Search Results

  • drweb

    Dr.Web Ransomware – Community Resource Sheet ⚠️ Reader Beware – *.drweb is NOT a ransomware strain at all. “.drweb” is simply the temporary appended marker that the legitimate, Russian-made AV product “Dr.Web” adds while it is quarantining or disinfecting a different ransomware family (most often Trojan.Encoder.xxx, aka Trojan.Encoder.3953, the Dr.Web internal name for PHOBOS/DHARMA). Consequently,…

  • drume

    Technical Breakdown 1. File Extension & Renaming Patterns Exact extension appended: .drume (lower-case) Renaming convention: – Files keep their original names and only have .drume appended. – Example: Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.drume – No e-mail address, random bytes, or victim-ID inserted in the name (this differentiates Drume from strains such as Phobos/Dharma). 2. Detection & Outbreak…

  • droprapid

    Technical Breakdown – “droprapid” Ransomware (file-marker: “.droprapid”) 1. File Extension & Renaming Patterns Confirmation of File Extension: The malware appends exactly “.droprapid” – always lower-case, no space, no randomised suffix. Renaming Convention: – Original name is always preserved, extension appended (e.g. Invoice_April.xlsx.droprapid). – Deeper-level folders are NOT renamed; only the file names (plus the new…

  • drop

    “.drop” Ransomware – Community Resource Sheet Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .drop Renaming Convention: Cleans original file name → [original_name].drop No e-mail, user-ID, or random hex string is appended – the single 4-byte extension is the only change (this helps it hide in long directory listings). 2. Detection…

  • drlk

    DRUK / “drlk” Ransomware – Community Threat Brief (Updated June 2025) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmation of file extension: .drlk (lower-case, four characters, appended verbatim). Renaming convention: Original name → <original_name>.<original_extension>.drlk Example: 2025-Budget.xlsx becomes 2025-Budget.xlsx.drlk The malware does not scramble the base file name, which helps quick triage in large file-shares.…

  • drik

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware now known as “Drik” appends the extension .drik to every encrypted file. Renaming Convention: After encryption, each original filename is preserved and only the extension is appended. For example: • Invoice202405.xlsx becomes → Invoice202405.xlsx.drik • userprofile.jpg becomes → userprofile.jpg.drik No additional…

  • driedsister

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The current ransomware family appends .driedsister to every encrypted file. Example: report.xlsx.driedsister, invoice.pdf.driedsister. Renaming Convention: Each file keeps its original filename and native extension (e.g., “.docx”); the .driedsister suffix is simply appended. Folders will not be renamed, but a ransom note named README-[REDACTED].txt…

  • dream

    Technical Breakdown: Dream Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: Every file is appended with “.dream” after its original extension (e.g., report.xlsx.dream, client_backup.sql.dream). Renaming Convention: Original → [basename].[ext].dream No additional random prefix, hex string, or e-mail address is pre-pended, which is a noticeable stylistic difference from many other strains. 2. Detection…

  • drcrm

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends “.drcrm” (case-insensitive) to every encrypted file. Renaming Convention: The malware keeps the original filename but adds a shrill prefix and final extension in this layout: <original_name>.id-<8-hex-chars>.[<attacker_email>].drcrm Example: Report_2024.xlsx → Report_2024.xlsx.id-A4F1D237.[[email protected]].drcrm 2. Detection & Outbreak Timeline Approximate Start Date/Period: First public…

  • dragonforce_encrypted

    Technical Breakdown 1. File Extension & Renaming Patterns • Confirmed Extension: All encrypted files are given the suffix .dragonforce_encrypted – the trojan does not add a new secondary extension; it replaces the original suffix entirely. Example: Project_Q3.xlsx becomes Project_Q3.dragonforce_encrypted. • Renaming Convention: Locate interesting files by extension list (*.docx, *.xlsx, *.pdf, *.dwg, …). In-place AES-256-CBC…