT.txt Demands 48.48 BTC
Based on HiddenTear AES(256)
YOUR_FILES_ARE_ENCRYPTED.HTML Packaged with Petya
YOUR_FILES_ARE_ENCRYPTED.TXT
READ_IT.txt PDFBewerbungsmappe.exe
Based on EDA2 AES(256)
4-14-2016-INFECTION.TXT
IMPORTANT.README
INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT
Use the DarkLocker 5 porn
motd.txt screenlocker
RESTORE_YOUR_FILES.txt
decrypt explanations.html Filemaker: "333333333333"
Russian Koolova Variant
Looks for
ATTENTION.RTF C:\Temp\voldemort.horcrux
no extension change AES (256), RSA
Decrypted.txt has a(a0.exe)
7zip GUI variant cannot be XOR(255)
decrypted 7zip
AES(256)
!_RECOVERY_HELP_!.txt Does not encrypt the files / Files
HELP_ME_PLEASE.txt
Recupere seus arquivos. Leia-me!.txt are destroyed
.aac is the extension used by the mix of RSA and AES-
Learn how to recover your files.txt new version seen in July, 2017 256
!!_RECOVERY_instructions_!!.html AES
!!_RECOVERY_instructions_!!.txt
Does not encrypt anything
HOW_TO_RESTORE_FILES.txt XOR
desk.bmp email addresses overlap with .
desk.jpg
how to get data.txt 777 addresses
Georgian ransomware
Is a file infector (virus)
log.txt
HOW TO DECRYPT YOU FILES.txt
IMPORTANT READ ME.txt has a live support chat
File Decrypt Help.html Unlock code is: ajVr/G\RJz0R
README!.txt Targeting macOS users
!!!!!ATENÇÃO!!!!!.html Based off of Hidden-Tear
Batch file
Passcode: AES1014DW256
Your files are locked !.txt CryptoLocker Copycat XOR
Your files are locked !!.txt
YOUR_FILES_ARE_ENCRYPTED.TXT overwrites MBR Modified Salsa20
encrypts MFT
Coded by "The_Rainmaker" AES(256)
Important!.txt Based on HiddenTear
READ_ME_TO_DECRYPT.txt Python Ransomware

Based on Hidden Tear AES(256)


restore_your_files.html AES(256)
restore_your_files.txt Imitates CTB-Locker AES(256)
README.png AES(256)
README.html Open-sourced PowerShell AES(128)
DECRYPT_INSTRUCTION.html no decryption possible AES, but throws key away, destroys the files
!_HOW_TO_RESTORE_[extension].TXT looks like CryptoWall 3, but with additional warnings at the bottom that ransom price will go up after some time
!_HOW_TO_RESTORE_[extension].html
ПАРОЛЬ.txt

Python Ransomware
Ransomware.txt
DECRYPTION INSTRUCTIONS.txt
rtext.txt
!!!README!!![id].rtf Possible affiliation with Pony
RaaS
YOUR_FILES.url Copy of Ranion RaaS AES(256)
<startup folder>\fud.bmp Files might be partially
<startup folder>\paycrypt.bmp encrypted
Based on the DUMB ransomware
RaaS service AES(256)
me>.[a-zA-Z]{4}
VictemKey_0_5
VictemKey_5_30 Doesn't encrypt user files
no extension change, Javascript
Ransomware
Locks the desktop Asymmetric 1024

RarVault.htm
AES(128)

Based on Hidden Tear


Readme.txt AES(256)
decypt_your_files.html
# !!!HELP_FILE!!! #.txt CryptoMix / CryptFile2 Variant AES(256)
README_HOW_TO_UNLOCK.TXT possibly related with Chimera Curve25519 + ChaCha
README_HOW_TO_UNLOCK.HTML Stores your files in a password
protected RAR file
Based on HT/EDA2
Utilizes the Jigsaw Ransomware
Variant of the Philadelphia
ransomware
Variant of CryPy
!Recovery_[3_random_chars].html Predecessor CryLocker
Sage 2.2 deletes volume
HELP_DECRYPT_YOUR_FILES.html snapshotsattacks
Targeted through AES(256) + RSA(2096)
###-READ-FOR-HELLPP.html
DECRYPT_YOUR_FILES.HTML -Jexboss
Based on HiddenTear, but AES(256) + RSA(2096)
RESTORE_ALL_DATA.html heavily modified keygen AES(256) + RSA(2048)

HELP_DECRYPT_FILES.html RaaS AES(256) + RSA(2096)


!satana!.txt
#DECRYPT_MY_FILES#.txt VM aware, deletes volume
#DECRYPT_MY_FILES#.vbs shadow copies, disables
Post encryption, text file is dropped w/personal identifier
no extension change

HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html
Batch file AES(256)
HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt
Passcode: RSA1014DJW2048
DetoxCrypto Variant AES
Readme.txt AES(256)

文件解密帮助.txt
_RECOVER_INSTRUCTIONS.ini AES
READ_IT.txt Based on EDA2 AES(256)
Based on HiddenTear

_HOW_TO_Decrypt.bmp
READ_Me.txt Based on EDA2 AES(256)
[Infection-ID].HTML

Random message includes bitcoin Coded by "The_Rainmaker" AES(256)


wallet address with instructions Randomly
Based deletes
on EDA2, a file Guy
shows every AES(256)
DECRYPTION_HOWTO.Notepad Fawkes
Based onmaskEDA2 AES(256)
ThxForYurTyme.txt Still in development, shows
FileIce survey
Exploited Synology NAS
firmware directly over WAN
Como descriptografar os seus arquivos.txt AES(256)
Telecrypt will generate a random
HELP_TO_SAVE_FILES.txt string to encrypt with that is
Factorization
Howto_RESTORE_FILES.html 4.0+ has no extension AES(256) + ECHD +
RECOVER<5_chars>.html no special extension SHA1
AES(256) + ECHD +
RECOVER<5_chars>.png
RECOVER<5_chars>.html SHA1
RECOVER<5_chars>.png
HELP_DECRYPT.HTML Files cannot be decrypted
HOW_TO_RESTORE_FILES.html Has a GUI
Newer variants not decryptable. AES(256) CBC for files
DECRYPT_INSTRUCTIONS.html
Payment_Instructions.jpg Only first 2 MB are encrypted RSA(1024) for AES key
tox.html
!!! HOW TO DECRYPT FILES !!!.txt
README<number>.txt May download additional AES(256)
nomoreransom_note_original.txt malware after encryption AES(256)
What happen to my files.txt

Beni Oku.txt keys in '%name%.manifest.xml


DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html AES(256)
Based on the idiotic open-source AES(256)
ransomware
README_DECRYPT_UMBRE_ID_[victim_id].jpg called CryptoWire AES
CrypBoss Family
README_DECRYPT_UMBRE_ID_[victim_id].txt
Files encrypted.txt
READTHISNOW!!!.txt Ransom note instructs to use AES
Hellothere.txt
ReadMe-XXX.html Bitmessage to get in contact
READ_ME_!.txt
GO Ransomware
CryptoWire variant
VAULT.txt uses gpg.exe
xort.txt Does not actually encrypt
In dev
ReadMe.txt VenisRansom@protonmail.com
Based on EDA2 AES(256)
AES
Polymorphism / Self-replication
How to decrypt your data.txt AES(256)

@Please_Read_Me@.txt
HOW_TO_UNLOCK_FILES_README_(<ID>).
Zyklon variant
YOUR FILES ARE ENCRYPTED!.txt GPG
Xhelp.jpg
HOW_CAN_I_DECRYPT_MY_FILES.txt
HOW TO DECRYPT FILES.TXT encrypted files will still have the XOR or TEA
original non-encrypted
VaultCrypt family header of
Based on HiddenTear
Attempt to steal passwords
README.txt

# HELP_DECRYPT_YOUR_FILES #.TXT
how.txt mpritsken@priest.com
ZINO_NOTE.TXT
VaultCrypt family RSA
Take_Seriously (Your saving grace).txt

Hidden Tear family, GNL Locker


variant
Also known as Date Added/Modified Decryptor Info 1 Info 2
http://www.nyxbone.com/malware/CryptoHasYou.html
Sevleg https://decrypter.emsisoft.com/777
7ev3n-HONE$T https://github.com/hasherezade/malware_analysis/tree/master/7ev3n
http://www.nyxbone.com/malware/7ev3n-HONE$T.html
https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be
http://www.nyxbone.com/malware/7h9r.html
http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lo
https://twitter.com/PolarToffee/status/796079699478900736
https://decrypter.emsisoft.com/al-namrood
https://twitter.com/PolarToffee/status/792796055020642304
http://www.bleepingcomputer.com/news/security/new-alfa-or-
https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-9
https://info.phishlabs.com/blog/alma-ransomware-analysis-of
http://www.bleepingcomputer.com/news/
AlphaLocker http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip
http://www.bleepingcomputer.com/news/security/decrypted-a
https://twitter.com/malwarebread/status
https://twitter.com/PolarToffee/status/812331918633172992
https://twitter.com/benkow_/status/747813034006020096
https://twitter.com/malwrhunterteam/status/79826821836435
https://twitter.com/BleepinComputer/status/84453141847470
https://twitter.com/demonslay335/status/7903347464883650
Based on HiddenTear https://twitter.com/struppigel/status/842047409446387714
ngocanh http://nyxbone.com/malware/Anubis.html
Fabiansomeware https://decrypter.emsisoft.com/apocalypse
http://blog.emsisoft.com/2016/06/29/apocalypse-ransomwar
http://decrypter.emsisoft.com/download/apocalypsevm
https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-1
https://decrypter.emsisoft.com/autolocky
https://twitter.com/struppigel/status/828902907668000770
https://decrypter.emsisoft.com/badblock
http://www.nyxbone.com/malware/BadBlock.html
https://twitter.com/demonslay335/status/8130641897198059
https://twitter.com/JakubKroustek/status/7604822990079221
https://0xc1r3ng.wordpress.com/2016/06
Rakhni https://reaqta.com/2016/03/bandarchor-ransomware-still-acti
https://www.bleepingcomputer.com/news
https://twitter.com/demonslay335/status/8356685403677777
BaCrypt http://now.avg.com/barts-shenanigans-are-no-match-for-avg/
http://phishme.com/rockloader-downloading-new-ransomware
https://www.proofpoint.com/us/threat-ins
https://noransom.kaspersky.com/
https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip
SilentShade http://nyxbone.com/malware/BlackShades.html
http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccat
Salam!
http://www.nyxbone.com/malware/brazilianRansom.html
https://twitter.com/JakubKroustek/status/8218314378842112
https://www.proofpoint.com/us/threat-insight/post/ransomwa

https://twitter.com/malwrhunterteam/status/84519967934001
http://researchcenter.paloaltonetworks.com/2016/05/unit42-b
http://www.bleepingcomputer.com/forums/t/625820/central-s
https://blog.malwarebytes.org/threat-analysis/2016/03/cerbe
https://community.rsa.com/community/p
https://twitter.com/struppigel/status/795630452128227333
http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-
https://blog.malwarebytes.org/threat-analysis/2015/12/inside
http://malware-traffic-analysis.net/2016/11/17/index.html
https://www.bleepingcomputer.com/news
https://www.youtube.com/watch?v=Xe30kV4ip8w
https://twitter.com/JakubKroustek/status/7949568098660188
https://twitter.com/BleepinComputer/status/82265333568159
https://twitter.com/jiriatvirlab/status/801910919739674624
https://noransom.kaspersky.com/
http://www.bleepingcomputer.com/news/security/paying-the-c
https://twitter.com/malwrhunterteam/status/83946716876072
https://support.kaspersky.com/viruses/disinfection/8547
https://support.kaspersky.com/viruses/disinfection/8547
http://virusinfo.info/showthread.php?t=185396
Cry, CSTO, Central http://www.bleepingcomputer.com/news/security/the-crylocke
Security Treatment http://blog.trendmicro.com/trendlabs-security-intelligence/cry
https://github.com/pekeinfo/DecryptCrypren
http://www.nyxbone.com/malware/Crypren.html
https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip
https://blog.fortinet.com/2016/06/17/buggy-russian-ransomw
https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutloo
https://twitter.com/PolarToffee/status/824705553201057794
Hidden Tear http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
https://twitter.com/jiriatvirlab/status/802554159564062722
https://www.proofpoint.com/us/threat-insight/post/ransomwa
https://decrypter.emsisoft.com/
http://www.pandasecurity.com/mediacenter/panda-security/c
http://news.softpedia.com/news/new-cry
https://twitter.com/drProct0r/status/810500976415281154
https://blog.malwarebytes.com/threat-an
https://decrypter.emsisoft.com/
https://twitter.com/PolarToffee/status/843527738774507522
Ranscam http://blog.talosintel.com/2016/07/ranscam.html
https://nakedsecurity.sophos.com/2016/

Manamecrypt, http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-
Telograph, ROI https://twitter.com/jiriatvirlab/status/838779371750031360

https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-inform
https://reaqta.com/2016/04/uncovering-ransomware-distribut
https://twitter.com/malwrhunterteam/status/83974794012200
https://twitter.com/malwrhunterteam/status/78289010494786
http://www.bleepingcomputer.com/news/security/cryptoluck-r
https://twitter.com/malwareforme/status
Zeta http://www.nyxbone.com/malware/CryptoMix.html
https://www.cert.pl/en/news/single/techn
Nemesis https://decrypter.emsisoft.com/crypton
https://www.bleepingcomputer.com/news/security/crypton-ran
https://twitter.com/JakubKroustek/status
X3M
https://twitter.com/malwrhunterteam/status/81767261765834

http://www.bleepingcomputer.com/news/security/new-ransom
https://twitter.com/struppigel/status/821992610164277248
https://www.bleepingcomputer.com/news/security/cryptomix-
http://www.bleepingcomputer.com/forums/t/617601/cryptosh
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-rans
http://news.softpedia.com/news/new-open-source-linux-ranso

https://blogs.technet.microsoft.com/mmpc/2015/01/13/crow
https://www.virustotal.com/en/file/45317

https://twitter.com/struppigel/status/791554654664552448
https://www.bleepingcomputer.com/news
CryptProjectXXX https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ran
CryptProjectXXX https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-
http://blogs.cisco.com/security/cryptxxx-
UltraDeCrypter https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/news/security/cryptxxx-up
http://blogs.cisco.com/security/cryptxxx-
UltraCrypter https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ra

http://www.bleepingcomputer.com/news/security/ctb-faker-ra
Citroni
https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
https://github.com/eyecatchup/Critroni-p
my-Little- https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool
https://github.com/aaaddress1/my-Little-Ransomware
Ransomware
CyberSplitter https://twitter.com/struppigel/status/778871886616862720
https://twitter.com/struppigel/status/806
https://decrypter.emsisoft.com/damage
https://twitter.com/demonslay335/status/8356640678430146
https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-fo
https://twitter.com/malwrhunterteam/status/78553337300772
https://twitter.com/JaromirHorejsi/status/8155552584789811
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-de
http://www.bleepingcomputer.com/forums/t/617395/dedcrypt
http://www.nyxbone.com/malware/DEDCr
https://twitter.com/struppigel/status/798573300779745281
MafiaWare https://twitter.com/BleepinComputer/status/81706932093734
https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-acti
https://www.bleepingcomputer.com/news/security/new-derial
Based on Detox: http://www.bleepingcomputer.com/news/security/new-detoxc
Calipso https://twitter.com/PolarToffee/status/829727052316160000
https://twitter.com/demonslay335/status/7525863345277091
https://decrypter.emsisoft.com/
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-l
https://github.com/hasherezade/dma_unlocker
https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-l
https://twitter.com/BleepinComputer/status/82250005651121
http://www.nyxbone.com/malware/Domino.html
http://www.bleepingcomputer.com/news/
https://www.bleepingcomputer.com/news/security/the-donald
https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id
https://twitter.com/struppigel/status/794108322932785158
https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help
https://www.bleepingcomputer.com/news/security/the-dxxd-ra
https://www.bleepingcomputer.com/news/security/dyna-crypt
Cryptear
https://twitter.com/BleepinComputer/status/81539289133819
EduCrypter http://www.filedropper.com/decrypter_1
https://twitter.com/JakubKroustek/status/7470311713479106
https://twitter.com/BroadAnalysis/status/8456888195339304
https://twitter.com/malwrhunterteam/sta
Los Pollos Hermanos
Trojan.Encoder.6491 http://www.bleepingcomputer.com/news/security/the-week-in
http://vms.drweb.ru/virus/?_is=1&i=87473

http://www.bleepingcomputer.com/news/security/the-enigma-
https://twitter.com/malwrhunterteam/status/83902201823011
IDRANSOMv3 https://twitter.com/demonslay335/status/811343914712100872
https://twitter.com/BleepinComputer/status/81126425448149
https://twitter.com/struppigel/status/811
Manifestus https://www.bleepingcomputer.com/news/security/erebus-ran
https://twitter.com/jiriatvirlab/status/818443491713884161
https://twitter.com/PolarToffee/status/82
http://www.bleepingcomputer.com/news/security/eviltwins-ex
https://twitter.com/struppigel/status/837565766073475072
https://twitter.com/malwrhunterteam/status/82976881903180
https://twitter.com/malwrhunterteam/sta
http://www.bleepingcomputer.com/news/security/new-fairwar
https://blog.fortinet.com/post/fakben-team-ransomware-uses
https://decrypter.emsisoft.com/globeimposter
https://twitter.com/malwrhunterteam/status/80979540242164
https://twitter.com/PolarToffee/status/812312402779836416
Variants: http://www.bleepingcomputer.com/news/security/fantom-rans
Comrade Circle https://decrypter.emsisoft.com/fenixlocker
https://twitter.com/fwosar/status/777197255057084416
https://twitter.com/rommeljoven17/status/846973265650335
https://twitter.com/jiriatvirlab/status/836616468775251968
https://www.bleepingcomputer.com/news/security/firecrypt-ra
https://twitter.com/malwrhunterteam/status/77377148564314

https://twitter.com/struppigel/status/842302481774321664
Roga https://twitter.com/BleepinComputer/status/81213560837422
https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-
http://www.bleepingcomputer.com/news/security/new-fsociet
https://twitter.com/siri_urz/status/79596
https://support.kaspersky.com/viruses/disinfection/8547
https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip
http://www.bleepingcomputer.com/forums/t/614197/ghostcry
https://twitter.com/ni_fi_70/status/796353782699425792
Purge https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
http://www.bleepingcomputer.com/news/security/the-globe-ra
Purge https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
Purge https://decrypter.emsisoft.com/globe3
Variants, from old to http://www.bleepingcomputer.com/forums/t/611342/gnl-locke
latest: https://twitter.com/BleepinComputer/status/81611221881526
https://decrypter.emsisoft.com/
http://blog.trendmicro.com/trendlabs-security-intelligence/ang

https://twitter.com/struppigel/status/794444032286060544
https://twitter.com/BleepinComputer/status/81213132497900
https://twitter.com/demonslay335/status/8068788035071016
https://twitter.com/malwrhunterteam/status/84711406422449
https://decrypter.emsisoft.com/
Mamba https://www.linkedin.com/pulse/mamba-new-full-disk-encrypti
blog.trendmicro.com/trendlabs-security-in
https://www.bleepingcomputer.com/news/security/heimdall-o

https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herb
https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-su
https://www.bleepingcomputer.com/news/security/hermes-ran
http://www.nyxbone.com/malware/hibuddy.html
http://www.bleepingcomputer.com/news/security/developmen
https://twitter.com/jiriatvirlab/status/825
http://www.bleepingcomputer.com/news/security/new-python
https://twitter.com/BleepinComputer/status/80328839681483
Hungarian Locky https://blog.avast.com/hucky-ransomware-a-hungarian-locky-w
(Hucky) https://decrypter.emsisoft.com/
http://www.malware-traffic-analysis.net/2016/02/03/index2.ht
https://twitter.com/struppigel/status/791576159960072192
https://twitter.com/BleepinComputer/status/81708536714487

http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe
https://twitter.com/demonslay335/status/7961342647440834
https://twitter.com/struppigel/status/791639214152617985
https://twitter.com/JakubKroustek/status/7578739760476979
shc Ransomware https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRans
https://blog.fortinet.com/2016/10/19/japanlocker-an-excavati
SyNcryption
Encryptor RaaS, http://www.nyxbone.com/malware/RaaS.html
http://blog.trendmicro.com/trendlabs-sec
Sarento https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip
https://twitter.com/BleepinComputer/status/82250910548724
CryptoHitMan http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-w
https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ra
https://twitter.com/demonslay335/status
(subvariant) http://www.nyxbone.com/malware/jobcrypter.html
https://twitter.com/malwrhunterteam/sta
http://forum.malekal.com/jobcrypter-geniesanstravaille-
Käändsõna https://twitter.com/BleepinComputer/status/81992785843709
RansomTroll https://www.bleepingcomputer.com/news/security/the-kangar
https://www.bleepingcomputer.com/news/security/researcher
https://twitter.com/malwrhunterteam/status/84174700243836
https://twitter.com/MarceloRivero/status/8323029767441735
https://safezone.cc/resources/kawaii-decryptor.195/
http://news.drweb.com/show/?i=9877&lng=en&c=5
http://www.welivesecurity.com/2016/03/07/new-mac-ransomw
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/forums/t/559463/keyholde
https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-r
http://www.welivesecurity.com/2017/01/
https://twitter.com/malwrhunterteam/status/78223229984063
https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-fi
http://www.bleepingcomputer.com/news/security/the-kimcilw
https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e7
https://www.bleepingcomputer.com/news/security/star-trek-th
https://www.bleepingcomputer.com/news/security/koolova-ra
http://www.nyxbone.com/malware/koreanRansom.html
http://www.bleepingcomputer.com/news/security/the-week-in
QC http://www.nyxbone.com/malware/KozyJozy.html
http://www.bleepingcomputer.com/forum

https://twitter.com/demonslay335/status/7460904837226864
https://twitter.com/malwrhunterteam/status/83699557038445

https://twitter.com/struppigel/status/847689644854595584

https://decrypter.emsisoft.com/lechiffre
https://blog.malwarebytes.org/threat-analysis/2016/01/lechiff

https://twitter.com/JakubKroustek/status/8424048666140385
Linux.Encoder.{0,3} https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable
https://twitter.com/malwrhunterteam/status/84518329087304
https://www.bleepingcomputer.com/news/security/new-lltp-ra
09/29/2017 https://www.bleepingcomputer.com/forums/t/648384/lockcry
https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-s
https://twitter.com/struppigel/status/807169774098796544
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-a
https://www.bleepingcomputer.com/forums/t/626750/lockloc
08/08/2017 - Diablo6 http://www.bleepingcomputer.com/news/security/new-locky-v
WSF variant:
Locky variant added http://blog.trendmicro.com/trendlabs-sec
https://twitter.com/malwrhunterteam/status/78988248836567
https://twitter.com/siri_urz/status/801815087082274816

https://twitter.com/jiriatvirlab/status/808015275367002113

https://blog.malwarebytes.org/threat-analysis/2016/03/maktu
https://decrypter.emsisoft.com/marlboro
https://www.bleepingcomputer.com/news/security/marlboro-r
https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/
https://www.proofpoint.com/us/threat-insight/post/MarsJoke
https://twitter.com/struppigel/status/791943837874651136
https://twitter.com/rommeljoven17/status/804251901529231
https://twitter.com/siri_urz/status/840913419024945152
MRCR https://decrypter.emsisoft.com/mrcr
https://www.bleepingcomputer.com/news/security/merry-chris
https://www.bleepingcomputer.com/news
https://twitter.com/malwrhunterteam/status/84461488962056
Crypt888 http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-s
http://blog.trendmicro.com/trendlabs-security-intelligence/ins
http://www.nyxbone.com/malware/Mirco
https://www.avast.com/ransomware-decryption-tools#!
"Petya's little brother" http://www.bleepingcomputer.com/news/security/petya-is-bac
Booyah https://www.proofpoint.com/us/threat-insight/post/ransomwa
Yakes http://nyxbone.com/malware/Mobef.html
http://researchcenter.paloaltonetworks.co
CryptoBit
CryptoMix https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-mole
https://twitter.com/malwrhunterteam/status/84482633918613
https://www.bleepingcomputer.com/forums/t/642409/motd-ra
https://twitter.com/struppigel/status/810766686005719040
https://twitter.com/demonslay335/status/7906084843037122
https://twitter.com/demonslay335/status
https://twitter.com/JakubKroustek/status/8159616636440084
https://www.youtube.com/watch?v=dAVM
http://www.bleepingcomputer.com/news/security/the-nagini-ra
http://github.com/Cyberclues/nanolocker-decryptor
https://decrypter.emsisoft.com/nemucod
https://blog.cisecurity.org/malware-analysis-report-nemucod-r
RANSOM_NETIX.A https://github.com/Antelox/NemucodFR
http://blog.trendmicro.com/trendlabs-security-intelligence/net
https://twitter.com/demonslay335/status/8392214573601955
XRatTeam https://decrypter.emsisoft.com/nmoreira
https://twitter.com/fwosar/status/803682662481174528
XPan https://twitter.com/JakubKroustek/status/7572675503466414
https://www.bleepingcomputer.com/news

https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip
https://www.bleepingcomputer.com/news/security/the-nullbyt
https://twitter.com/malwrhunterteam/status/81764854723137
http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip
http://www.nyxbone.com/malware/odcodc.html
https://twitter.com/PolarToffee/status/81
Vipasana, Cryakl https://support.kaspersky.com/viruses/disinfection/8547
http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomw
GPCode
https://twitter.com/struppigel/status/791557636164558848
http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-r
CryptoWire https://twitter.com/JakubKroustek/status/8423429967754485
https://decrypter.emsisoft.com/ozozalocker
https://twitter.com/malwrhunterteam/status/80150340186767
http://www.bleepingcomputer.com/news/security/padcrypt-th
https://twitter.com/malwrhunterteam/sta
https://twitter.com/BleepinComputer/status/81163507515883
https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-rans
https://www.bleepingcomputer.com/news/security/new-maco
https://twitter.com/BleepinComputer/status/80831663509438
Serpent https://www.bleepingcomputer.com/news/security/ransomwa
https://twitter.com/JakubKroustek/status/7960837681550786
CryptoLocker clone https://decrypter.emsisoft.com/
https://www.bleepingcomputer.com/news/security/old-cryptol
WinPlock https://securelist.com/blog/research/77762/petrwrap-the-new
Goldeneye http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generat
https://blog.malwarebytes.org/threat-analysis/2016/04/petya-
https://www.bleepingcomputer.com/news
https://www.youtube.com/watch?v=mSqxFjZq_z4
https://decrypter.emsisoft.com/philadelphia
www.bleepingcomputer.com/news/security/the-philadelphia-ra
https://twitter.com/BleepinComputer/status/80481031545620
https://twitter.com/JakubKroustek/status/8348211661163274
http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip
http://www.nyxbone.com/malware/pokemonGO.html
http://www.bleepingcomputer.com/news/
https://www.bleepingcomputer.com/news/security/new-schem
https://support.kaspersky.com/8547
https://securelist.com/blog/research/76182/polyglot-the-fake

PoshCoder https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_de
https://www.carbonblack.com/2016/03/25/threat-alert-powerw
http://researchcenter.paloaltonetworks.co
https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/
https://www.bleepingcomputer.com/news/security/introducing
https://blog.malwarebytes.com/threat-an
http://www.enigmasoftware.com/prismyourcomputerhasbeenl

https://twitter.com/demonslay335/status/812002960083394560
https://twitter.com/malwrhunterteam/status/81161388870585
https://twitter.com/jiriatvirlab/status/803297700175286273
https://twitter.com/Jan0fficial/status/834706668466405377
https://twitter.com/malwrhunterteam/status/84670548174173
https://otx.alienvault.com/pulse/57976b52b900fe01376feb01
RAA https://reaqta.com/2016/06/raa-ransomware-delivering-pony/
http://www.bleepingcomputer.com/news/
https://twitter.com/CryptoInsane/status/84618114002528256
https://decrypter.emsisoft.com/radamant
http://www.bleepingcomputer.com/news/security/new-radama
http://www.nyxbone.com/malware/radam
Agent.iih https://support.kaspersky.com/us/viruses/disinfection/10556
Aura
https://www.bleepingcomputer.com/news/security/ranion-rans
https://support.kaspersky.com/viruses/disinfection/8547
https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption
http://researchcenter.paloaltonetworks.com/2017/03/unit42-t
https://www.bleepingcomputer.com/news
https://www.proofpoint.com/us/threat-insight/post/ransoc-de
https://www.bleepingcomputer.com/news

https://www.symantec.com/security_response/writeup.jsp?do
https://twitter.com/jiriatvirlab/status/825411602535088129

http://www.nyxbone.com/malware/Razy(German).html
http://nyxbone.com/malware/Razy.html
https://support.kaspersky.com/viruses/disinfection/4264
https://twitter.com/JaromirHorejsi/status/8155576013123297
https://support.kaspersky.com/viruses/disinfection/4264
http://www.nyxbone.com/malware/RemindMe.html
https://www.bleepingcomputer.com/news/security/revenge-ra
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-
https://twitter.com/siri_urz/status/842452104279134209
https://twitter.com/jiriatvirlab/status/840863070733885440
https://twitter.com/struppigel/status/801812325657440256
https://twitter.com/struppigel/status/823925410392080385
https://twitter.com/malwrhunterteam/status/84535685303919
https://www.bleepingcomputer.com/news/security/sage-2-0-ra
https://www.govcert.admin.ch/blog/27/sa
https://malwarebreakdown.com/2017/03/16/sage-2-2-ransom
https://malwarebreakdown.com/2017/03
samsam.exe https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.z
http://blog.talosintel.com/2016/03/samsam-ransomware.htm
http://www.intelsecurity.com/advanced-th
MIKOPONI.exe
https://www.bleepingcomputer.com/news/security/sanctions-
https://twitter.com/BleepinComputer/status/83595540995335
https://www.bleepingcomputer.com/news/security/new-satan
https://blog.malwarebytes.com/threat-analysis/2016/06/satan
https://blog.kaspersky.com/satana-ranso
02/19/2018

http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
https://twitter.com/malwrhunterteam/status/83011619087384
https://www.bleepingcomputer.com/news
PayDOS https://www.bleepingcomputer.com/news/security/ransomwa
https://www.proofpoint.com/us/threat-ins
http://www.nyxbone.com/malware/Serpico.html
Atom http://www.bleepingcomputer.com/news/security/the-shark-ra
http://www.bleepingcomputer.com/news/
https://twitter.com/JakubKroustek/status/7993882893376716
https://twitter.com/JakubKroustek/status/7605601471314083
http://www.bleepingcomputer.com/news/
KinCrypt http://www.nyxbone.com/malware/chineseRansom.html
http://blog.trendmicro.com/trendlabs-sec
http://www.bleepingcomputer.com/news/security/the-shark-ra
http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-d
http://www.nyxbone.com/malware/SkidLocker.html
https://twitter.com/malwrhunterteam/status/81707902872519
https://www.bleepingcomputer.com/news/security/smash-ran

http://nyxbone.com/malware/SNSLocker.html
https://blog.gdatasoftware.com/2017/01/29442-spora-worm-a
http://blog.emsisoft.com/2017/01/10/fro

https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
https://cdn.streamable.com/video/mp4/kfh3.mp4
http://blog.trendmicro.com/trendlabs-sec
http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaig
http://www.nyxbone.com/malware/Strictor.html

http://www.bleepingcomputer.com/news/security/in-dev-ranso

http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-r
https://securelist.com/blog/research/76153/teamxrat-brazilia
Trojan- https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3
https://blog.malwarebytes.com/threat-analysis/2016/11/telec
https://securelist.com/blog/research/765
Ransom.Win32.Telec
AlphaCrypt https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-dec
http://www.talosintel.com/teslacrypt_tool/
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-dec
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-dec
https://www.endgame.com/blog/your-package-has-been-succe
https://blog.kaspersky.com/raknidecrypto
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-dec
http://www.bleepingcomputer.com/news/security/teslacrypt-4
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants
https://twitter.com/BleepinComputer/status/80148642036809
Crypt0L0cker http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cra
https://twitter.com/PolarToffee/status/804008236600934403
http://blog.talosintelligence.com/2017/03
CryptoFortress http://www.bleepingcomputer.com/forums/t/618055/towerwe

BrainCrypt https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip
https://twitter.com/PolarToffee/status/811249250285842432
Shade https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf
http://www.nyxbone.com/malware/Troldesh.html
https://www.bleepingcomputer.com/news
XTBL http://www.bleepingcomputer.com/news/security/truecrypter-
https://www.bleepingcomputer.com/news/security/new-trump
https://twitter.com/struppigel/status/821991600637313024
https://twitter.com/JakubKroustek/status/8420348873979084
http://www.nyxbone.com/malware/turkishRansom.html
https://twitter.com/struppigel/status/807161652663742465
https://www.bleepingcomputer.com/news
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransom
https://www.bleepingcomputer.com/forums/t/627582/unblock

https://www.bleepingcomputer.com/news/security/new-raas-p
https://twitter.com/malwrhunterteam/status/83903839994422
https://twitter.com/JAMESWT_MHT/status/834783231476166
https://twitter.com/struppigel/status/839771195830648833
CrypVault http://www.nyxbone.com/malware/russianRansom.html
Zlader https://twitter.com/BleepinComputer/status/81785133907833
https://twitter.com/Antelox/status/785849412635521024
http://pastebin.com/HuK99Xmj
https://blog.malwarebytes.com/threat-analysis/2016/08/venu
http://www.nyxbone.com/malware/venus
https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph
https://twitter.com/JakubKroustek/status/8007299441124270
https://www.bleepingcomputer.com/news
https://rol.im/VindowsUnlocker.zip
http://www.nyxbone.com/malware/Virlock.html
http://www.welivesecurity.com/2014/12/
CrySiS http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware
http://www.nyxbone.com/malware/virus-encoder.html
http://blog.trendmicro.com/trendlabs-sec
Ŧl๏tєгค http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip
https://twitter.com/struppigel/status/839778905091424260
гคภร๏๓ฬคгє
WannaCrypt https://twitter.com/struppigel/status/846241982347427840
https://docs.google.com/spreadsheets/d
WCry
Hades Locker https://labs.opendns.com/2016/07/13/wildfire-ransomware-ga
https://twitter.com/PolarToffee/status/811940037638111232
https://twitter.com/JakubKroustek/status/8257905849714729
https://www.bleepingcomputer.com/news/security/xdata-rans
https://support.kaspersky.com/viruses/disinfection/2911
https://decrypter.emsisoft.com/xorist
https://twitter.com/malwrhunterteam/status/83363600672112
https://twitter.com/malwrhunterteam/status/80828054980241
https://twitter.com/_ddoxer/status/827555507741274113
https://www.bleepingcomputer.com/news
Zcryptor https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-l
CryptoMix https://twitter.com/JakubKroustek/status/8040098315185725
http://www.bleepingcomputer.com/forums/t/617874/zimbra-ra
https://twitter.com/malwrhunterteam/status/84278157541059
VaultCrypt http://www.nyxbone.com/malware/russianRansom.html
CrypVault https://twitter.com/BleepinComputer/status/84453837032381
https://twitter.com/struppigel/status/794077145349967872
https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip
https://twitter.com/GrujaRS/status/826153382557712385
GNL Locker
Screenshots
omputer/status/844531418474708993
om/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/
https://www.google.de/search?tbm=isch&q=Ransomware+AutoLocky
el/status/828902907668000770
http://www.nyxbone.com/images/articulos/malware/badblock/5.png
ay335/status/835668540367777792
http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png
oustek/status/821831437884211201
nterteam/status/845199679340011520
nterteam/status/839467168760725508
http://www.nyxbone.com/images/articulos/malware/crypren/0.png
https://www.google.de/search?tbm=isch&q=Ransomware+Crypt38
ee/status/824705553201057794
https://www.google.de/search?tbm=isch&q=Ransomware+Cryptear
b/status/802554159564062722
ee/status/843527738774507522
b/status/838779371750031360
https://twitter.com/malwareforme/status/798258032115322880
el/status/821992610164277248
er.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/
ews/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml
www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/
orejsi/status/815555258478981121
el/status/798573300779745281
omputer/status/817069320937345024
er.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/
https://www.google.de/search?tbm=isch&q=Ransomware+DetoxCrypto
ee/status/829727052316160000
3330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/
omputer/status/815392891338194945
https://www.google.de/search?tbm=isch&q=Ransomware+EduCrypt
witter.com/malwrhunterteam/status/845652520202616832
el/status/837565766073475072
witter.com/malwrhunterteam/status/838700700586684416
oven17/status/846973265650335744
el/status/842302481774321664
omputer/status/812135608374226944
status/796353782699425792
omputer/status/816112218815266816
ay335/status/806878803507101696
nterteam/status/847114064224497666
er.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/
omputer/status/803288396814839808
el/status/791576159960072192
ww.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/

https://www.google.de/search?tbm=isch&q=Ransomware+KratosCrypt
nterteam/status/836995570384453632
https://www.google.de/search?tbm=isch&q=Ransomware+KryptoLocker

el/status/847689644854595584

https://www.google.de/search?tbm=isch&q=Ransomware+LeChiffre

oustek/status/842404866614038529
https://www.google.de/search?tbm=isch&q=Ransomware+Linux.Encoder
nterteam/status/845183290873044994
er.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/
er.com/forums/t/648384/lockcrypt-lock-support-topic-readmetxt/
el/status/807169774098796544
https://www.google.de/search?tbm=isch&q=Ransomware+Locker
er.com/forums/t/626750/locklock-ransomware-locklock-help-support/
tatus/801815087082274816
b/status/808015275367002113
https://www.google.de/search?tbm=isch&q=Ransomware+Mabouia

er.com/news/security/marlboro-ransomware-defeated-in-one-day/
/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker
el/status/791943837874651136
oven17/status/804251901529231360
tatus/840913419024945152
www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/
nterteam/status/844614889620561924
http://nyxbone.com/images/articulos/malware/mobef/0.png
y/decryptor-released-for-the-mole02-cryptomix-ransomware-variant/
nterteam/status/844826339186135040
er.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/
el/status/810766686005719040
https://www.google.de/search?tbm=isch&q=Ransomware+n1n1n1
www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q
rendlabs-security-intelligence/netflix-scam-delivers-ransomware/
ay335/status/839221457360195589
tatus/803682662481174528
https://www.google.de/search?tbm=isch&q=Ransomware+NoobCrypt

er.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/
nterteam/status/817648547231371264
http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png
oustek/status/842342996775448576
nterteam/status/801503401867673603
https://www.google.de/search?tbm=isch&q=Ransomware+PadCrypt
omputer/status/811635075158839296
er.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/
omputer/status/808316635094380544
er.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/
oustek/status/796083768155078656
https://www.google.de/search?tbm=isch&q=Ransomware+PClock
research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/
omputer/status/804810315456200704
oustek/status/834821166116327425
er.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
https://www.google.de/search?tbm=isch&q=Ransomware+Polyglot

blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/
https://www.google.de/search?tbm=isch&q=Ransomware+PRISM

nterteam/status/811613888705859586
b/status/803297700175286273
al/status/834706668466405377
nterteam/status/846705481741733892
sane/status/846181140025282561

er.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/
https://www.google.de/search?tbm=isch&q=Ransomware+Rannoh
www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/
www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/
https://www.google.de/search?tbm=isch&q=Ransomware+Ransom32
https://www.google.com/search?tbm=isch&q=Ransomware+RansomLock
b/status/825411602535088129

yxbone.com/malware/Razy.html
https://www.google.de/search?tbm=isch&q=Ransomware+Rector
orejsi/status/815557601312329728
https://www.google.de/search?tbm=isch&q=Ransomware+RektLocker
http://i.imgur.com/gV6i5SN.jpg
er.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/
https://www.google.de/search?tbm=isch&q=Ransomware+Rokku
tatus/842452104279134209
b/status/840863070733885440
nterteam/status/845356853039190016
er.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/
omputer/status/835955409953357825
er.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/
https://www.google.de/search?tbm=isch&q=Ransomware+Satana

https://www.google.de/search?tbm=isch&q=Ransomware+Scraper
www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/
www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers
oustek/status/799388289337671680
r.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/
https://www.google.de/search?tbm=isch&q=Ransomware+SkidLocker+/+Pompous
nterteam/status/817079028725190656
er.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/

http://nyxbone.com/images/articulos/malware/snslocker/16.png
og.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/
https://www.google.de/search?tbm=isch&q=Ransomware+Sport
og.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/
docs.google.com/spreadsheets/d/1XNCCiiwpIfW8y0mzTUdLLVzoW6x64hkHJ29hcQW5deQ/pubhtml#
er.com/news/security/xdata-ransomware-on-a-rampage-in-ukraine/#.WR-iz69z-MA.twitter
nterteam/status/842781575410597894
https://www.google.de/search?tbm=isch&q=Ransomware+Zlader+/+Russian
omputer/status/844538370323812353
Proposed Name Extensions Extension Pattern PoC

WonderCrypter .h3ll SECRETISHIDINGHEREINSIDE.KEY,
Comment: Submitted to IDR
Status: Need analysed (7f76dd15545a6bf1804bed893e5e8214feb2f0368d3c6a6bccfddba

? .crypttt YOUGOTHACKED.TXT
Comment: Submitted to IDR
Status: Needs identified

? .neitrino MESSAGE.TXT
Comment: Submitted to IDR, ransom email: danny.walswen@protonmail.com
Status: Needs identified

? .xcrypt
Comment: Submitted to IDR
Status: Needs identified

? FILES_BACK.TXT
Comment: Submitted to IDR, note: http://pastebin.com/Wvw7mGqB
Status: Needs identified

PLAUGE17? .PLAUGE17 PLAGUE17.txt
Comment: Submitted to IDR, note: http://pastebin.com/zc4zMNpw
Status: Needs identified

? 4252016XYLITOL.KEY666
Comment: Submitted to BC, Mobef?
Status: Needs identified

WHAT IS SQ sq_ (prepends file) WHAT IS SQ_.txt
Comment: http://www.bleepingcomputer.com/forums/t/583610/how-to-decrypt-ransomware-name-what-is-sq/
Status: Hunting for sample

? PLEASE READ.txt
Comment: Submitted to IDR, note: http://pastebin.com/6J4g33FQ
Status: Hunting for sample

? .locked UNLOCK_FILES_INSTRUCTIONS.txt
Comment: Submitted to IDR and BC, note: http://pastebin.com/xj947Lh2, http://www.bleepingcomputer.com/forums/t/611342/locked-
Status: Hunting for sample

Protected? .protected HOW_TO_RESTORE_YOUR_DATA.html
Comment: Submitted to IDR and BC, note: http://pastebin.com/2dAVDB4m, http://www.bleepingcomputer.com/forums/t/613801/protected-
Status: Hunting for sample

AxCrypter .axx
Comment: Abuses legit AxCrypt software
Status: Hunting for sample

? PLEASEREAD.ME
Comment: Submitted to IDR: http://pastebin.com/E6Rds9m7
Status: Hunting for sample

? .iloveworld
Comment: Sonar.cryptolocker!g80
Status: Hunting for sample
Name Microsoft Detection Name Microsoft Info
.CryptoHasYou. Trojan:Win32/Dynamer!ac https://www.microsoft.com/security/portal/threat/encyclope
777 Ransom:Win32/Empercrypt.A https://www.microsoft.com/security/portal/threat/Encyclop
7ev3n
8lock8
Alma Ransomware
ApocalypseVM Win32/Cribit https://www.microsoft.com/security/portal/threat/encyclope
AutoLocky
BadBlock
Bart
BitStak
BlackShades Crypter Ransom:JS/Brolo www.microsoft.com/security/portal/threat/encyclopedia/En
Blocatto
Booyah Ransom: Win32/Cendode.A https://www.microsoft.com/security/portal/threat/encyclope
Brazilian Win32/Cerber https://www.microsoft.com/security/portal/threat/Encyclop
BrLock Win32/Chicrypt https://www.microsoft.com/security/portal/threat/encyclope
Browlock Ransom: MSIL/Vaultlock.A https://www.microsoft.com/security/portal/threat/encyclope
Bucbi
BuyUnlockCode
Cerber
Chimera Ransom: Win32/Crowti https://www.microsoft.com/security/portal/threat/encyclope
CoinVault
Coverton
Cryaki Ransom: Win32/Crowti https://www.microsoft.com/security/portal/threat/encyclope
Crybola Win32/Fortrypt https://www.microsoft.com/security/portal/threat/encyclope
CryLocker
Crypt38 Ransom: Win32/Crilock.A https://www.microsoft.com/security/portal/threat/encyclope
CryptoBit
CryptoDefense
CryptoGraphic Locker Ransom: MSIL/Nojocrypt.A https://www.microsoft.com/security/portal/threat/encyclope
CryptoHost
CryptoJoker
CryptoWall 1 Ransom: Win32/DMALocker https://www.microsoft.com/security/portal/threat/encyclope
CryptoWall 2 Ransom: Win32/DMALocker.A https://www.microsoft.com/security/portal/threat/encyclope
CryptoWall 4 Ransom: MSIL/Ryzerlo https://www.microsoft.com/security/portal/threat/encyclope
CryptXXX Ransom: PowerShell/Polock.A https://www.microsoft.com/security/portal/threat/encyclope
CryptXXX 2.0
CTB-Locker
CTB-Locker WEB
CuteRansomware
DeCrypt Protect
DEDCryptor Trojan: Win32/Harasom.A https://www.microsoft.com/security/portal/threat/encyclope
EduCrypt
El-Polocker Ransom: Win32/Tobfy.X https://www.microsoft.com/security/portal/threat/encyclope
Enigma
Fakben
Fonco Ransom:MSIL/JigsawLocker.A https://www.microsoft.com/security/portal/threat/Encyclop
Fury
GhostCrypt
Goopic Ransom: MacOS_X/KeRanger.A https://www.microsoft.com/security/portal/threat/encyclope
Gopher Ransom: Win32/Isda https://www.microsoft.com/security/portal/threat/encyclope
Harasom Ransom: BAT/Xibow https://www.microsoft.com/security/portal/threat/encyclope
Hi Buddy!
HydraCrypt
iLock
iLockLight Ransom: Win32/Locky https://www.microsoft.com/security/portal/threat/encyclope
TrojanDownloader: JS/Locky
International Police Association https://www.microsoft.com/security/portal/threat/encyclope
Jeiphoos
Jigsaw
Job Crypter
KeRanger Win32/Takabum https://www.microsoft.com/security/portal/threat/encyclope
KeyBTC
KEYHolder
KryptoLocker JS/Nemucod https://www.microsoft.com/security/portal/threat/encyclope
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
MIRCOP
Mischa
MM Locker
Mobef
Nemucod
ODCODC
Offline ransomware
Operation Global III
PadCrypt
RemindMe
PClock
PowerWare
PowerWorm
PRISM
Radamant
Rannoh
Ransom32 Win32/Tescrypt https://www.microsoft.com/security/portal/threat/encyclope
RansomLock Ransom: Win32/Teerac https://www.microsoft.com/security/portal/threat/encyclope
RektLocker Win32/Fortrypt https://www.microsoft.com/security/portal/threat/encyclope
Rokku
Samas-Samsam
Sanction Win32/Troldesh https://www.microsoft.com/security/portal/threat/Encyclop
Satana
Serpico
Simple_Encoder Ransom: BAT/Xibow https://www.microsoft.com/security/portal/threat/encyclope
Smrss32
Sport
Stampado
Surprise
SynoLocker
SZFLocker
TeslaCrypt 0.x - 2.2.0
TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
TowerWeb
Toxcrypt
Troldesh
TrueCrypter Win32/ZCryptor.A https://blogs.technet.microsoft.com/mmpc/2016/05/26/link
Turkish Ransom
Ungluk
Unlock92
WildFire Locker
Xorist
Zcrypt
Zimbra
Zlader / Russian
Zyklon
Sandbox IOCs Snort
https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c058801020ec8da67c?environ
https://otx.alienvault.com/pulse/57180b18c1492d015c14bed8/
https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58035919d50290b5?environm
https://otx.alienvault.com/pulse/573b02701116a040ceccdd85/
https://otx.alienvault.com/pulse/57180dbf0ebaa4015af21166/
https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3fd4a1f3ebed332d?environm
https://www.hybrid-analysis.com/sample/d572a7d7254846adb73aebc3f7891398e513bdac9aac06231991e07e7b55fac8?environmentId=4
https://otx.alienvault.com/browse?q=Alma+Ransomware
https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921eefece6c8439bb?environm
https://otx.alienvault.com/pulse/57166d65c1492d015c14bcc4/
https://otx.alienvault.com/pulse/56eac97aaef9214b1550b37e/
soft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolo
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.A
https://otx.alienvault.com/pulse/5721628cce2199015fb2b101/
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710?environm
https://otx.alienvault.com/browse?q=Brazilian
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d6c710?environm
https://otx.alienvault.com/pulse/572df3997740f10160c78d5c/
https://www.hybrid-analysis.com/sample/3ab7a35b31578b439be5d9498489b5e9d2a016db0a348a145979ed75f575dbef?environ
https://otx.alienvault.com/pulse/55fabc314637f26df7745efc/
https://otx.alienvault.com/browse?q=Bucbi
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowti
https://www.hybrid-analysis.com/sample/e12405096f83b30b712d200b2fc42ce595e1d1254a631d989714b4fa423ef4c4?environm
https://www.hybrid-analysis.com/sample/0348cdd333879d139306c3ff510b902013739c6bb244e20bcc5a4f762004d354?environm
https://www.snort.org/search?query=cryptolocker&submit_search=
https://www.hybrid-analysis.com/sample/cddf81997b81869ad471df6b83c2dfe63a2551f4da9bdd57bce30b8d11e61e5b?environm
https://www.snort.org/search?query=ctb-locker
https://www.hybrid-analysis.com/sample/053369b3b63fe08c74d0269e9c29efde3500860f0394cbf6840d57032dea5b12?environm
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.A
https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2e8d7195014d8b?environm
w.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=-2147272113#tab=2
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.A
https://www.hybrid-analysis.com/sample/1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2?environm
https://www.hybrid-analysis.com/sample/3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7?environ
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Isda
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky
https://www.snort.org/rule_docs/1-37844
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Locky
https://www.hybrid-analysis.com/sample/b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0?environm
http://pastebin.com/0604rgUn
http://pastebin.com/F6Pyqiqg
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.snort.org/search?query=Petya&submit_search=
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
http://seclists.org/snort/2013/q3/900
https://www.snort.org/search?query=samsam&submit_search=
https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb773d392?environ
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32%2fTeerac
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fortrypt
w.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh
https://otx.alienvault.com/browse?q=Rokku
w.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=teslacrypt&submit_search=
https://www.snort.org/search?query=torrentlocker&submit_search=
s.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
No Measure Type Description Complexity* Effectiveness* Impact* Possible Issues Link 1 Link 2

1 Backup and Restore Process
Type: Recovery
Description: Make sure to have adequate backup processes in place and frequently test a restore of these backups
Complexity*: Medium, Effectiveness*: High, Impact*: Low
Link 1: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7

2 Block Macros
Type: GPO
Description: Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:
Complexity*: Low, Effectiveness*: High, Impact*: Low
Link 1: https://www.404techsupport.com/2016/04/office2016-macro-group-polic
Link 2: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

3 Disable WSH
Type: GPO
Description: Disable Windows Script Host
Complexity*: Low, Effectiveness*: Medium, Impact*: Medium
Possible Issues: Administrative VBS scripts on Workstations
Link 1: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

4 Filter Attachments Level 1
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: .386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd,
Complexity*: Low, Effectiveness*: Medium, Impact*: Low

5 Filter Attachments Level 2
Type: Mail Gateway
Description: Filter the following attachments on your mail gateway: (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm,
Complexity*: Low, Effectiveness*: High, Impact*: High
Possible Issues: Office Communication with old versions of Microsoft Office files (.doc, .xls)

6 Email Marking
Type: Mail Gateway
Description: Marking emails with warning banners to differentiate source (sender) domains with low trust, that are on the black lists, or that are non-trusted
Complexity*: Medium, Effectiveness*: High, Impact*: High

7 Restrict program execution
Type: GPO
Description: Block all program executions from %LocalAppData% and %AppData% folder
Complexity*: Medium, Effectiveness*: Medium, Impact*: Medium
Possible Issues: Web embedded software installers
Link 1: http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-
Link 2: http://www.thirdtier.net/ransomware-prevention-kit/

8 Show File Extensions
Type: User Assistance
Description: Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking
Complexity*: Low, Effectiveness*: Low, Impact*: Low
Link 1: http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.html

9 Enforce UAC Prompt
Type: GPO
Description: Enforce administrative users to confirm an action that requires elevated rights
Complexity*: Low, Effectiveness*: Medium, Impact*: Low
Possible Issues: administrator resentment
Link 1: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

10 Remove Admin Privileges
Type: Best Practice
Description: Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.
Complexity*: Medium, Effectiveness*: Medium, Impact*: Medium
Possible Issues: Higher administrative costs

11 Restrict Workstation Communication
Type: Best Practice
Description: Activate the Windows Firewall to restrict workstation to workstation communication
Complexity*: Medium, Effectiveness*: Low, Impact*: Low

12 Sandboxing Email Input
Type: Advanced Malware
Description: Using sandbox that opens email attachments and removes attachments based on behavior analysis
Complexity*: Medium, Effectiveness*: High, Impact*: -

13 Execution Prevention
Type: 3rd Party Tools
Description: Software that allows to control the execution of processes - sometimes integrated in Antivirus software
Complexity*: Medium, Effectiveness*: Medium, Impact*: -

14 Change Default "Open With" to Notepad
Type: GPO
Description: Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer
Complexity*: Low, Effectiveness*: Medium, Impact*: Medium
Possible Issues: Some extensions will have legitimate uses, e.g., .vbs for logon scripts.
Link 1: https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

15 File Screening
Type: Monitoring
Description: Server-side file screening with the help of File Server Resource Manager
Complexity*: Low, Effectiveness*: Medium, Impact*: Low
Link 1: http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

16 Restrict program execution #2
Type: GPO
Description: Block program executions (AppLocker)
Complexity*: Medium, Effectiveness*: Medium, Impact*: Medium
Possible Issues: Configure & test extensively
Link 1: https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.as
Link 2: http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

17 EMET
Type: GPO
Description: Detect and block exploitation techniques
Complexity*: Medium, Effectiveness*: Medium, Impact*: Low
Link 1: www.microsoft.com/emet
Link 2: http://windowsitpro.com/security/control-emet-group-policy

18 Sysmon
Type: 3rd Party Tools
Description: Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring
Complexity*: Medium, Effectiveness*: Low, Impact*: Low
Link 1: https://twitter.com/JohnLaTwC/status/799792296883388416

Footnotes
Complexity The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
Effectiveness Do not overrate a 'high' in this column as it is a relative effectiveness in comparison to other measures
Impact The effects on business processes, administration or user experience
Infographics
Hint: if you can't see the graphics in the HTML version try to download this document as XLSX in the "Download" section

Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-a
Source: Symantec, via @certbund

https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017
Download Links

XLSX Download https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=xlsx
ODS Download https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=ods
Composition This initial list has been composed by Mosh @nyxbone and transformed into this Google Docs format by @cyb3rops
https://twitter.com/nyxbone/status/715675420159508480/photo/1

Contributors
Florian Roth @cyb3rops
Bart P @bartblaze
Michael Gillespie @demonslay335
Marcelo Rivero @MarceloRivero
Daniel Gallagher @DanielGallagher
Mosh @nyxbone
Karsten Hahn @struppigel
Anthony Kasza @anthonykasza
John Bambenek @bambenek
Devon Ackerman @AboutDFIR
Fernando Mercês @MercesFernando
Jas Chase @jasc22

Support If you are a security researcher and want to support us, please contact me on Twitter @cyb3rops, tell me a bit about your background and I'll grant you write access to this list.

License Ransomware Overview is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
https://creativecommons.org/licenses/by-nc-sa/4.0/

Sources
https://id-ransomware.malwarehunterteam.com/ (Identify ransomware by ransom note or encrypted file sample)
https://bartblaze.blogspot.com
http://www.malekal.com/
http://www.bleepingcomputer.com/
https://blog.malwarebytes.org/
http://www.nyxbone.com/
http://www.nyxbone.com/malware/RansomwareOverview.html (Backup of spreadsheet)
http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
http://www.thewindowsclub.com/list-ransomware-decryptor-tools
https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
https://decrypter.emsisoft.com/ (Decrypters)
https://www.nomoreransom.org/ (Decrypters + info)

Google Shortcode http://goo.gl/b9R8DE