CryptoWall, PClock, Spora, Sigma, CrypMic, DMA Locker, Locker, AES-Matrix, Microsoft Decryptor (CryptXXX), Cryptofag, TeslaCrypt v4.0, CryptoHost, MotoxLocker (DetoxCrypto), KawaiiLocker, Hermes, Data Keeper, LoveServer, Power Worm, KEYHolder and CryptorBit encrypt files but do not append or change file extensions. Newer variants of Nemucod (Nemucod-AES) and Mobef also do not append any extensions to encrypted filenames.
Some ransomware variants (i.e. DMA Locker, TeslaCrypt, CrypMic) will add a unique hex pattern (filemarker) identifier in the header of every encrypted file so the ransomware can identify the file as one it encrypted. Spora-encrypted files utilize a 4-byte-long CRC32 file marker. CryptoWall is identified by how the files are renamed. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16-byte header, which is different for each victim. PClock, Mobef and Cryptofag do not use a filemarker.
The best way to identify the different ransomwares with ID Ransomware is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses provided by the cyber-criminals to request payment, and the malware file responsible for the infection.
Without the above information, or if there is no extension or filemarker in encrypted files, our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. It's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button.
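As an added illustration of the filemarker idea above (not code from the post or from ID Ransomware): a small triage helper that reads the first bytes of a set of encrypted files and reports whether they share a consistent header, the kind of victim-specific 16-byte prefix the post describes for CryptoWall 3.0/4.0. The sample files, their header bytes and the `header_report`/`scan_directory` names are all constructed for this example.

```python
import os
from typing import Dict, Iterable

# Constructed sample "encrypted" files: each starts with the same made-up
# 16-byte header, standing in for a victim-specific filemarker. The hex
# value is a placeholder, not a real family's marker.
SAMPLE_HEADER = bytes.fromhex("0badf00d00112233445566778899aabb")
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docx": SAMPLE_HEADER + bytes(range(32)),
    "photo.jpg": SAMPLE_HEADER + bytes(range(200, 240)),
    "notes.txt": SAMPLE_HEADER + b"\x7f" * 40,
}

def common_prefix(blobs: Iterable[bytes], max_len: int = 32) -> bytes:
    """Longest byte prefix shared by every blob, capped at max_len bytes."""
    prefix = None
    for blob in blobs:
        head = blob[:max_len]
        if prefix is None:
            prefix = head
            continue
        n = 0
        while n < min(len(prefix), len(head)) and prefix[n] == head[n]:
            n += 1
        prefix = prefix[:n]
        if not prefix:
            break  # nothing shared, no point reading further
    return prefix or b""

def header_report(files: Dict[str, bytes], max_len: int = 32) -> dict:
    """Summarise whether a set of files carries a shared header (filemarker)."""
    shared = common_prefix(files.values(), max_len)
    return {
        "files": len(files),
        "shared_header_hex": shared.hex(),
        "shared_header_len": len(shared),
        # Unrelated file types (docx, jpg, txt) normally never share a
        # multi-byte prefix; when they do, that prefix is worth reporting.
        "looks_like_filemarker": len(shared) >= 4,
    }

def scan_directory(path: str, max_len: int = 32, limit: int = 200) -> dict:
    """Read the first max_len bytes of up to `limit` files and report on them."""
    files = {}
    for name in sorted(os.listdir(path))[:limit]:
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                files[name] = fh.read(max_len)
    return header_report(files, max_len)

if __name__ == "__main__":
    print(header_report(SAMPLE_FILES))
```

The reported hex prefix is something to include with the encrypted-file samples when asking for identification; a shared prefix of a few bytes can also be a legitimate file signature if all the files are the same type, so check several different file types.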