Search Results
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by Dutan receive the fixed suffix .dutan (always lower-case). Renaming Convention: The malware renames every affected file to the pattern: <original_filename>.<original_extension>.dutan Example: Quarterly-Q3.xlsx becomes Quarterly-Q3.xlsx.dutan. 2. Detection & Outbreak Timeline Approximate Start Date/Period: Dutan first surfaced on 6 August 2019 as…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: dusk! (includes the leading dot and trailing exclamation mark). Renaming Convention: Files receive a COMPLETELY new name followed by .dusk!. – Original Quarterly_Report_Q3.xlsx becomes r9kX7aT1.doc.dusk! – The random-looking basename is generated with 8–12 mixed-case alphanumerics so that victims cannot recognise content from the…
Ransomware Intelligence Brief – “DUSK” Variant (File extension observed: .dusk) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .dusk (lower-case) Renaming convention: Original → sample.docx After encryption → sample.docx.id[XXXXXXXX].dusk The “id[XXXXXXXX]” tag is a unique victim identifier generated from the MAC address or volume serial number; helps the affiliate panel credit the right…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .duralock05 Typical renaming pattern: originalFileName.jpg.duralock05 Report-2024.xlsx.duralock05 2. Detection & Outbreak Timeline Earliest documented sightings: October-November 2022 (first submissions to ID-Ransomware & VirusTotal). Peak activity: Q1-2023, with renewed waves each quarter through 2024. Geographic spread: Heaviest in North America, Western Europe, followed by LATAM…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: “DuraLock” (also reported as “DuraLock 2.0”) appends the fixed string .duralock to every encrypted file. – Example: Quarterly-Report.xlsx → Quarterly-Report.xlsx.duralock – No random hexadecimal IDs, e-mail addresses, or campaign numbers are inserted between the original name and the new extension. – Internally the…
Technical Breakdown: File Extension & Renaming Patterns • Confirmation of File Extension: “dungeon-00” (always in lower-case, always contains the hyphen and two underscores). • Renaming Convention: Original file is kept, one extra copy is created with the original name followed by “.dungeon-00” appended. Example – Budget.xlsx becomes Budget.xlsx.dungeon-0_0. No e-mail, victim-ID, or random string is…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .dumbstackz Renaming Convention: After encryption, the ransomware simply appends “.dumbstackz” to the original filename and leaves the original extension intact (e.g., Quarterly-Report.pdf becomes Quarterly-Report.pdf.dumbstackz). A ransom note (README_TO_RESTORE.txt) is dropped into every affected folder and on the user’s desktop. 2. Detection & Outbreak…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files are re-labeled with the stand-alone lowercase suffix .duk (e.g. report.xlsx → report.xlsx.duk) – no e-mail address, victim-ID, or random string is added. Renaming Convention: The ransomware keeps the original file name and original extension intact, simply appending .duk as the final extension.…
duhust Ransomware – Community Defense Guide Last updated: 2024-06-XX TECHNICAL BREAKDOWN File Extension & Renaming Patterns • Confirmation of File Extension: .duhust – ALWAYS lower-case; appended once (e.g. invoice.pdf → invoice.pdf.duhust) – No secondary marker file or random hex chain is inserted into the base name. • Renaming Convention: – Single-pass in-place rename (no file…
Ransomware Identifier: .ducueyuav Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: “.ducueyuav” (lowercase on-disk, lowercase in ransom note). Renaming convention: Original name → .ducueyuav Example: “Annual-Report.xlsx” becomes “Annual-Report.xlsx.ducueyuav” (no e-mail address or random ID inserted, which places it in the “Mallox / TargetCompany” cluster). 2. Detection & Outbreak Timeline First public submission to…