Search Results

  • @safetyjabber.com

    Technical Breakdown of the @safetyjabber.com Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: [email protected] Renaming Convention: Original file: report.xlsx After encryption: [email protected] The malware does NOT modify filenames or add random strings—only appends the exact extension [email protected] after the original filename. Hidden volumes or shadow-copied directories are enumerated and receive the same…

  • @rape.lol*

    Detailed Resource for the Ransomware Variant using the .rape.lol* extension (Note: the asterisk acts as a wildcard—*.rape.lol[0-9] is the more precise victim-side pattern, e.g., file.pdf.rape.lol1, file.xls.rape.lol2, etc.) Technical Breakdown 1. File Extension & Renaming Patterns Exact extension witnessed: .rape.lol1, .rape.lol2, .rape.lol3, incrementing with each successive encryption pass on the victim host or network-share target. Renaming…

  • @qq_com

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The @qq_com group appends the literal string .qq_com (dot-lowercase) to every file it encrypts. Renaming Convention: Original: Document.docx → Document.docx.qq_com Folder-level: Inside every directory it drops a ransom note file called !README!.txt or !readme!!!.txt. Thumb-print suffix: In some later samples a hash of…

  • @qq.com*

    Technical Breakdown: @qq.com* (Tellyouthepass Ransomware Clone) 1. File Extension & Renaming Patterns Confirmation of File Extension: Encrypted files keep their original name, then have: @qq.com*.**xxxx** appended, where **xxxx** is a four-digit hexadecimal identifier unique to every machine (e.g., [email protected]*.3F2A) Renaming Convention: All sub-folders inside every mapped drive ALSO have a ransom-note file (Restore_My_Files.txt) dropped next…

  • @qq.com

    @qq.com Ransomware Deep-Dive (File-extension identifier: “.qq.com” – including the full public suffix) Technical Breakdown 1. File Extension & Renaming Patterns Exact extension appended: Each encrypted file is suffixed with .qq.com – e.g., Report—2024-05.xlsx → Report—2024-05.xlsx.qq.com Renaming convention: – Files are not moved to other directories; the extension is double-dotted into the original file name. –…

  • @qbmail.biz

    Community Resource: qbmail.biz (a/k/a “FileHelp” or “QilinMail”) Ransomware Threat Brief Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .FILEHELP (the malware also renames files with a singular and lowercase “.filehelp” in some builds; both spellings are equally valid signals of infection). Renaming Convention: Original file Monthly_Report.xlsx → Monthly_Report.xlsx.filehelp (extension appended, preserving…

  • @protonmail*

    ProtonMail Outlook Decryptor Ransomware — Technical Report & Recovery Guide (Threat: files altered with “.protonmail…” extension, contact email @protonmail.*) Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .protonmail[Random-ID] Examples: Annual_Report.xlsx → Annual_Report.xlsx.protonmail59c22, Accounts.db → Accounts.db.protonmaila4e71. Renaming Convention: The ransomware appends the literal string “.protonmail”, immediately followed by a 5-to-6-character hexadecimal ID…

  • @pm.me*

    Technical Breakdown: Ransomware Variant with @pm.me* Extension (also referred to by many sources as Zeropadypt / “Zero-Phobos” or simply the “PM.ME” campaign) 1. Filename & Rename Behaviour ● Exact extension appended: • Victim files get a double extension that ends in ID-<8-10_hex_digits>.[<attacker_email>]@pm.me* • Real-world examples: – picture.jpg.ID-A4D82E91.[[email protected]].pm3 – report.xlsx.ID-3C7AE114.[[email protected]].zero (The suffix after @pm.me is an…

  • @pizzacrypts.info

    Disclaimer: The extension [email protected] has been seen in the wild, but it is often retrofitted onto several unrelated payloads (Conti leaks, Phobos/Eking clones, etc.). Much of the threat intel collected in 2023–2024 points to a low-volume Phobos-derivative strain rebranded by a splinter actor. Treat the analysis below as representative of what the community typically sees when that extension…

  • @pipikaki

    Ransomware Resource Sheet for “.pipikaki” (Based on public threat-intel, live malware samples monitored in 2023-Q3 and curated from CERT/ISAC repositories – Last revised 2024-05-15) Technical Breakdown 1. File Extension & Renaming Patterns • Extension after encryption: *.pipikaki (lowercase, appended without spaces). • Renaming convention:   <original-file-name>.<original-extension>.<8-char-hash>.pipikaki Example → Spreadsheet.xlsx.A7F2E9C0.pipikaki The 8-byte hash is derived from Curve25519…