Ransomware Bundle


#1

### Bundle details and download
https://www.extrahop.com/community/bundles/tomr/ransomware-bundle/

### Description
This bundle provides a trigger that can help detect Ransomware (or cryptographic) attacks in real-time. There are multiple techniques available through this bundle, but all detection mechanisms are based upon analyzing traffic from the SMB/CIFS network protocol (a file sharing protocol, traditionally for Microsoft Windows systems). The trigger is intended to be highly configurable and is annotated to provide additional information for settings you can modify.


#2

There’s a new version (v1.2.0) I just posted on the forum (the link is above). Nothing major in this release, but I have tuned some of the default knobs which should reduce a large degree of the minimal false positives we detect in the bundle.

Also, I’ve included file extension definitions for many of the newer Ransomware variants that have come out in the past month (e.g. zcrypt, jigsaw, etc.).

Let me know if you have questions or need assistance!


#3

And now we have a newer version (v1.2.5) that was just published. Please upgrade to the latest bundle as soon as possible.


#4

Some new additions to the various trigger variables:

```javascript
var type_one_blacklist_basic = [
"imsorry", // Imsorry Ransomware
"spectre", // Spectre Ransomware
"ram", // Ramsey Ransomware
"lost", // Jigsaw Variant
"tax", // Unnamed Ransomware
"cerber3", // Cerber Ransomware
"tdelf", // TheDarkEncryptor Ransomware
"ogre", // Ogre Ransomware
"WINDOWS", // $usyLocker
"[3bitcoins@protonmail.com].blocking", // BTCWare Variant
"zilla", // Zilla Ransomware
"BeethoveN", // BeethoveN Ransomware
"R3K7M9", // Jigsaw Variant
"cr020801", // Unnamed Ransomware
"payforunlock", // CryptoGod Ransomware
"sVn", // Jaff Ransomware
"pr0tect", // SOREBRECT Ransomware
"sux", // Jigsaw Variant Ransomware
"Wana Decryptor Trojan-Syria Edition", // Wana Decrypt0r Trojan-Syria Edition Ransomware
"breeding123", // SamSam Ransomware
"mention9823", // SamSam Ransomware
"nsmf", // NSMF Ransomware
"kuntzware", // Kuntzware Ransomware
"enc", // Gangsta Ransomware
"org", // QuakeWay Ransomware
"lamo", // EyLamo Ransomware
"rat", // Jigsaw Variant
"locked", // HiddenTear Variant, MusicGuy Ransomware
"MMM", // MMM Ransomware
"0x004867", // MMM Ransomware
"moments2900", // Samas/SamSam Ransomware
"ipygh", // Karo Ransomware
"via", // ViACrypt Ransomware
"bubble", // CryptoBubble Ransomware
"gankLocked", // Gank Ransomware
"wallet", // Dharma Ransomware
"63vc4", // Nemesis/Cry36
"aleta", // BTCWare Ransomware
"dcry", // Un-named Ransomware
"3ncrypt3d", // GlobeImposter Ransomware
];

var type_one_blacklist_advanced = [
"Lock\.", // Crypt888
"petya\.dll", // Petya/(Not)Petya
"id_.*?_\[webmafia@asia\.com\]\.t5019", // Nemesis/Cry36 Ransomware
"#.*?#id#.*?", // Striked Ransomware
];

var type_two_whitelist_basic = [
"cdc", // Pyxis File
"cdctx", // Pyxis File
"vtc", // Bosch DVR File (Security Cameras)
"vib", // vSphere Installation Bundle
"utx", // Pyxis Machine File
"tmh", // Trace Message Header File
"tml", // Padgen File
"sbstore", // Mozilla Firefox Cache File
"hdr", // Image File
"recpt", // Pyxis File
"mwtx", // Pyxis File
"mmtx", // Pyxis File
"matx", // Pyxis File
"little", // Mozilla Firefox Startup Cache
"lck", // Lock File created by Paradox Relational Database Management System
"hr", // Created by Centricity
"hrq", // Created by Centricity
"ht", // Created by Centricity
"xmq", // Centricity DTS Server File
"dtx", // Pyxis File
"label", // Dymo Label Templates
"milt", // Pharmacy Application Log File
"edf", // Sleepware G3
"rml", // Sleepware G3 Capture File
"clinicalnotesform", // Centricity?
"dl_", // Sleepware G3 File
"vbk", // Veeam Backup File
"vbm", // Veeam Backup File
"vbm_.*?", // Veeam Backup File (Partial)
"vbm.*?", // Veeam Backup File
".vbm_.*?temp", // Veeam Backup File
"\.vbm.*?_temp", // Veeam Backup Temp Files
".*?temp", // Veeam Backup Temp Files
"userinfo", // Userinfo File
"dylib", // Websense Policy File
"ctrl", // MDLink Log Files
"pkc", // MDLink Package
"test", // EMU Test File
"stc", // EMU File
"ent", // EMU File
"epo", // EMU File
"erd", // EMU File
"snc", // EMU File
"vt2", // EMU File
"@tmp@", // BDI Rehab Temporary File
"ierl", // OneContent BDI Temporary File
"loc", // Centricity Temporary File
"85x", // MFM EDI Temporary File
"sem", // Centricity Temporary File
"def", // OneContent Temporary Image File
"ffl", // MFM-MSCM Data File
"directory", // Adobe Flash Cache File
"sl", // Centricity Error Log File
"vsdx", // Visio File
"~vsdx", // Visio Temp File
];

var type_four_blacklist_advanced = [
"Sifre_Coz_Talimat\.html", // Executioner Ransomware
"ReadMe_Important\.txt", // Mora Project Ransomware
"READ_IT\.txt", // $usyLocker Ransomware
"OkuBeni\.txt", // Zilla Ransomware
"your_key\.rsa", // Unnamed Ransomware
"READ ME ABOUT DECRYPTION\.txt", // SOREBRECT Ransomware
"readme\.txt", // NSMF Ransomware
"File_Encryption_Notice\.txt", // aZaZel Ransomware
"__iWasHere\.txt", // QuakeWay Ransomware
"note\.html", // Reetner Ransomware
"### DECRYPT MY FILES ###\.html", // Nemesis/Cry36 Ransomware
"Ransom\.rtf", // Fenrir Ransomware
"Ransompng_6304118_26774912\.png", // Fenrir Ransomware
"HOW_TO_DECRYPT\.txt", // Un-Named Ransomware
];
```


#5

Here are some later additions (includes @smlextrahop01’s above) for type 1, 2 and 4.

More than 90% of environments I’ve seen require these type 2 exceptions. Please review prior to installing into your environment.

```javascript
//---------------------------------------------------------------
// Type 1 basic adds start
//---------------------------------------------------------------

"0402", // 0402 Ransomware
"0x004867", // MMM Ransomware
"0x009d8a", // MMM Ransomware
"3301", // 3301 Ransomware
"3ncrypt3d", // GlobeImposter Ransomware
"490", // GlobeImposter Ransomware
"492", // GlobeImposter Ransomware
"63vc4", // Nemesis/Cry36
"707", // GlobeImposter Ransomware
"725", // GlobeImposter Ransomware
"726", // GlobeImposter Ransomware
"[3bitcoins@protonmail.com].blocking", // BTCWare Variant
"acc", // Un-Named Ransomware
"actum", // GlobeImposter Ransomware
"adr", // KRider (MyLittleRansomware) Variant
"aes", // Vortex Ransomware
"afc", // Jigsaw Variant
"akira", // Akira Ransomware
"aleta", // Aleta Ransomware
"alosia", // Stupid Ransomware
"astra", // GlobeImposter Ransomware
"atom", // Atom - Zilla Variant
"au1crypt", // GlobeImposter Ransomware
"bam!", // Bam Ransomware
"Beethoven", // BeethoveN Ransomware
"blocked2", // Xorist Ransomware
"bonum", // GlobeImposter Ransomware
"braincrypt", // Braincrypt Ransomware
"breeding123", // SamSam Ransomware
"brt92", // GlobeImposter Ransomware
"bubble", // CryptoBubble Ransomware
"bush", // GlobeImposter Ransomware
"c8b089f", // GlobeImposter Ransomware
"cerber3", // Cerber Ransomware
"cesar", // Dharma Ransomware
"cezar", // Dharma Ransomware
"ck", // CryptoMix Ransomware
"cnc", // CryptoMix Ransomware
"coded", // GlobeImposter Ransomware
"country82000", // SamSam Ransomware Variant
"cr020801", // Unnamed Ransomware
"crypt12", // Crypt12 Ransomware
"cryptah", // Hidden Tear Variant
"crystal", // Crystal Ransomware
"cyron", // Cyron Ransomware
"cyt", // WininiCrypt Ransomware
"d2550a49bf52dfc23f2c013c5", // GlobeImposter Ransomware
"dcry", // DCry Ransomware
"dg", // CryptoMix Ransomware
"diablo6", // Diablo6 Ransomware
"ebay", // EbayWall Ransomware
"empty", // CryptoMix Ransomware
"enc", // Gangsta Ransomware
"eoc", // Fake Turkish WannaCry
"error", // Error Ransomware
"explorer", // Explerer - Hidden Tear Variant
"exte", // CryptoMix Ransomware
"fdp", // Oxar Ransomware
"flat", // FlatChestWare Ransomware
"flux", // Flux Ransomware
"fmoon", // MoonCrypter Ransomware
"fuck", // GlobeImposter Ransomware
"fuck_you_av_we_are_not_globe_fake", // GlobeImposter Variant
"ganklocked", // Gank Ransomware
"gg", // BRansomware
"gotham", // GlobeImposter
"graff", // GlobeImposter Ransomware
"granny", // GlobeImposter Ransomware
"happ", // GlobeImposter
"hello", // Hello (Xorist) Ransomware
"help", // GlobeImposter Ransomware
"hobot2good", // HiddenTear Variant
"imsorry", // Imsorry Ransomware
"ipygh", // Karo Ransomware
"isis", // Trojan DZ Ransomware
"jeep", // GlobeImposter Ransomware
"jezroz", // InfiniteTear Ransomware
"kill", // Jigsaw Ransomware Variant
"kk", // SyncCrypt Ransomware
"korea", // Jigsaw Variant
"kuntzware", // Kuntzware Ransomware
"lalabitch", // Lalabitch Ransomware
"lamo", // EyLamo Ransomware
"lego", // GlobeImposter Ransomware
"locked", // HiddenTear Variant, MusicGuy Ransomware, Bit Paymer
"lost", // Jigsaw Variant
"lukitus", // Locky Ransomware
"malki", // Malki Ransomware
"master", // BTCware
"mention9823", // SamSam Ransomware
"mmm", // MMM Ransomware
"moments2900", // Samas/SamSam Ransomware
"mordor", // Mordor Ransomware
"mtk118", // GlobeImposter Variant
"mychemicalromance4ever", // Lambda Locker Ransomware
"nigga", // GlobeImposter Ransomware
"node0", // RansooM Ransomware
"noob", // CryptoMix Ransomware
"nsmf", // NSMF Ransomware
"null", // Null Ransomware
"ocean", // GlobeImposter Ransomware
"ogonia", // CryptoMix Ransomware
"ogre", // Ogre Ransomware
"oops", // Oops Ransomware
"org", // QuakeWay Ransomware
"oxr", // HiddenTear, Oxar Ransomware
"p1crypt", // GlobeImposter Variant
"pa-siem", // PA-SIEM Ransomware
"pabluklocker", // Polish Jigsaw Ransomware
"payforunlock", // CryptoGod Ransomware
"pedo", // Oxar Ransomware
"petya", // JCoder Ransomware
"pirate", // CryptoMix Ransomware
"pohu", // Unknown Ransomware
"pr0tect", // SOREBRECT Ransomware
"prosperous666", // SamSam Variant
"purge", // Purge Ransomware
"qwqd", // DCry Ransomware
"r3k7m9", // Jigsaw Variant
"ram", // Ramsey Ransomware
"ransed", // Ransed Ransomware
"rat", // Jigsaw Variant
"rdwf", // RanDsomeWare Ransomware
"reagan", // GlobeImposter Ransomware
"reyptson", // Reyptson Ransomware
"rose", // A1 Lock (GlobeImposter Variant)
"rumblegoodboy", // GlobeImposter Ransomware
"s1crypt", // GlobeImposter Ransomware
"scarab", // Scarab Ransomware
"scorpio", // Scorpio Ransomware
"sea", // GlobeImposter Ransomware
"sevendays", // SevenDays Ransomware
"shinigami", // Shinigami Ransomware
"shutdown57", // Shutdown57 Ransomware
"sifreli", // Un-Named Ransomware
"skunk", // GlobeImposter Ransomware
"snake", // SnakeLocker Ransomware
"spectre", // Spectre Ransomware
"srpx", // Serpent Ransomware
"supported2017", // SamSam Ransomware
"sux", // Jigsaw Variant Ransomware
"svn", // Jaff Ransomware
"symbiom_ransomware_locked", // HiddenTear Variant
"tax", // Unnamed Ransomware
"tdelf", // TheDarkEncryptor Ransomware
"tgif", // SnakeLocker Ransomware
"torrent", // BitTorrent File
"trump", // GlobeImposter Ransomware
"uloz", // Oxar Ransomware
"unknown", // NZMR Ransomware
"unlis", // GlobeImposter Ransomware
"via", // ViACrypt Ransomware
"wallet", // Dharma Ransomware
"wamarlocked", // Balbaz Ransomware
"wana decryptor trojan-syria edition", // Wana Decrypt0r Trojan-Syria Edition Ransomware
"windows", // $usyLocker
"wooly", // Wooly Ransomware
"wxdrjbgsda", // ECC Crypto based Ransomware
"xolsec", // Xolsec Ransomware
"yl", // ChinaYunLang
"zablokowane", // Polski Ransomware
"zayka", // CryptoMix Ransomware
"zero", // CryptoMix Ransomware
"zilla", // Zilla Ransomware
"zuzya", // GlobeImposter Ransomware

//---------------------------------------------------------------
// Type 1 basic adds end
//---------------------------------------------------------------
```


```javascript
//---------------------------------------------------------------
// Type 1 advanced adds start
//---------------------------------------------------------------

"([a-z0-9A-Z]{10})", // ECC Crypto based Ransomware
".*?-email-.*?\.pirate", // Unidentified Ransomware
".*?\.blocking", // BTCWare Ransomware
".*?\.nuclear", // BTCWare Ransomware
".*?encryptended.*?", // Encryptended Ransomware
"19599\.js", // Cerber
"@usa\.com",
"@Ya\.ru",
"\.#.*?#id#.*?", // Striked Ransomware
"\..*?\.blocking", // Multiple Ransomware and Variants
"\..*?\.BRT92", // GlobeImposter Ransomware
"\..*?\.gryphon", // Gryphon Ransomware
"\..*?\.ogg", // Ursniff Keylogger
"\..*?\.Ru.*?\.Scorpio", // Scorpio
"\..*?\.t5019", // Nemesis/Cry36 Ransomware
"\..*?mich78@usa\.com", // Un-Named Ransomware
"\..*?unknown.*?", // NZMR Ransomware, Viro Ransomware
"\.+ assaassin@meta\.ua", // Ransomware
"\..*?@yandex\.com.*?", // .NET Based Ransomware
"\..*?\.crypton", // Gryphon Ransomware
"\.\.726", // GlobeImposter Ransomware
"\.\.txt", // GlobeImposter Ransomware
"\.Cerber_RansomWare@qq\.com", // Xorist Ransomware
"\.encrypted.*?", // Matroska Ransomware
"\.encrypted\..*?", // CryptoWire Variant (WanaCry4)
"\.extension=.*?=.*?\.crypt12", // Crypt12 Ransomware
"\.HOUSTONWEHAVEAPROBLEM@KEEMAIL\.ME", // Matroska - Hidden Tear Variant
"\.id.*?\.arena", // Dharma Ransomware
"\.locked-.*?", // Unlock26 Ransomware
"BBFK\.exe", // FUAKED Ransomware
"Data_Locker\.exe", // HiddenTear, Oxar
"Lock\.", // Crypt888
"petya\.dll", // Petya/(Not)Petya
"samsam\.exe", // Samsam

//---------------------------------------------------------------
// Type 1 advanced adds end
//---------------------------------------------------------------
```


```javascript
//---------------------------------------------------------------
// Type 2 basic adds start
//---------------------------------------------------------------

"85x", // MFM EDI Temporary File
"@tmp@", // BDI Rehab Temporary File
".vbm_.*?temp", // Veeam Backup Temp Files
"acb", // Adobe Acrobat file
"acrodata",
"adm",
"adml",
"admx",
"aiping",
"AIpng",
"api", // Adobe Acrobat file
"appcache",
"application",
"appref-ms", // Microsoft ClickOnce file
"AppSharingMediaProviderlog",
"asax",
"ascx",
"ashx",
"asm",
"asmx",
"assets",
"au", // Sun Microsystems NeXT systems
"audit",
"aup", // Adobe Acrobat file
"autoprefixer",
"bim", // MS Visual Studio
"browswer",
"cap",
"case", // SlipCover Case Template
"cat",
"cd", // MS Visual Studio
"cdc", // Pyxis File
"cdctx", // Pyxis File
"cer", // Adobe Acrobat file
"cfx",
"chm", // Microsoft Compiled HTML Help
"clinicalnotesform", // Centricity?
"clx", // Adobe Acrobat file
"cmd",
"cmdline",
"cmtx",
"cnt",
"compiled",
"con", // Medimizer X3 control file (healthcare)
"conf",
"contact",
"ctl", // Visual Basic UserControl Object File
"ctrl", // MDLink Log Files
"custom-css",
"customUI",
"data", // Microsoft Visual Studio data file
"database",
"datasource",
"db-shm",
"db-wal",
"dbp", // MS Visual Studio
"def", // OneContent Temporary Image File
"default",
"der", // Adobe Acrobat file
"DeskLink",
"dir",
"directory", // Adobe Flash Cache File
"disabled",
"dl_", // Sleepware G3 File
"dtproj", // MSSQL Server Data Tools project configurations
"dtx", // Pyxis File
"dwproj", // MS Visual Studio
"dylib", // Websense Policy File
"edf", // Sleepware G3
"elf",
"eml",
"en-US",
"engine",
"ent", // EMU File
"env", // Adobe Acrobat file
"eot",
"epo", // EMU File
"erd", // EMU File
"exv", // Adobe Acrobat file
"feed-ms",
"feedsdb-ms",
"ffl", // MFM-MSCM Data File
"file",
"fingerprint",
"flt",
"flv", // Video file common on Philips Fetal Monitors
"fpt", // FileMaker Pro file
"frt", // FoxPro database file
"frx",
"fsif", // MSCM Label Printing
"git",
"gitattributes",
"github",
"gitignore",
"gitkeep",
"gitmodules",
"google",
"hdr", // Image File
"heu",
"hist",
"hlp", // Help file
"hr", // Created by Centricity
"hrq", // Created by Centricity
"ht", // Created by Centricity
"hta",
"htc",
"hyp", // Adobe Acrobat file
"icc",
"ierl", // OneContent BDI Temporary File
"in",
"inc",
"joboptions", // Adobe Acrobat file
"jsonlz4",
"kfp", // Adobe Acrobat file
"label", // Dymo Label Templates
"lastgoodload",
"lck", // Lock File created by Paradox Relational Database Management System
"lex",
"lib",
"library-ms",
"little", // Mozilla Firefox Startup Cache
"lm8",
"lng",
"loc", // Centricity Temporary File
"man",
"manifest",
"MAPIMail",
"matx", // Pyxis File
"md",
"md5",
"mif",
"milt", // Pharmacy Application Log File
"mmtx", // Pyxis File
"mo",
"msb",
"MSMessageStore",
"mst", // Windows Installer Setup Transform File
"mts", // High-definition MPEG Transport Stream video format
"mui",
"mwtx", // Pyxis File
"myapp",
"mydocs",
"name",
"nupkg",
"nuspec",
"ocx", // Adobe Acrobat file
"oeaccount",
"opal",
"otf", // Adobe Acrobat file
"outlook",
"pat",
"pb",
"pbk",
"pcf", // Reflections Portable Compiled Format file
"pfb", // Adobe Acrobat file
"pfm", // Adobe Acrobat file
"pfx",
"pid",
"pkc", // MDLink Package
"pm",
"png0",
"prc",
"ps1",
"psd1",
"pyc",
"rc",
"rc2", // Remote Desktop config files
"rds",
"recpt", // Pyxis File
"resources",
"resx",
"rml", // Sleepware G3 Capture File
"rptproj",
"rsd",
"runtime",
"sbs",
"sbstore", // Mozilla Firefox Cache File
"scss",
"sem", // Centricity Temporary File
"settingcontent-ms",
"settings",
"sh",
"sl", // Centricity Error Log File
"slc",
"snc", // EMU File
"srs",
"stc", // EMU File
"store",
"strings", // Adobe Acrobat file
"svc",
"svcinfo",
"swc", // Adobe Acrobat file
"swz",
"targets",
"tasks",
"template",
"test", // EMU Test File
"theme", // Microsoft theme file
"themex", // Microsoft theme file
"tis",
"tlb", // MS Visual Studio
"tmh", // Trace Message Header File
"tml", // Padgen File
"tmpl",
"tps", // TiePie Multi Channel software
"transform",
"ts",
"typescript",
"UccApilog",
"ukh", // SMSClientInstall.UKH
"update",
"userinfo", // Userinfo File
"utx", // Pyxis Machine File
"vb",
"vbk", // Veeam Backup File
"vbm", // Veeam Backup File
"vbm.*?", // Veeam Backup File
"vbm_.*?", // Veeam Backup File (Partial)
"vbp",
"vbproj",
"vcproj",
"vcrd",
"vdproj",
"ve6", // Microsoft SQL files
"version",
"vfx",
"vib", // vSphere Installation Bundle
"vir",
"vjsproj", // MS Visual Studio
"voa", // UKH-LabDe-Prod creates these
"vol",
"vpol",
"vsch",
"vsdir", // MS Visual Studio
"vsdx", // Visio File
"vsixmanifest", // MS Visual Studio
"vsk", // MS Visual Studio
"vsm",
"vsmacros",
"vsmdi",
"vspscc",
"vsscc",
"vssettings", // Microsoft Visual Studio settings
"vssscc",
"vstdir", // MS Visual Studio
"vstemplate", // MS Visual Studio
"vsz", // MS Visual Studio
"vt2", // EMU File
"vtc", // Bosch DVR File (Security Cameras)
"WCFService",
"wdp",
"web",
"webinfo",
"WebServerSetup",
"website", // Internet Explorer Pinned Site Shortcut
"WindowsXP",
"winprf", // MS Visual Studio
"wmdb",
"wmf",
"woff",
"workbench",
"wpl",
"wsf", // MS Visual Studio
"xaml",
"xkb", // Epic Text build file
"xla", // Epic related file
"xlam", // Epic Export Tools
"xlb",
"xlt",
"xltx",
"xml0",
"xmq", // Centricity DTS Server File
"xsl", // Expressing style sheets
"xslt", // XML style transformation file
"xyz", // Molecule Viewer models
"ytr", // Adobe Acrobat file
"zdct", // Adobe Acrobat file
"ZFSendToTarget",
"~vsdx", // Visio Temp File

//---------------------------------------------------------------
// Type 2 basic adds end
//---------------------------------------------------------------
```

```javascript
//---------------------------------------------------------------
// Type 2 advanced adds start
//---------------------------------------------------------------

"\\AppData\\Local\\Microsoft\\Windows\\WER\\ReportArchive\\", // Windows app-crash reports
"\\AppData\\Local\\Temp\\CitrixLogs\\",
// "\\UPM_Profile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\vgpwx1mc.default\\startupCache\\",
// "\\UPM_Profile\\AppData\\Roaming\\Microsoft\\UProof\\\w+?.9.bin$",

//---------------------------------------------------------------
// Type 2 advanced adds end
//---------------------------------------------------------------
```

```javascript
//---------------------------------------------------------------
// Type 4 adds start
//---------------------------------------------------------------

"!#READ_ME#!\.hta", // BTCWare Ransomware
"!#READ_ME#!\.txt", // Aleta Ransomware
"!back_files!\.html", // GlobeImposter Ransomware
"!SOS!\.(html|htm|txt)", // 0402 Ransomware
"!your_files!\.html", // GlobeImposter Ransomware
"### - ODZYSKAJ SWOJE DANE - ###\.TXT", // Polski Ransomware
"### DECRYPT MY FILES ###\.html", // Nemesis/Cry36 Ransomware
"__iWasHere\.txt", // QuakeWay Ransomware
"_HELP_INSTRUCTION\.txt", // CryptoMix Ransomware
"INTERESTING_INFORMACION_FOR_DECRYPT\.(txt|TXT)", // CryptoMix Ransomware
"read_it_for_recover_files\.html", // Diamond computer Encryption Ransomware
"README-Encrypted-Files\.html", // PoshCoder(?) Variant
"ARE_YOU_WANNA_GET_YOUR_FILES_BACK\.txt", // Bitshifter Ransomware
"Como_Recuperar_Tus_Ficheros\.txt", // Reyptson Ransomware
"DECRYPT_MY_FILES\.html", // 3301 Ransomware
"dummy_file\.txt", // FUAKED Ransomware
"ebay-msg\.html", // EbayWall Ransomware
"File_Encryption_Notice\.txt", // aZaZel Ransomware
"free_files!\.html", // GlobeImposter Ransomware
"here_your_files!\.html", // GlobeImposter Ransomware
"how_to_back_files\.html", // GlobeImposter Ransomware
"HOW_TO_DECRYPT\.txt", // Un-Named Ransomware
"IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS\.TXT", // Scarab, Scorpio Ransomware
"Instruction for file recovery\.txt", // Un-Named Ransomware
"instrukt\.txt", // Polish Ransomware
"KEY and AMMOUNT\.txt", // Ransomware
"Learn how to recover your files\.txt", // Un-Named Ransomware
"lukitus\.(htm|txt|html|bmp|jpg|jpeg)", // Locky Ransomware
"note\.html", // Reetner Ransomware
"OkuBeni\.txt", // Zilla Ransomware
"PLEASE-README-AFFECTED-FILES\.html", // SamSam Variant
"Ransom\.rtf", // Fenrir Ransomware
"Ransompng_6304118_26774912\.png", // Fenrir Ransomware
"READ ME ABOUT DECRYPTION\.txt", // SOREBRECT Ransomware
"READ_IT\.txt", // $usyLocker Ransomware
"Read_ME\.html", // GlobeImposter Ransomware
"READ_ME_HELP_ME\.txt", // FCP Ransomware
"readme\.txt", // NSMF Ransomware
"README.*?.*?\.txt", // Blackout Ransomware
"README_1910092#####\.txt", // FileCryptor Ransomware
"ReadMe_Important\.txt", // Mora Project Ransomware
"README_Ransomware_Symbiom\.txt", // Hidden Tear Variant
"README_TO_RESTORE_FILES_t7Q\.(html|txt)", // Serpent Ransomware
"readme_txt", // Bit Paymer
"RECOVER-FILES-.*?\.(html|txt|htm)", // GlobeImposter Ransomware
"RESTORE_INFO-C3E24FCE\.txt", // ECC Crypto based Ransomware
"shutdown57\.php", // Shutdown57 Ransomware
"Sifre_Coz_Talimat\.html", // Executioner Ransomware
"UNLOCK_guiDE\.tXT", // LambdaLocker Ransomware
"where_my_files\.txt", // Apocalypse
"your_key\.rsa", // Unnamed Ransomware

//---------------------------------------------------------------
// Type 4 adds end
//---------------------------------------------------------------
```
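As an added example, not code from the bundle or from any post in this thread, the following JavaScript shows how the four list types above are applied to the file name of one SMB/CIFS write and how hits are then tallied per client. The list contents are small constructed subsets of the additions posted above; the function names, verdict strings, evaluation order and burst threshold are assumptions, not the bundle's own settings.

```javascript
// Added example, not the bundle's code: how the list types are applied to one
// SMB/CIFS write. Type 2 exceptions suppress; type 1 basic entries must equal the
// final extension; type 1 advanced and type 4 entries are regexes (assumed order).

// Type 1 basic: extensions, compared lower-case against the final extension only.
const TYPE1_BASIC = ["locked", "wallet", "zilla", "enc", "lukitus"];
// Type 1 advanced: regexes over the file name (dots escaped, anchored at the end).
const TYPE1_ADVANCED = [/\.id.*?\.arena$/i, /petya\.dll$/i, /\..*?\.blocking$/i];
// Type 2 basic: benign extensions that real environments write constantly.
const TYPE2_BASIC = ["vbk", "vbm", "lck", "xsl", "xla"];
// Type 2 advanced: benign paths and Veeam temp names; backslashes are escaped.
const TYPE2_ADVANCED = [/\\AppData\\Local\\Temp\\CitrixLogs\\/i, /\.vbm_.*?temp$/i];
// Type 4: ransom-note names; alternatives use a group, not a character class.
const TYPE4 = [/^!SOS!\.(html|htm|txt)$/i, /^ebay-msg\.html$/i, /^READ_IT\.txt$/i];

// Constructed sample of SMB write events (client, UNC path); not real data.
const SAMPLE_WRITES = [
  { client: "10.0.0.5", path: "\\\\fs01\\share\\Q3\\report.docx.locked" },
  { client: "10.0.0.5", path: "\\\\fs01\\share\\Q3\\budget.xlsx.id-AB12.[x@y.z].arena" },
  { client: "10.0.0.5", path: "\\\\fs01\\share\\Q3\\!SOS!.html" },
  { client: "10.0.0.9", path: "\\\\fs01\\backups\\job1.vbm_12345.temp" },
  { client: "10.0.0.9", path: "\\\\fs01\\backups\\job1.vbm" },
  { client: "10.0.0.9", path: "\\\\fs01\\users\\bob\\AppData\\Local\\Temp\\CitrixLogs\\x.enc" },
];

// Last path component of a UNC or POSIX path.
function baseName(path) {
  return path.split(/[\\/]/).pop();
}

// Final extension, lower-cased; "" when there is none (dotfiles have none).
function extensionOf(path) {
  const name = baseName(path);
  const dot = name.lastIndexOf(".");
  return dot <= 0 ? "" : name.slice(dot + 1).toLowerCase();
}

// Classify one write: benign (type 2), ransom_note (type 4), suspicious (type 1) or clean.
function classifyWrite(path) {
  const name = baseName(path);
  const ext = extensionOf(path);
  if (TYPE2_BASIC.includes(ext)) return { verdict: "benign", reason: "type2 basic: " + ext };
  const t2 = TYPE2_ADVANCED.find((re) => re.test(path));
  if (t2) return { verdict: "benign", reason: "type2 advanced: " + t2.source };
  const t4 = TYPE4.find((re) => re.test(name));
  if (t4) return { verdict: "ransom_note", reason: "type4: " + t4.source };
  if (TYPE1_BASIC.includes(ext)) return { verdict: "suspicious", reason: "type1 basic: " + ext };
  const t1 = TYPE1_ADVANCED.find((re) => re.test(name));
  if (t1) return { verdict: "suspicious", reason: "type1 advanced: " + t1.source };
  return { verdict: "clean", reason: "" };
}

// Clients with at least `threshold` suspicious or ransom-note writes in the batch.
// One matching file is weak evidence; a burst from one client is the signal worth
// alerting on. The threshold is an assumed knob, not one of the bundle's settings.
function burstsByClient(events, threshold) {
  const hits = {};
  for (const ev of events) {
    const v = classifyWrite(ev.path).verdict;
    if (v === "suspicious" || v === "ransom_note") hits[ev.client] = (hits[ev.client] || 0) + 1;
  }
  return Object.keys(hits).filter((c) => hits[c] >= threshold).sort();
}

console.log(burstsByClient(SAMPLE_WRITES, 2)); // [ '10.0.0.5' ]
```

Because type 1 basic compares the final extension exactly, a short entry such as `enc` does not fire on `encrypted.docx`, while a write under a whitelisted path is suppressed even when its extension is blacklisted.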