extension is more generic since it is used by several types of ransomware...CryptoShocker, LockeR, SambaCry (StorageCrypt), Bitpaymer, LOCKED, Stampado, Philadelphia, Fantom, BankAccountSummary, RAA-SEP, Uyari, PokemonGo, Russian EDA2, JobCrypter, Zyklon Locker (GNL), ApocalypseVM, KimcilWare Ransomware, Message of Death, FirstRansomware, Zyka, C/C++ Ransomware (version of Globe) and some variants of Amnesia and Globe 3 all append the .locked extension to the end of the affected filename. As such, more information (i.e. a sample of the malware file itself, ransom note, contact email address provided by the criminals) is needed for identification and confirmation.

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment and the malware file responsible for the infection.

You can submit samples of encrypted files, ransom notes and any contact email addresses or hyperlinks used by the cyber-criminals to ID Ransomware for assistance with identification. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.
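
As an added example (not part of the original post), the following Python sketch gathers the items listed above from an affected folder copy: sample files carrying the appended extension, likely ransom notes, and the contact email addresses and hyperlinks inside those notes. The function name `gather_evidence`, the list of note file types and the "same file name in every affected folder" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".htm", ".hta"}  # assumed note formats

def gather_evidence(root, appended_ext=".locked", max_samples=3):
    """Collect encrypted samples, note candidates and contact details."""
    encrypted, by_name = [], defaultdict(list)
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower().endswith(appended_ext):
            encrypted.append(path)
        elif path.suffix.lower() in NOTE_SUFFIXES:
            by_name[path.name].append(path)
    enc_dirs = {p.parent for p in encrypted}
    # Heuristic (assumption): a note is a text/HTML file whose name repeats
    # in every folder that holds encrypted files, across at least two folders.
    notes = [paths[0] for name, paths in sorted(by_name.items())
             if len(enc_dirs) >= 2 and enc_dirs <= {q.parent for q in paths}]
    emails, links = set(), set()
    for note in notes:
        # Read as text only; cap the size so an odd file cannot flood the output.
        text = note.read_text(errors="replace")[:65536]
        emails.update(EMAIL_RE.findall(text))
        links.update(u.rstrip(".,);") for u in URL_RE.findall(text))
    return {
        "encrypted_samples": encrypted[:max_samples],
        "encrypted_total": len(encrypted),
        "note_candidates": notes,
        "emails": sorted(emails),
        "links": sorted(links),
    }

if __name__ == "__main__":
    import sys
    for key, value in gather_evidence(sys.argv[1]).items():
        print(f"{key}: {value}")
```

Run it against a copy of the affected data rather than the live system, and review the note candidates by hand before uploading anything.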