[Community-sigs] unlock26 Ransomware (DotRansomware RaaS)
Christopher Marczewski
cmarczewski at sourcefire.com
Fri Mar 31 14:15:10 EDT 2017
Askar,
Thank you again for another submission this week. This signature is
currently under review.
We'll be sure to keep you posted.
On Fri, Mar 31, 2017 at 2:48 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:
> Hello!
>
> Here is a signature for unlock26 ransomware (aka DotRansomware RaaS)
>
> Info:
> - https://twitter.com/jiriatvirlab/status/834872917020250113
> - https://twitter.com/CryptoInsane/status/834846766973452288
> - https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/
>
> Samples:
> https://www.virustotal.com/ru/file/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68/analysis/
> https://www.hybrid-analysis.com/sample/d03d843a0abfcd2308dfbedc5b6dc6c128e340f875542c7c94cf2c65791bed68?environmentId=100
> - 4BBDB76EA771A34DC1ED3070FE4BBBF64357160F
> - ED435A6230F8920B543C44B71F95F537AFB8387B
>
> Simple logical signature for filecryptor invariants looks for specific
> strings:
>
> Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;63616368652E6462;6E74757365722E64;526561644D65;68696464656E;73006800610064006F;2670726963653D;26636F756E747279;2661707049
>
> Best regards,
> Askar
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
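
Added example, not part of the original thread or of ClamAV's code: a short Python reader for the logical signature quoted above, which splits it into name, target description block, logical expression and subsignatures and decodes each hex subsignature into the string it looks for. The function names are hypothetical, and the sketch assumes plain hex subsignatures and an AND-only expression, as in this submission; it ignores the Engine and Target constraints when testing a buffer.

```python
"""Decode a ClamAV logical (.ldb) signature into readable parts."""

# Signature as posted in the thread above, re-joined onto one line.
SIG = ("Win.Ransomware.unlock26;Engine:51-255,Target:1;0&1&2&3&4&5&6&7;"
       "63616368652E6462;6E74757365722E64;526561644D65;68696464656E;"
       "73006800610064006F;2670726963653D;26636F756E747279;2661707049")


def render(raw: bytes) -> str:
    """Show bytes as text; treat 'x\\0y\\0...' patterns as UTF-16LE."""
    if len(raw) > 2 and not any(raw[1::2]):
        return "wide:" + raw[0::2].decode("ascii", "replace")
    return raw.decode("ascii", "replace")


def parse_ldb(line: str) -> dict:
    """Split into name; target block; logical expression; subsignatures."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    # Only plain hex bodies are handled (no wildcards, offsets or modifiers).
    strings = [render(bytes.fromhex(h)) for h in subsigs]
    return {"name": name, "target": target, "expr": expr, "strings": strings}


def would_match(line: str, data: bytes) -> bool:
    """Evaluate a pure-AND expression against a buffer (simplified check)."""
    _, _, expr, *subsigs = line.strip().split(";")
    needed = [int(i) for i in expr.split("&")]
    return all(bytes.fromhex(subsigs[i]) in data for i in needed)


if __name__ == "__main__":
    info = parse_ldb(SIG)
    print(info["name"], info["target"], info["expr"])
    for idx, text in enumerate(info["strings"]):
        print(f"  subsig {idx}: {text!r}")
```

Because the expression is `0&1&2&3&4&5&6&7`, all eight strings must be present in a PE file (Target:1) for the signature to fire; the fifth subsignature is a wide-character fragment, the rest are ASCII.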