There is a thread on Reddit that lists many known Cryptolocker file extensions (both the extension that the newly-encrypted file gets, and the ransom note file).

 

A number of customers have asked to be able to more easily paste this list of file names into the list of file types to watch, which is now possible (currently in the 6.3 Preview build).

 

 

Lists like this can help catch existing Cryptolocker variants, but hackers are always adapting. Detecting behavior is better, and as we mentioned in a previous blog post, that is what some of our customers are doing.

 

 

The current list is below. Note that README.txt is in the list, so you will have to decide whether you want to alert on it.

Cryptolocker Encrypted File Extensions

*.ecc
*.ezz
*.exx
*.zzz
*.xyz
*.aaa
*.abc
*.ccc
*.vvv
*.xxx
*.ttt
*.micro
*.encrypted
*.locked
*.crypto
*_crypt
*.crinf
*.r5a
*.XRNT
*.XTBL
*.crypt
*.R16M01D05
*.pzdc
*.good
*.LOL!
*.OMG!
*.RDM
*.RRK
*.encryptedRSA
*.crjoker
*.EnCiPhErEd
*.LeChiffre
*.keybtc@inbox_com
*.0x0
*.bleep
*.1999
*.vault
*.HA3
*.toxcrypt
*.magic
*.SUPERCRYPT
*.CTBL
*.CTB2
*.locky 

Cryptolocker Ransom Filenames

*HELPDECRYPT.TXT
*HELP_YOUR_FILES.TXT
*HELP_TO_DECRYPT_YOUR_FILES.txt
*RECOVERY_KEY.txt
*HELP_RESTORE_FILES.txt
*HELP_RECOVER_FILES.txt
*HELP_TO_SAVE_FILES.txt
*DecryptAllFiles.txt
*DECRYPT_INSTRUCTIONS.TXT
*INSTRUCCIONES_DESCIFRADO.TXT
*How_To_Recover_Files.txt
*YOUR_FILES.HTML
*YOUR_FILES.url
*encryptor_raas_readme_liesmich.txt
*Help_Decrypt.txt
*DECRYPT_INSTRUCTION.TXT
*HOW_TO_DECRYPT_FILES.TXT
*ReadDecryptFilesHere.txt
*Coin.Locker.txt _secret_code.txt
*About_Files.txt
*Read.txt
*ReadMe.txt
*DECRYPT_ReadMe.TXT
*DecryptAllFiles.txt

*FILESAREGONE.TXT
*IAMREADYTOPAY.TXT
*HELLOTHERE.TXT
*READTHISNOW!!!.TXT
*SECRETIDHERE.KEY
*IHAVEYOURSECRET.KEY
*SECRET.KEY
*HELPDECYPRT_YOUR_FILES.HTML
*help_decrypt_your_files.html
*HELP_TO_SAVE_FILES.txt
*RECOVERY_FILES.txt
*RECOVERY_FILE.TXT
*RECOVERY_FILE*.txt

*HowtoRESTORE_FILES.txt
*HowtoRestore_FILES.txt
*howto_recover_file.txt

*restorefiles.txt
*howrecover+*.txt
*_how_recover.txt

*recoveryfile*.txt
*recoverfile*.txt
*recoveryfile*.txt
*Howto_Restore_FILES.TXT
*help_recover_instructions+*.txt
*_Locky_recover_instructions.txt
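As an added example (not part of the original post and not PA File Sight's own code), here is one way to apply wildcard patterns like these to a stream of file-creation events. It uses a subset of the patterns above, matches case-insensitively, and treats the README-style patterns as noise unless the same directory also has a stronger hit; that triage policy, the labels, and the sample paths are assumptions made for illustration.

```python
import fnmatch
import ntpath
import re
from collections import defaultdict

# A subset of the wildcard patterns listed on this page.
ENCRYPTED = ["*.ecc", "*.micro", "*.encrypted", "*.locked", "*_crypt",
             "*.LOL!", "*.keybtc@inbox_com", "*.vault", "*.locky"]
NOTES = ["*HELPDECRYPT.TXT", "*DECRYPT_INSTRUCTIONS.TXT", "*RECOVERY_FILE*.txt",
         "*howrecover+*.txt", "*_Locky_recover_instructions.txt"]
# Patterns that also match ordinary files (the README.txt caveat above).
NOISY = ["*Read.txt", "*ReadMe.txt"]

def _compile(patterns, label):
    # fnmatch.translate turns a shell-style wildcard into a regex; match
    # case-insensitively because Windows file names are case-insensitive.
    return [(re.compile(fnmatch.translate(p), re.IGNORECASE), p, label)
            for p in patterns]

RULES = (_compile(ENCRYPTED, "encrypted-extension")
         + _compile(NOTES, "ransom-note")
         + _compile(NOISY, "noisy-note"))  # labels are hypothetical names

def classify(path):
    """Return (label, pattern) for the first rule matching the file name, else None."""
    name = ntpath.basename(path)  # ntpath splits on both \ and /
    for regex, pattern, label in RULES:
        if regex.match(name):
            return label, pattern
    return None

def triage(paths):
    """Group hits by directory; keep noisy hits only beside a stronger hit."""
    by_dir = defaultdict(list)
    for path in paths:
        hit = classify(path)
        if hit:
            by_dir[ntpath.dirname(path)].append((ntpath.basename(path), *hit))
    return {d: hits for d, hits in by_dir.items()
            if any(label != "noisy-note" for _, label, _ in hits)}

# Constructed sample events (not real telemetry).
SAMPLE = [r"D:\share\finance\budget.xlsx.LOCKY",
          r"D:\share\finance\_Locky_recover_instructions.txt",
          r"D:\share\finance\ReadMe.txt",
          r"D:\tools\putty\README.txt",
          r"D:\share\hr\notes.docx"]

if __name__ == "__main__":
    for directory, hits in triage(SAMPLE).items():
        print(directory, hits)
```

With the sample events, only the finance share is reported; the lone README.txt under the tools directory is dropped because nothing else in that directory matched.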

 


One Response to Cryptolocker File Extension List

  1. […] Another post lists file extensions that some people are using to detect current CryptLocker variants. […]
