
File Screens and Crypto Malware


16 replies to this topic

#1 spangenb


Posted 01 March 2016 - 12:51 PM

Since ransomware really exploded we have been employing passive file screens on our Windows servers to at least get early warning that something is going on.  This technique works great for known variants, but keeping informed about all the new variants as they come out is a difficult task.  Is there any sort of central clearinghouse for information about what filenames or extensions are used by various malware?  It would be great to have all that information in one place so that we could check it periodically or get notified about updates.




#2 Demonslay335

Ransomware Hunter, Security Colleague

Posted 01 March 2016 - 01:08 PM

I'm working on something like that, at least in the sense of being able to determine the variant that encrypted the files. :wink:

 

Subscribing to the BleepingComputer news RSS feed is a great way to know of most break-throughs and news-worthy attacks.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 spangenb

Topic Starter

Posted 01 March 2016 - 01:16 PM

Thanks!  I will look up the RSS feed.



#4 Demonslay335

Ransomware Hunter, Security Colleague

Posted 01 March 2016 - 01:29 PM

Links are at the top of the main site, following them on social media also works if you aren't into RSS. I also subscribe to a few other feeds that are recommended from BC's media links like Emsisoft and MalwareHunterTeam.




#5 ZexGX


Posted 01 March 2016 - 02:43 PM

If there's ever a central list, I'd like to know as well. Following social media/RSS feeds with general news isn't really ideal for this exact purpose.

 

Here's mine that I created mostly for the more recent cryptovirii:

*.aaa
*.abc
*.ccc
*.cerber
*.cryptolocker
*.doc.exe
*.doc.mp3
*.docx.mp3
*.ecc
*.encrypted
*.exx
*.ezz
*.LeChiffre
*.locky
*.micro
*.pdf.exe
*.pdf.mp3
*.rdm
*.rrk
*.ttt
*.vvv
*.xls.exe
*.xls.mp3
*.xlsx.exe
*.xlsx.mp3
*.xxx
*.xyz
*.zip.exe
*.zzz
*crypt*.bmp
*crypt*.htm*
*crypt*.txt
*help*recover*
*help*restore*
*help*your*
*recover*.bmp
*recover*.htm*
*recover*.png
*recover*.txt
*restore*file*.bmp
*restore*file*.htm*
*secret*code*.txt
DeLeChiffre.rar



#6 spangenb

Topic Starter

Posted 01 March 2016 - 02:50 PM

Excellent.  Thanks ZexGX.  That's the sort of listing I am looking for.  We do get a few false positives on extensions like *.aaa, but that's better than the alternative!



#7 quietman7

Bleepin' Janitor, Global Moderator

Posted 01 March 2016 - 05:11 PM

A repository listing of all Bleeping Computer crypto malware information and ransomware topics can be found in this index. These are some of the more common ransomware file extensions appended to encrypted files, from a list I maintain:

.ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .crypto, _crypt, .crypt, .crinf, .pzdc, .good, .R16M01D05, .cerber, .73i87A, .p5tkjw, PoAr2w, .r5a, .XTBL, .YTBL, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .cryptcryptcrypt@gmail.com, .0x0, .bleep, .1999, .vault, .HA3, .frtrss, .toxcrypt, .magic, .ENC, .locky, _sq.<filename>, .k2p, .Sanction, .krypted, .SPORT, .cwgoqia, .trun, .crysis, .xrtn, .SUPERCRYPT, .CTBL, .CTB2, or 6-7 length extension consisting of random characters such as .uogltic, .rpyxhhm, .mtrsxox, .phszfud.


These are examples of ransom notes:
HELP_DECRYPT.TXT, DECRYPT_INSTRUCTION.TXT, HELP_YOUR_FILES.TXT, HELP_FILE_[random number/letter].HTML
Help_File_[random number/letter].html, install_tor.url, HELP_TO_DECRYPT_YOUR_FILES.txt, ATTENTION.RTF
Read.txt, ReadMe.txt, README1.txt...README10.txt, READ_IF_YOU_WANT_YOUR_FILES.html, WHAT IS SQ_.txt
READ!!!!!!!!!!!.ME.txt, _Locky_recover_instructions.txt, ReadDecryptFilesHere.txt, ABOUT_FILES!.txt
Help_Decrypt.txt, README!!.TXT, YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt,
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, How_To_Recover_Files.txt, How_To_Restore_Files.txt, Coin.Locker.txt
HOW_TO_DECRYPT_FILES.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT MY FILES#..txt, IMPORTANT READ ME.txt
_secret_code.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt, AllFilesAreLocked_.bmp, BLEEPEDFILES.TXT
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, help recover files.txt, Recovery+[5-random].txt
_ReCoVeRy_+[5_random].txt, Recovery_[5_random].txt, RECOVERY.TXT, RECOVERY_KEY.txt, README_FOR_DECRYPT.txt

Note: The [random] represents random characters which some ransom notes names may include.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 spangenb

Topic Starter

Posted 02 March 2016 - 08:06 AM

Thanks quietman7.



#9 quietman7

Bleepin' Janitor, Global Moderator

Posted 02 March 2016 - 08:30 AM

You're welcome.

#10 spangenb

Topic Starter

Posted 04 March 2016 - 02:40 PM

quietman7, what I am really asking for in my original post is someplace on the Web that maintains updated versions of the lists you provided above.  Are you aware of such a place?  I didn't see a link to such a list in the link you sent.



#11 quietman7

Bleepin' Janitor, Global Moderator

Posted 04 March 2016 - 02:53 PM

I am not aware of any place such a comprehensive list is maintained.

#12 fonguy


Posted 07 March 2016 - 01:02 PM

Here is my complete list to date:

*.aaa
*.lol
*.lol!
*help*your*files*
*want your files back.*
_H_e_l_p_RECOVER_INSTRCTIONS*
decrypt_instruct*.*
DECRYPT_INSTRUCTION.*
enc_files.txt
HELP_DECRYPT*
help_decrypt*.*
help_restore*.*
how to decrypt*.*
how_to_decrypt*.*
howtodecrypt*.*
install_tor*.*
last_chance.txt
recovery_file.txt
recovery_key.txt
recovery+sigxi.*
restore_files*
*secret_code.txt
vault.txt
*.locky
*.cerber
*.ecc
*.eee
*.zzz
*.ccc
*.xyz
*.*cry
*.*crypto
*.*darkness
*.*enc*
*.*kb15
*.*kb4
*.*kraken
*.*locked
*.*nochance
*.*obleep
*.*exx
*@gmail_com_*
*@india.com*
*cpyt*
*crypt*
*decipher*
*keemail.me*
*qq_com*
*ukr.net*
*.frtrss
*.vault
*wat your files back.*
confirmation.key
message.txt
vault.hta
vault.key
*.abc
*.vvv
*.ttt
*.xxx
*.micro



#13 fonguy


Posted 07 March 2016 - 01:07 PM

Has anyone found a "central list"??  If someone would create a way to enter a text file into file resource manager file groups instead of one at a time it would be worth some money!!!
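The opening post describes passive FSRM file screens as an early-warning tripwire, and this post asks for a way to load a whole text file of patterns into a file group instead of entering them one at a time. The following PowerShell script is an added example that covers both; it is not code from any poster in this thread. It assumes a Windows Server with the File Server Resource Manager role installed (which provides the FileServerResourceManager module) and an elevated session; the pattern file path, file group name and share path are placeholders to adjust.

```powershell
# Added example, not from any poster in this thread: import a text file of
# patterns (one per line, like the lists posted above) into an FSRM file group,
# then attach that group to a *passive* file screen on each monitored path.
# Passive means the write is allowed but a notification fires, so a hit is an
# early warning rather than a blocked save.
# Assumption: FSRM role installed, FileServerResourceManager module available,
# elevated PowerShell. All paths and names below are placeholders.

param(
    [string]$PatternFile   = 'C:\FSRM\ransomware-patterns.txt',  # placeholder: one pattern per line
    [string]$GroupName     = 'Ransomware Indicators',            # placeholder file group name
    [string[]]$ScreenPaths = @('D:\Shares'),                     # placeholder share root(s)
    # FSRM substitutes the bracketed variables when the notification runs.
    [string]$EventBody     = 'Possible ransomware activity: [Source Io Owner] wrote [Source File Path] on [Server] (file group: [Violated File Group])'
)

Import-Module FileServerResourceManager

# Read the pattern file: trim, drop blank and '#' comment lines, dedupe.
# FSRM matching is case-insensitive, so "*.LeChiffre" and "*.lechiffre" are the
# same rule; Sort-Object -Unique is also case-insensitive and keeps only one.
$patterns = Get-Content -Path $PatternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

if (-not $patterns) { throw "No patterns found in $PatternFile" }

# Create the file group on the first run; on later runs replace its pattern set
# so re-running after editing the text file keeps the group in sync.
$group = Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue
if ($null -eq $group) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns `
        -Description 'Imported from text file' | Out-Null
} else {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# Notification action: write a Warning to the Application event log.
# (An Email or Command action can be added alongside it for alerting.)
$action = New-FsrmAction -Type Event -EventType Warning -Body $EventBody

# -Active:$false makes the screen passive (monitor only).
foreach ($path in $ScreenPaths) {
    $existing = Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-FsrmFileScreen -Path $path -IncludeGroup $GroupName `
            -Active:$false -Notification $action | Out-Null
    } else {
        Set-FsrmFileScreen -Path $path -IncludeGroup $GroupName `
            -Active:$false -Notification $action | Out-Null
    }
}

"Loaded {0} patterns into file group '{1}' and applied a passive screen to {2} path(s)." -f `
    $patterns.Count, $GroupName, $ScreenPaths.Count
```

Two things to keep in mind when using a list like this. First, a file screen only matches names at write time, so the earliest signal is usually a ransom note being dropped (the HELP_DECRYPT*, *recover*, *restore* style patterns) rather than the renamed data files. Second, broad patterns such as *.aaa or *crypt* will hit legitimate files, as noted earlier in the thread; keeping the screen passive means those false positives cost an event log entry, not a blocked user, and the resulting Warning events (source SRMSVC in the Application log) can be forwarded to whatever alerting you already have.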



#14 Demonslay335

Ransomware Hunter, Security Colleague

Posted 07 March 2016 - 01:17 PM

I'm working on a tool that will have a database like this online, so I might open an API for it down the road if the beta is successful.




#15 quietman7

Bleepin' Janitor, Global Moderator

Posted 07 March 2016 - 01:58 PM

Has anyone found a "central list"??  If someone would create a way to enter a text file into file resource manager file groups instead of one at a time it would be worth some money!!!

There currently is no central list except those created privately by a few folks and already provided here.

Demonslay335 is working on a project and will provide a link when it is finished.



