More information is needed to determine specifically what infection you are dealing with since there are several different ransomware infections which utilize a random 4, 5, 6, 7 character extension
and Maktub Locker are the two most common ransomware infections which use a random 6-7 character extension appended to the end of the file name. Alma Locker uses a random 5-6 character extension. Princess Locker uses a random 4-5 character extension. Some Xorist Ransomware variants will also have a random character extension (.73i87A, .p5tkjw, .0JELvV, .UslJ6m, .n1wLp0, .5vypSa, .YNhlv1, .PoAr2w, .6FKR8d, .neitrino, .rtyrtyrty) appended to the end of the file name.
The best way to identify the different ransomware families that use "random character extensions" is the ransom note or at least information related to the email address used by the cyber-criminals.

Did you find any ransom notes? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.
CTB-Locker will leave files (ransom notes) named DecryptAllFiles.txt, DecryptAllFiles_<user name>.txt, !Decrypt-All-Files.[7-random].html that contain ransom instructions, but the newer variants do not always leave a ransom note if the malware fails to change the background like it typically does. An AllFilesAreLocked_<user name>.bmp image file may be left in the My Documents folder which contains further instructions on how to pay the ransom.
Maktub Locker displays a ransom note named _DECRYPT_INFO_[random].html.
Alma Locker will leave files (ransom notes) named Unlock_files_<random>.html, Unlock_files_<random>.txt.
Princess Locker will leave files (ransom notes) named !_HOW_TO_RESTORE_[extension].TXT, !_HOW_TO_RESTORE_[extension].html.
Xorist Ransomware variants will leave files (ransom notes) named HOW_TO_DECRYPT_FILES.TXT, READ TO DECRYPTIONS_.txt.
Based on infection rates we see, you are most likely dealing with CTB-Locker. You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
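The identification approach the post describes (match the ransom-note file names, then check the length of the extension appended to encrypted files) can be turned into a small triage script for a directory listing. This is an added example written for this reply, not code from the post or from ID Ransomware; the note patterns and extension lengths are taken from the post's text, the list of "normal" document extensions and the sample file names are constructed assumptions.

```python
import re
from collections import Counter

# Ransom-note file names the post attributes to each family (matched case-insensitively).
# Hypothetical mapping built from the post's text, not from any vendor signature set.
NOTE_PATTERNS = {
    "CTB-Locker": [r"^DecryptAllFiles(_.+)?\.txt$", r"^!Decrypt-All-Files\..{7}\.html$",
                   r"^AllFilesAreLocked_.+\.bmp$"],
    "Maktub Locker": [r"^_DECRYPT_INFO_.+\.html$"],
    "Alma Locker": [r"^Unlock_files_.+\.(html|txt)$"],
    "Princess Locker": [r"^!_HOW_TO_RESTORE_.+\.(txt|html)$"],
    "Xorist": [r"^HOW_TO_DECRYPT_FILES\.txt$", r"^READ TO DECRYPTIONS_\.txt$"],
}

# Appended-extension lengths per family, as stated in the post.
EXT_LENGTHS = {"CTB-Locker": (6, 7), "Maktub Locker": (6, 7),
               "Alma Locker": (5, 6), "Princess Locker": (4, 5)}

# A normal document extension followed by a 4-7 character alphanumeric tail,
# e.g. "budget.xlsx.ph6bslq": the original file type survives in the name.
# The list of "normal" extensions is an assumption; extend it for your environment.
APPENDED_EXT = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|zip)\.([A-Za-z0-9]{4,7})$", re.IGNORECASE)


def triage(filenames):
    """Report ransom-note hits, appended extensions and families whose length fits."""
    note_hits = set()
    ext_counts = Counter()
    for name in filenames:
        for family, patterns in NOTE_PATTERNS.items():
            if any(re.match(p, name, re.IGNORECASE) for p in patterns):
                note_hits.add(family)
        m = APPENDED_EXT.search(name)
        if m:
            ext_counts[m.group(2)] += 1
    # One random extension is used per infection, so the dominant one is the signal.
    candidates = set()
    for ext, _ in ext_counts.most_common(1):
        candidates = {f for f, (lo, hi) in EXT_LENGTHS.items() if lo <= len(ext) <= hi}
    return {"note_hits": sorted(note_hits), "extensions": dict(ext_counts),
            "length_candidates": sorted(candidates)}


# Constructed sample listing (not from a real incident).
SAMPLE = ["report.docx.ph6bslq", "photo1.jpg.ph6bslq", "budget.xlsx.ph6bslq",
          "notes.txt", "DecryptAllFiles.txt", "!Decrypt-All-Files.a1b2c3d.html"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A note-name hit is far stronger evidence than the extension length alone, which only narrows the candidate families; confirm with ID Ransomware as the post suggests.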