Posted 08 March 2017 - 07:31 AM
Are there any obvious file extensions appended to or with your encrypted data files (i.e. several random hexadecimal characters, words or email addresses)? If so, what is the extension and is it the same for each encrypted file or is it different?
Did you find any ransom notes and if so, what is the actual name of the note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder (C:\ProgramData, C:\Documents and Settings\All Users\Application Data) for an image the malware typically uses for the background note or a randomly named .html, .txt, .png, .bmp, .url file. Most ransomware will also drop a ransom note in every directory/affected folder where data has been encrypted.
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?
The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.
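The details requested above can be gathered without opening files by hand. The following is an added example, not part of the original post: a read-only Python script that tallies the extensions found under a folder, flags note-type files whose name repeats across several directories, and pulls email addresses from file names and note text. The function names, the `min_dirs` threshold and the sample tree (extension, note name, address) are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

NOTE_EXTS = {".html", ".txt", ".png", ".bmp", ".url"}  # note file types named in the post
TEXT_EXTS = {".html", ".txt", ".url"}                  # the ones worth reading as text
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def triage(root, min_dirs=2):
    """Read-only walk of root; returns (extension counts, repeated note names, emails)."""
    ext_counts, note_paths, emails = Counter(), defaultdict(list), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            ext_counts[ext] += 1
            emails.update(EMAIL_RE.findall(name))      # address embedded in a file name
            if ext in NOTE_EXTS:
                note_paths[name.lower()].append(os.path.join(dirpath, name))
    notes = {}
    for name, paths in note_paths.items():
        dirs = {os.path.dirname(p) for p in paths}
        if len(dirs) < min_dirs:                       # same name in many folders = likely note
            continue
        notes[name] = len(dirs)
        if os.path.splitext(name)[1] in TEXT_EXTS:
            with open(paths[0], "r", errors="replace") as fh:
                emails.update(EMAIL_RE.findall(fh.read(65536)))
    return ext_counts, notes, emails

def build_sample(root):
    """Constructed sample tree: extension, note name and address are made up."""
    for sub in ("Documents", "Pictures"):
        os.makedirs(os.path.join(root, sub))
        for doc in ("a.docx", "b.xlsx"):
            open(os.path.join(root, sub, doc + ".locked"), "wb").close()
        with open(os.path.join(root, sub, "README_DECRYPT.txt"), "w") as fh:
            fh.write("Contact recover@example.com for instructions\n")
    open(os.path.join(root, "Documents", "todo.txt"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        exts, notes, emails = triage(tmp)
        print(exts.most_common(3), notes, sorted(emails))
```

On an affected machine, call `triage()` on a copy or a read-only mount of the user profile rather than the sample tree, and report the top extension, the repeated note name and any addresses found.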