Search Results
Ransomware Resource Sheet Variant: EMAN ransomware (extension .eman) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .eman (lower-case) is appended to every encrypted object. Typical rename pattern: original_name.ext.[random-8-hex-chars].[attacker_email].eman Example: Project_Q3.xlsx → [email protected] The 8-character hex block is unique per machine and is also used as the victim ID inside the ransom note. 2.…
RANSOMWARE BRIEFING Extension in-the-wild: *.id-******.zip Attacker e-mail left in ransom note: [email protected] TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Exact extension: .id-******.zip (six random alphanumeric characters after the id- tag) Renaming convention: OriginalName.docx → OriginalName.docx.id-A7B4C9.zip The last 12 bytes of every encrypted file are also overwritten with a static marker “09 57 6F 6C…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .sorena Renaming Convention: original_name.ext.email=*[email protected]*id={8-hex-chars}.sorena Example: Report.xlsx becomes Report.xlsx.email=*[email protected]*id=A9F3B2C1.sorena 2. Detection & Outbreak Timeline First publicly-sighted samples: mid-November 2022 (earliest upload to VirusTotal 2022-11-14). Small, geographically-scattered waves observed through Q1-2023; no large-scale spam run yet, suggesting targeted RDP/themed-phage distribution rather than mass-malspam. 3. Primary…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .odveta Renaming Convention: Each file is renamed to the pattern original_name.ext.email=*[email protected]*id=***.odveta (The *** section is a short, victim-specific identifier—usually 4–6 upper-case letters or digits—so two machines in the same organisation will share the same ID.) 2. Detection & Outbreak Timeline First public samples:…
Kronos Ransomware (.kronos) – Community Resource (File marker: email=*[email protected]*id=***.kronos) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmed extension: .kronos Full renaming pattern: <original_name>.email=*[email protected]*id=<8-hex-chars>.kronos Example: budget.xlsx.email=*[email protected]*id=A1B2C3D4.kronos Note: The “email=” and “id=” strings are literal; the extension is the last 6 bytes (.k r o n s) – some e-mail clients strip the “*”, so samples…
ODVETA Ransomware Threat Report Extension observed in the wild: .odveta (the token in front of the extension – e.g. “[email protected]=**” – is only a marker left by the operator and can change from campaign to campaign) TECHNICAL BREAKDOWN 1. File-Extension & Renaming Pattern Exact extension added: .odveta (lower-case) Full rename template used in recent waves:…
Ransomware Resource – “.boruta” Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of file extension: „.boruta“ (lower-case, 6 letters, no wild-cards). Example: Contract.docx → Contract.docx.boruta Secondary artifact: Every folder receives a plain-text ransom note buy_bitcoins.wav.boruta.readme.txt. The wave file is an empty 0-byte placeholder that simply carries the extension so victims notice the note immediately.…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: email-*@*id-*.* (wild-cards are literal – every encrypted file receives its own unique address, e.g. [email protected], [email protected]) Renaming Convention: Original name + original extension are kept. The string email-<attacker-e-mail>@<host>.id-<8-hex-chars> is appended directly to the file name (no dot before the extension). Folders and mapped…
Ransomware Brief: “.elvispresley” Extension (Compiled for defenders, incident-response teams, and affected users) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file receives the suffix .elvispresley (lower-case). Renaming Convention: Original → <original_name>.<original_ext>.elvispresley Example: Q4-Budget.xlsx becomes Q4-Budget.xlsx.elvispresley No e-mail address, victim-ID, or random hex is inserted between the two extensions (no…
Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: «.elvis» (lower-case) is appended as a SECOND extension, e.g. Report.xlsx.elvis, Invoice_03.pdf.elvis. Renaming Convention: – Original name + «.elvis» (no e-mail, no random bytes, no campaign-ID in the name itself). – Files are overwritten in place; no double-extension stripping occurs, so a file already…