Javascript must be enabled to download our products and perform other essential functions.

Buy Now Download Free Trial

Back to Setup Guide for Ransomware Protection

Detection via Encrypted File Extensions and Ransom Note Filenames

PA File Sight file auditing diagram

Most ransomware attacks will either leave a ransom note in the folders they attack, or they will rename the encrypted files with a new extension. For example, finance.xls might become finance.xls.encrypted after it has been encrypted.

There are a number of sites on the Internet that keep lists of file extensions and ransom note filenames that have been seen. PA File Sight can watch for these being written. The danger of course is any malware writer can change their malware to use different extensions and ransom note filenames. Similar to the honey pots method, this is a simple method that is simple to setup so it doesn't hurt to add it.

Create a new File Sight monitor to watch the target folder D:\

Add common ransomware file extensions

Get a list of typical encrypted file extensions. There are a variety of lists on the Internet with these lists. One example is (scroll down to "Raw List").

These lists will always be outdated, but find the newest one you can to protect against the latest known ransomware variants.

On the File Types tab, you can replace the * and insert the list of file extensions you found. They need to be in the format of:

as shown in the screenshot below.

Double check the list to make sure there aren't any file extensions that might be typically used at your location, and if there are, remove them.

You can also paste a list of ransom note filenames that are in the format of:

*{ransom note filename}

as shown below:

Add common ransomware ransom note filenames

Be VERY careful and check this list of files carefully. Readme.txt is often included in these lists, but it is also a popular and legitimate filename.


Note that filenames and extensions are NOT case sensitive.

For the File Activities tab, we want to be alerted if a file is created that has one of the target extensions:

Alert when files are created

Uncheck everything on the Directory Activities tab:

Alert when files are created

For this monitor, there isn't much reason to ignore anything. The rest of the tabs can be skipped.

Next: Protection Responses - Add User to Blocked User List

As I mentioned in the meeting, and I'll say it here, I've worked with several different monitoring systems in my career and nothing holds a candle to PA [Server Monitor].

Adam A., Symantec, USA ionicons-v5-b