Search Results
Comprehensive Guide to the “Builder” Ransomware Disclaimer: This document is for educational, defensive, and incident-response purposes only. Sharing current, publicly available information about threats helps the community learn, prepare, and protect itself. Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: Encrypted files are given the fixed extension “.builder” appended after the…
Technical Breakdown (buhti) 1. File Extension & Renaming Patterns Confirmation of File Extension: The .buhti extension is appended to every successfully-encrypted file. Renaming Convention: Original: Quarterly_Report.xlsx After encryption: Quarterly_Report.xlsx.buhti (no email addresses, no ransom note in the name, no embedded ID). 2. Detection & Outbreak Timeline Approximate Start Date/Period: buhti was first observed in-the-wild on…
Comprehensive Resource: BugWare Ransomware (*.bugware) Compiled by: [Your Name], Senior Incident Response & Threat Intelligence Lead Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: *.bugware (all lowercase, appended directly with no delimiter). Renaming Convention: original_name.original_extension.id-<8-hex-chars>.[attacker_email].bugware Example: AnnualReport.xlsx.id-4f3a2b1c.[[email protected]].bugware Alternate variant for high-volume shares: foldername_ENCRYPTED.bugware (directory-hash replaced filename entirely). 2. Detection & Outbreak…
Ransomware Intelligence Bulletin – “.bugs” Variant Prepared for the DFIR & IT communities – use at your own responsibility. Always validate any tools in a secure lab before deploying in production. Technical Breakdown 1. File Extension & Renaming Pattern Exact file-extension added: Example → document.docx → document.docx.bugs or report.xlsx → report.xlsx.bugs Renaming convention: The ransomware…
Ransomware Family Profile – “.bug” (Dharma/CrySiS variant) Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: .bug at the end of every encrypted file. • Renaming Convention: – Plain → [original name].id-[8-hex-chars].[attacker_email].bug – Example: AnnualReport.xlsx becomes AnnualReport.xlsx.id-BC1D7A43.[[email protected]].bug 2. Detection & Outbreak Timeline • First reliable public sighting: November 2018. • Surge…
Community Ransomware Brief – “BUFAS” Family (extension .bufas) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: All encrypted files receive the .bufas suffix appended to the original name. Renaming Convention: Files in every folder are renamed exactly as follows: <original_name>.<original_extension>.bufas The offender does NOT replace directories, volumes, or the…
Ransomware Resource Guide Family/Extension: “.buddyransome” (a.k.a. “Buddy Ransom-Some”, “BuddySome”) Technical Breakdown 1. File Extension & Renaming Patterns • File extension – “.buddyransome” is appended to every encrypted file, typically after the original extension. Example: 2023-Q3-Budget.xlsx.buddyransome • Renaming convention – UTF-8 filename multiplied: Five random LRU hexadecimal digits ([0-9a-f]) are injected between the original filename and…
Smaug Ransomware (.BUDAK) Threat Advisory Comprehensive Guide for Defenders & Victims Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .budak is appended to every encrypted file (lower-case, never uppercase). Pattern: <original_name.id-<8-char_hex_user_id>.[attacker_email1.attacker_email2].budak> Example → spreadsheet.xlsx.id-A7B3E8D1.[[email protected]@tutanota.com].budak 2. Detection & Outbreak Timeline First public sighting: 07 March 2024 (submitted to ID-Ransomware by an IT-admin…
Technical Breakdown (bud ransomware) 1. File Extension & Renaming Patterns Confirmation of File Extension: Observed ransomware samples append .bud (case-insensitive) to encrypted files. Renaming Convention: Files are renamed in one of two observed patterns, depending on compilation flags: [original_filename].[original_extension].bud [8-byte_hex_id]-[original_filename].bud The hex_id is derived from the victim system’s MAC address XOR’d with a static value…
Ransomware Profile: “.bucbi” (a.k.a. Bucbi Ransomware) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Encrypted files are renamed with the single “.bucbi” suffix appended directly after the original file name and extension. Example: Report2024Q1.xlsx becomes Report2024Q1.xlsx.bucbi. Renaming Convention: ‑ Original full filename is kept intact. ‑ No additional e-mail address, victim-ID,…