Are there any obvious file extensions appended to or with your encrypted data files? If so, what is the extension and is it the same for each encrypted file or is it different? Some types of ransomware will completely rename, encrypt or even scramble file names while others do not append any extensions.
Did you find any ransom notes and if so, what is the actual name of the note?
Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
As is typical with ransomware, some victims have reported they paid the ransom and were successful in decrypting their data. Some victims have reported paying the ransom only to discover the criminals wanted more money...demanding additional payments with threats the data would be destroyed or exposed. Still others have reported they paid but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the decryption software they received did not work, resulted in errors and in some cases caused damage to the files. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited-size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all and decryption of very large files may be unsuccessful even with the criminal's decryption tool.