Overview

*Warning: filter1.py wants to read the family names from the first table in this file! First column must be the family names.

family	avclass label
7ev3n	TBD
Alcatraz-Locker	TBD
AlphaCrypt	TBD
AngryDuck	TBD
BadRabbit	TBD
BandarChor	TBD
~~Bart~~	TBD
Browlock	TBD
Bucbi	TBD
~~CHIP~~	TBD
CTB-Locker	TBD
Citron	TBD
Cerber	`cerber`
Chanitor	TBD
Chimera	TBD
Coinvault	TBD
Comrade-Circle	TBD
Critroni	TBD
Crowti	TBD
CryLocker	TBD
CrypVault	TBD
CryptFile2	TBD
CryptInfinite	TBD
CryptXXX	TBD
CryptoApp	TBD
CryptoDefense	TBD
CryptoFortress	TBD
CryptoJocker	TBD
CryptoLocker	TBD
CryptoLuck	TBD
CryptoMix	TBD
CryptoShield	TBD
CryptoWall	TBD
Cryptvault	TBD
Crysis	TBD
DMALocker	TBD
DXXD	TBD
Dharma	TBD
DirtyDecrypt	`dircrypt`
Disakil	TBD
Domino	TBD
~~Dumb~~	TBD
DummyLocker	TBD
Encryptor	TBD
~~Enigma~~	TBD
Exotic	TBD
Fakben	TBD
Fantom	TBD
Fsociety	TBD
GandCrab	TBD
Ginx	TBD
~~Globe~~	TBD
Gomasom	TBD
Gpcoder	TBD
Gremit	TBD
HDDCryptor	TBD
HadesLocker	TBD
Herbst	TBD
Hi Buddy	TBD
Hidden Tear	TBD
HydraCrypt	TBD
Jaff	TBD
Jigsaw	`jigsaw`
Job Cryptor	TBD
Karmen	TBD
KeRanger	TBD
KillerLocker	TBD
Kostya	TBD
~~Kovter~~	TBD
Kraken	TBD
LeChiffre	TBD
Linkup	TBD
Lock93	TBD
LockDroid	TBD
LockLock	TBD
Locky	TBD
LowLevel404	TBD
MBL Advisory	TBD
MIRCOP	TBD
MMLocker	TBD
Mabouia	TBD
~~Magic~~	TBD
Maktub	TBD
Mamba	TBD
MarsJoke	TBD
Matsnu	TBD
~~Mole~~	TBD
Mordor	TBD
Nanolocker	TBD
Nemucod	TBD
~~Nuke~~	TBD
Nullbyte	TBD
Nymaim	TBD
ORX-Locker	TBD
Onion	TBD
Pacman	TBD
PayCrypt	TBD
PayDay	TBD
Pclock	TBD
Petya	TBD
NotPetya	TBD
Phonywall	TBD
PoshCoder	TBD
Power Worm	TBD
Radamant	TBD
Ransom-FUE	TBD
Ransom32	TBD
~~Ransomlock~~	TBD
~~Razy~~	TBD
~~Revenge~~	TBD
~~Reveton~~	TBD
~~Rex~~	TBD
Ryuk	TBD
Hermes	TBD
~~Sage~~	TBD
SamSam	TBD
Satana	TBD
Serpent	TBD
SharkRaaS	TBD
Simplocker	TBD
Slocker	TBD
Sodinokibi	TBD
Synolocker	TBD
TeslaCrypt	`tescrypt`
Threat Finder	TBD
TorrentLocker	TBD
~~Tox~~	TBD
ToxCrypt	TBD
Troldesh	TBD
Umbrecrypt	TBD
Unix.Ransomcrypt	TBD
Unnamed_0	TBD
~~Urausy~~	TBD
VaultCrypt	TBD
VenusLocker	TBD
Vipasana	TBD
VirLock	TBD
Viruscoder	TBD
WannaCry	`wannacry`
WildFire	TBD
WinPlock	TBD
XRTN	TBD
Xorist	TBD
ZCryptor	TBD
Zerolocker	TBD
Zyklon	TBD
n1n1n1	TBD

Struck-out families have been genericided because they (3 out of 4):

match a huge number of samples
contain way too many different avclass labels
are very rarely detected as something containing ransom
are a common English word

genericidy.py is used to get the numbers and sorts the families according to the first 3 criteria. The families are then filtered manually.

family	samples	labels	ransom	fraction	unicorns
Globe	4448	58	0.72468	0.33421	0.80126
Kovter	6213	254	4.17811	0.46683	0.70964
Revenge	245	33	0.01022	0.01841	0.90612
Dumb	779	209	0.11583	0.05853	0.89859
CHIP	1470	123	0.11474	0.11045	0.99116
Bart	2219	176	0.13290	0.16673	0.98963
Nuke	1850	389	0.24189	0.13900	0.96757
Urausy	32794	619	5.28424	2.46404	0.82747
Reveton	23306	596	3.53314	1.75114	0.84099
Ransomlock	35756	1766	12.09938	2.68659	0.70466
Sage	11680	799	0.71278	0.87760	0.95950
Razy	111950	1163	0.42245	8.41157	0.93777
Magic	4084	116	0.00000	0.30686	0.98531
Enigma	11424	1247	0.01817	0.85836	0.99492
Mole	37496	1701	0.03619	2.81733	0.99176
Tox	60370	953	0.01621	4.53601	0.99715
Rex	719047	1544	0.00690	54.02692	0.99175

Ransomlock is a generic label used for many annoying lock-the-desktop type programs.
Tox is a Ransomware-as-a-Service, but also matches toxic and is hence useless.
Kovter, Reveton and Urausy are families of lock-the-desktop type programs with scary police-themes messages.
VirLock has an incredibly huge number of samples, but that's fully expected for a fully polymorphic virus. Left in the sample, though sharing the encrypted files is expected to be problematic when each of them contains a copy of the malware...

Some lock-the-desktop ransomware might encrypt files, but finding the single instance that does that in several 10k samples is impractical.

TheZoo collection

https://github.com/ytisf/theZoo

family	directory name
Matsnu	`Ransomware.Matsnu`
Radamant	`Ransomware.Radamant`
Petrwrap	`Ransomware.Petrwrap`
DirtyDecrypt	`Win32Dircrypt.Trojan.Ransom.ABZ`
TeslaCrypt	`Ransomware.TeslaCrypt`
Unnamed_0	`Ransomware.Unnamed_0`
Cerber	`Ransomware.Cerber`
CryptoWall	`Ransomware.Cryptowall`
Jigsaw	`Ransomware.Jigsaw`
Locky	`Ransomware.Locky`
Mamba	`Ransomware.Mamba`
Petya	`Ransomware.Petya`
Rex	`Ransomware.Rex`
Satana	`Ransomware.Satana`
Vipasana	`Ransomware.Vipasana`
WannaCry_Plus	`Ransomware.WannaCry_Plus`
WannaCry	`Ransomware.WannaCry`

Cuckoo's signatures

family	signature filename
7ev3n	`ransomware_fileextensions.py`
Alcatraz-Locker	`ransomware_files.py`, `ransomware_fileextensions.py`
AlphaCrypt	`ransomware_files.py`
AngryDuck	`ransomware_fileextensions.py`
Bart	`ransomware_fileextensions.py`
CHIP	`ransomware_files.py`, `ransomware_fileextensions.py`
CTB-Locker	`ransomware_files.py`
Cerber	`ransomware_files.py`
Chanitor	`ransom_mutex.py`
Chimera	`ransomware_files.py`
Comrade-Circle	`ransomware_files.py`, `ransomware_fileextensions.py`
CryLocker	`ransomware_fileextensions.py`
CrypVault	`ransomware_files.py`
CryptFile2	`ransomware_files.py`, `ransomware_fileextensions.py`
CryptXXX	`ransomware_files.py`, `ransomware_fileextensions.py`
CryptoLocker	`ransomware_files.py`
CryptoLuck	`ransomware_fileextensions.py`
CryptoMix	`ransomware_fileextensions.py`
CryptoShield	`ransomware_fileextensions.py`
CryptoWall	`ransomware_files.py`
Crysis	`ransomware_fileextensions.py`
DMALocker	`ransomware_files.py`
DXXD	`ransomware_fileextensions.py`
Dharma	`ransomware_fileextensions.py`
Domino	`ransomware_fileextensions.py`
DummyLocker	`ransomware_fileextensions.py`
Enigma	`ransomware_fileextensions.py`
Exotic	`ransomware_fileextensions.py`
Fakben	`ransomware_files.py`
Fantom	`ransomware_files.py`, `ransomware_fileextensions.py`
Fsociety	`ransomware_fileextensions.py`
Globe	`ransomware_fileextensions.py`
Gremit	`ransomware_fileextensions.py`
HadesLocker	`ransomware_files.py`, `ransomware_fileextensions.py`
Herbst	`ransomware_fileextensions.py`
HydraCrypt	`ransomware_files.py`, `ransomware_fileextensions.py`
Jaff	`ransomware_fileextensions.py`
Karmen	`ransomware_fileextensions.py`
KillerLocker	`ransomware_fileextensions.py`
Kostya	`ransomware_fileextensions.py`
Kraken	`ransomware_fileextensions.py`
LeChiffre	`ransomware_files.py`
Lock93	`ransomware_fileextensions.py`
LockLock	`ransomware_fileextensions.py`
Locky	`ransomware_files.py`, `ransomware_fileextensions.py`
MMLocker	`ransomware_files.py`
Maktub	`ransomware_files.py`
MarsJoke	`ransomware_files.py`
Mole	`ransomware_fileextensions.py`
Mordor	`ransomware_fileextensions.py`
Nuke	`ransomware_files.py`, `ransomware_fileextensions.py`
Nullbyte	`ransomware_fileextensions.py`
PayDay	`ransomware_fileextensions.py`
Radamant	`ransomware_files.py`
Razy	`ransomware_fileextensions.py`
Revenge	`ransomware_fileextensions.py`
Sage	`ransomware_fileextensions.py`
Satana	`ransomware_files.py`
Serpent	`ransomware_fileextensions.py`
TeslaCrypt	`ransomware_files.py`
ToxCrypt	`ransomware_fileextensions.py`
Troldesh	`ransomware_fileextensions.py`
VenusLocker	`ransomware_fileextensions.py`
Viruscoder	`ransomware_viruscoder.py`
WannaCry	`ransomware_fileextensions.py`
WildFire	`ransomware_files.py`
WildFire-Locker	`ransomware_fileextensions.py`
WinPlock	`ransomware_files.py`
n1n1n1	`ransomware_files.py`

Symantec ISTRs

https://www.symantec.com/security-center/archived-publications

Volume 21/2016 has a complete timeline of ransomware on page 59, going all the way back to Gpcoder in 2005.

| Name | ISTR Volume | +-------------------+------------------+ | 73v3n | 21/2016 | | BadRabbit | 23/2018 | | BandarChor | 21/2016 | | Browlock | 21/2016 | | Bucbi | 22/2017 | | CTB-Locker/Citron | 21/2016 | | Cerber | 22/2017, 23/2018 | | Chimera-Locker | 21/2016 | | Coinvault | 21/2016 | | CryptInfinite | 21/2016 | | CryptXXX | 22/2017 | | CryptoApp | 21/2016 | | CryptoJocker | 21/2016 | | CryptoLocker | 22/2017 | | Cryptolocker2015 | 21/2016 | | Cryptowall | 23/2018, 21/2016 | | Cryptvault | 21/2016 | | Crysis | 24/2019 | | DMA-Locker | 21/2016 | | Disakil | 23/2018, 22/2017 | | Dumb | 21/2016 | | Encryptor RaaS | 21/2016 | | Ginx | 21/2016 | | Gomasom | 21/2016 | | Gpcoder | 21/2016 | | HDDCryptor | 22/2017 | | Hi Buddy | 21/2016 | | Hidden Tear | 21/2016 | | Hydracrypt | 21/2016 | | Job Cryptor | 21/2016 | | KeRanger | 21/2016, 22/2017 | | Kovter | 21/2016 | | LeChiffre | 21/2016 | | Linkup | 21/2016 | | LockDroid | 21/2016 | | Locky | 23/2018, 22/2017, 21/2016 | | LowLevel404 | 21/2016 | | MIRCOP | 22/2017 | | Mabouia OSX POC | 21/2016 | | Magic | 21/2016 | | Nanolocker | 21/2016 | | Nemucod | 22/2017 | | Nymaim | 21/2016 | | ORX-Locker | 21/2016 | | Onion | 21/2016 | | Pacman | 21/2016 | | PayCrypt | 21/2016 | | Pclock | 21/2016 | | Petya / NotPetya | 23/2018 | | Phonywall | 23/2018 | | Power Worm | 21/2016 | | Radamant | 21/2016 | | Ransom32 | 21/2016, 22/2017 | | Ransomlock | 22/2017 | | Reveton | 21/2016 | | Ryuk / Hermes | 24/2019 | | SamSam | 24/2019, 22/2017 | | SharkRaaS | 22/2017 | | Simplocker | 21/2016, 22/2017 | | Slocker | 21/2016 | | Synolocker | 21/2016 | | TeslaCrypt | 21/2016 | | Threat Finder | 21/2016 | | TorrentLocker | 21/2016, 23/2018 | | Tox | 21/2016 | | Troldesh | 21/2016 | | Umbrecrypt | 21/2016 | | Unix.Ransomcrypt | 21/2016 | | Urausy | 21/2016 | | VaultCrypt | 21/2016 | | Vipasana | 21/2016 | | VirLock | 21/2016 | | Wannacry | 23/2018 | | XRTN | 21/2016 | | ZCryptor | 22/2017 | | Zerolocker | 21/2016 | | Zyklon | 22/2017 |

ShieldFS paper

https://doi.org/10.1145/2991079.2991110

CryptoLock paper

https://doi.org/10.1109/ICDCS.2016.46

"Filecoder" is a generic label by AV software; it matches 12674 samples from 300 different families.

Other

Name	Source
GandCrab	https://www.hornetsecurity.com/de/security-informationen/gandcrab-analyse
Sodinokibi	https://heise.de/-4483691

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

families.md

families.md

Overview

TheZoo collection

Cuckoo's signatures

Symantec ISTRs

ShieldFS paper

CryptoLock paper

Other

Files

families.md

Latest commit

History

families.md

File metadata and controls

Overview

TheZoo collection

Cuckoo's signatures

Symantec ISTRs

ShieldFS paper

CryptoLock paper

Other