Search Results

  • divinity

Ransomware Profile – “DIVINity” (a.k.a. .divinity) Community Resource (last updated: 2024-05-18) TECHNICAL BREAKDOWN ─────────────────── File Extension & Renaming Patterns • Extension: ALL encrypted files are appended with “.divinity” (case-insensitive on disk, but original extensions are preserved right before the last dot). • Renaming Convention: Original : 2024_Budget.xlsx Encrypted : 2024_Budget.xlsx.divinity – one additional dot and…

  • divine

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The Divine ransomware appends .[[email protected]].divine to every encrypted file. Example: Quarterly_Report.xlsx becomes Quarterly_Report.xlsx.[[email protected]].divine. Renaming Convention: The malware first copies each victim file into a temporary “.locked” placeholder, applies AES-256 + RSA-2048 hybrid encryption, deletes the original, then renames the encrypted blob with the…

  • district

    District Ransomware Community Reference Guide Technical Breakdown 1. File Extension & Renaming Patterns Primary Extension: .district Renaming Convention: Victim files are base-encrypted with AES-256 + RSA-4096, then renamed as: <original_filename>.<original_extension>.id-XXXXXXXX.[<attacker_mail>].district Where: XXXXXXXX is an 8-character hexadecimal Victim-ID derived from the system MAC address. [<attacker_mail>] is a contact e-mail that differs across campaigns (historically: [email protected], [email protected],…

  • disposed2017

    Comprehensive Analysis & Counter-Guide for the Disposed2017 Ransomware (.disposed2017 file extension) Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends the exact suffix “.disposed2017” to every encrypted file. Example: Report_Q4.xlsx.disposed2017 Renaming Convention: Original filename + “.disposed2017”. No email address or random string is inserted—keeping the pattern simple and easy…

  • dispf*osed2017

    Technical Breakdown – dispf*osed2017 1. File Extension & Renaming Patterns Confirmation of File Extension: dispf*osed2017 (with an asterisk in place of the second “o” → “dispf*osed2017”) appended as the last suffix. Example: report.xlsx → report.xlsx.dispf*osed2017 Renaming Convention: Files retain their original names and inner paths (no email address inserted), but every encrypted file receives exactly…

  • diskdoctor

    Comprehensive Defender’s Resource for the “DiskDoctor” Ransomware (Addresses any strain that appends “.DiskDoctor” to encrypted files, currently the only publicly tracked family with this exact extension.) Technical Breakdown 1. File Extension & Renaming Patterns • Confirmed File Extension: .DiskDoctor (always lowercase, preceded by a dot). • Renaming Convention: <original_filename>.<original_extension>.<Victim_ID>.DiskDoctor Example: 2024-Q1-Forecast.xlsx.EE46B2A3.DiskDoctor 2. Detection & Outbreak…

  • dishwasher

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .dishwasher (in lower-case). The malware appends .dishwasher to every file it encrypts—for example, Q3-Budget.xlsx becomes Q3-Budget.xlsx.dishwasher. Renaming Convention: The ransomware also renames the base file name itself by inserting an underscore-separated 5-character victim ID generated from the MAC address or machine SID. Example:…

  • dirtydecrypt

    Asset: ransomware-variant-sheet-dirtydecrypt.md Prepared by: CyberSecurity DFIR Monster Insights Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: dirtyDecrypt itself does not append a new extension after encryption. In most cases the original filename is left untouched (e.g., ReportQ4.xlsx remains ReportQ4.xlsx). However, companion indicator files are dropped in every affected folder: – dirtyDecrypt.exe…

  • dirk

    dirk Ransomware – Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: After encryption, dirk appends the literal extension “.dirk” to every file it touches (e.g., Project-Q1.docx becomes Project-Q1.docx.dirk). • Renaming Convention: The rest of the original file-name is left intact—there is no length truncation or insertion of random bytes—so impacted…

  • direwolf

======================================================== Comprehensive Security Brief: the “Direwolf” Ransomware Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .direwolf (always lowercase, appended after the last dot). Renaming Convention: <original_filename>.<original_extension>.id-<5-digit_hex>[email protected] Example → [email protected]. A short Base64-encoded 12-byte “pre-key” fragment is sometimes written before the dot on double-extension files (e.g., prekey_Q/a==Invoice.xlsx…) to help the decryptor locate…