Search Results
EXOCRYPT-XTC Ransomware – Community Threat Guide (File extension observed: .xtc) 1 – Technical Breakdown 1.1 File Extension & Renaming Pattern Confirmed extension appended: .xtc Example: Quarterly-Report.xlsx → Quarterly-Report.xlsx.xtc No email, victim-ID, or random hex string inserted – the malware keeps the original base name and simply tacks on “.xtc”. Ransom note dropped in every affected…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .exocrypt (lower-case) is appended as a secondary extension, e.g. Quarterly-Q3.xlsx.exocrypt Renaming Convention: – Files are first exfiltrated (staged in %TEMP%\exo_stg\ under random GUID names), then AES-256-CTR encrypted, then renamed in-place with the extra suffix. – The malware wipes the MFT entry for the…
exo Ransomware – Community Threat Dossier Prepared by: Cybersecurity Incident Response / Ransomware Intel Unit Last update: 2024-05-01 TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmation of File Extension: The malware appends “.exo” in lower-case, without a secondary tag (e.g., document.xlsx → document.xlsx.exo). Renaming Convention: – File is first encrypted IN-PLACE (original data overwritten…
Ransomware Report – “.EXISC” Variant Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file receives the .exisc suffix (e.g., Project.docx ⇒ Project.docx.exisc). Renaming Convention: Original filename is preserved; no e-mail address, victim-ID, or random string is inserted—the only change is the single-level append of .exisc. 2. Detection & Outbreak…
Ransomware File-Extension “.exilencetg” – Community Resource v1.0 (Compiled by independent malware analysts – last refreshed May 2024) TECHNICAL BREAKDOWN 1. File Extension & Renaming Pattern Confirmed extension: .exilencetg Renaming convention: original_name.[original_ext].id-<8-hex-chars>.[{contact-mail}].exilencetg Example: Annual-Budget.xlsx → Annual-Budget.xlsx.id-A3F62891.[[email protected]].exilencetg 2. Detection & Outbreak Timeline First public submission: 20 Nov 2022 (Malware-Bazaar hash: 337f9e…) Inflection point (wide SMB/rdp scans): February–March…
ExecutionerPlus Ransomware – Community Defense & Recovery Guide Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .pluss ExecutionerPlus Renaming Convention: Victims see two sequential renames: Original file report.xlsx → report.xlsx.id-<8-hex-chars>[<victim_id>].pluss After reboot, the same file is appended with ..executionerplus (double-dot) so the final name becomes: report.xlsx.id-A1B2C3D4[COMP12345].pluss..executionerplus Folders receive a plain text…
Ransomware Variant Report – “Executioner” Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .executioner (lower-case, no second-level token such as “.id-” or “.[[email]]”). Renaming Convention: Original file name → <original_name>.executioner. – No e-mail address, victim ID, or random string is appended, making quick visual identification trivial (e.g., Report.xlsx.executioner). 2. Detection &…
Technical Breakdown: 1. File Extension & Renaming Patterns Exact extension used: .excuses (both the ransom note and the encrypted files carry this extension, which displays with a plain-text icon) Renaming pattern: After encryption the malware deletes the original file and writes a new file named exactly as the original but with “.excuses” appended → Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.excuses Volume label wipe: all drives…
Technical Breakdown 1. File Extension & Renaming Patterns Confirmed ransom extension: .air – always appended to every encrypted file. Email-stem added to the middle: The Trojan inserts the attacker’s address [email protected] just before the final extension so that a file formerly called Project_Q4.xlsx becomes [email protected] (no spaces, all lower-case). Directory names are NOT touched—only file…
Technical Breakdown – the EWDF ransomware strain 1. File extension & renaming patterns Confirmation of file extension – .ewdf (lower-case) is appended to every encrypted object (e.g. report.xlsx → report.xlsx.ewdf). Renaming convention – The malware keeps the original file name and simply adds a second extension. Directory listings therefore look benign at first glance, but…