Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Collection of Ransomware IOCs ( indicators of compromise)?


  • Please log in to reply
1 reply to this topic

#1 1stone

1stone

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 09 June 2016 - 04:24 PM

Hi all

 

I would be intrested in a Collection e.g. of

- Malware-Executables with the path and hash

- Extensions which are created during encryption

- Extensions of encrypted files

- PNG, GIF, HTML, etc. names

 

I've started to prevent infections with McAfee-VSE (Access-Protection-Rules, PUP). E.g. I've defined following PUPs:

eiasus.exe Locker from W97M-Downloader
doc._bewerbung_09_09_2015.pdf.exe Possible Malware
info_bank_pdf.exe Possible Malware
instructions_document.exe Possible Locky
ladybi.exe Possible Locky
perdoma.exe Possible Locky
loubueen.exe Possible Locky
varayge.exe Possible Locky
eruseedb.exe Possible Locky
label8.exe Possible Locky
samses.exe Possible CryptoTrojaner
76ghby6f45.exe Possible CryptoTrojaner
malpractice-budapest.exe Possible KryptoTrojaner
malpracticeplace.exe Possible KryptoTrojaner
malpractice_cashiers.exe Possible KryptoTrojaner
yQx4305s.exe Possible Locky
JcWoz53K.exe Possible Locky
mABMhF4r30.exe Possible Locky
UfobCB0EnOP.exe Possible Locky
AaIFaNr0MRjfNi.exe Possible Locky
UNI2iX8zM8rtpsz.exe Possible Locky
Bewerbungsmappe-gepackt.exe Possible Petya
BewerbungsmappePDF.exe Possible Petya
Bewerbungsmappe.PDF.exe Possible Petya
BewerbungsMappe.PDF..exe  Possible Petya
BewerbungsmappeZeugnisseLebenslauf.exe Possible Petya
Bewerbung.pdf.exe Possible Petya
Bewerbungsunterlagen.PDF.exe Possible Petya
uTorrent.exeuTorrent.exe Possible Manamecrypt
cryptohost.exe Possible CryptoHost
5021052.exe Possible Nemucod
drpbx.exe Possible Jigsaw
80.exe Possible TeslaCrypt 4.1a
3b788cd6389faa6a3d14c17153f5ce86.exe Possible Enigma
mspdclr.exe Possible Malware (SWIFT)
suerdf.exe Possible Cryptohitman
mogfh.exe Possible Cryptohitman
zcrypt.exe Possible ZCryptor
badransom.exe Possible BadBlock
etc.

 

...and a lot of Access-Protection-Rules:

Prevent EXCEL.EXE, OUTLOOK.EXE, POWERPNT.EXE, WINWORD.EXE to creatr .scr in **\Users\*\AppData\Roaming\**\*.scr

Prevent EXCEL.EXE, POWERPNT.EXE, WINWORD.EXE to create **\Users\**\temp\**\*.vbs

Prevent creation of *.turn, nsw3.tmp, *.locky,
Prevent all processes creation of **.tmp.tmp except EXPLORER.EXE, MIGRATORSERVER.EXE, OUTLOOK.EXE, RUNDLL32.EXE

Prevent execution of C:\Windows\directx.exe (Radamant)

etc.

 

Instead of searching the wohle Internet for useful informations it would be glad to have a list with all the findings about Ransomware...

 

Thanks in advance

 

Hausi

 



BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,586 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:11 AM

Posted 09 June 2016 - 05:41 PM

Simply having a whitelist of executables isn't of a whole lot of use - they constantly change the filename with ransomness on each victim.

 

As for IOCs in terms of ransom notes or file extensions, the Ransomware Overview Google Doc has a lot of that information.

 

https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pub?output=html

 

Otherwise, you are welcome to PM me if you have interest in having access to the API of ID Ransomware, which offers the regex to detect ransom notes and encrypted file patterns. It requires HMAC authentication, so you may only use it with a program you write yourself basically.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users