Search Results

  • black shades

    BLACK SHADES RANSOMWARE – COMMUNITY RESPONSE GUIDE SECTION 1: TECHNICAL BREAKDOWN File Extension & Renaming Patterns • File extension: .blax • Renaming convention: Original name kept in full, then a 40-symbol hexadecimal user-ID (derived from the first 20 bytes of the ECDH public key), a hyphen, then a 4-digit counter, and finally “.blax”.…

  • black feather

    Black Feather Ransomware Intelligence Report Last updated: 2024-05-30 Technical Break-down 1. File Extension & Renaming Patterns Confirms to: .BF (upper-case) Example: AnnualBudget.xlsx → AnnualBudget.xlsx.BF Renaming Convention: • Files remain in original tree structure (no random sub-folders). • Every 100th file is also prefixed with [BLACK-FEATHER-#] where # is an ascending integer (used by the decryptor…

  • black

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware’s definitive, appended suffix is .black (always lowercase, no second extension). Renaming Convention: Original file name + 8-byte hash of the original path + .black. Example: Annual_Report.xlsx → Annual_Report.xlsx.BE7FAC2E.black. Directories themselves are untouched; only the files inside are renamed. 2. Detection & Outbreak…

  • bl3

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .bl3 Renaming Convention: Upon encrypting a file, BL3 appends the suffix .bl3 to the original name without changing the base filename. Example: Quarterly_Report.xlsx becomes Quarterly_Report.xlsx.bl3 2. Detection & Outbreak Timeline Approximate Start Date/Period: First public sightings occurred in mid-2020, with a notable spike…

  • bl0cked

    Ransomware Resource Center Identifier: .bl0cked Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The variant appends the literal suffix “.bl0cked” (with a zero instead of the letter “o”) to every file it encrypts, e.g., Invoice_2024.xlsx.bl0cked. Renaming Convention: Original filename → SHA-256-based encrypted payload name → original filename + .bl0cked. The ransomware…

  • bl00dy

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .bl00dy (note the two zeroes). Renaming Convention: The malware keeps the original file name and appends “.bl00dy” to every encrypted file (e.g., Project.xlsx becomes Project.xlsx.bl00dy). A ransom note (README_note.txt on Windows or README.txt on ESXi) is then dropped in every encrypted folder and…

  • bkransomware

    Technical Breakdown: bkransomware (.bk file extension) 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file is appended with the single, lowercase extension .bk placed after the original extension (example: report.xlsx becomes report.xlsx.bk). Renaming Convention: The malware does NOT alter the original file name or internal directory structure inside archives. The .bk…

  • bkqfmsahpt

    Technical Breakdown – “.bkqfmsahpt” Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: “.bkqfmsahpt” is appended as a fifth-level extension (e.g., picture.jpg.bkqfmsahpt). Renaming Convention: <original_filename>.<original_ext>.bkqfmsahpt You will NOT see any e-mail address or victim-ID between the name parts – just the original name + the new extension. 2. Detection & Outbreak Timeline First…

  • bkpx

    Technical Breakdown: File Extension & Renaming Patterns • Confirmation of File Extension: .bkpx – the malware appends this 5-byte suffix to every encrypted file. • Renaming Convention: OriginalFileName.ext → OriginalFileName.ext.bkpx. When the executable listxe.exe is dropped, it renames the file only once. Hidden extensions in Windows Explorer may mask the double extension until toggled…

  • bkp

    Technical Breakdown – “.bkp” Ransomware (T-REX / CryT0x variant) 1. File Extension & Renaming Patterns Exact Extension: .bkp (prepended with “.” – no trailing dots or random characters). Renaming Convention: – Plain encryption of file and streams in place (no extra suffix). – After encryption the extension simply becomes “[original_name].bkp”. – If system language is…