Search Results

  • dilmalocker

    Comprehensive Ransomware Brief: DilmaLocker (.dilma) Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of file extension: Encrypted files are appended with the single static extension .dilma. Renaming convention: Keeps the entire original file name and simply tacks .dilma on the end. Example: HR On-Boarding.docx becomes HR On-Boarding.docx.dilma. No hexadecimal IDs, random strings, or e-mails…

  • diller13

    DILLER13 Ransomware Deep-Dive & Recovery Playbook Community Edition – Version 2024-06-12 Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .DILLER13 (upper-case is default, but lowercase .diller13 has also been recorded in older variants). Renaming Convention: files are RENAMED, not merely appended. Example transformation for the user file Project_Calc.xlsx → Project_Calc.xlsx.[<8HEX-ID>].DILLER13 The…

  • [email protected]

    Cyber-threat Intelligence Resource Ransomware Variant: [email protected] 1. Technical Breakdown 1.1 File Extension & Renaming Patterns • Confirmation: Every encrypted file has an additional extension “[email protected]” appended after the original extension. Example: 2024_budget.xlsx → [email protected] • Renaming Convention: – Uses the e-mail address literally, including the @ symbol. – No second-level extension (e.g., no “.LOCK” or…

  • digisom

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .locked (occasionally appended alongside recursively-generated .id-[unique-ID].digisom{number} extensions, e.g., invoice.pdf → invoice.pdf.id-FB2E3452.[e-mail].digisom7) Renaming Convention: Uses two separate passes. ① Original file is duplicated and hard-linked, then renamed into the <filename>.id-<UUID>.[<contact-email>].digisom<increment> pattern. ② The final .locked extension is appended, leaving victims with triple-level file names…

  • die

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .DIE (in uppercase and most current samples also drop the lowercase .die as a secondary marker). Renaming Convention: Original file Annual-Report.docx becomes Annual-Report.docx.DIE (single extension wrapping, no randomised prefix/uid). When opting for a secondary copy of the ransom-note, an additional zero-byte file is…

  • dice

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .dice (all lowercase, preceded by a decimal point). Renaming Convention: – Files are renamed in the pattern: originalfilename.ext.dice – Example: Quarterly-Report.xlsx becomes Quarterly-Report.xlsx.dice – Directory attributes and modification timestamps remain intact (this is helpful for forensic recovery snapshots). 2. Detection & Outbreak Timeline…

  • dian

    Community Resource: The “.dian” Ransomware (Threat alias: DianLocker / DianCryptor) Technical Breakdown 1. File Extension & Renaming Patterns • Exact extension: .dian (lower-case, leading dot, 4 letters). • Renaming convention: Original filename → <original_name>.<original_ext>.<email>.<ID>.dian Examples found in-the-wild: • Q4_Sales.xlsx → Q4_Sales.xlsx.[[email protected]][28A7E2C7].dian • backup.bak → backup.bak.[[email protected]][E9C41AF3].dian 2. Detection & Outbreak Timeline • First public…

  • diamond

    Technical Breakdown of the Diamond Ransomware (Extension 「.diamond」) 1. File Extension & Renaming Patterns Confirmed File Extension: .diamond The variant writes a literal “.diamond” suffix behind the victim’s original extension—e.g., Quarterly-Report.xlsx → Quarterly-Report.xlsx.diamond. Renaming Rules: • Case-insensitive .diamond is always appended exactly one time. • Original filename, base extension, and Unicode characters are preserved (unlike…

  • diablo6

    Technical Breakdown: DIABLO6 (.diablo6) 1. File Extension & Renaming Patterns Confirmation of File Extension: .diablo6 The malware appends “.diablo6” directly to every file it touches (no dot leader). Example: Invoice_2024-06.xlsx ⇒ Invoice_2024-06.xlsxdiablo6. Renaming Convention: All files in local drives + mapped + removable + network shares are renamed in place immediately after encryption. Directory names…

  • dhlp

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends “.DHLP” (all-caps and without a preceding dot). Each encrypted file ends with the victim’s own filename followed directly by “.DHLP” (e.g., Report_2024.xlsx.DHLP, Budget2024.pdf.DHLP). Renaming Convention: The malware does not re-write the original file name; it merely adds the new extension…