From ca73a4f7354acfe5c6b4b73560dca8c0552ce168 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Tue, 2 May 2017 09:02:12 +0100
Subject: [PATCH 1/2] Add in Mordor and CryptoMix extensions
Just some additional extensions. On another note what is people's views on clearing out some of the older extensions from earlier versions of families (i.e. Locky has 8 IOCs alone yet only osiris is being used). There is an argument to be made for older variants being identified as part of research but I am wondering about performance.
---
 modules/signatures/ransomware_fileextensions.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/signatures/ransomware_fileextensions.py b/modules/signatures/ransomware_fileextensions.py
index dadba46..c0e0df8 100644
--- a/modules/signatures/ransomware_fileextensions.py
+++ b/modules/signatures/ransomware_fileextensions.py
@@ -78,6 +78,7 @@ def run(self):
 (".*\.sexy$", ["PayDay"]),
 (".*\.kraken$", ["Kraken"]),
 (".*\.lesli$", ["CryptoMix"]),
+ (".*\.WALLET$", ["CryptoMix"]),
 (".*\.sage$", ["Sage"]),
 (".*\.CRYPTOSHIELD$", ["CryptoShield"]),
 (".*\.serpent$", ["Serpent"]),
@@ -85,6 +86,7 @@ def run(self):
 (".*\.MOLE$", ["Mole"]),
 (".*\.onion$", ["Dharma"]),
 (".*\.grt$", ["Karmen"]),
+ (".*\.mordor$", ["Mordor"]),
 ]
 for indicator in indicators:
From 2a5075243daf84073c6e6bde4d21daaeba13f3a1 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 12 May 2017 07:49:16 +0100
Subject: [PATCH 2/2] Add in Jaff ransomware
---
 modules/signatures/ransomware_fileextensions.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/signatures/ransomware_fileextensions.py b/modules/signatures/ransomware_fileextensions.py
index c0e0df8..2b62e61 100644
--- a/modules/signatures/ransomware_fileextensions.py
+++ b/modules/signatures/ransomware_fileextensions.py
@@ -87,6 +87,7 @@ def run(self):
 (".*\.onion$", ["Dharma"]),
 (".*\.grt$", ["Karmen"]),
 (".*\.mordor$", ["Mordor"]),
+ (".*\.jaff$", ["Jaff"]),
 ]
 for indicator in indicators:
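Review bot: The three new patterns `.*\.WALLET$`, `.*\.mordor$` and `.*\.jaff$` (this hunk, the `-85,6` hunk, and the `-87,6` hunk of PATCH 2/2) are plain-string regexes whose case-sensitivity depends on how the loop at `for indicator in indicators:` compiles them, and that loop body lies outside the hunk; on a case-insensitive file system a sample writing `.wallet` or `.Jaff` would be missed unless the loop passes `re.IGNORECASE`, so that flag is worth confirming before mixing upper- and lower-case entries in the same list. The new lines also repeat the file's non-raw `"\."` escape, which newer Python versions warn about as an invalid escape sequence; for the added entries at least, `r".*\.WALLET$"` would be the cleaner form. Separately, the `.wallet` extension has been reported for Dharma/Crysis variants as well as CryptoMix, so the single-family label on that entry may mislead an analyst reading the match — if that attribution holds, `(".*\.WALLET$", ["CryptoMix", "Dharma"])` would reflect it.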