Any files that are encrypted with CryptXXX Ransomware
will have the .crypt
extension appended to the end of the affected filename and leave files (ransom notes) named de_crypt_readme.txt, de_crypt_readme.html, de_crypt_readme.bmp, de_crypt_readme.png. CryptXXX 2.x/3.x variants will leave unique Personal ID files using random 12 hexadecimal characters with names like <id-number>.html, <id-number>.txt, <id-number>.bmp (i.e. S45CC72F3463.txt, !4AD604B8AE89.txt), !Recovery_<id-number>.html, !Recovery_<id-number>.txt, !Recovery_<id-number>.bmp (i.e. !Recovery_4582C8FAEB15.txt).
Any files that are encrypted with CryptXXX 3.x / UltraDeCrypter / UltraCrypter
will have the .cryp1
extension appended to the end of the affected filename. More information about CryptXXX Version 3.100 is provided in this article
Any files that are encrypted with Chimera Ransomware
appends a .crypt
extension to the end of each filename and leaves files (ransom notes) named YOUR_FILES_ARE_ENCRYPTED.HTML.
You can submit samples of encrypted files and ransom notes to ID Ransomware
for assistance with identification and confirmation. If ID Ransomware cannot identify the infection, you can post the case SHA1
it gives you in your next reply for Demonslay335
to manually inspect the files.