Crypto ransomware by extensions

 

Crypto ransomware is a category of ransomware viruses, which, apart from demanding the certain ransom payment, has file-encrypting capabilities. Thus, this type of viruses is also referred to as crypto-malware or crypto-viruses. The ransom is asked for the decryption of the encrypted data, which is to be transferred using the anonymous cryptocurrency, typically,- Bitcoins. The data files are locked and made unreadable after the encryption carried out by the crypto program, which is embedded in a data encryption mechanism. Accordingly, crypto viruses are also called crypto-lockers or file-lockers. They can act as screen lockers, preventing victims from accessing their computers or simply change the desktop background with the image of the ransom note. Crypto-malware is developed to target individual users, as well as computer networks belonging to huge corporations. This type of cyber threats is classified among the most dangerous viruses, since their developers typically employ elaborate data encryption mechanisms, which can even stay unpacked by the most experienced engineers in the field. Consequently, cyber criminals can make huge profits.

Most of the crypto-lockers can be identified by the specific filename extensions they append to the encrypted files. Usually, it is an additional extension added to the original name of the file and its extension. These extensions can be simple and be comprised of a short combination of characters or stand up as a simple phrase or a word. Often times they bear the title after which the crypto program itself has been named. However, some of these malicious extensions can even contain contact e-mails, the specific identification number of the infection, the BTC payment address, a string of random characters, etc. as additional assets.

However, not every crypto-malware has been designed to use a particular extension, appended to the encrypted files. There are such crypto ransomware coders, who, by chasing the glory of the most successful crypto-viruses, develop file-encrypting programs, adding the copied extensions to the aimed at files to falsify the infection of another crypto virus. There are also such crypto-lockers in the wild, which, instead of targeting the special file types, encrypt and lock the full disk. Other file-locking applications do not rename the encrypted files to make the corrupted data unavailable to be recognized by looking in the title. Thus, even though the extension appended may be a valuable indicator of the certain ransomware compromise, you cannot use it as the only identification mark of the particular crypto-ransomware infection or it is simple not present.

-email-[email_addre... .encrypted.decrypte...
.f41o1!____GLOK9200@gmail....
!____cocoslim98@gmai...%random%.EnCrYpTeD
(encrypted).*.crypt
*нет данных....!___[email]_.crypt
.#<email># i....01
.02.0402
.0x0.1999
.1AcTiv7HDn82LmJHaUf....2xx9
.31392E30362E3230313....31392E30362E3230313...
.3P7m.3RNu
.492.4rwcry4w
.666.707
.725.726
.777.7h9r
.7zipper.8lock8
.911.???
.ACTUM.ATLAS
.AiraCropEncrypted!.Alcatraz
.BONUM.BRT92
.BUSH.Bill_Clinton@derpym...
.C-email-[email]-[fi....CCC
.CHIP.CRRRT
.CRYPTED.CRYPTOBOSS
.CRYPTOSHIELD.Cerber2
.Dale.Dexter
.EMPTY.ENCR
.ENCRYPTED_BY_LLTP.Encrypted
.FFF.GRANNY
.H3LL.HA3
.H_F_D_locked.HakunaMatata
.Hollycrypt.I\\'WANT MO...
.ID-*8characters+cou....ID-[A-Fo-9],{8}+cou...
.JezRoz.KEYH0LES
.KEYHOLES.KEYZ
.LEGO.LIGHTNING
.LOCKED.LeChiffre
.MIKOYAN.MOLE
.MRCR1.NEMUCOD
.NIGGA.NM4
.NumberDot..OMG!
.OXR.OhNo!
.PAY.PEGS1
.R5A.RARE1
.RENSEMWARE.REVENGE
.REYPTSON.ReaGan
.SUPERCRYPT.SecureCrypted
.TRMT.TheTrumpLockerf
.TheTrumpLockerp..UNLIS
.VBRANSOM.Venusf
.VforVendetta.WAmarlocked
.WINDOWS.Wana Decrypt0r Troj...
.Whereisyourfiles.Xcri
.YAYA.YYTO
.ZINO.ZW
.[4 digits random ex....[5 random character...
.[6 letters].[Cho.dambler@yandex...
.[Help244@Ya.RU].LOC....[a random combinati...
.[a-z0-9].[bitcoin143@india.c...
.[byd@india.com].SON....[chines34@protonmai...
.[email].[email]
.[email].BRT92.[email].aleta
.[email].xtbl.[email].xtbl
.[microcost@bigmir.n....[payment_email].ID[...
.[random].[victim_id]_luck
._[ID Number].UIWIX.__dilmaV1
._xratteamLucked.a19
.aRpt.aaa
.ace.adk
.adr.aes
.aesir.amnesia
.ap19.armadilo1
.bam.bart
.bin.bitkangoroo
.blackfeather.bleep
.breaking_bad.breeding123
.brickr.btc
.btc-help-you.btcbtcbtc
.bud.cRh8
.canihelpyou.centrumfr@india.com
.cerber.cerber2
.cerber3.cfm
.cifgksaffsfyghd.code
.coded.comrade
.coverton.cradle
.crinf.crjoker
.crptd.crptrgr
.cry.cry_
.cryakl.cryp1
.crypt.crypt38
.crypte.crypted
.crypted_file.crypto
.cryptotorlocker2015....crypz
.crysis.cuck
.czvxce.decrypt2017 and .hn...
.ded.deria
.devil.diablo6
.dkdfln.dxxd
.eQTz.ebay
.ecc.ecrypt
.email-[email].[vers....enc
.encedRSA.encrypted
.encryptedAES.encryptedRSA
.encryptile.enigma
.enjey.evil
.evillock.exe
.exotic.explorer
.ezz.f**k_you_ av_we_are...
.fantom.filock
.firecrypt.flyper
.frtrss.fu*k
.fucked.fun
.gefickt.gotham
.gws.hacked
.happydayzz.heisenberg
.help.herbst
.hermes.hush
.hydracrypt.id-[A NUMBER]_locke...
.id-[A NUMBER]_r9oj.id-[A NUMBER]_x3m
.id-[ID]-[email].inf....id-[ID].[email].xtb...
.id-[ID].okean-1955@....id-[ID]_[email1]_[e...
.id-[id].[email].are....id-{ID Number}_fud@...
.id_[ID]_[email].rmd.id_[ID]_[email].scl
.ifuckedyou.ipygh
.isis.jaff
.jeepers.justbtcwillhelpyou
.karma.keepcalm
.kencf.kirked
.kkk.kokolocker
.kraken.lambda_l0cked
.lamo.lcked
.letmetrydecfiles.llawex
.lmao.lock
.lock75.lock93
.locked.locked-by-mafia
.locklock.locky
.lok.lovewindows
.lukitus.m0on
.madebyadam.maktub
.maysomware.mention9823
.mordor.mtk118
.nWcrypt.needdecrypt
.needkeys.neitrino
.no_more_ransom.novalid
.ocean.odcodc
.odin.only-we_can-help_yo...
.oops.osiris
.padcrypt.payforunlock
.payransom.paytounlock
.pec.pmxkab
.pnr.porno
.poshcoder.potato
.pr0tect.project34@india.com
.protected.pscrypt
.psh.purge
.pwned.rack
.ransomcuck.razy
.rdm.rdmk
.reaGAN.rekt
.rescuers@india.com.....resurrection
.rip.robinhood
.rokku.rose
.rrk.rumblegoodboy
.sad.sage
.sanction.sea
.serp.serpent
.sexy.shit
.skjdthghh.skunk
.stn.suppose666
.sux.switch
.szf.tdelf
.theworldisyours.thor
.ttt.uk-dealer@sigaint.o...
.umbrecrypt_ID_[ID].unlockvt@india.com
.upzbrf.versiegelt
.via.viki
.vindows.wallet
.wannacry.wcry
.wflx.whycry
.wnx.write_me_[btc2017@i...
.write_on_email.xdata
.xtbl.xxx
.yl.ytbl
.zCrypt.zXz
.zepto.zn2016
.zuzya.zyklon
.~.~HL
@keeENC
HUSTONWEHAVEAPROBLEM...Heimdall---
KK_.Lock.
[customised][decr@cock.li].gryph...
[email].xtbl[email]___
[full disk][gladius_rectus@aol....
[none][random]
[restoreassistant2@t...[teroda@bigmir.net]....
[unknown]_Ink.HavocCrypt!
_[original_extension...____tarTrojan-Ransom...
_crypt_crypt0.
_morf56@meta.ua __nullByte
iaufkakfhsarafid-[ID].{payfornatur...
id-[affiliate_id].[a...id.-[ID].[email].xtb...
noneoorr.
 
 
December 30, 2016 08:37