Search Results
Ransomware Profile – “Ducky” Extension (.ducky) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension added: .ducky (Example: Project.docx → Project.docx.ducky) Renaming convention: – Original file name and original extension are preserved; the string “.ducky” is simply appended. – No e-mail address, victim-ID, or hex-timestamp is inserted, which makes quick visual identification harder for…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .duckryptor (lower-case) Renaming Convention: – Original filename is kept intact, the extension is appended (not replaced). – Example: ProjectQ3.xlsx becomes ProjectQ3.xlsx.duckryptor – Folders receive a plain-text marker file: HOW_TO_BACK_FILES.txt (same content as the desktop ransom note). 2. Detection & Outbreak Timeline First public…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files hit by “Duck” ransomware acquire the extra suffix “.duck” (e.g., Report.xlsx → Report.xlsx.duck). Renaming Convention: The malware only appends the new extension; it does not scramble the original file name, path, or drive letter—helping you quickly identify the scope via a simple…
Ransomware Resource Sheet Variant/extension observed: .dubai317898@gmailcom Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file receives the verbatim appendix .dubai317898@gmailcom (note the missing ‘.’ between “gmail” and “com”). Example: Annual_Report.xlsx → Annual_Report.xlsx.dubai317898@gmailcom Renaming Convention: – Original file name and internal extension are preserved. – The string is simply concatenated;…
Ransomware with the “.dts” file marker – Community Briefing (Last reviewed: 2024-06-XX) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .dts (not to be confused with the DTS audio container format). Renaming convention: Original name → <original_name>.<id-8hex>.<attacker_email_1>.<attacker_email_2>.dts Example: Project.xlsx becomes Project.xlsx.1AC403E7.[[email protected]].[[email protected]].dts In some clusters only one e-mail address is used, so the pattern…
Technical Breakdown File Extension & Renaming Patterns • Confirmation of File Extension: “.dtbc” (lower-case, four characters, appended as a second extension – e.g. invoice.xlsx.dtbc). • Renaming Convention: Original file name is preserved, only the extra suffix is added. No e-mail address, random string, or campaign ID is inserted in the file name itself, which is…
Ransomware Profile: .dst Extension (Community-use cheat-sheet – last updated 2024-06) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmed extension appended: .dst (lower-case, 3 chars, preceded by a dot). Renaming convention: – Original file invoice.xlsx → invoice.xlsx.dst (simple suffix, NO e-mail or ID stub). – Folder-level marker: HOW_TO_BACK_FILES.txt (exact spelling) dropped in every directory. –…
DSEC Ransomware – Community Resource Sheet Last updated: 25 June 2025 Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .dsec (lower-case, four characters, appended after the original extension). Example: annual_report.xlsx → annual_report.xlsx.dsec No prefix or e-mail address is added to the name (differs from variants such as .locked-[ID]@proton.me). Dropped marker file: DECRYPT-FILES.dsec.txt (sometimes…
Ransomware Resource Sheet Variant: “ds335” (extension .ds335) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmed file extension: .ds335 (lowercase) is appended to every encrypted object; the original extension is NOT removed, e.g. Project.xlsx.ds335. Renaming convention: <original_name>.<original_ext>.ds335 – no e-mail, no random UID, no victim-ID prefix. Dropped marker files: README_TO_RESTORE.txt (sometimes HOW_TO_DECRYPT.hta) is placed in…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .drycry (lowercase) is appended as a secondary extension – e.g. Annual_Budget.xlsx.drycry, project_mng.mdb.drycry, Client_DB.sql.drycry. Renaming Convention: Files keep their original base-name and first extension; only the final .drycry tag is added. No e-mail address, random ID, or ransom-token inside the filename itself. 2. Detection…