Search Results

  • dragnea

    ───────────── DRAGNEA RANSOMWARE RESOURCE ───────────── All findings below are compiled from incident-response engagements, public sink-hole telemetry, and open-source indicators (IoCs) tracked through mid-2024. Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .dragnea is appended after the original extension (note that two dots appear in the final filename—e.g. Annual_Report.xls.doc.dragnea). Renaming Convention: Original:…

  • dqxoo

    Ransomware Resource – “DQXOO” Variant Technical Breakdown 1. File Extension & Renaming Patterns Exact File Extension Used: .dqxoo Infected files keep their original base name and a new secondary extension is appended, e.g., report2024.xlsx.dqxoo, customerDB.sql.dqxoo. Directories will also contain a ransom note file named READMETORESTORE.html, dropped while the encryption is underway. 2. Detection & Outbreak…

  • dqws

    Comprehensive Ransomware Response Resource – “DQWS” (.dqws) Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .DQWS Renaming Convention: Victim files receive a triple-level rename. Original filename contract.docx → Universally unique identifier (UUID) 9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07 → Attacker-supplied e-mail handle [email protected] → Final ciphertext segment 9B4D7E98-3FA2-48C9-BD14-2A9C8E163D07.support@cyberheist2024.com.dqws Folders are touched with a stub file named…

  • dqb

    Ransomware Quick Reference – File Extension .dqb (Dharma / CrySiS off-shoot) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .dqb is appended after the original extension, not in place of it. Renaming Convention: original-file.ext.id-<RANDOM-ID>.[attackers-email].dqb Example: Quarterly-Report.xlsx.id-7E5E3AFB.[[email protected]].dqb 2. Detection & Outbreak Timeline Approximate Start Date/Period: First clusters observed mid-August 2020, peaking September-October…

  • doyuk2

    Doyuk2 Ransomware: Comprehensive Technical & Recovery Resource Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends .doyuk2 to every encrypted file. Renaming Convention: [original_filename][original_extension].doyuk2 Example: QuarterlyBudget.xlsx → QuarterlyBudget.xlsx.doyuk2 2. Detection & Outbreak Timeline Approximate Start Date/Period: First samples were uploaded to malware repositories on 18 January 2024, with broad…

  • doyuk

    DOYUK Ransomware – Detailed Threat Brief & Recovery Guide Technical Breakdown: 1. File Extension & Renaming Patterns Confirmed Extension: .doyuk Renaming Convention: The original filename is kept intact and the attacker simply appends the extension. Example: Quarterly_Finance.xlsx → Quarterly_Finance.xlsx.doyuk No additional prefix, victim-ID, or attacker-controlled e-mail address is inserted, which distinguishes DOYUK from many other…

  • doydo

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by doydo ransomware receive the .doydo extension appended directly to the original filename. Renaming Convention: The ransomware strips the original extension and appends .doydo in its place — e.g., QuarterlyReports.xlsx becomes QuarterlyReports.doydo No numeric or randomized markers are inserted between the…

  • doxes

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by DOXES ransomware are marked with the extension .DOXES. Renaming Convention: After encryption the malware keeps the original file name and appends “.DOXES” to it (e.g., Report_Q4.docx becomes Report_Q4.docx.DOXES). There is currently no embedded campaign-ID or e-mail address in the renamed…

  • down_with_usa

Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The malware locks files and then appends .down_with_usa to the original filename. Renaming Convention: <original_filename>.<original_extension>.down_with_usa - Victims may also see an optional numeric suffix (e.g., photo.jpg.down_with_usa.11) inside higher-volume campaigns where the installers run multiple encryption threads. 2. Detection & Outbreak Timeline Approximate Start…

  • doubleoffset

    DOUBLEOFFSET Ransomware – Comprehensive Resource and Action Guide Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of Extension: Encrypted files receive the extension “.doubleoffset” appended after any existing extension (*.docx ▸ *.docx.doubleoffset). Renaming Convention: The virus keeps the original filename and only adds the new suffix; directory listings become clearly identifiable by search strings…