[Community-sigs] unlock26 Ransomware (DotRansomware RaaS)
Christopher Marczewski
cmarczewski at sourcefire.com
Mon Apr 10 12:36:23 EDT 2017
Askar,
We have finished reviewing the signature. It will be published soon,
pending a successful FP test.
Thanks again for the submission.
On Fri, Mar 31, 2017 at 2:15 PM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:
> Askar,
>
> Thank you again for another submission this week. This signature is
> currently under review.
>
> We'll be sure to keep you posted.
>
> On Fri, Mar 31, 2017 at 2:48 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
> wrote:
>
>> Hello!
>>
>> Here is a signature for unlock26 ransomware (aka DotRansomware RaaS):
>>
>> Info:
>> - https://twitter.com/jiriatvirlab/status/834872917020250113
>> - https://twitter.com/CryptoInsane/status/834846766973452288
>> - https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/
>>
>> Samples:
>> https://www.virustotal.com/ru/file/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68/analysis/
>> https://www.hybrid-analysis.com/sample/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68?environmentId=100
>> - 4BBDB76EA771A34DC1ED3070FE4BBBF64357160F
>> - ED435A6230F8920B543C44B71F95F537AFB8387B
>>
>> A simple logical signature for the filecryptor invariants looks for
>> specific strings:
>>
>> Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;63616368652E6462;6E74757365722E64;526561644D65;68696464656E;73006800610064006F;2670726963653D;26636F756E747279;2661707049
>>
>> Best regards,
>> Askar
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>
>
> --
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.832.2975
>
--
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
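
Added example, not part of the original thread and not ClamAV code: a small Python reader for the logical signature quoted above, which decodes each hex subsignature into the string it looks for and evaluates the `0&1&...&7` expression over a buffer. The function names and the test buffer are constructed for illustration; only plain hex subsignatures and `&`, `|`, parentheses are handled, and the Engine/Target block is parsed but not enforced.

```python
import re

# Signature from the thread, with the mail client's line wraps removed.
SIG = (
    "Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;"
    "63616368652E6462;6E74757365722E64;526561644D65;68696464656E;"
    "73006800610064006F;2670726963653D;26636F756E747279;2661707049"
)

def parse_ldb(line):
    """Split an .ldb line: name;target block;logical expression;subsig0;..."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return {
        "name": name,
        "tdb": dict(kv.split(":", 1) for kv in tdb.split(",")),
        "expr": expr,
        # Plain hex bodies only; wildcards and offsets are not handled here.
        "subsigs": [bytes.fromhex(s) for s in subsigs],
    }

def readable(pattern):
    """Render a subsignature as text, detecting wide (UTF-16LE) strings."""
    if len(pattern) > 2 and not any(pattern[1::2]):
        return pattern[0::2].decode("ascii") + " (UTF-16LE)"
    return pattern.decode("ascii")

def matches(sig, data):
    """Evaluate the logical expression over a buffer (file-type gate ignored)."""
    if not re.fullmatch(r"[0-9&|()]+", sig["expr"]):
        raise ValueError("unsupported logical expression")
    hits = [p in data for p in sig["subsigs"]]
    # After validation the string holds only True/False, &, | and parentheses.
    as_bools = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), sig["expr"])
    return bool(eval(as_bools, {"__builtins__": {}}))

def constructed_buffer(sig, skip=()):
    """Constructed test input: the subsig bytes joined with padding, not a sample."""
    parts = [p for i, p in enumerate(sig["subsigs"]) if i not in skip]
    return b"\x00PAD\x00".join(parts)

if __name__ == "__main__":
    sig = parse_ldb(SIG)
    print(sig["name"], sig["tdb"], sig["expr"])
    for i, p in enumerate(sig["subsigs"]):
        print(i, readable(p))
    print(matches(sig, constructed_buffer(sig)))
    print(matches(sig, constructed_buffer(sig, skip={7})))
```

Because the expression is a pure AND of all eight subsignatures, a buffer missing any one of the strings does not match.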