Ransomware Overview List

This document lists the names of various ransomware families and provides additional details about each one, including file extensions used, encryption algorithms, and in some cases links to decryption tools or analysis. There are over 100 ransomware families listed with brief 1-2 sentence descriptions provided for many. The document appears to be a catalog or database of ransomware threats.

Uploaded by BrittAdams

Name

.CryptoHasYou.
7ev3n
Alpha Ransomware
AutoLocky
Bandarchor
BitCryptor
Booyah
Brazilian
BrLock
Browlock
Bucbi
BuyUnlockCode
Cerber
Chimera
Chinese Ransom
CoinVault
Coverton
Cryaki
Crybola
Cryptear
CryptFIle2
CryptInfinite
CryptoDefense
CryptoHost
CryptoJoker
CryptoLocker
CryptoMix
CryptoTorLocker2015
CryptoWall
CryptXXX
CryptXXX 2.0
CTB-Locker
CTB-Locker WEB
DeCrypt Protect
DMALocker
DMALocker 3.0
EDA2 / HiddenTear
El-Polocker
Enigma
Fakben

Extensions
.enc
.R5A
.R4A
.encrypt
.locky
.clf
.lock
.cerber
.crypt
.txt
.clf
.coverton
.enigma
.{CRYPTENDBLACKDC}
.scl
.crinf
.crjoker
.encrypted
.code
.CryptoTorLocker2015!
(random)
.crypt
.ctbl
.html
.locked
.ha3
.enigma
.locked

Extension Pattern
.id-[ID]_[EMAIL_ADDRESS]
(.*).encoded.([A-Z0-9]{
id[_ID][email protected]
.id_(ID_MACHINE)[email protected]_.code
.([a-z]{6,7})

Comment
EXE was replaced to neutralize threat
Based on EDA2
no local encryption, browser only
no file name / extension change
Does not delete Shadow Copies
no extension change
RARs victim's files
no longer relevant
Locks screen. Ransom note names are an ID
websites only
no extension change
no extension change
Open sourced C#, HT has PRNG exploit
Based on Hidden Tear

Fury
Gomasom
Gopher
Harasom
Hi Buddy!
HydraCrypt
iLock
iLockLight
Jigsaw
Job Crypter
JobCrypter
KeRanger
KeyBTC
KEYHolder
KimcilWare
KryptoLocker
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
Mabouia
Magic
MaktubLocker
MireWare
MM Locker
Mobef
NanoLocker
Nemucod

Offline ransomware
OMG! Ransomware
Operation Global III
PClock
Petya
PowerWare
RaaS
Radamant

Extensions
.crypt
.html
.cry
.crime
.crime
.btc
.kkk
.locked
.locked
.encrypted
.keybtc@inbox_com
.kimcilware
.locked
.LeChiffre
.locky
.crime
.magic
.fucked
.KEYZ
.KEYH0LES
.crypted
.cbf
.LOL!
.OMG!
.EXE
.RDM
.RRK

Extension Pattern
!___[EMAILADDRESS]_.crypt
hydracrypt_ID_[\w]{8}
([A-F0-9]{32}).locky
[a-z]{4,6}
email-[params].cbf

Comment
OS X ransomware (PoC)
Based on HiddenTear
CrypBoss Family
Based on HiddenTear, but uses TripleDES, decrypter
OS X Ransomware
websites only
Based on HiddenTear
Linux Ransomware
no extension change
Prepends filenames
OS X ransomware (PoC)
Based on EDA2
Based on HiddenTear
Based on EDA2
no extension change
7zip (a0.exe) variant cannot be decrypted
CryptoLocker Copycat
encrypts disk partitions
Open-sourced PowerShell
Ransomware as a Service
Rakhni
Rannoh
Ransom32
Rector
RemindMe
Rokku
Samas-Samsam
Sanction
Scraper
SkidLocker / Pompous
Sport
Strictor
Surprise
SynoLocker
TeslaCrypt 0.x - 2.2.0
TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
Troldesh
TrueCrypter
UmbreCrypt
VaultCrypt
Virus-Encoder
Xorist
XRTN
Zlader / Russian

Extensions
.locked
.kraken
.vscrypt
.infected
.remind
.rokku
.encryptedAES
.encryptedRSA
.sanction
.locked
.sport
.locked
.surprise
.vvv
.ecc
.micro
.xxx
.Encrypted
.better_call_saul
.xtbl
.enc
.vault
.xort
.CrySiS
.EnCiPhErEd
.73i87A
.xrtn
.vault

Extension Pattern
.coderksu@gmail_com_id[0-9]{2,3}
[email protected].[\w]{4,12}
locked-<original name>.[a-zA-Z]{4}
umbrecrypt_ID_[VICTI

Comment
no extension change, Javascript Ransomware
possibly related with Chimera
Targeted attacks - Jexboss
Based on HiddenTear, but heavily modified keygen
no extension change
Based on EDA2
Based on EDA2
Based on EDA2
Exploited Synology NAS firmware directly over
Factorization
4.0+ has no extension
no special extension
Newer variants not decryptable
CrypBoss Family
VaultCrypt family
VaultCrypt family

Encryption Algorithm
AES(256)
AES(256)
AES(256)
AES(256)
AES
GOST
AES
AES(256)
AES(256)
RSA
AES(256) (RAR implementation)
RSA(2048)
AES(256)
AES(256)
AES(256)
AES(256)
AES (128)

Also known as
7ev3n-HONE$T
AlphaLocker
Decryptor / Info / Screenshots
http://www.nyxbone.com/malware/CryptoHasYou
https://github.com/hasherezade/malware_analysis/tree/master/7ev3
http://www.nyxbone.com/malware/7ev3n-HONE$
http://download.bleepingcomputer.com/demonslay335/AlphaDecry
http://www.bleepingcomputer.com/news/security
https://decrypter.emsisoft.com/autolocky
https://reaqta.com/2016/03/bandarchor-ransomw
https://noransom.kaspersky.com/
http://www.nyxbone.com/malware/brazilianRanso
http://www.nyxbone.com/imag
https://www.proofpoint.com/us/threat-insight/po
http://researchcenter.paloaltonetworks.com/2016
https://blog.malwarebytes.org/threat-analysis/201
https://blog.malwarebytes.org/threat-analysis/201
http://www.nyxbone.com/malware/chineseRanso
https://noransom.kaspersky.com/
http://www.bleepingcomputer.com/news/security
https://support.kaspersky.com/viruses/disinfection/8547
https://support.kaspersky.com/viruses/disinfection/8547
http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b
https://www.proofpoint.com/us/threat-insight/po
https://decrypter.emsisoft.com/
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/news/security/cryptohost-decryp
https://www.fireeye.com/blog/executive-perspective/2014/08/your-l
https://reaqta.com/2016/04/uncovering-ransomw
http://www.nyxbone.com/malware/CryptoMix.htm
http://www.nyxbone.com/imag
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotor
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/po
https://thisissecurity.net/2016/02/26/a-lockpicking
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_m
https://blog.malwarebytes.org/threat-analysis/201
https://decrypter.emsisoft.com/
https://github.com/hasherezade/dma_unlocker
https://blog.malwarebytes.org/threat-analysis/201
http://www.bleepingcomputer.com/news/security
https://blog.fortinet.com/post/fakben-team-ranso

Also known as (continued)
Rakhni
Salam!
KinCrypt
Hidden Tear
Manamecrypt
Telograph, ROI
Zeta
CryptProjectXXX
CryptProjectXXX
Cryptear
Los Pollos Hermanos

AES(256)

AES(256)
TripleDES
TripleDES
AES

AES
AES(256)
Linux.Encoder.{0,3}
AES(128)

AES(256)
AES(256)
AES(256)
AES(256)

Booyah
Yakes

XOR(255)
7zip

Vipasana
GPCode
XOR
Modified Salsa20
Sarento
AES(256)

https://support.kaspersky.com/viruses/disinfection/8547
https://decrypter.emsisoft.com/
https://decrypter.emsisoft.com/
http://www.nyxbone.com/malware/hibuddy.html
https://decrypter.emsisoft.com/
http://www.malware-traffic-analysis.net/2016/02/
http://www.bleepingcomputer.com/news/security/jigsaw-ransomwa
https://www.helpnetsecurity.com/2016/04/20/jigs
http://www.nyxbone.com/malware/jobcrypter.htm
http://forum.malekal.com/jobcrypter-geniesanstra
http://news.drweb.com/show/?i=9877&lng=en&c=5
http://www.welivesecurity.com/2016/03/07/new-m
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/forums/t/5594
https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decry
http://www.bleepingcomputer.com/news/security
https://decrypter.emsisoft.com/lechiffre
https://blog.malwarebytes.org/threat-analysis/201
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails
http://www.bleepingcomputer.com/forums/t/577246/locker-ransom
https://blog.malwarebytes.org/threat-analysis/201
https://www.proofpoint.com/us/threat-insight/po
http://nyxbone.com/malware/Mobef.html
http://nyxbone.com/images/art
http://github.com/Cyberclues/nanolocker-decryptor
https://decrypter.emsisoft.com/
https://github.com/Antelox/NemucodFR
http://bartblaze.blogspot.com.co/2016/02/vipasan
http://news.thewindowsclub.com/operation-global-iii-ransomware-d
https://decrypter.emsisoft.com/
http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-pa
https://blog.malwarebytes.org/threat-analysis/201
https://www.youtube.com/watch?v=mSqxFjZq_z4
http://www.nyxbone.com/malware/RaaS.html
https://decrypter.emsisoft.com/
http://www.bleepingcomputer.com/news/security
http://www.cyphort.com/radamant-ransomware-d

Agent.iih
Aura

Curve25519 + ChaCha
AES(256) + RSA(2096) samsam.exe
AES(256) + RSA(2096) MIKOPONI.exe
AES(256)
AES(256)
AES(256)
AlphaCrypt
AES(256) + ECHD +
SHA1
AES(256) + ECHD +
SHA1
AES(256)
AES(256)
AES
uses gpg.exe
AES(256)

RSA

Crypt0L0cker
CryptoFortress
Shade
XTBL
CrypVault
Zlader

VaultCrypt
CrypVault

https://support.kaspersky.com/us/viruses/disinfection/10556
https://support.kaspersky.com/viruses/disinfection/8547
https://www.google.de/search?tbm=isch&q=Ransomware+Ransom32
https://support.kaspersky.com/viruses/disinfection/4264
http://i.imgur.com/gV6i5SN.jpg
https://blog.malwarebytes.org/threat-analysis/201
http://blog.talosintel.com/2016/03/samsam-ranso
http://securelist.com/blog/research/69481/a-flawed-ransomware-en
http://www.bleepingcomputer.com/news/security/pompous-ransom
http://www.nyxbone.com/malware/SkidLocker.htm
http://www.nyxbone.com/malware/Strictor.html
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-r
http://www.talosintel.com/teslacrypt_tool/
https://www.endgame.com/blog/your-package-ha
http://www.bleepingcomputer.com/news/security
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker
http://www.nyxbone.com/malware/Troldesh.html
http://www.bleepingcomputer.com/news/security
http://www.bleepstatic.com/images/news/ransomware/t/truecrypter/truecrypter.png
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-um
http://www.nyxbone.com/malware/russianRansom
http://www.nyxbone.com/malware/virus-encoder
https://support.kaspersky.com/viruses/disinfection/2911
http://www.nyxbone.com/malware/russianRansom

Screenshots
http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png
http://www.nyxbone.com/malware/chineseRansom.html
http://www.nyxbone.com/images/articulos/malware/cryptomix/r2.png
http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
http://nyxbone.com/images/articulos/malware/mobef/0.png
http://www.nyxbone.com/malware/RaaS.html
http://www.bleepstatic.com/images/news/ransomware/t/truecrypter/truecrypter.png

Proposed Name
RemindMe
WonderCrypter
?
?
?
?
Xort?
Zeta
?
PLAUGE17?
?
WHAT IS SQ
?
?
?

Extensions
.remind
.h3ll
.crypttt
.8lock8
.neitrino
.xcrypt
.xort
.PLAUGE17
.locked

Extension Pattern
!!!ATTENTION.TXT!!!, READ_IT.TXT
MESSAGE.TXT
xort.txt
.id_*[email protected]
HELP_YOUR_FILES.HTML
FILES_BACK.TXT
PLAGUE17.txt
sq_ (prepends file)
PoC
decrypt_your_files.html
SECRETISHIDINGHEREINSIDE.KEY, 4252016XYLITOL.KEY66
WHAT IS SQ_.txt
PLEASE READ.txt
I_A.txt
UNLOCK_FILES_INSTRUCTIONS.txt

Comment / Status
http://www.bleepingcomputer.com/forums/t/611740/remind-ransomware/
Hunting for sample
Submitted to IDR
Need analysed (7f76dd15545a6bf1804bed893e5e8214feb2f0368d3c6a6bccfddba61075c66d)
Submitted to IDR
Needs identified
Submitted to IDR
Needs identified
Submitted to IDR, ransom email: [email protected]
Needs identified
Submitted to IDR
Needs identified
Submitted to IDR
Needs confirmed
CONFIRMED as CryptoMix
Submitted to IDR, note: http://pastebin.com/Wvw7mGqB
Needs identified
Needs identified
Submitted to IDR, note: http://pastebin.com/zc4zMNpw
Submitted to BC, Mobef?
Needs identified
http://www.bleepingcomputer.com/forums/t/583610/how-to-decrypt-ransomware-name-what-is-sq/
Hunting for sample
Hunting for sample
Submitted to IDR, note: http://pastebin.com/6J4g33FQ
https://twitter.com/hahn_katja/status/728539813570347009
Needs identified; Chinese ransomware
Submitted to IDR and BC, note: http://pastebin.com/xj947Lh2
Hunting for sample

Name
.CryptoHasYou.
7ev3n
AutoLocky
Bandarchor
BitCryptor
Booyah
Brazilian
Browlock
BuyUnlockCode
Cerber
Chimera
CoinVault
Coverton
Cryaki
Crybola
Cryptear
CryptInfinite
CryptoDefense
CryptoHost
CryptoJoker
CryptoLocker
CryptoTorLocker2015
CryptoWall
CryptXXX
CTB-Locker
CTB-Locker WEB
DeCrypt Protect
DMALocker
DMALocker 3.0
EDA2 / HiddenTear
El-Pololocker
Fury
Gomasom
Gopher
Harasom
Hi Buddy!
HydraCrypt
iLock
iLockLight
Jigsaw

Microsoft Detection Name
Trojan:Win32/Dynamer!ac
Ransom:Win32/Empercrypt.A
Win32/Cribit
Ransom:JS/Brolo
Ransom:Win32/Cendode.A
Win32/Cerber
Win32/Chicrypt
Ransom:MSIL/Vaultlock.A
Ransom:Win32/Crowti
Ransom:Win32/Crowti
Win32/Fortrypt
Ransom:Win32/Crilock.A
Ransom:Win32/Crowti
Win32/Fortrypt
Ransom:MSIL/Nojocrypt.A
Ransom:Win32/DMALocker
Ransom:Win32/DMALocker.A
Ransom:MSIL/Ryzerlo
Ransom:PowerShell/Polock.A
Trojan:Win32/Harasom.A
Ransom:Win32/Tobfy.X
Ransom:MSIL/JigsawLocker.A

Microsoft Info
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=<detection name>

Job Crypter
JobCrypter
KeRanger
KeyBTC
KEYHolder
KimcilWare
KryptoLocker
LeChiffre
Linux.Encoder
Locker
Locky
Lortok
LowLevel04
Mabouia
Magic
MaktubLocker
Mobef
NanoLocker
Nemucod
Offline ransomware
OMG! Ransomware
Operation Global III
PClock
Petya
RaaS
RaaS
Radamant
Rannoh
Rannoh
RemindMe
Rector
RemindMe
Rokku
Samas-Samsam
Sanction
Scraper
SkidLocker / Pompous
Sport
Strictor
Surprise
SynoLocker

Microsoft Detection Name
Ransom:MacOS_X/KeRanger.A
Ransom:Win32/Isda
Ransom:BAT/Xibow
Ransom:Win32/Locky
TrojanDownloader:JS/Locky
Win32/Takabum
JS/Nemucod
Win32/Tescrypt

Microsoft Info
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=<detection name>

TeslaCrypt 3.0+
TeslaCrypt 4.1A
TeslaCrypt 4.2
TorrentLocker
TrueCrypter
UmbreCrypt
VaultCrypt
Virus-Encoder
Xorist
XRTN
Alpha Ransomware
Microsoft Detection Name
Ransom:Win32/Teerac
Win32/Fortrypt
Win32/Troldesh
Ransom:BAT/Xibow

Microsoft Info
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=<detection name>

Sandbox / IOCs / Snort

Sandbox
https://www.hybrid-analysis.com/sample/afd3394fb538b36d20085504b86000ea3969e0ae5da8e0c058801020ec8
https://www.hybrid-analysis.com/sample/2955d081ed9bca764f5037728125a7487f29925956f3095c58035919d502
https://www.hybrid-analysis.com/sample/90256220a513536b2a09520a1abb9b0f62efc89b873c645d3fd4a1f3ebed
https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921eefece6c843
https://www.hybrid-analysis.com/sample/7d66e29649a09bf3edb61618a61fd7f9fb74013b739dfc4921eefece6c843
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d
https://www.hybrid-analysis.com/sample/a375201f22b6e71d8ea0f81266242e4638e1754aeee14059e9c5e39026d
https://www.hybrid-analysis.com/sample/3ab7a35b31578b439be5d9498489b5e9d2a016db0a348a145979ed75f5
https://www.hybrid-analysis.com/sample/e12405096f83b30b712d200b2fc42ce595e1d1254a631d989714b4fa423
https://www.hybrid-analysis.com/sample/0348cdd333879d139306c3ff510b902013739c6bb244e20bcc5a4f762004
https://www.hybrid-analysis.com/sample/cddf81997b81869ad471df6b83c2dfe63a2551f4da9bdd57bce30b8d11e6
https://www.hybrid-analysis.com/sample/053369b3b63fe08c74d0269e9c29efde3500860f0394cbf6840d57032dea
https://www.hybrid-analysis.com/sample/d44a5f262ccb43f72ee2afde3e3ff2a55bbb3db5837bfa8aac2e8d7195014
https://www.hybrid-analysis.com/sample/1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82
https://www.hybrid-analysis.com/sample/3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e
https://otx.alienvault.com/browse?q=Rannoh
https://www.hybrid-analysis.com/sample/20f8ea706350e016a5a2e926293bbc59360608bdc9d279c4635ccddeb77

Microsoft Info (full links)
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:JS/Brolo
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cendode.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Crowti
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Fortrypt
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/DMALocker.A
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Ransom:PowerShell/Polock.A&ThreatID=-214727211
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Harasom.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:MacOS_X/KeRanger.A
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Isda
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:BAT/Xibow
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Locky
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Takabum
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32%2fTeerac
https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Win32/Troldesh

Measures

Measure | Type | Complexity* | Effectiveness* | Impact*
Backup and Restore | Recovery Process | Medium | High | Low
Block Macros | GPO | Low | High | Low
Disable WSH | GPO | Low | Medium | Medium
Filter Attachments Level 1 | Mail Gateway | Low | Medium | Low
Filter Attachments Level 2 | Mail Gateway | Low | High | High
Restrict program execution | GPO | Medium | Medium | Medium
Show File Extensions | User Assistance | Low | Low | Low
Enforce UAC Prompt | GPO | Low | Medium | Low
Remove Admin Privileges | Best Practice | Medium | Medium | Medium
Restrict Workstation Communication | Best Practice | Medium | Low | Low
Sandboxing Email Input | Advanced Malware Protection | Medium | High | (see note)
Execution Prevention | 3rd Party Tools | Medium | Medium | (see note)

Note: for the last two rows the sheet gives a single Impact value, "-", without indicating which of the two it belongs to.

Footnotes
* Complexity: The complexity of implementation also includes the costs of implementation (e.g. simple to implement but costly)
* Effectiveness: Do not overrate a 'high' in this column as it is a relative effectiveness in comparison to other measures
* Impact: The effects on business processes, administration or user experience

Description
Backup and Restore: Make sure to have adequate backup processes in place and frequently test a restore of these backups.
Block Macros: Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:
Disable WSH: Disable Windows Script Host.
Filter Attachments Level 1: Filter the following attachments on your mail gateway: .exe, .scr, .com, .vb, .vbs, .vbe, .ps1, .js, .jse, .bat, .ocx, .jar
Filter Attachments Level 2: Filter the following attachments on your mail gateway (Filter Level 1 plus): .doc, .xls, .rtf
Restrict program execution: Block all program executions from the %LocalAppData% and %AppData% folder.
Show File Extensions: Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding ...
Enforce UAC Prompt: Enforce administrative users to confirm an action that requires elevated rights.
Remove Admin Privileges: Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.
Restrict Workstation Communication: Activate the Windows Firewall to restrict workstation to workstation communication.
Sandboxing Email Input: Using a sandbox that opens email attachments and removes attachments based on behavior analysis.
Execution Prevention: Software that allows to control the execution of processes, sometimes integrated in Antivirus software.

Possible Issues
Administrative VBS scripts on Workstations
Office Communication with old versions of Microsoft Office files
Web embedded software installers
administrator resentment
Higher administrative costs

Links
Backup and Restore: http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7
Block Macros: https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=tw
Block Macros: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US
Disable WSH: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html
Restrict program execution: http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/
Restrict program execution: https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated
Show File Extensions: http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.html
Enforce UAC Prompt: https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Source: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-mal ... ttack-chain
Source: Symantec, Via: @certbund

Composition
This initial list has been composed by Mosh @nyxbone
https://twitter.com/nyxbone/status/715675420159508480/photo/1

Other Contributors
Florian Roth @Cyb3rOps
Bart @bartblaze
Michael Gillespie @demonslay335
Marcelo Rivero @MarceloRivero
Daniel Gallagher @DanielGallagher
Mosh @nyxbone
Katja Hahn @hahn_katja

Support
If you are a security researcher and want to support us, please contact me on Twitter and I'll grant you write

Sources
https://id-ransomware.malwarehunterteam.com/ (Identify ransomware by ransom note or encrypted file sample)
https://bartblaze.blogspot.com
http://www.malekal.com/
http://www.bleepingcomputer.com/
https://blog.malwarebytes.org/
http://www.nyxbone.com/
http://www.tripwire.com/state-of-security/security-data-protection/ransomware-happy-ending-10-known-decryption-cases/
http://www.thewindowsclub.com/list-ransomware-decryptor-tools
