You might have heard about the Crypto Defense ransomware family; if not, please refer to this.
This morning I gave the (development version of) Hook Analyser 3.1 a shot and passed it the keyword "Crypto Defense" to understand the correlation between the behaviours of the malware variants.
The results* are as follows:
- Blue dot: the keyword (Crypto Defense)
- Red dot: a malware sample or hash
- Black dot: an IP address that a malware sample or hash communicates with
- Apparently, many "unique" variants of malware samples (of the Crypto Defense family) have been released, which could indicate that this ransomware is gaining attention or is being actively used by cyber criminals.
- The imphashes of the malware variants differ, which indicates that the samples might have been compiled by different threat actors or with different compilers.
- Certain variants share similar IOCs, in terms of the IP addresses they communicate with.
- The Tor network is being leveraged by the cyber criminals behind this malware family for payment and decryption-related purposes.
- Certain malware variants have been seen since 2009; however, the majority of them are being seen in 2013.
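The correlation the graph shows (samples linked through shared IP addresses, and imphashes compared across variants) can be reproduced on a small scale in plain Python. This is an added example, not code from Hook Analyser or from the original post; the sample records, hashes, imphashes and IP addresses in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records mirroring the graph legend above: each malware
# sample (red dot) has a hash, an imphash and the IPs it contacts (black
# dots). Every value here is a made-up placeholder, not a real IOC.
SAMPLES = [
    {"sha256": "SAMPLE_A", "imphash": "IMPHASH_1", "ips": ["10.0.0.1", "10.0.0.2"]},
    {"sha256": "SAMPLE_B", "imphash": "IMPHASH_1", "ips": ["10.0.0.2"]},
    {"sha256": "SAMPLE_C", "imphash": "IMPHASH_2", "ips": ["10.0.0.3"]},
    {"sha256": "SAMPLE_D", "imphash": "IMPHASH_3", "ips": ["10.0.0.3", "10.0.0.4"]},
    {"sha256": "SAMPLE_E", "imphash": "IMPHASH_4", "ips": []},
]


def ip_index(samples):
    """Map each contacted IP to the sorted sample hashes that use it."""
    index = defaultdict(set)
    for s in samples:
        for ip in s["ips"]:
            index[ip].add(s["sha256"])
    return {ip: sorted(h) for ip, h in index.items()}


def shared_ioc_clusters(samples):
    """Connected components of the sample<->IP graph: samples linked directly
    or transitively through a shared IP land in one cluster (union-find)."""
    parent = {s["sha256"]: s["sha256"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for hashes in ip_index(samples).values():
        for other in hashes[1:]:
            parent[find(other)] = find(hashes[0])
    clusters = defaultdict(list)
    for h in parent:
        clusters[find(h)].append(h)
    return sorted(sorted(c) for c in clusters.values())


def imphash_groups(samples):
    """Group hashes by imphash: a shared imphash suggests a common build
    environment, distinct ones suggest different compilers/toolchains."""
    groups = defaultdict(list)
    for s in samples:
        groups[s["imphash"]].append(s["sha256"])
    return {k: sorted(v) for k, v in groups.items()}
```

Feeding the real sample, imphash and IP values from an IOC export into `SAMPLES` yields the same clusters the graph draws, and a cluster of samples sharing an IP is a good candidate for a single blocklist or detection rule.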
Indicators of Compromise (IOCs) for Crypto Defense: to help the security community and incident responders, I have uploaded the indicators of compromise for the malware variants (XML format).
You may download it from here.
*Please be advised that the results are based on information available on the Internet, and there is a probability that they may not be accurate or complete. I'd recommend performing validation.