Search Results

  • doublelocker

    DoubleLocker Ransomware Guide (.CCC) Last updated: June 2024 Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .CCC (case-insensitive; sometimes .ccc or .ccc1 on subsequent re-runs after reboot). Renaming Convention: Original filename is transformed into Base64 (URL-safe) then hex-encoded, keeping the original plaintext extension visible only as an extra marker. Example: Report_2024_Q1.docx…

  • dotmap

    DotMap Ransomware Threat Brief – 2024 Public Edition Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends “.dotmap” (case-insensitive on Windows, lower-case on *nix when Samba shares are hit). Renaming Convention: Original file is first copied to a 0-byte placeholder with the original file name, then the encrypted copy…

  • dorra

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The “Dorra” strain appends the extension .dorra to every file it encrypts. Renaming Convention:  - Original name: Quarterly_Report_Q2.xlsx  - After encryption: Quarterly_Report_Q2.xlsx.dorra There is no additional e-mail address or ransom ID inserted into the filename; the .dorra suffix alone is used. 2. Detection…

  • doppled

    Doppled Ransomware – Technical & Field Playbook Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file receives the double extension .doppled appended after the original extension. Example: presentation.pptx → presentation.pptx.doppled Renaming Convention: • Files keep their full original path and name—only the final additional extension is new. • Directories…

  • doppelpaymer

    DoppelPaymer Ransomware – Comprehensive Technical & Recovery Guide Compiled for defenders, responders, and the wider community Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: • .locked is the primary appended extension. • Numbered extensions (.locked1, .locked2, .locked3,…) appear on successive attacks to track campaign waves. Renaming Convention: Files: original-name.ext.locked e.g., Report.xlsx…

  • doples

    DOPLES Ransomware Playbook Last updated: 2024-06-13 Technical Breakdown

    | Attribute | Value |
    |-----------|-------|
    | Confirmed File Extension | .doples (lower-case) |
    | Renaming Convention | [original_name][36-byte_hex_ID].doples Example: AnnualReport.xlsx.D3AC9F…FB642CE.doples |
    | Related Aliases | DOPLES Virus, STOP/Djvu variant (“DOPLES build”) |

    1. File Extension & Renaming Patterns The payload appends “.doples” as the final extension.…

  • dop

    Ransomware Threat Advisory – DOP (.dop) Variant (last updated: 2024-06-XX) Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: “.dop” (lowercase appended, no dot separator before the original extension). • Renaming Convention: Original files are copied to an in-memory buffer, encrypted, then the original is overwritten. The new file is…

  • doomed

    Technical Breakdown of the “DOOMED” Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by this family receive the extension “.DOOMED” written in uppercase, appended directly after the original extension with no added separator. Example: invoice.xlsx → invoice.xlsx.DOOMED Renaming Convention: – Filename and original extension are preserved in full. – A…

  • dook

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by the DOOK ransomware receive the double extension .crypt.DOOK (example: Quarterly_Report.xlsx.crypt.DOOK). Renaming Convention: Files are encrypted, then renamed in-place. The directory basename is left intact; only the extension is appended. Folders also receive a marker file called ===_HOW_TO_RESTORE_FILES_===.txt in every directory…

  • donut

    DONUT Ransomware Intelligence Guide File extension: .donut Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of file extension: The ransomware appends .donut to every encrypted file (e.g., AnnualReport.docx.donut, ClientDB.bak.donut). • Renaming convention: – Original filename is preserved but the new extension is appended. – Directory sweep is performed alphabetically; no random prefix or…