More information is needed to determine what infection you are dealing with since there are several ransomware infections which utilize a random 5, 6, 7 character extension. CTB-Locker and Maktub Locker are the two most common ransomware infections which use these random 6-7 character extensions for files. Alma Locker Ransomware uses a random 5-6 character extension. Some Xorist Ransomware variants will also have a random character extension (.73i87A, .p5tkjw, .0JELvV, .UslJ6m, .n1wLp0, .5vypSa, .YNhlv1, .PoAr2w, .6FKR8d, .neitrino, .rtyrtyrty) appended to the end of the file name.

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) folder for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data was encrypted.

CTB-Locker will leave files (ransom notes) with names like DecryptAllFiles.txt, DecryptAllFiles_<user name>.txt, !Decrypt-All-Files.[7-random].html that contain ransom instructions, but the newer variants do not always leave a ransom note if the malware fails to change the background like it typically does. An AllFilesAreLocked_<user name>.bmp image file may be left in the My Documents folder which contains further instructions on how to pay the ransom.

Maktub Locker displays a ransom note named _DECRYPT_INFO_[random].html.

Alma Locker will leave files (ransom notes) with names like Unlock_files_<random>.html, Unlock_files_<random>.txt.

Xorist Ransomware variants will leave files (ransom notes) named HOW_TO_DECRYPT_FILES.TXT, READ TO DECRYPTIONS_.txt.

Based on infection rates we see, it is most likely you are dealing with CTB-Locker. You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
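
As an added example (not part of the original post, and not a replacement for ID Ransomware), the ransom-note names and extension lengths listed above can be turned into a quick triage check over a file listing. The function names, the sample listing, and the assumptions that "random" parts are alphanumeric and that the random extension is appended after the original one are all this example's own.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Ransom-note name patterns taken from the post. Assumptions: the "random"
# parts are alphanumeric and matching is case-insensitive.
NOTE_PATTERNS = {
    "CTB-Locker": [
        r"DecryptAllFiles(_.+)?\.txt",
        r"!Decrypt-All-Files\.[A-Za-z0-9]{7}\.html",
        r"AllFilesAreLocked_.+\.bmp",
    ],
    "Maktub Locker": [r"_DECRYPT_INFO_[A-Za-z0-9]+\.html"],
    "Alma Locker": [r"Unlock_files_[A-Za-z0-9]+\.(html|txt)"],
    "Xorist": [r"HOW_TO_DECRYPT_FILES\.TXT", r"READ TO DECRYPTIONS_\.txt"],
}
# Extension lengths the post gives per family (Xorist is listed by example only).
EXT_LENGTHS = {"CTB-Locker": {6, 7}, "Maktub Locker": {6, 7}, "Alma Locker": {5, 6}}

def match_note(name):
    """Return the family whose ransom-note pattern matches this file name, else None."""
    for family, patterns in NOTE_PATTERNS.items():
        if any(re.fullmatch(p, name, re.IGNORECASE) for p in patterns):
            return family
    return None

def triage(paths):
    """Group ransom notes by family; list families whose extension length fits the data."""
    notes, exts = {}, Counter()
    for raw in paths:
        p = PureWindowsPath(raw)          # parses Windows paths on any OS
        family = match_note(p.name)
        if family:
            notes.setdefault(family, []).append(p.name)
        elif len(p.suffixes) >= 2:        # assumed form: report.docx.<random>
            exts[p.suffix] += 1
    ext = exts.most_common(1)[0][0] if exts else None
    by_ext = sorted(f for f, n in EXT_LENGTHS.items() if ext and len(ext) - 1 in n)
    return {"notes": notes, "extension": ext, "extension_candidates": by_ext}

SAMPLE = [  # constructed listing, not from a real case
    r"C:\Users\pat\Documents\report.docx.kqzvbwe",
    r"C:\Users\pat\Documents\budget.xlsx.kqzvbwe",
    r"C:\Users\pat\Documents\!Decrypt-All-Files.kqzvbwe.html",
    r"C:\Users\pat\Documents\AllFilesAreLocked_pat.bmp",
    r"C:\Users\pat\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The extension length alone leaves two candidates for the sample; the ransom-note names are what narrow it down, which is why both are worth collecting before submitting samples.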