[Community-sigs] unlock26 Ransomware (DotRansomware RaaS)

Askar Dyussekeyev dyussekeyev at yandex.kz
Fri Mar 31 02:48:00 EDT 2017


Hello!

Here is a signature for the unlock26 ransomware (aka DotRansomware RaaS).

Info:
- https://twitter.com/jiriatvirlab/status/834872917020250113
- https://twitter.com/CryptoInsane/status/834846766973452288
- https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/

Samples:
https://www.virustotal.com/ru/file/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68/analysis/
https://www.hybrid-analysis.com/sample/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68?environmentId=100
- 4BBDB76EA771A34DC1ED3070FE4BBBF64357160F
- ED435A6230F8920B543C44B71F95F537AFB8387B

A simple logical signature for the filecryptor invariants, which looks for specific strings:

Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;63616368652E6462;6E74757365722E64;526561644D65;68696464656E;73006800610064006F;2670726963653D;26636F756E747279;2661707049

Best regards,
Askar
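
Added example, not part of the original post and not ClamAV code: a Python sketch that splits the logical signature above into its fields, decodes the eight hex subsignatures into the strings they match, and evaluates the AND expression against constructed buffers. It assumes plain hex subsignatures with no wildcards and does not check the Target:1 (PE) file type; the function names are hypothetical.

```python
import re

# Signature line copied verbatim from the post above.
LDB = ("Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;"
       "63616368652E6462;6E74757365722E64;526561644D65;68696464656E;"
       "73006800610064006F;2670726963653D;26636F756E747279;2661707049")

def parse_ldb(line):
    """Split an .ldb line into name, target block, expression, subsignatures."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    return {"name": name, "target": target, "expr": expr,
            "subsigs": [bytes.fromhex(s) for s in subsigs]}

def describe(pattern):
    """Render a pattern as text, flagging UTF-16LE (every odd byte is NUL)."""
    if len(pattern) > 2 and not any(pattern[1::2]):
        return pattern[0::2].decode("ascii") + "  (UTF-16LE)"
    return pattern.decode("ascii")

def matches(sig, data):
    """Evaluate an AND-only expression such as 0&1&2 against a byte buffer."""
    if not re.fullmatch(r"\d+(&\d+)*", sig["expr"]):
        raise ValueError("only plain AND expressions are handled here")
    return all(sig["subsigs"][int(i)] in data for i in sig["expr"].split("&"))

sig = parse_ldb(LDB)
# Constructed buffers (not real sample content): one holds all eight
# strings, the other omits the last one, so the AND expression fails.
full = b"\x00".join(sig["subsigs"])
partial = b"\x00".join(sig["subsigs"][:-1])

if __name__ == "__main__":
    for i, p in enumerate(sig["subsigs"]):
        print(i, describe(p))
    print(matches(sig, full), matches(sig, partial))
```

Because every subsignature is a short, common-looking string, the detection rests on all eight being present together in one PE file.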


