
A complete list of Ransomware file ext and readme file name


4 replies to this topic

#1 Cyberzero


Posted 24 February 2016 - 05:53 PM

Does anyone know where a list of all ransomware file names might be?

I.e., is a full list stored on Bleeping anywhere?

Anyone want to take a shot at a list?

 

This is what I have so far.

 

.micro
.aaa
.crjoker
.cryptotorlocker
.ecc
.encrypted
.exx
.ezz
.xyz
.zzz
.frtrss
.hydracrypt_ID
.locky
.lol!
.lol
.r5a
.ttt
.vault
.vvv
.xxx
.crypt
restore_files_rvrk.html
recover_instruction
restore_fi
want your files back.
confirmation.key
cryptolocker.
decrypt_instruct
enc_files.txt
help_decrypt
help_recover
help_restore
help_your_file
how to decrypt
how_recover
how_to_decrypt
how_to_recover
howto_restore
howtodecrypt
install_tor
last_chance.txt
message.txt
readme_decrypt
readme_for_decrypt
recovery_file.txt
recovery_key.txt
vault.hta
vault.key
vault.txt
your_files.url
recovery+
help_recover_instructions+vgv
_Locky_recover_instructions.txt

 

I have written a small batch file to monitor for the making of these files.

I am running it hourly and mailing if I get a hit.

 

But with better data, and/or a list that gets updated, the better I could monitor.

 

I read that Kaspersky is scanning for these file types in their a/v products.

I asked Vipre if they could do something sim.. The answer I got is not at this time, too many variants.

 

So I wrote my own.

Takes like 3 to 5 mins to do a directory listing and this does file matching.

I have a whitelist file for files that are M$'s or whoever's, that are safe but are near the bad guys' file names.

 

So again I ask:

 

Is this data here somewhere?

 

If so could you direct me?

If not...

Know of other types of file ext I am missing?

 

Thanks

 

Cyberzero




#2 Demonslay335


Posted 24 February 2016 - 06:16 PM

Quietman7 has some pretty extensive lists in his posts.

 

...

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples of ransom notes:

HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt,
About_Files.txt, Read.txt, ReadMe.txt, Coin.Locker.txt, _Locky_recover_instructions.txt, ATTENTION.RTF
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt, 
DECRYPT_INSTRUCTIONS.TXT, How_To_Recover_Files.txt, How_To_Restore_Files.txt, ReadDecryptFilesHere.txt
Help_Decrypt.txt, YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, IMPORTANT READ ME.txt, README1.txt...README10.txt
_secret_code.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt, AllFilesAreLocked_.bmp, BLEEPEDFILES.TXT
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt, help recover files.txt, Recovery+[random].txt

Note: The [random] represents random characters which some ransom notes names may include.
...

 

 

 

...


These are some of the more common ransomware file extensions appended to encrypted files: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .ENC, .locky, .SUPERCRYPT, .CTBL, .CTB2, or a 6-7 length extension consisting of random characters?

 

 

Here's a list I have compiled myself; some may be duplicates of your list and Quietman7's.

.R5A, .ecc, .ezz, .crypt, .encrypted, .encrypted, .crinf, .frtrss, .crjocker, .ecc, .CTBL, .CTBL2, .locked, .HA3, .0x0, .bleep, .1999, .bleep, .html, .locked, .hydracrypt_ID_*, .keybtc@inbox_com, .locky, .magic, .LOL!, .ENC, .POSHKODER, .rdm, .rrk, .vscrypt, .infected, .korrektor, .bloc, .sanctioned, .pzdc, .crypt, .good, .supercrypt, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .unbrecrypt_ID_*, .crypt, .R16M01D05, .xrtn, .encrypt

And some ransom notes.

HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt

I don't know of any real central database for these currently, but I'm working on a tool that will utilize one eventually here for public use.


Edited by Demonslay335, 24 February 2016 - 06:17 PM.

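Cyberzero's post describes an hourly batch job that walks the file system, matches file names against the extension and ransom-note lists above, and uses a whitelist for benign look-alikes. The script below is an added example of that same detection check, not Cyberzero's batch file and not any tool of Demonslay335's; it uses a subset of the names posted in this thread as its signatures. The whitelist globs, the `[random]`-style placeholder handling and the sample file names in `demo()` are constructed for this example.

```python
"""Scan a directory tree for ransomware artefacts: known appended extensions
and known ransom-note file names, with a whitelist for benign look-alikes.
Added example; signatures are a subset of the lists posted in this thread."""
import fnmatch
import os
import re
import tempfile

# Extensions appended to encrypted files (subset of the thread's lists).
SUSPECT_EXTENSIONS = [
    ".micro", ".aaa", ".crjoker", ".ecc", ".encrypted", ".exx", ".ezz", ".xyz",
    ".zzz", ".locky", ".lol!", ".r5a", ".ttt", ".vault", ".vvv", ".xxx",
    ".crypt", ".locked", ".ctbl", ".hydracrypt_ID_*", ".keybtc@inbox_com",
]

# Ransom-note file names (subset of the thread's lists). Bracketed tokens such
# as [random] or [victim_id] stand for variable text, as the thread notes.
RANSOM_NOTE_NAMES = [
    "HELP_DECRYPT.TXT", "HELP_YOUR_FILES.TXT", "RECOVERY_KEY.txt",
    "_Locky_recover_instructions.txt", "DECRYPT_INSTRUCTION.TXT",
    "README_DECRYPT_HYDRA_ID_*.txt", "README_DECRYPT_UMBRE_ID_[victim_id].txt",
    "how_recover+[random].txt", "_H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt",
    "vault.hta", "vault.key", "ReadMe.txt", "message.txt",
]

# Whitelist of benign files whose names collide with note names, as full-path
# globs. These two entries are constructed for the example.
WHITELIST = ["*/Program Files/*/ReadMe.txt", "*/Windows/*/message.txt"]

_PLACEHOLDER = re.compile(r"\[[^\]]*\]")  # [random], [victim_id], [3-characters]


def to_glob(pattern):
    """Turn a thread-style name such as 'how_recover+[random].txt' into a
    lower-cased fnmatch glob: bracketed placeholders become '*'. (Any literal
    '[' left over would need escaping as '[[]'; none occur in these lists.)"""
    return _PLACEHOLDER.sub("*", pattern).lower()


NOTE_GLOBS = [to_glob(n) for n in RANSOM_NOTE_NAMES]
EXT_GLOBS = ["*" + to_glob(e) for e in SUSPECT_EXTENSIONS]
WHITELIST_GLOBS = [w.replace("\\", "/").lower() for w in WHITELIST]


def classify(path):
    """Return 'whitelisted', 'note', 'encrypted' or None for one file path.
    Matching is case-insensitive and works for Windows or POSIX paths."""
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatchcase(norm, g) for g in WHITELIST_GLOBS):
        return "whitelisted"
    if any(fnmatch.fnmatchcase(name, g) for g in NOTE_GLOBS):
        return "note"
    if any(fnmatch.fnmatchcase(name, g) for g in EXT_GLOBS):
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root and return {'note': [...], 'encrypted': [...]} of full paths
    that hit a signature, skipping whitelisted paths. This is the check a
    scheduled job would run and alert on when either list is non-empty."""
    hits = {"note": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            kind = classify(full)
            if kind in hits:
                hits[kind].append(full)
    return hits


def demo():
    """Build a throwaway tree of constructed file names, scan it, and return
    the hits as sorted root-relative paths with '/' separators."""
    samples = [
        "Documents/budget.xlsx",                          # clean
        "Documents/budget.xlsx.locky",                    # appended extension
        "Documents/_Locky_recover_instructions.txt",      # note
        "ProgramData/README_DECRYPT_HYDRA_ID_7f3a9c.txt",  # note with wildcard
        "Program Files/SomeVendor/ReadMe.txt",            # benign, whitelisted
        "Pictures/holiday.jpg.lol!",                      # appended extension
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "w").close()
        hits = scan_tree(root)
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in hits.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the whitelist is checked on the full path rather than the bare name, a `ReadMe.txt` under a vendor directory is ignored while the same name dropped into a user's Documents folder is still reported; that is the trade-off Cyberzero's whitelist file makes, and it is why the lists in this thread need to stay current to be useful.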


#3 quietman7


Posted 24 February 2016 - 06:34 PM

And of course your lists need to be constantly updated and easily searched in order to resolve to the applicable ransomware infection.

My listings include the more commonly encountered infections. There are many more extensions that I do not include since there were only one or two reports.

#4 Cyberzero


Posted 25 February 2016 - 01:02 AM

This is a great start.

 

But I do think if someone could manage these file types (as a list), this could be set up and checked every time someone like me runs a program like mine.

 

I think this could be a worthy cause.

 

Anyone know if this site has an updateable knowledge-base-like function?

Just somewhere where trusted people could update and add to?

And others couldn't wipe out to screw this up.

 

Any thoughts?



#5 Cyberzero


Posted 25 February 2016 - 01:06 AM

Ye

 

Quietman7 has some pretty extensive lists in his posts.

 

...

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples of ransom notes:

HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt,
About_Files.txt, Read.txt, ReadMe.txt, Coin.Locker.txt, _Locky_recover_instructions.txt, ATTENTION.RTF
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt, 
DECRYPT_INSTRUCTIONS.TXT, How_To_Recover_Files.txt, How_To_Restore_Files.txt, ReadDecryptFilesHere.txt
Help_Decrypt.txt, YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, IMPORTANT READ ME.txt, README1.txt...README10.txt
_secret_code.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt, AllFilesAreLocked_.bmp, BLEEPEDFILES.TXT
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt, help recover files.txt, Recovery+[random].txt

Note: The [random] represents random characters which some ransom notes names may include.
...

 

 

 

...


These are some of the more common ransomware file extensions appended to encrypted files: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .ENC, .locky, .SUPERCRYPT, .CTBL, .CTB2, or a 6-7 length extension consisting of random characters?

 

 

Here's a list I have compiled myself; some may be duplicates of your list and Quietman7's.

.R5A, .ecc, .ezz, .crypt, .encrypted, .encrypted, .crinf, .frtrss, .crjocker, .ecc, .CTBL, .CTBL2, .locked, .HA3, .0x0, .bleep, .1999, .bleep, .html, .locked, .hydracrypt_ID_*, .keybtc@inbox_com, .locky, .magic, .LOL!, .ENC, .POSHKODER, .rdm, .rrk, .vscrypt, .infected, .korrektor, .bloc, .sanctioned, .pzdc, .crypt, .good, .supercrypt, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .unbrecrypt_ID_*, .crypt, .R16M01D05, .xrtn, .encrypt

And some ransom notes.

HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt

I don't know of any real central database for these currently, but I'm working on a tool that will utilize one eventually here for public use.

Yes, this is exactly what I am talking about.

Let everyone know when and where this pops up.

 

Thanks





