{"id":4663,"date":"2016-03-03T10:45:52","date_gmt":"2016-03-03T16:45:52","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=4663"},"modified":"2016-09-27T08:26:43","modified_gmt":"2016-09-27T13:26:43","slug":"cryptolocker-file-extension-list","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/cryptolocker-file-extension-list\/","title":{"rendered":"Cryptolocker File Extension List"},"content":{"rendered":"

There is a thread on Reddit<\/a> that lists many known Cryptolocker file extensions (both the extension that the newly-encrypted file gets, and the ransom note file).<\/span><\/p>\n

\u00a0<\/p>\n

\"file-sight-paste-extensions\"<\/a>A number of customers have asked to be able to more easily paste this list of file names into the list of file types to watch, which is now possible (currently in the 6.3 Preview build<\/a>).<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

Using lists like this\u00a0can help catch existing Cryptolocker variants, but hackers are always adapting. \u00a0Detecting behavior is better, which we mentioned in a previous blog post is what some of our customers are doing<\/a>.<\/span><\/p>\n

\u00a0<\/p>\n

\u00a0<\/p>\n

The current list is below. \u00a0Note that README.txt is in the list which you\u00a0will have to decide if you want to alert on.<\/span><\/p>\n

Cryptolocker Encrypted File Extensions<\/strong><\/span><\/h3>\n

*.ecc<\/span>
\n *.ezz<\/span>
\n *.exx<\/span>
\n *.zzz<\/span>
\n *.xyz<\/span>
\n *.aaa<\/span>
\n *.abc<\/span>
\n *.ccc<\/span>
\n *.vvv<\/span>
\n *.xxx<\/span>
\n *.ttt<\/span>
\n *.micro<\/span>
\n *.encrypted<\/span>
\n *.locked<\/span>
\n *.crypto<\/span>
\n *_crypt<\/span>
\n *.crinf<\/span>
\n *.r5a<\/span>
\n *.XRNT<\/span>
\n *.XTBL<\/span>
\n *.crypt<\/span>
\n *.R16M01D05<\/span>
\n *.pzdc<\/span>
\n *.good<\/span>
\n *.LOL!<\/span>
\n *.OMG!<\/span>
\n *.RDM<\/span>
\n *.RRK<\/span>
\n *.encryptedRSA<\/span>
\n *.crjoker<\/span>
\n *.EnCiPhErEd<\/span>
\n *.LeChiffre<\/span>
\n *.keybtc@inbox_com<\/span>
\n *.0x0<\/span>
\n *.bleep<\/span>
\n *.1999<\/span>
\n *.vault<\/span>
\n *.HA3<\/span>
\n *.toxcrypt<\/span>
\n *.magic<\/span>
\n *.SUPERCRYPT<\/span>
\n *.CTBL<\/span>
\n *.CTB2<\/span>
\n *.locky\u00a0<\/span><\/p>\n

Cryptolocker Ransom Filenames<\/strong><\/span><\/h3>\n

*HELPDECRYPT.TXT
\n *HELP_YOUR_FILES.TXT
\n *HELP_TO_DECRYPT_YOUR_FILES.txt
\n *RECOVERY_KEY.txt
\n *HELP_RESTORE_FILES.txt
\n *HELP_RECOVER_FILES.txt
\n *HELP_TO_SAVE_FILES.txt
\n *DecryptAllFiles.txt
\n *DECRYPT_INSTRUCTIONS.TXT
\n *INSTRUCCIONES_DESCIFRADO.TXT
\n *How_To_Recover_Files.txt
\n *YOUR_FILES.HTML
\n *YOUR_FILES.url
\n *encryptor_raas_readme_liesmich.txt
\n *Help_Decrypt.txt
\n *DECRYPT_INSTRUCTION.TXT
\n *HOW_TO_DECRYPT_FILES.TXT
\n *ReadDecryptFilesHere.txt
\n *Coin.Locker.txt _secret_code.txt
\n *About_Files.txt
\n *Read.txt
\n *ReadMe.txt<\/span>
\n *DECRYPT_ReadMe.TXT
\n *DecryptAllFiles.txt <\/span>
\n *FILESAREGONE.TXT<\/span>
\n *IAMREADYTOPAY.TXT<\/span>
\n *HELLOTHERE.TXT<\/span>
\n *READTHISNOW!!!.TXT<\/span>
\n *SECRETIDHERE.KEY <\/span>
\n *IHAVEYOURSECRET.KEY<\/span>
\n *SECRET.KEY<\/span>
\n *HELPDECYPRT_YOUR_FILES.HTML
\n *help_decrypt_your_files.html
\n *HELP_TO_SAVE_FILES.txt
\n *RECOVERY_FILES.txt
\n *RECOVERY_FILE.TXT
\n *RECOVERY_FILE*.txt <\/span>
\n *HowtoRESTORE_FILES.txt<\/span>
\n *HowtoRestore_FILES.txt
\n *howto_recover_file.txt<\/span>
\n *restorefiles.txt<\/span>
\n *howrecover+*.txt
\n *_how_recover.txt<\/span>
\n *recoveryfile*.txt<\/span>
\n *recoverfile*.txt <\/span>
\n *recoveryfile*.txt<\/span>
\n *Howto_Restore_FILES.TXT<\/span>
\n *help_recover_instructions+*.txt<\/span>
\n *_Locky_recover_instructions.txt<\/span><\/p>\n

\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"

There is a thread on Reddit that lists many known Cryptolocker file extensions (both the extension that the newly-encrypted file gets, and the ransom note file). \u00a0 A number of customers have asked to be able to more easily paste this list of file names into the list of file types to watch, which is […]<\/p>\n","protected":false},"author":3,"featured_media":4664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,13,6,8],"tags":[],"class_list":["post-4663","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptolocker","category-pc-security","category-tech","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=4663"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4663\/revisions"}],"predecessor-version":[{"id":4873,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4663\/revisions\/4873"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/4664"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=4663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=4663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=4663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}