# Copyright (c) 2014-2022 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: linux encoder, qnacrypt, eCh0raix

# Reference: https://www.cyber.nj.gov/threat-profiles/ransomware-variants/linuxencoder
# Reference: https://vms.drweb.com/virus/?i=7704004&lng=en

z54n57pg2el6uze2.onion.to

# Reference: https://www.fortinet.com/blog/threat-research/closer-look-satan-ransomwares-propagation-technics.html

/cry32
/cry64

# Reference: https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/ (# QNAPCrypt)
# Reference: https://otx.alienvault.com/pulse/5d260d04ee31a2a96a077c0d

http://192.99.206.61/d.php
192.99.206.61:65000
sg3dwqfpnr4sl5hh.onion

# Reference: https://twitter.com/campuscodi/status/1169921091164413954
# Reference: https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/
# Reference: https://searchengines.guru/showthread.php?t=1021112 (Russian)

y7mfrrjkzql32nwcmgzwp3zxaqktqywrwvzfni4hm4sebtpw5kuhjzqd.onion

# Reference: https://twitter.com/joakimkennedy/status/1268243062611984384
# Reference: https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/
# Reference: https://www.virustotal.com/gui/file/88a73f1c1e5a7c921f61638d06f3fed7389e1b163da7a1cc62a666d0a88baf47/detection

veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion
/crp_linux_386
/crp_linux_arc
/crp_linux_arcle-hs38
/crp_linux_arm
/crp_linux_arm4
/crp_linux_arm4l
/crp_linux_arm4t
/crp_linux_arm4tl
/crp_linux_arm4tll
/crp_linux_arm5
/crp_linux_arm5l
/crp_linux_arm5n
/crp_linux_arm6
/crp_linux_arm64
/crp_linux_arm6l
/crp_linux_arm7
/crp_linux_arm7l
/crp_linux_arm8
/crp_linux_armv4
/crp_linux_armv4l
/crp_linux_armv5l
/crp_linux_armv6
/crp_linux_armv61
/crp_linux_armv6l
/crp_linux_armv7l
/crp_linux_dbg
/crp_linux_exploit
/crp_linux_i4
/crp_linux_i486
/crp_linux_i586
/crp_linux_i6
/crp_linux_i686
/crp_linux_kill
/crp_linux_m68
/crp_linux_m68k
/crp_linux_mips
/crp_linux_mips64
/crp_linux_mipseb
/crp_linux_mipsel
/crp_linux_mpsl
/crp_linux_pcc
/crp_linux_powerpc
/crp_linux_powerpc-440fp
/crp_linux_powerppc
/crp_linux_ppc
/crp_linux_pp-c
/crp_linux_ppc2
/crp_linux_ppc440
/crp_linux_ppc440fp
/crp_linux_root
/crp_linux_root32
/crp_linux_sh
/crp_linux_sh4
/crp_linux_sparc
/crp_linux_spc
/crp_linux_ssh4
/crp_linux_x32
/crp_linux_x32_64
/crp_linux_x64
/crp_linux_x86
/crp_linux_x86_32
/crp_linux_x86_64

# Reference: https://twitter.com/_re_fox/status/1466970787345223680
# Reference: https://twitter.com/_re_fox/status/1466978766664744960

http://178.18.249.42
178.18.249.42:8082

# Reference: https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/
# Reference: https://otx.alienvault.com/pulse/6113690279e9eb9f64fac829

http://183.76.46.30
http://2.37.149.230
http://64.42.152.46
http://98.144.56.47

# Reference: https://www.virustotal.com/gui/file/24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073/detection
# Reference: https://www.virustotal.com/gui/file/a130125a498a358b75cd9a1256ea873baeacd81f77c3d2ea475f3e547f899509/detection
# Reference: https://www.virustotal.com/gui/file/3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd/detection
# Reference: https://www.virustotal.com/gui/file/3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d/detection

185.193.126.161:9100