DFIR Report Dataset – AI for Cybersecurity in Banking

Intrusion Detection Evaluation Dataset ↗

Accessed DFIR Report data via API to relevant report.
Inserted results into a table.
Table currently consists of 413 records.

Description	Extensions	Extension Pattern	Ransom Note Filename(s)	Comment	Encryption Algorithm	Also known as	Date Added/Modified	Decryptor	Info 1	Info 2	IOCs (Network Based Indicators)	IOCs (Host-Based Indicators)
.CryptoHasYou.	.enc		YOUR_FILES_ARE_LOCKED.txt		AES(256)				http://www.nyxbone.com/malware/CryptoHasYou.html
777	0.777	._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777	read_this_file.txt		XOR	Sevleg		https://decrypter.emsisoft.com/777
7ev3n	.R4A .R5A		FILES_BACK.txt			7ev3n-HONE$T		https://github.com/hasherezade/malware_analysis/tree/master/7ev3n https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be	http://www.nyxbone.com/malware/7ev3n-HONE$T.html
7h9r	.7h9r		README_.TXT		AES				http://www.nyxbone.com/malware/7h9r.html
8lock8	.8lock8		READ_IT.txt	Based on HiddenTear	AES(256)			http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/
AiraCrop	._AiraCropEncrypted		How to decrypt your files.txt	related to TeamXRat					https://twitter.com/PolarToffee/status/796079699478900736
Al-Namrood	.unavailable .disappeared		Read_Me.Txt					https://decrypter.emsisoft.com/al-namrood
Alcatraz Locker	.Alcatraz		ransomed.html						https://twitter.com/PolarToffee/status/792796055020642304
ALFA Ransomware	.bin		README HOW TO DECRYPT YOUR FILES.HTML	Made by creators of Cerber					http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/
Alma Ransomware	random	random(x5)	Unlock_files_randomx5.html		AES(128)			https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283	https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter	http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/
Alpha Ransomware	.encrypt		Read Me (How Decrypt) !!!!.txt		AES(256)	AlphaLocker		http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip	http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/	https://twitter.com/malwarebread/status/804714048499621888
Alphabet				Doesn’t encrypt any files / provides you the key					https://twitter.com/PolarToffee/status/812331918633172992
AMBA	.amba		ПРОЧТИ_МЕНЯ.txt READ_ME.txt	Websites only amba@riseup.net					https://twitter.com/benkow_/status/747813034006020096
Angela Merkel	.angelamerkel								https://twitter.com/malwrhunterteam/status/798268218364358656
AngleWare	.AngleWare		READ_ME.txt						https://twitter.com/BleepinComputer/status/844531418474708993
Angry Duck	.adk			Demands 10 BTC					https://twitter.com/demonslay335/status/790334746488365057
Anony						Based on HiddenTear ngocanh			https://twitter.com/struppigel/status/842047409446387714
Anubis	.coded		Decryption Instructions.txt	EDA2	AES(256)				http://nyxbone.com/malware/Anubis.html
Apocalypse	.encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt	[filename].ID-8characters+countrycode[cryptservice@inbox.ru].[random7characters] filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}	.How_To_Decrypt.txt .Contact_Here_To_Recover_Your_Files.txt .Where_my_files.txt .Read_Me.Txt md5.txt	decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru		Fabiansomeware		https://decrypter.emsisoft.com/apocalypse	http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/
ApocalypseVM	.encrypted .locked		*.How_To_Get_Back.txt	Apocalypse ransomware version which uses VMprotect				http://decrypter.emsisoft.com/download/apocalypsevm
ASN1			!!!!!readme!!!!!.htm						https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/
AutoLocky	.locky		info.txt info.html					https://decrypter.emsisoft.com/autolocky
Aw3s0m3Sc0t7	.enc								https://twitter.com/struppigel/status/828902907668000770
BadBlock			Help Decrypt.html					https://decrypter.emsisoft.com/badblock	http://www.nyxbone.com/malware/BadBlock.html
BadEncript	.bript		More.html						https://twitter.com/demonslay335/status/813064189719805952
BaksoCrypt	.adr			Based on my-Little-Ransomware					https://twitter.com/JakubKroustek/status/760482299007922176	https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/
Bandarchor	.id-1235240425_help@decryptservice.info	.id-[ID]_[EMAIL_ADDRESS]	HOW TO DECRYPT.txt	Files might be partially encrypted	AES(256)	Rakhni			https://reaqta.com/2016/03/bandarchor-ransomware-still-active/	https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/
BarRax	.BarRax			Based on HiddenTear					https://twitter.com/demonslay335/status/835668540367777792
Bart	.bart.zip .bart .perl		recover.txt recover.bmp	Possible affiliations with RockLoader, Locky and Dridex		BaCrypt		http://now.avg.com/barts-shenanigans-are-no-match-for-avg/	http://phishme.com/rockloader-downloading-new-ransomware-bart/	https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky
BitCryptor	.clf			Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.				https://noransom.kaspersky.com/
BitStak	.bitstak				Base64 + String Replacement			https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip
BlackShades Crypter	.Silent		Hacked_Read_me_to_decrypt_files.html YourID.txt		AES(256)	SilentShade			http://nyxbone.com/malware/BlackShades.html
Blocatto	.blocatto			Based on HiddenTear	AES(256)			http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/
Booyah				EXE was replaced to neutralize threat		Salam!
Brazilian	.lock		MENSAGEM.txt	Based on EDA2	AES(256)				http://www.nyxbone.com/malware/brazilianRansom.html
Brazilian Globe		.id-%ID%_garryweber@protonmail.ch	HOW_OPEN_FILES.html						https://twitter.com/JakubKroustek/status/821831437884211201
BrLock					AES				https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
Browlock				no local encryption, browser only
BTCWare	.btcware		#_HOW_TO_FIX_!.hta	Related to / new version of CryptXXX					https://twitter.com/malwrhunterteam/status/845199679340011520
Bucbi				no file name change, no extension	GOST				http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/
BuyUnlockCode		(.*).encoded.([A-Z0-9]{9})	BUYUNLOCKCODE.txt	Does not delete Shadow Copies
Central Security Treatment Organization	.cry		!Recovery_[random_chars].html !Recovery_[random_chars].txt						http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/
Cerber	.cerber .cerber2 .cerber3		# DECRYPT MY FILES #.html # DECRYPT MY FILES #.txt # DECRYPT MY FILES #.vbs # README.hta _{RAND}_README.jpg _{RAND}_README.hta _HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg _HELP_DECRYPT_[A-Z0-9]{4-8}_.hta _HELP_HELP_HELP_%random%.jpg _HELP_HELP_HELP_%random%.hta _HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg _HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta		AES				https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/	https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410
CerberTear									https://twitter.com/struppigel/status/795630452128227333
Chimera	.crypt 4 random characters, e.g., .PzZs, .MKJL		YOUR_FILES_ARE_ENCRYPTED.HTML YOUR_FILES_ARE_ENCRYPTED.TXT .gif					http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/	https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/
CHIP	.CHIP .DALE		CHIP_FILES.txt DALE_FILES.TXT						http://malware-traffic-analysis.net/2016/11/17/index.html	https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/
Click Me Game									https://www.youtube.com/watch?v=Xe30kV4ip8w
Clock				Does not encrypt anything					https://twitter.com/JakubKroustek/status/794956809866018816
CloudSword			Warning警告.html						https://twitter.com/BleepinComputer/status/822653335681593345
Cockblocker	.hannah								https://twitter.com/jiriatvirlab/status/801910919739674624
CoinVault	.clf		wallpaper.jpg	CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!				https://noransom.kaspersky.com/
Coverton	.coverton .enigma .czvxce		!!!-WARNING-!!!.html !!!-WARNING-!!!.txt		AES(256)				http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/
Crptxxx	.crptxxx		HOW_TO_FIX_!.txt	Uses @enigma0x3’s UAC bypass					https://twitter.com/malwrhunterteam/status/839467168760725508
Cryaki	.{CRYPTENDBLACKDC}							https://support.kaspersky.com/viruses/disinfection/8547
Crybola								https://support.kaspersky.com/viruses/disinfection/8547
CryFile	.criptiko .criptoko .criptokod .cripttt .aga		SHTODELATVAM.txt Instructionaga.txt		Moves bytes			http://virusinfo.info/showthread.php?t=185396
CryLocker	.cry		!Recovery_[random_chars].html !Recovery_[random_chars].txt	Identifies victim locations w/Google Maps API		Cry, CSTO, Central Security Treatment Organization			http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/
CrypMIC			README.TXT README.HTML README.BMP	CryptXXX clone/spinoff	AES(256)				http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/
Crypren	.ENCRYPTED		READ_THIS_TO_DECRYPT.html					https://github.com/pekeinfo/DecryptCrypren	http://www.nyxbone.com/malware/Crypren.html
Crypt38	.crypt38				AES			https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip	https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption
CryptConsole	random	decipher_ne@outlook.com_[encrypted_filename] unCrypte@outlook.com_[encrypted_filename]	How decrypt files.hta	Impersonates the Globe Ransomware Will not actually encrypt files				https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/	https://twitter.com/PolarToffee/status/824705553201057794
Cryptear					AES(256)	Hidden Tear		http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
Crypter				Does not actually encrypt the files, but simply renames them					https://twitter.com/jiriatvirlab/status/802554159564062722
CryptFIle2	.scl	id[_ID]email_xerx@usa.com.scl			RSA				https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
CryptInfinite	.crinf							https://decrypter.emsisoft.com/
CryptoBit			OKSOWATHAPPENDTOYOURFILES.TXT	sekretzbel0ngt0us.KEY do not confuse with CryptorBit	AES and RSA				http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/	http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml
CryptoBlock				RaaS					https://twitter.com/drProct0r/status/810500976415281154	https://blog.malwarebytes.com/threat-analysis/2017/03/cryptoblock-and-its-c2/
CryptoDefense			HOW_DECRYPT.TXT HOW_DECRYPT.HTML HOW_DECRYPT.URL	no extension change				https://decrypter.emsisoft.com/
CryptoDevil	.devil								https://twitter.com/PolarToffee/status/843527738774507522
CryptoFinancial						Ranscam			http://blog.talosintel.com/2016/07/ranscam.html	https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/
CryptoFortress	.frtrss		READ IF YOU WANT YOUR FILES BACK.html	Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB	AES(256), RSA (1024)
CryptoGraphic Locker	.clf		wallpaper.jpg	Has a GUI. Subvariants: CoinVault BitCryptor
CryptoHost				RAR’s victim’s files has a GUI	AES(256) (RAR implementation)	Manamecrypt, Telograph, ROI Locker		http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
CryptoJacky									https://twitter.com/jiriatvirlab/status/838779371750031360
CryptoJoker	.crjoker		README!!!.txt GetYouFiles.txt crjoker.html		AES-256
CryptoLocker	.encrypted .ENC			no longer relevant	RSA			https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html	https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/
CryptoLocker 1.0.0									https://twitter.com/malwrhunterteam/status/839747940122001408
CryptoLocker 5.1									https://twitter.com/malwrhunterteam/status/782890104947867649
CryptoLuck / YafunnLocker	.[victim_id]_luck	[A-F0-9]{8}_luck	%AppData%\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt.	via RIG EK	AES(256)				http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/	https://twitter.com/malwareforme/status/798258032115322880
CryptoMix	.code .scl .rmd .lesli .rdmk .CRYPTOSHIELD .CRYPTOSHIEL	.id_(ID_MACHINE)_email_xoomx@dr.com_.code .id__email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl .email[supl0@post.com]id[\[[a-z0-9]{16}\]].lesli filename.email[email]_id[id*].rdmk	HELP_YOUR_FILES.html (CryptXXX) HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0) INSTRUCTION RESTORE FILE.TXT			Zeta			http://www.nyxbone.com/malware/CryptoMix.html	https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/
CryptON	_crypt .id-_locked .id-_locked_by_krec .id-_locked_by_perfect .id-_x3m .id-_r9oj .id-_garryweber@protonmail.ch .id-_steaveiwalker@india.com_ .id-_julia.crown@india.com_ .id-_tom.cruz@india.com_ .id-_CarlosBoltehero@india.com_ .id-_maria.lopez1@india.com_	name_crypt..extension			RSA, AES-256 and SHA-256	Nemesis X3M		https://decrypter.emsisoft.com/crypton	https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/	https://twitter.com/JakubKroustek/status/829353444632825856
CryptoRansomeware									https://twitter.com/malwrhunterteam/status/817672617658347521
Cryptorium	.ENC			Only renames files and does not encrypt them
CryptoRoger	.crptrgr		!Where_are_my_files!.html		AES				http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/
CryptoShadow	.doomed		LEER_INMEDIATAMENTE.txt						https://twitter.com/struppigel/status/821992610164277248
CryptoShield	.CRYPTOSHIELD	grfg.wct.CRYPTOSHIELD	# RESTORING FILES #.HTML # RESTORING FILES #.TXT	CryptoMix Variant	AES(256) / ROT-13				https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/
CryptoShocker	.locked		ATTENTION.url		AES				http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/
CryptoTorLocker2015	.CryptoTorLocker2015!		HOW TO DECRYPT FILES.txt %Temp%\.bmp					http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/
CryptoTrooper					AES				http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml
CryptoWall 1		no filename change	DECRYPT_INSTRUCTION.HTML DECRYPT_INSTRUCTION.TXT DECRYPT_INSTRUCTION.URL INSTALL_TOR.URL
CryptoWall 2		no filename change	HELP_DECRYPT.TXT HELP_DECRYPT.PNG HELP_DECRYPT.URL HELP_DECRYPT.HTML
CryptoWall 3		no filename change	HELP_DECRYPT.TXT HELP_DECRYPT.PNG HELP_DECRYPT.URL HELP_DECRYPT.HTML						https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/	https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/
CryptoWall 4		., e.g., 27p9k967z.x1nep	HELP_YOUR_FILES.HTML HELP_YOUR_FILES.PNG
CryptoWire					AES(256)				https://twitter.com/struppigel/status/791554654664552448	https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/
CryptXXX	.crypt		de_crypt_readme.bmp, .txt, .html	Comes with Bedep		CryptProjectXXX		https://support.kaspersky.com/viruses/disinfection/8547	http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information
CryptXXX 2.0	.crypt		.txt, .html, .bmp	Locks screen. Ransom note names are an ID. Comes with Bedep.		CryptProjectXXX		https://support.kaspersky.com/viruses/disinfection/8547	https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool	http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
CryptXXX 3.0	.crypt .cryp1 .crypz .cryptz random			Comes with Bedep		UltraDeCrypter UltraCrypter		https://support.kaspersky.com/viruses/disinfection/8547	http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/	http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
CryptXXX 3.1	.cryp1			StilerX credential stealing				https://support.kaspersky.com/viruses/disinfection/8547	https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100
CryPy	.cry		README_FOR_DECRYPT.txt		AES
Crysis	.bip	.id-[id].[email].bip		Locks screen. Ransom note ask to contact 888@cock.email. Attack timeline shows machine was compromised by RDP bruteforce first then implant the ransomware as final step					https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/	https://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/
CTB-Faker									http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/
CTB-Locker	.ctbl	.([a-z]{6,7})	AllFilesAreLocked .bmp DecryptAllFiles .txt .html		RSA(2048)	Citroni
CTB-Locker WEB				websites only	AES(256)				https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/	https://github.com/eyecatchup/Critroni-php
CuteRansomware	.已加密 .encrypted		你的檔案被我們加密啦!!!.txt Your files encrypted by our friends !!! txt	Based on my-Little-Ransomware	AES(128)	my-Little-Ransomware		https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool	https://github.com/aaaddress1/my-Little-Ransomware
Cyber SpLiTTer Vbs				Based on HiddenTear		CyberSplitter			https://twitter.com/struppigel/status/778871886616862720	https://twitter.com/struppigel/status/806758133720698881
Damage	.damage			Written in Delphi	Combination of SHA-1 and Blowfish			https://decrypter.emsisoft.com/damage	https://twitter.com/demonslay335/status/835664067843014656
Dharma	.dharma .wallet .zzzzz .adobe	..(dharma\|wallet\|zzzzz) .id-%ID%.[moneymaker2@india.com].wallet	README.txt README.jpg Info.hta	CrySiS variant				https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/	https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-filenameemailwalletbipcmbarena-support-topic/
Deadly for a Good Purpose				Encrypts in 2017					https://twitter.com/malwrhunterteam/status/785533373007728640
Death Bitches	.locked		READ_IT.txt						https://twitter.com/JaromirHorejsi/status/815555258478981121
DeCrypt Protect	.html							http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/
DEDCryptor	.ded			Based on EDA2	AES(256)				http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/	http://www.nyxbone.com/malware/DEDCryptor.html
Demo	.encrypted		HELP_YOUR_FILES.txt	only encrypts .jpg files					https://twitter.com/struppigel/status/798573300779745281
Depsex	.Locked-by-Mafia		READ_ME.txt	Based on HiddenTear		MafiaWare			https://twitter.com/BleepinComputer/status/817069320937345024
DeriaLock	.deria		unlock-everybody.txt					https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/	https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/
DetoxCrypto					AES	Based on Detox: Calipso We are all Pokemons Nullbyte			http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/
Digisom			Digisom Readme0.txt (0 to 9)						https://twitter.com/PolarToffee/status/829727052316160000
DirtyDecrypt									https://twitter.com/demonslay335/status/752586334527709184
DMALocker			cryptinfo.txt decrypting.txt start.txt	no extension change Encrypted files have prefix: Version 1: ABCXYZ11 Version 2: !DMALOCK Version 3: !DMALOCK3.0 Version 4: !DMALOCK4.0	AES(256) in ECB mode, Version 2-4 also RSA			https://decrypter.emsisoft.com/ https://github.com/hasherezade/dma_unlocker https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg	https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/
DMALocker 3.0				no extension change	AES(256) XPTLOCK5.0			https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg	https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
DNRansomware	.fucked			Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT					https://twitter.com/BleepinComputer/status/822500056511213568
Domino	.domino		README_TO_RECURE_YOUR_FILES.txt	Based on Hidden Tear	AES(256)				http://www.nyxbone.com/malware/Domino.html	http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/
Donald Trump	.ENCRYPTED				AES				https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/
DoNotChange	.id-7ES642406.cry .Do_not_change_the_filename		HOW TO DECODE FILES!!!.txt КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt		AES(128)			https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/
DummyLocker	.dCrypt								https://twitter.com/struppigel/status/794108322932785158
DXXD	.dxxd		ReadMe.TxT					https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/	https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/
DynA-Crypt	.crypt								https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/
EDA2 / HiddenTear	.locked			Open sourced C#	AES(256)	Cryptear
EdgeLocker	.edgel								https://twitter.com/BleepinComputer/status/815392891338194945
EduCrypt	.isis .locked		README.txt	Based on Hidden Tear		EduCrypter		http://www.filedropper.com/decrypter_1	https://twitter.com/JakubKroustek/status/747031171347910656
EiTest	.crypted								https://twitter.com/BroadAnalysis/status/845688819533930497	https://twitter.com/malwrhunterteam/status/845652520202616832
El-Polocker	.ha3		qwer.html qwer2.html locked.bmp	Has a GUI		Los Pollos Hermanos
Encoder.xxxx			Instructions.html	Coded in GO		Trojan.Encoder.6491			http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/	http://vms.drweb.ru/virus/?_is=1&i=8747343
encryptoJJS	.enc		How to recover.enc
Enigma	.enigma .1txt		enigma.hta enigma_encr.txt enigma_info.txt		AES(128)				http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/
Enjey				Based on RemindMe					https://twitter.com/malwrhunterteam/status/839022018230112256
EnkripsiPC	.fucked			The encryption password is based on the computer name		IDRANSOMv3 Manifestus		https://twitter.com/demonslay335/status/811343914712100872	https://twitter.com/BleepinComputer/status/811264254481494016	https://twitter.com/struppigel/status/811587154983981056
Erebus		Encrypt the extension using ROT-23	README.HTML		AES				https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/
Evil	.file0locked .evillock			Coded in Javascript					https://twitter.com/jiriatvirlab/status/818443491713884161	https://twitter.com/PolarToffee/status/826508611878793219
Exotic	.exotic	random.exotic		Also encrypts executables	AES(128)				http://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/
FabSysCrypto				Based on HiddenTear					https://twitter.com/struppigel/status/837565766073475072
Fadesoft									https://twitter.com/malwrhunterteam/status/829768819031805953	https://twitter.com/malwrhunterteam/status/838700700586684416
Fairware				Target Linux O.S.					http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/
Fakben	.locked		READ ME FOR DECRYPT.txt	Based on Hidden Tear					https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code
FakeGlobe aka GlobeImposter	.crypt		HOW_OPEN_FILES.hta					https://decrypter.emsisoft.com/globeimposter	https://twitter.com/malwrhunterteam/status/809795402421641216
FakeCryptoLocker	.cryptolocker								https://twitter.com/PolarToffee/status/812312402779836416
Fantom	.fantom .comrade		DECRYPT_YOUR_FILES.HTML RESTORE-FILES![id]	Based on EDA2	AES(128)	Variants: Comrade Circle			http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/
FenixLocker	.FenixIloveyou!!		Help to decrypt.txt					https://decrypter.emsisoft.com/fenixlocker	https://twitter.com/fwosar/status/777197255057084416
FILE FROZR				RaaS					https://twitter.com/rommeljoven17/status/846973265650335744
FileLocker	.ENCR								https://twitter.com/jiriatvirlab/status/836616468775251968
FireCrypt	.firecrypt		[random_chars]-READ_ME.html		AES(256)				https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/
Flyper	.locked			Based on EDA2 / HiddenTear					https://twitter.com/malwrhunterteam/status/773771485643149312
Fonco			help-file-decrypt.enc /pronk.txt	contact email safefiles32@mail.ru also as prefix in encrypted file contents
FortuneCookie									https://twitter.com/struppigel/status/842302481774321664
Free-Freedom	.madebyadam			Unlock code is: adam or adamdude9		Roga			https://twitter.com/BleepinComputer/status/812135608374226944
FSociety	.fs0ciety .dll		fs0ciety.html DECRYPT_YOUR_FILES.HTML	Based on EDA2 Based on RemindMe				https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/	http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/	https://twitter.com/siri_urz/status/795969998707720193
Fury								https://support.kaspersky.com/viruses/disinfection/8547
GhostCrypt	.Z81928819			Based on Hidden Tear	AES(256)			https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip	http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/
Gingerbread									https://twitter.com/ni_fi_70/status/796353782699425792
Globe v1	.purge		How to restore files.hta		Blowfish	Purge		https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221	http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/
Globe v2	.lovewindows .openforyou@india.com	.. e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg			Blowfish	Purge		https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
Globe v3	.[random].blt .[random].encrypted .[random].raid10 .[mia.kokers@aol.com] .[random].globe .unlockvt@india.com .rescuers@india.com.3392cYAn548QZeUf.lock .locked .decrypt2017 .hnumkhotep			Extesion depends on the config file. It seems Globe is a ransomware kit.	RC4 AES(256)	Purge		https://decrypter.emsisoft.com/globe3
GNL Locker	.locked	.locked, e.g., bill.!ID!8MMnF!ID!.locked	UNLOCK_FILES_INSTRUCTIONS.html and .txt	Only encrypts DE or NL country	AES (256)	Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker			http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/
GOG	.L0CKED		DecryptFile.txt						https://twitter.com/BleepinComputer/status/816112218815266816
Gomasom	.crypt	!___[EMAILADDRESS]_.crypt		no ransom note				https://decrypter.emsisoft.com/
Goopic			Your files have been crypted.html						http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/
Gopher				OS X ransomware (PoC)
Gremit	.rnsmwr								https://twitter.com/struppigel/status/794444032286060544
Guster	.locked								https://twitter.com/BleepinComputer/status/812131324979007492
Hacked	.versiegelt .encrypted .payrmts .locked .Locked			Jigsaw Ransomware variant					https://twitter.com/demonslay335/status/806878803507101696
HappyDayzz					3DES AES(128) AES(192) AES(256) DES RC2 RC4				https://twitter.com/malwrhunterteam/status/847114064224497666
Harasom	.html							https://decrypter.emsisoft.com/
HDDCryptor				Uses https://diskcryptor.net for full disk encryption	Custom (net shares), XTS-AES (disk)	Mamba			https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho	blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/
Heimdall				File marker: “Heimdall—“	AES-128-CBC				https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/
Help_dcfile	.XXX		help_dcfile.txt
Herbst	.herbst				AES(256)				https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
Hermes			DECRYPT_INFORMATION.html UNIQUE_ID_DO_NOT_REMOVE	Filemarker: “HERMES”	AES			https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/	https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/
Hi Buddy!	.cry			Based on HiddenTear	AES(256)				http://www.nyxbone.com/malware/hibuddy.html
Hitler		removes extensions		Deletes files					http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/	https://twitter.com/jiriatvirlab/status/825310545800740864
HolyCrypt	(encrypted)				AES				http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/
HTCryptor				Includes a feature to disable the victim’s windows firewall Modified in-dev HiddenTear					https://twitter.com/BleepinComputer/status/803288396814839808
Hucky	.locky	[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky	_Adatok_visszaallitasahoz_utasitasok.txt _locky_recover_instructions.txt	Based on Locky	AES, RSA (hardcoded)	Hungarian Locky (Hucky)			https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
HydraCrypt		hydracrypt_ID_[\w]{8}	README_DECRYPT_HYRDA_ID_[ID number].txt	CrypBoss Family				https://decrypter.emsisoft.com/	http://www.malware-traffic-analysis.net/2016/02/03/index2.html
IFN643									https://twitter.com/struppigel/status/791576159960072192
iLock	.crime								https://twitter.com/BleepinComputer/status/817085367144873985
iLockLight	.crime
International Police Association		<6 random characters>	%Temp%\.bmp	CryptoTorLocker2015 variant				http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe
iRansom	.Locked								https://twitter.com/demonslay335/status/796134264744083460
Jack.Pot									https://twitter.com/struppigel/status/791639214152617985
JagerDecryptor	!ENC		Important_Read_Me.html	Prepends filenames					https://twitter.com/JakubKroustek/status/757873976047697920
JapanLocker					Base64 encoding, ROT13, and top-bottom swapping	shc Ransomware SyNcryption		https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php	https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots
Jeiphoos			readme_liesmich_encryptor_raas.txt	Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.	RC6 (files), RSA 2048 (RC6 key)	Encryptor RaaS, Sarento			http://www.nyxbone.com/malware/RaaS.html	http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/
Jhon Woddy	.killedXXX			Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH				https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip	https://twitter.com/BleepinComputer/status/822509105487245317
Jigsaw	.btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz .encrypted .hush .paytounlock .uk-dealer@sigaint.org .gefickt .nemo-hacks.at.sigaint.org			Has a GUI	AES(256)	CryptoHitMan (subvariant)		http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/	https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/	https://twitter.com/demonslay335/status/795819556166139905
Job Crypter	.locked .css		Comment débloquer mes fichiers.txt Readme.txt	Based on HiddenTear, but uses TripleDES, decrypter is PoC	TripleDES				http://www.nyxbone.com/malware/jobcrypter.html http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html	https://twitter.com/malwrhunterteam/status/828914052973858816
JohnyCryptor
Kaandsona	.kencf			Crashes before it encrypts		Käändsõna RansomTroll			https://twitter.com/BleepinComputer/status/819927858437099520
Kangaroo	.crypted_file		filename.Instructions_Data_Recovery.txt	From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda					https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/
Karma	.karma		# DECRYPT MY FILES #.html # DECRYPT MY FILES #.txt	pretends to be a Windows optimization program called Windows-TuneUp	AES				https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/
Karmen	.grt			RaaS Based on HiddenTear					https://twitter.com/malwrhunterteam/status/841747002438361089
Kasiski	[KASISKI]		INSTRUCCIONES.txt						https://twitter.com/MarceloRivero/status/832302976744173570
KawaiiLocker			How Decrypt Files.txt					https://safezone.cc/resources/kawaii-decryptor.195/
KeRanger	.encrypted			OS X Ransomware	AES			http://news.drweb.com/show/?i=9877&lng=en&c=5	http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/
KeyBTC	keybtc@inbox_com		DECRYPT_YOUR_FILES.txt READ.txt readme.txt					https://decrypter.emsisoft.com/
KEYHolder			how_decrypt.gif how_decrypt.html	via remote attacker. tuyuljahat@hotmail.com contact address					http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
KillDisk					AES(256)				https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/	http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
KillerLocker	.rip			Possibly Portuguese dev					https://twitter.com/malwrhunterteam/status/782232299840634881
KimcilWare	.kimcilware .locked			websites only	AES			https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it	http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/
Kirk	.Kirked		RANSOM_NOTE.txt	Payments in Monero				https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/	https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/
Koolova				With Italian text that only targets the Test folder on the user’s desktop					https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/
Korean	.암호화됨		ReadMe.txt	Based on HiddenTear	AES(256)				http://www.nyxbone.com/malware/koreanRansom.html
Kostya	.kostya								http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/
Kozy.Jozy	.31392E30362E32303136_[ID-KEY]_LSBJ1	.([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})	w.jpg	Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com	RSA(2048)	QC			http://www.nyxbone.com/malware/KozyJozy.html	http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/
Kraken	.kraken	[base64].kraken	_HELP_YOUR_FILES.html
KratosCrypt	.kratos		README_ALL.html	kratosdimetrici@gmail.com					https://twitter.com/demonslay335/status/746090483722686465
KRider	.kr3								https://twitter.com/malwrhunterteam/status/836995570384453632
KryptoLocker			KryptoLocker_README.txt	Based on HiddenTear	AES(256)
LambdaLocker	.lambda_l0cked		READ_IT.hTmL	Python Ransomware	AES(256)
LanRan			@__help__@	Variant of open-source MyLittleRansomware					https://twitter.com/struppigel/status/847689644854595584
LeChiffre	.LeChiffre		How to decrypt LeChiffre files.html	Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker				https://decrypter.emsisoft.com/lechiffre	https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/
Lick	.Licked		RANSOM_NOTE.txt	Variant of Kirk					https://twitter.com/JakubKroustek/status/842404866614038529
Linux.Encoder				Linux Ransomware		Linux.Encoder.{0,3}		https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
LK Encryption				Based on HiddenTear					https://twitter.com/malwrhunterteam/status/845183290873044994
LLTP Locker	.ENCRYPTED_BY_LLTP .ENCRYPTED_BY_LLTPp		LEAME.txt	Targeting Spanish speaking victims	AES-256				https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/
LockCrypt	.lock		ReadMe.TxT				09/29/2017		https://www.bleepingcomputer.com/forums/t/648384/lockcrypt-lock-support-topic-readmetxt/
Locked-In			RESTORE_CORUPTED_FILES.HTML	Based on RemindMe				https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/	https://twitter.com/struppigel/status/807169774098796544
Locker				no extension change has GUI				http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545
LockLock	.locklock		READ_ME.TXT		AES(256)				https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/
Locky	.locky .zepto .odin .shit .thor .aesir .zzzzz .osiris .DIABLO6 .lukitus	([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris	_Locky_recover_instructions.txt _Locky_recover_instructions.bmp _HELP_instructions.txt _HELP_instructions.bmp _HOWDO_text.html _WHAT_is.html _INSTRUCTION.html DesktopOSIRIS.(bmp\|htm) OSIRIS-[0-9]{4}.htm	Affiliations with Dridex and Necurs botnets IOCs: https://ghostbin.com/paste/7jm4j	AES(128)		08/08/2017 – Diablo6 Locky variant added 09/28/2017 – Lukitus Locky varinat added		http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/	WSF variant: http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/ Odin: https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/ OSIRIS: https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/
Lock93	.lock93								https://twitter.com/malwrhunterteam/status/789882488365678592
Lomix				Based on the idiotic open-source ransomware called CryptoWire					https://twitter.com/siri_urz/status/801815087082274816
Lortok	.crime
LowLevel04	oor.			Prepends filenames
M4N1F3STO				Does not encrypt Unlock code=suckmydicknigga					https://twitter.com/jiriatvirlab/status/808015275367002113
Mabouia				OS X ransomware (PoC)
MacAndChess				Based on HiddenTear
Magic	.magic		DECRYPT_ReadMe1.TXT DECRYPT_ReadMe.TXT	Based on EDA2	AES(256)
MaktubLocker		[a-z]{4,6}	_DECRYPT_INFO_[extension pattern].html		AES(256), RSA (2048)				https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/
Marlboro	.oops		_HELP_Recover_Files_.html		XOR			https://decrypter.emsisoft.com/marlboro	https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/
MarsJoke	.a19 .ap19		!!! Readme For Decrypt !!!.txt ReadMeFilesDecrypt!!!.txt					https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/	https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker
MasterBuster			CreatesReadThisFileImportant.txt						https://twitter.com/struppigel/status/791943837874651136
Matrix			[5 numbers]-MATRIX-README.RTF		GnuPG				https://twitter.com/rommeljoven17/status/804251901529231360
Meister				Targeting French victims					https://twitter.com/siri_urz/status/840913419024945152
Merry X-Mas!	.PEGS1 .MRCR1 .RARE1 .MERRY .RMCM1		YOUR_FILES_ARE_DEAD.HTA MERRY_I_LOVE_YOU_BRUCE.HTA	Written in Delphi		MRCR		https://decrypter.emsisoft.com/mrcr	https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/	https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/
Meteoritan			where_are_your_files.txt readme_your_files_have_been_encrypted.txt						https://twitter.com/malwrhunterteam/status/844614889620561924
MIRCOP	Lock.			Prepends files Demands 48.48 BTC	AES	Crypt888		http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/ https://www.avast.com/ransomware-decryption-tools#!	http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/	http://www.nyxbone.com/malware/Mircop.html
MireWare	.fucked .fuck		READ_IT.txt	Based on HiddenTear	AES(256)
Mischa		.([a-zA-Z0-9]{4})	YOUR_FILES_ARE_ENCRYPTED.HTML YOUR_FILES_ARE_ENCRYPTED.TXT	Packaged with Petya PDFBewerbungsmappe.exe		“Petya’s little brother”			http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
MM Locker	.locked		READ_IT.txt	Based on EDA2	AES(256)	Booyah			https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
Mobef	.KEYZ .KEYH0LES		4-14-2016-INFECTION.TXT IMPORTANT.README			Yakes CryptoBit			http://nyxbone.com/malware/Mobef.html	http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/
Mole	.mole .mole02		INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT			CryptoMix		https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-mole02-cryptomix-ransomware-variant/
Monument				Use the DarkLocker 5 porn screenlocker Jigsaw variant					https://twitter.com/malwrhunterteam/status/844826339186135040
MOTD	.enc		motd.txt						https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/
MSN CryptoLocker			RESTORE_YOUR_FILES.txt						https://twitter.com/struppigel/status/810766686005719040
n1n1n1			decrypt explanations.html	Filemaker: “333333333333”					https://twitter.com/demonslay335/status/790608484303712256	https://twitter.com/demonslay335/status/831891344897482754
N-Splitter	.кибер разветвитель			Russian Koolova Variant					https://twitter.com/JakubKroustek/status/815961663644008448	https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q
Nagini				Looks for C:\Temp\voldemort.horcrux					http://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/
NanoLocker			ATTENTION.RTF	no extension change has a GUI	AES (256), RSA			http://github.com/Cyberclues/nanolocker-decryptor
Nemucod	.crypted		Decrypted.txt	7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes	XOR(255) 7zip			https://decrypter.emsisoft.com/nemucod https://github.com/Antelox/NemucodFR http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/	https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/
Netix					AES(256)	RANSOM_NETIX.A			http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
NETWALKER
Nhtnwcuf			!_RECOVERY_HELP_!.txt HELP_ME_PLEASE.txt	Does not encrypt the files / Files are destroyed					https://twitter.com/demonslay335/status/839221457360195589
NMoreira	.maktub .__AiraCropEncrypted! .aac		Recupere seus arquivos. Leia-me!.txt Learn how to recover your files.txt	.aac is the extension used by the new version seen in July, 2017	mix of RSA and AES-256	XRatTeam XPan AiraCrop		https://decrypter.emsisoft.com/nmoreira	https://twitter.com/fwosar/status/803682662481174528
NoobCrypt									https://twitter.com/JakubKroustek/status/757267550346641408	https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/
Nuke	.nuclear55		!!_RECOVERY_instructions_!!.html !!_RECOVERY_instructions_!!.txt		AES
Nullbyte	_nullbyte							https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip	https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/
Ocelot				Does not encrypt anything					https://twitter.com/malwrhunterteam/status/817648547231371264
ODCODC	.odcodc	C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc	HOW_TO_RESTORE_FILES.txt		XOR			http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip	http://www.nyxbone.com/malware/odcodc.html	https://twitter.com/PolarToffee/status/813762510302183424
Offline ransomware	.cbf	email-[params].cbf	desk.bmp desk.jpg	email addresses overlap with .777 addresses		Vipasana, Cryakl		https://support.kaspersky.com/viruses/disinfection/8547	http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html
OMG! Ransomware	.LOL! .OMG!		how to get data.txt			GPCode
Onyx				Georgian ransomware					https://twitter.com/struppigel/status/791557636164558848
Operation Global III	.EXE			Is a file infector (virus)				http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/
Owl	dummy_file.encrypted	dummy_file.encrypted.[extension]	log.txt			CryptoWire			https://twitter.com/JakubKroustek/status/842342996775448576
OzozaLocker	.Locked		HOW TO DECRYPT YOU FILES.txt					https://decrypter.emsisoft.com/ozozalocker	https://twitter.com/malwrhunterteam/status/801503401867673603
PadCrypt	.padcrypt		IMPORTANT READ ME.txt File Decrypt Help.html	has a live support chat					http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/	https://twitter.com/malwrhunterteam/status/798141978810732544
Padlock Screenlocker				Unlock code is: ajVr/G\RJz0R					https://twitter.com/BleepinComputer/status/811635075158839296
Patcher	.crypt		README!.txt	Targeting macOS users				https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/	https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/
PayDay	.sexy		!!!!!ATENÇÃO!!!!!.html	Based off of Hidden-Tear					https://twitter.com/BleepinComputer/status/808316635094380544
PayDOS				Batch file Passcode: AES1014DW256		Serpent			https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/
Paysafecard Generator 2016	.cry_	test.cry_jpg							https://twitter.com/JakubKroustek/status/796083768155078656
PClock			Your files are locked !.txt Your files are locked !!.txt Your files are locked !!!.txt Your files are locked !!!!.txt %AppData%\WinCL\winclwp.jpg	CryptoLocker Copycat	XOR	CryptoLocker clone WinPlock		https://decrypter.emsisoft.com/	https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/
PetrWrap									https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/
Petya	.encrypted		YOUR_FILES_ARE_ENCRYPTED.TXT YOUR_FILES_ARE_ENCRYPTED.HTML README.TXT	– overwrites MBR – encrypts MFT – PDFBewerbungsmappe.exe – Symantec & FireEye have confirmed that the initial attack vector is MEDoc (tax account software)	Modified Salsa20	Goldeneye	29.09.2023	http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator https://www.youtube.com/watch?v=mSqxFjZq_z4	https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/ https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html	https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/ https://symantec-blogs.broadcom.com/blogs/threat-intelligence/petya-ransomware-wiper?om_ext_cid=biz_social_NAM_twitter_Asset%2520Type%2520%2520-%2520Blog,Petya
Philadelphia	.locked	.locked		Coded by “The_Rainmaker”	AES(256)			https://decrypter.emsisoft.com/philadelphia	www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/
Phobos	.phobos	file name[ID-000QQQ.hacker@AOL.com].phobos		Rebranded Dharma Ransom Note					https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew	https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-help-topic-phobos-phoboshta/page-2
Phoenix	.R.i.P		Important!.txt	Based on HiddenTear					https://twitter.com/BleepinComputer/status/804810315456200704
Pickles	.EnCrYpTeD	%random%.EnCrYpTeD	READ_ME_TO_DECRYPT.txt	Python Ransomware					https://twitter.com/JakubKroustek/status/834821166116327425
PizzaCrypts	.id-[victim_id]-maestro@pizzacrypts.info							http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip
PokemonGO	.locked			Based on Hidden Tear	AES(256)				http://www.nyxbone.com/malware/pokemonGO.html	http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/
Popcorn Time	.filock		restore_your_files.html restore_your_files.txt		AES(256)				https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
Polyglot				Immitates CTB-Locker	AES(256)			https://support.kaspersky.com/8547	https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/
Potato	.potato		README.png README.html		AES(256)
PowerWare	.locky			Open-sourced PowerShell	AES(128)	PoshCoder		https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip	https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/	http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/
PowerWorm			DECRYPT_INSTRUCTION.html looks like CryptoWall 3, but with additional warnings at the bottom that ransom price will go up after some time	no decryption possible	AES, but throws key away, destroys the files
Princess Locker		[a-z]{4,6},[0-9]	!_HOW_TO_RESTORE_[extension].TXT !_HOW_TO_RESTORE_[extension].html !_HOW_TO_RESTORE_id.txt .id @_USE_TO_FIX_JJnY.txt					https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/	https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/	https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/
PRISM									http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
Project34			ПАРОЛЬ.txt
ProposalCrypt	.crypted							https://twitter.com/demonslay335/status/812002960083394560	https://twitter.com/malwrhunterteam/status/811613888705859586
Ps2exe									https://twitter.com/jiriatvirlab/status/803297700175286273
PyL33T	.d4nk			Python Ransomware					https://twitter.com/Jan0fficial/status/834706668466405377
R			Ransomware.txt						https://twitter.com/malwrhunterteam/status/846705481741733892
R980	.crypt		DECRYPTION INSTRUCTIONS.txt rtext.txt						https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/
RAA encryptor	.locked		!!!README!!![id].rtf	Possible affiliation with Pony		RAA			https://reaqta.com/2016/06/raa-ransomware-delivering-pony/	http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/
Rabion				RaaS Copy of Ranion RaaS					https://twitter.com/CryptoInsane/status/846181140025282561
Radamant	.RDM .RRK .RAD .RADAMANT		YOUR_FILES.url		AES(256)			https://decrypter.emsisoft.com/radamant	http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/	http://www.nyxbone.com/malware/radamant.html
Rakhni	.locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15	.coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\w]{4,12}	\fud.bmp \paycrypt.bmp \strongcrypt.bmp \maxcrypt.bmp or a similar named bmp in the startup folder %APPDATA%\Roaming\.bmp is set as wallpaper	Files might be partially encrypted		Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor		https://support.kaspersky.com/us/viruses/disinfection/10556
Ramsomeer				Based on the DUMB ransomware
Ranion				RaaS service	AES(256)				https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/
Rannoh		locked-.[a-zA-Z]{4}						https://support.kaspersky.com/viruses/disinfection/8547
RanRan	.zXz		VictemKey_0_5 VictemKey_5_30 VictemKey_30_100 VictemKey_100_300 VictemKey_300_700 VictemKey_700_2000 VictemKey_2000_3000 VictemKey_3000 zXz.html					https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption	http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/	https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/
Ransoc				Doesn’t encrypt user files					https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles	https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/
Ransom32				no extension change, Javascript Ransomware
RansomLock				Locks the desktop	Asymmetric 1024				https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2
RansomPlus	.encrypted								https://twitter.com/jiriatvirlab/status/825411602535088129
RarVault			RarVault.htm
Razy	.razy .fear				AES(128)				http://www.nyxbone.com/malware/Razy(German).html	http://nyxbone.com/malware/Razy.html
Rector	.vscrypt .infected .bloc .korrektor							https://support.kaspersky.com/viruses/disinfection/4264
Red Alert				Based on Hidden Tear					https://twitter.com/JaromirHorejsi/status/815557601312329728
RektLocker	.rekt		Readme.txt		AES(256)			https://support.kaspersky.com/viruses/disinfection/4264
RemindMe	.remind .crashed		decypt_your_files.html						http://www.nyxbone.com/malware/RemindMe.html
Revenge	.REVENGE		# !!!HELP_FILE!!! #.txt	CryptoMix / CryptFile2 Variant	AES(256)				https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/
Rokku	.rokku		README_HOW_TO_UNLOCK.TXT README_HOW_TO_UNLOCK.HTML	possibly related with Chimera	Curve25519 + ChaCha				https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
RoshaLock				Stores your files in a password protected RAR file					https://twitter.com/siri_urz/status/842452104279134209
RozaLocker	.ENC								https://twitter.com/jiriatvirlab/status/840863070733885440
Runsomewere				Based on HT/EDA2 Utilizes the Jigsaw Ransomware background					https://twitter.com/struppigel/status/801812325657440256
RussianRoulette				Variant of the Philadelphia ransomware					https://twitter.com/struppigel/status/823925410392080385
SADStory				Variant of CryPy					https://twitter.com/malwrhunterteam/status/845356853039190016
Sage 2.0	.sage		!Recovery_[3_random_chars].html	Predecessor CryLocker					https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/	https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga
Sage 2.2	.sage			Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.					https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate	https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
Samas-Samsam	.encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork .VforVendetta .theworldisyours .Whereisyourfiles .helpmeencedfiles .powerfulldecrypt .noproblemwedecfiles .weareyourfriends .otherinformation .letmetrydecfiles .encryptedyourfiles .weencedufiles .iaufkakfhsaraf .cifgksaffsfyghd		HELP_DECRYPT_YOUR_FILES.html ###-READ-FOR-HELLPP.html 000-PLEASE-READ-WE-HELP.html CHECK-IT-HELP-FILES.html WHERE-YOUR-FILES.html HELP-ME-ENCED-FILES.html WE-MUST-DEC-FILES.html 000-No-PROBLEM-WE-DEC-FILES.html TRY-READ-ME-TO-DEC.html 000-IF-YOU-WANT-DEC-FILES.html LET-ME-TRY-DEC-FILES.html 001-READ-FOR-DECRYPT-FILES.html READ-READ-READ.html IF_WANT_FILES_BACK_PLS_READ.html READ_READ_DEC_FILES.html	Targeted attacks -Jexboss -PSExec -Hyena	AES(256) + RSA(2096)	samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe		https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip	http://blog.talosintel.com/2016/03/samsam-ransomware.html	http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf
Sanction	.sanction		DECRYPT_YOUR_FILES.HTML	Based on HiddenTear, but heavily modified keygen	AES(256) + RSA(2096)
Sanctions	.wallet		RESTORE_ALL_DATA.html		AES(256) + RSA(2048)				https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/
Sardoninir	.enc								https://twitter.com/BleepinComputer/status/835955409953357825
Satan	.stn		HELP_DECRYPT_FILES.html	RaaS	AES(256) + RSA(2096)				https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/
Satana	Sarah_G@ausi.com___		!satana!.txt						https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/	https://blog.kaspersky.com/satana-ransomware/12558/
Saturn			#DECRYPT_MY_FILES#.txt #DECRYPT_MY_FILES#.vbs #DECRYPT_MY_FILES.BMP	VM aware, deletes volume shadow copies, disables windows startup repair, clears windows backup catalog.			02/19/2018
Scarab	.scarab			Post encryption, text file is dropped w/personal identifier and email to contact as well as a Bitmessage account. Email = suupport[@]protonmail[.]com and Bitmessage = BM-2cTu8prUGDS6XmXqPrZiYXXeqyFw5dXEba
Scraper				no extension change				http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
SerbRansom	.velikasrbija								https://twitter.com/malwrhunterteam/status/830116190873849856	https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/
Serpent	.serpent		HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt	Batch file Passcode: RSA1014DJW2048	AES(256)	PayDOS			https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/	https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers
Serpico				DetoxCrypto Variant	AES				http://www.nyxbone.com/malware/Serpico.html
Shark	.locked		Readme.txt		AES(256)	Atom			http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/	http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/
ShellLocker	.L0cked								https://twitter.com/JakubKroustek/status/799388289337671680
ShinoLocker	.shino								https://twitter.com/JakubKroustek/status/760560147131408384	http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/
Shujin			文件解密帮助.txt			KinCrypt			http://www.nyxbone.com/malware/chineseRansom.html	http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/
Simple_Encoder	.~		_RECOVER_INSTRUCTIONS.ini		AES				http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/
SkidLocker / Pompous	.locked		READ_IT.txt	Based on EDA2	AES(256)			http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/	http://www.nyxbone.com/malware/SkidLocker.html
SkyName				Based on HiddenTear					https://twitter.com/malwrhunterteam/status/817079028725190656
Smash!									https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/
Smrss32	.encrypted		_HOW_TO_Decrypt.bmp
Snatch	.abcde .snatch .jimm .googl .dglnl .ohwqg .wvtr0 .hceem	appending .abcde to the original file name (e.g., filename.txt.abcde)	README_ABCDE_FILES.txt DECRYPT_ABCDE_DATA.txt						https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/	https://thedfirreport.com/2020/06/21/snatch-ransomware/	193.188.22.29 (:443) 193.188.22.29 (:37462) 193.188.22.26 193.188.22.25 67.211.209.151 (:3306) 37.59.146.180 45.147.228.91 185.61.149.242 94.140.125.150 mydatasuperhero.com mydatassuperhero.com snatch24uldhpwrm.onion snatch6brk4nfczg.onion	commands executed during the attack: vssadmin delete shadows /all /quiet bcdedit.exe /set {current} safeboot minimal shutdown.exe /r /f /t 00 net stop SuperBackupMan
SNSLocker	.RSNSlocked .RSplited		READ_Me.txt	Based on EDA2	AES(256)				http://nyxbone.com/malware/SNSLocker.html
Spora			[Infection-ID].HTML						https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware	http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/
Sport	.sport
Stampado	.locked		Random message includes bitcoin wallet address with instructions	Coded by “The_Rainmaker” Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key	AES(256)			https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221 http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/ https://decrypter.emsisoft.com/stampado	https://cdn.streamable.com/video/mp4/kfh3.mp4	http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/
Strictor	.locked			Based on EDA2, shows Guy Fawkes mask	AES(256)				http://www.nyxbone.com/malware/Strictor.html
Surprise	.surprise .tzu		DECRYPTION_HOWTO.Notepad	Based on EDA2	AES(256)
Survey			ThxForYurTyme.txt	Still in development, shows FileIce survey					http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
SynoLocker				Exploited Synology NAS firmware directly over WAN
SZFLocker	.szf							http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/
TeamXrat	.___xratteamLucked		Como descriptografar os seus arquivos.txt		AES(256)				https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/
TeleCrypt	.xcri		HELP_RESTORE.HTML RECOVER[5 random symbols].html	Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.		Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic	29.09.2023	https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3 https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/	https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/	https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/
TeslaCrypt 0.x – 2.2.0	.vvv .ecc .exx .ezz .abc .aaa .zzz .xyz		HELP_TO_SAVE_FILES.txt Howto_RESTORE_FILES.html	Factorization	RSA AES ECHD	AlphaCrypt		http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ http://www.talosintel.com/teslacrypt_tool/	https://www.fireeye.com/blog/threat-research/2015/05/teslacrypt_followin.html
TeslaCrypt 3.0+	.micro .xxx .ttt .mp3			4.0+ has no extension	AES(256) + ECHD + SHA1			http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/
TeslaCrypt 4.1A			RECOVER<5_chars>.html RECOVER<5_chars>.png RECOVER<5_chars>.txt _how_recover+.txt or .html help_recover_instructions+.BMP or .html or .txt _H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt HELP_TO_SAVE_FILES.txt or .bmp	no special extension	AES(256) + ECHD + SHA1			http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/	https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain	https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/
TeslaCrypt 4.2			RECOVER<5_chars>.html RECOVER<5_chars>.png RECOVER<5_chars>.txt _how_recover+.txt or .html help_recover_instructions+.BMP or .html or .txt _H_e_l_p_RECOVER_INSTRUCTIONS+.txt, .html or .png Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt HELP_TO_SAVE_FILES.txt or .bmp					http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/ http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/ https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/	http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/
Thanksgiving									https://twitter.com/BleepinComputer/status/801486420368093184
Threat Finder			HELP_DECRYPT.HTML	Files cannot be decrypted Has a GUI
TorrentLocker	.Encrypted .enc		HOW_TO_RESTORE_FILES.html DECRYPT_INSTRUCTIONS.html DESIFROVANI_POKYNY.html INSTRUCCIONES_DESCIFRADO.html ISTRUZIONI_DECRITTAZIONE.html ENTSCHLUSSELN_HINWEISE.html ONTSLEUTELINGS_INSTRUCTIES.html INSTRUCTIONS_DE_DECRYPTAGE.html SIFRE_COZME_TALIMATI.html wie_zum_Wiederherstellen_von_Dateien.txt	Newer variants not decryptable. Only first 2 MB are encrypted	AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt	Crypt0L0cker CryptoFortress Teerac		http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/	https://twitter.com/PolarToffee/status/804008236600934403	http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html
TowerWeb			Payment_Instructions.jpg						http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/
Toxcrypt	.toxcrypt		tox.html
Trojan	.braincrypt		!!! HOW TO DECRYPT FILES !!!.txt			BrainCrypt		https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip	https://twitter.com/PolarToffee/status/811249250285842432
Troldesh	.breaking_bad .better_call_saul .xtbl .da_vinci_code .windows10 .no_more_ransom		README.txt nomoreransom_note_original.txt	May download additional malware after encryption	AES(256)	Shade XTBL		https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf	http://www.nyxbone.com/malware/Troldesh.html	https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/
TrueCrypter	.enc				AES(256)				http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/
Trump Locker	.TheTrumpLockerf .TheTrumpLockerfp		What happen to my files.txt						https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/
Turkish	.sifreli								https://twitter.com/struppigel/status/821991600637313024
Turkish (Fake CTB-Locker)	.encrypted		Beni Oku.txt	keys in ‘%name%.manifest.xml					https://twitter.com/JakubKroustek/status/842034887397908480
Turkish Ransom	.locked		DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html		AES(256)				http://www.nyxbone.com/malware/turkishRansom.html
UltraLocker				Based on the idiotic open-source ransomware called CryptoWire	AES(256)				https://twitter.com/struppigel/status/807161652663742465	https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/
UmbreCrypt		umbrecrypt_ID_[VICTIMID]	README_DECRYPT_UMBRE_ID_[victim_id].jpg README_DECRYPT_UMBRE_ID_[victim_id].txt default32643264.bmp default432643264.jpg	CrypBoss Family	AES			http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware
UnblockUPC			Files encrypted.txt						https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/
Ungluk	.H3LL .0x0 .1999		READTHISNOW!!!.txt Hellothere.txt YOUGOTHACKED.TXT	Ransom note instructs to use Bitmessage to get in contact with attacker Secretishere.key SECRETISHIDINGHEREINSIDE.KEY secret.key	AES
Unlock26	.locked-[XXX]		ReadMe-XXX.html						https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/
Unlock92	.CRRRT .CCCRRRPPP		READ_ME_!.txt						https://twitter.com/malwrhunterteam/status/839038399944224768
Vanguard				GO Ransomware					https://twitter.com/JAMESWT_MHT/status/834783231476166657
VapeLauncher				CryptoWire variant					https://twitter.com/struppigel/status/839771195830648833
VaultCrypt	.vault .xort .trun		VAULT.txt xort.txt trun.txt .hta \| VAULT.hta		uses gpg.exe	CrypVault Zlader			http://www.nyxbone.com/malware/russianRansom.html
VBRANSOM 7	.VBRANSOM			Does not actually encrypt					https://twitter.com/BleepinComputer/status/817851339078336513
VenisRansomware				In dev VenisRansom@protonmail.com					https://twitter.com/Antelox/status/785849412635521024	http://pastebin.com/HuK99Xmj
VenusLocker	.Venusf .Venusp		ReadMe.txt	Based on EDA2	AES(256)				https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social	http://www.nyxbone.com/malware/venusLocker.html
Vindows Locker	.vindows				AES			https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph https://rol.im/VindowsUnlocker.zip	https://twitter.com/JakubKroustek/status/800729944112427008	https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/
Virlock	.exe			Polymorphism / Self-replication					http://www.nyxbone.com/malware/Virlock.html	http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/
Virus-Encoder	.CrySiS .xtbl .crypt .DHARMA	.id-########.decryptformoney@india.com.xtbl .[email_address].DHARMA	How to decrypt your data.txt		AES(256)	CrySiS		http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/ http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip	http://www.nyxbone.com/malware/virus-encoder.html	http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/
Vortex	.aes					Ŧl๏tєгค гคภร๏๓ฬคгє			https://twitter.com/struppigel/status/839778905091424260
vxLock	.vxLock
WannaCry	.wcry .wncry .WNCRY .WCRY		@Please_Read_Me@.txt			WannaCrypt WCry			https://twitter.com/struppigel/status/846241982347427840	https://docs.google.com/spreadsheets/d/1XNCCiiwpIfW8y0mzTUdLLVzoW6x64hkHJ29hcQW5deQ/pubhtml#
WildFire Locker	.wflx		HOW_TO_UNLOCK_FILES_README_().txt	Zyklon variant		Hades Locker			https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/
Winnix Cryptor	.wnx		YOUR FILES ARE ENCRYPTED!.txt		GPG				https://twitter.com/PolarToffee/status/811940037638111232
XCrypt			Xhelp.jpg						https://twitter.com/JakubKroustek/status/825790584971472902
XData	.~xdata~		HOW_CAN_I_DECRYPT_MY_FILES.txt						https://www.bleepingcomputer.com/news/security/xdata-ransomware-on-a-rampage-in-ukraine/#.WR-iz69z-MA.twitter
Xorist	.EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791 .antihacker2017		HOW TO DECRYPT FILES.TXT	encrypted files will still have the original non-encrypted header of 0x33 bytes length	XOR or TEA			https://support.kaspersky.com/viruses/disinfection/2911 https://decrypter.emsisoft.com/xorist
XRTN	.xrtn			VaultCrypt family
XYZWare				Based on HiddenTear					https://twitter.com/malwrhunterteam/status/833636006721122304
You Have Been Hacked!!!	.Locked			Attempt to steal passwords					https://twitter.com/malwrhunterteam/status/808280549802418181
YourRansom	.yourransom		README.txt						https://twitter.com/_ddoxer/status/827555507741274113	https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/
Zcrypt	.zcrypt					Zcryptor			https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
Zeta	.code .scl .rmd		# HELP_DECRYPT_YOUR_FILES #.TXT			CryptoMix			https://twitter.com/JakubKroustek/status/804009831518572544
Zimbra	.crypto		how.txt	mpritsken@priest.com					http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/
ZinoCrypt	.ZINO		ZINO_NOTE.TXT						https://twitter.com/malwrhunterteam/status/842781575410597894
Zlader / Russian	.vault			VaultCrypt family	RSA	VaultCrypt CrypVault			http://www.nyxbone.com/malware/russianRansom.html
Zorro	.zorro		Take_Seriously (Your saving grace).txt						https://twitter.com/BleepinComputer/status/844538370323812353
zScreenLocker									https://twitter.com/struppigel/status/794077145349967872
Zyka	.locked							https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip	https://twitter.com/GrujaRS/status/826153382557712385
Zyklon	.zyklon			Hidden Tear family, GNL Locker variant		GNL Locker

Generated by wpDataTables