Did you find and submit a ransom notes
to ID Ransomware? Uploading both
encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
There are several ransomware infections that do not append an obvious extension
to the end of encrypted filenames or add a known file pattern (filemarker) which helps to identify it. CryptoWall, CrypMic, DMA Locker, Microsoft Decryptor (CryptXXX), PClock, Spora, Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker, KawaiiLocker, Hermes, LoveServer and Power Worm do not append or change file extensions
Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4 byte long Crc32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim. PClock and Cryptofag do not use a filemarker.
The best way to identify the different ransomwares that do not append an extension is the ransom note (including it's name), samples of the encrypted files, the malware file itself or at least information related to the email address used by the cyber-criminals to request payment. Without any of that information or a file marker/unique hex pattern identifier, it is difficult to determine what you are dealing with.
Based on current infection rates and statistics, PClock
is the most prevalent ransomware variant that does not change the extension or leave a filemarker. Unfortunately, newer PClock variants
are not decryptable