Forked from CHEF-KOCH/List of ransomware extensions
Created
November 30, 2017 08:18
-
-
Save kayvanaarssen/60ff489dd31845a1240978d8d5572782 to your computer and use it in GitHub Desktop.
List of ransomware extensions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| filescrn filegroup export /file:C:\filegroup.xml /filegroup:filegroupname | |
| filescrn filegroup import /file:C:\filegroup.xml /filegroup:filegroupname | |
| Output: | |
| C:\Windows\system32>filescrn filegroup import /remote:SERVER /file:\\server\share\FileScreeningTest\file.xml /filegroup:"Ransomware File Group" /overwrite | |
| This tool is deprecated and may be removed in future releases of Windows. Please | |
| use the Windows PowerShell cmdlets in the FileServerResourceManager module to a | |
| dminister File Server Resource Manager functionality. | |
| File groups imported successfully. | |
| C:\Windows\system32>ver | |
| Microsoft Windows [Version 6.3.9600] | |
| C:\Windows\system32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" | |
| OS Name: Microsoft Windows Server 2012 R2 Datacenter | |
| OS Version: 6.3.9600 N/A Build 9600 | |
| Research: | |
| https://technet.microsoft.com/en-ca/library/cc788027.aspx | |
| https://technet.microsoft.com/en-ca/library/cc788048.aspx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $servers = | |
| ("server1", | |
| "server2", | |
| "server3") | |
| foreach ($server in $servers) { | |
| echo $server | |
| filescrn filegroup import /remote:$server /file:\\server\share\FileListedAbove.xml /filegroup:"Ransomware File Group" /overwrite | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" ?> | |
| <Root > | |
| <Header DatabaseVersion = '2.0' > | |
| </Header><QuotaTemplates ></QuotaTemplates> | |
| <DatascreenTemplates ></DatascreenTemplates> | |
| <FileGroups > | |
| <FileGroup Name = 'Ransomware%sFile%sGroup' Id = '{DC7085CC-D915-438A-B7BC-7015DD846010}' Description = '' > | |
| <Members > | |
| <Pattern PatternValue = '*.0x0' ></Pattern> | |
| <Pattern PatternValue = '*.1999' ></Pattern> | |
| <Pattern PatternValue = '*.*obleep' ></Pattern> | |
| <Pattern PatternValue = '*.LOL!' ></Pattern> | |
| <Pattern PatternValue = '*.aaa' ></Pattern> | |
| <Pattern PatternValue = '*.abc' ></Pattern> | |
| <Pattern PatternValue = '*.bleep' ></Pattern> | |
| <Pattern PatternValue = '*.ccc' ></Pattern> | |
| <Pattern PatternValue = '*.ctbl' ></Pattern> | |
| <Pattern PatternValue = '*.ctb2' ></Pattern> | |
| <Pattern PatternValue = '*.crinf' ></Pattern> | |
| <Pattern PatternValue = '*.crjoker' ></Pattern> | |
| <Pattern PatternValue = '*.diablo6' ></Pattern> | |
| <Pattern PatternValue = '*.Lukitus' ></Pattern> | |
| <Pattern PatternValue = '*.cry' ></Pattern> | |
| <Pattern PatternValue = '*.crypto*' ></Pattern> | |
| <Pattern PatternValue = '*.cryptotorlocker*' ></Pattern> | |
| <Pattern PatternValue = '*.darkness' ></Pattern> | |
| <Pattern PatternValue = '*.ecc' ></Pattern> | |
| <Pattern PatternValue = '*.enc' ></Pattern> | |
| <Pattern PatternValue = '*.EnCiPhErEd' ></Pattern> | |
| <Pattern PatternValue = '*.zepto' ></Pattern> | |
| <Pattern PatternValue = '*.crypt1' ></Pattern> | |
| <Pattern PatternValue = '*.encrypted*' ></Pattern> | |
| <Pattern PatternValue = '*.exx' ></Pattern> | |
| <Pattern PatternValue = '*.ezz' ></Pattern> | |
| <Pattern PatternValue = '*.frtrss' ></Pattern> | |
| <Pattern PatternValue = '*.good' ></Pattern> | |
| <Pattern PatternValue = '*.ha3' ></Pattern> | |
| <Pattern PatternValue = '*.hydracrypt*' ></Pattern> | |
| <Pattern PatternValue = '*.kb15' ></Pattern> | |
| <Pattern PatternValue = '*.kraken' ></Pattern> | |
| <Pattern PatternValue = '*.lechiffre' ></Pattern> | |
| <Pattern PatternValue = '*.locky' ></Pattern> | |
| <Pattern PatternValue = '*.magic' ></Pattern> | |
| <Pattern PatternValue = '*.micro' ></Pattern> | |
| <Pattern PatternValue = '*.nochance' ></Pattern> | |
| <Pattern PatternValue = '*.omg!' ></Pattern> | |
| <Pattern PatternValue = '*.r16M*' ></Pattern> | |
| <Pattern PatternValue = '*.r5a' ></Pattern> | |
| <Pattern PatternValue = '*.rdm' ></Pattern> | |
| <Pattern PatternValue = '*.rrk' ></Pattern> | |
| <Pattern PatternValue = '*.supercrypt' ></Pattern> | |
| <Pattern PatternValue = '*.toxcrypt' ></Pattern> | |
| <Pattern PatternValue = '*.ttt' ></Pattern> | |
| <Pattern PatternValue = '*.vault' ></Pattern> | |
| <Pattern PatternValue = '*.vvv' ></Pattern> | |
| <Pattern PatternValue = '*.xxx' ></Pattern> | |
| <Pattern PatternValue = '*.xrnt' ></Pattern> | |
| <Pattern PatternValue = '*.xtbl' ></Pattern> | |
| <Pattern PatternValue = '*.xyz' ></Pattern> | |
| <Pattern PatternValue = '*.zzz' ></Pattern> | |
| <Pattern PatternValue = '*@gmail_com_*' ></Pattern> | |
| <Pattern PatternValue = '*@india.com*' ></Pattern> | |
| <Pattern PatternValue = '*gmail*.crypt' ></Pattern> | |
| <Pattern PatternValue = '*install_tor*.*' ></Pattern> | |
| <Pattern PatternValue = '*keemail.me*' ></Pattern> | |
| <Pattern PatternValue = '*qq_com*' ></Pattern> | |
| <Pattern PatternValue = '*restore_fi*.*' ></Pattern> | |
| <Pattern PatternValue = '*ukr.net*' ></Pattern> | |
| <Pattern PatternValue = '*want%syour%sfiles%sback.*' ></Pattern> | |
| <Pattern PatternValue = 'DECRYPT_HELP.*' ></Pattern> | |
| <Pattern PatternValue = 'HELP_YOUR_FILES.*' ></Pattern> | |
| <Pattern PatternValue = 'confirmation.key' ></Pattern> | |
| <Pattern PatternValue = 'cryptolocker.*' ></Pattern> | |
| <Pattern PatternValue = 'decrypt_instruct*.*' ></Pattern> | |
| <Pattern PatternValue = 'djqfu*.*' ></Pattern> | |
| <Pattern PatternValue = 'enc_files.txt' ></Pattern> | |
| <Pattern PatternValue = 'help_decrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'helpdecrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'help_recover*.*' ></Pattern> | |
| <Pattern PatternValue = 'help_restore*.*' ></Pattern> | |
| <Pattern PatternValue = 'help_your_file*.*' ></Pattern> | |
| <Pattern PatternValue = 'how%sto%sdecrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'how_decrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'how_recover*.*' ></Pattern> | |
| <Pattern PatternValue = 'how_to_decrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'how_to_recover*.*' ></Pattern> | |
| <Pattern PatternValue = 'howto_restore*.*' ></Pattern> | |
| <Pattern PatternValue = 'howto_restore_file*.*' ></Pattern> | |
| <Pattern PatternValue = 'howtodecrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'install_tor*.*' ></Pattern> | |
| <Pattern PatternValue = 'instructions_xxxx.png' ></Pattern> | |
| <Pattern PatternValue = 'last_chance.*' ></Pattern> | |
| <Pattern PatternValue = 'message.txt' ></Pattern> | |
| <Pattern PatternValue = 'readme_decrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'readme_for_decrypt*.*' ></Pattern> | |
| <Pattern PatternValue = 'recovery_file.txt' ></Pattern> | |
| <Pattern PatternValue = 'recovery_key.txt' ></Pattern> | |
| <Pattern PatternValue = '*recover_instructions.txt' ></Pattern> | |
| <Pattern PatternValue = 'restore_fi.*' ></Pattern> | |
| <Pattern PatternValue = 'vault.hta' ></Pattern> | |
| <Pattern PatternValue = 'vault.key' ></Pattern> | |
| <Pattern PatternValue = 'vault.txt' ></Pattern> | |
| <Pattern PatternValue = 'HELP_TO_DECRYPT_YOUR_FILES.txt' ></Pattern> | |
| <Pattern PatternValue = 'HELP_TO_SAVE_FILES.txt' ></Pattern> | |
| <Pattern PatternValue = 'DecryptAllFiles.txt' ></Pattern> | |
| <Pattern PatternValue = 'DECRYPT_INSTRUCTIONS.TXT' ></Pattern> | |
| <Pattern PatternValue = 'INSTRUCCIONES_DESCIFRADO.TXT' ></Pattern> | |
| <Pattern PatternValue = 'How_To_Recover_Files.txt' ></Pattern> | |
| <Pattern PatternValue = 'YOUR_FILES.HTML' ></Pattern> | |
| <Pattern PatternValue = 'YOUR_FILES.url' ></Pattern> | |
| <Pattern PatternValue = 'encryptor_raas_readme_liesmich.txt' ></Pattern> | |
| <Pattern PatternValue = 'Help_Decrypt.txt' ></Pattern> | |
| <Pattern PatternValue = 'DECRYPT_INSTRUCTION.TXT' ></Pattern> | |
| <Pattern PatternValue = 'HOW_TO_DECRYPT_FILES.TXT' ></Pattern> | |
| <Pattern PatternValue = 'ReadDecryptFilesHere.txt' ></Pattern> | |
| <Pattern PatternValue = 'Coin.Locker.txt' ></Pattern> | |
| <Pattern PatternValue = '_secret_code.txt' ></Pattern> | |
| <Pattern PatternValue = 'DECRYPT_ReadMe.TXT' ></Pattern> | |
| <Pattern PatternValue = 'FILESAREGONE.TXT' ></Pattern> | |
| <Pattern PatternValue = 'IAMREADYTOPAY.TXT' ></Pattern> | |
| <Pattern PatternValue = 'HELLOTHERE.TXT' ></Pattern> | |
| <Pattern PatternValue = 'READTHISNOW!!!.TXT' ></Pattern> | |
| <Pattern PatternValue = 'SECRETIDHERE.KEY' ></Pattern> | |
| <Pattern PatternValue = 'IHAVEYOURSECRET.KEY' ></Pattern> | |
| <Pattern PatternValue = 'SECRET.KEY' ></Pattern> | |
| <Pattern PatternValue = 'RECOVERY_FILES.txt' ></Pattern> | |
| <Pattern PatternValue = 'RECOVERY_FILE*.txt' ></Pattern> | |
| <Pattern PatternValue = 'HowtoRESTORE*.txt' ></Pattern> | |
| <Pattern PatternValue = 'howto_recover_file.txt' ></Pattern> | |
| <Pattern PatternValue = 'restorefiles.txt' ></Pattern> | |
| <Pattern PatternValue = 'howrecover+*.txt' ></Pattern> | |
| <Pattern PatternValue = '_how_recover.txt' ></Pattern> | |
| <Pattern PatternValue = 'recoveryfile*.txt' ></Pattern> | |
| <Pattern PatternValue = 'recoverfile*.txt' ></Pattern> | |
| <Pattern PatternValue = 'Howto_Restore_FILES.TXT' ></Pattern> | |
| <Pattern PatternValue = 'help_recover_instructions+*.txt' ></Pattern> | |
| <Pattern PatternValue = '_Locky_recover_instructions.txt' ></Pattern> | |
| </Members> | |
| <NonMembers ></NonMembers> | |
| </FileGroup></FileGroups></Root> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| File extensions appended to files: | |
| .ecc, .ezz, .exx, .zzz, .xyz, .aaa, *.cryp1, .abc, .ccc, .vvv, *.zepto, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .diablo6, .Lukitus, .locky or 6-7 length extension consisting of random characters. | |
| Known ransom note files: | |
| HELPDECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, Coin.Locker.txt _secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles.txt FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY IHAVEYOURSECRET.KEY, SECRET.KEY, HELPDECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE[random].txt HowtoRESTORE_FILES.txt, HowtoRestore_FILES.txt, howto_recover_file.txt, restorefiles.txt, howrecover+[random].txt, _how_recover.txt, recoveryfile[random].txt, recoverfile[random].txt recoveryfile[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[random].txt, _Locky_recover_instructions.txt | |
| Note: The [random] represents random characters which some ransom notes names may include. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment