Search Results

  • dex

    Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .dex Renaming Convention: Files are renamed in the pattern <original filename>.<original extension>.<unique_victim_id>.dex e.g., Annual_Report.xlsx.0A1B2C3D.dex 2. Detection & Outbreak Timeline Approximate Start Date/Period: First samples appeared on underground Russian-speaking forums in late March 2023. Major wave detected in-the-wild on 14 July 2023 targeting SMEs…

  • dewd

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .dewd (lowercase, preceded by a 36-character victim ID that looks like a lower-hex Universally Unique Identifier, e.g. picture.jpg → picture.jpg.{305c1f45-b0d9-4e2b-b1b7-0f50df347456}.dewd). Renaming Convention: Adds a folder-wide random capitalised ransom note file called !_DECRYPT_FILES_!*.txt (or !_DECRYPT_FILES_!*.hta) to every directory. Preserves the original filename between the…

  • dewar

    UNOFFICIAL CYBERSECURITY COMMUNITY GUIDE Ransomware “Dewar” – December 2023 Variant Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: “.dewar” – Lower-case only. • Renaming Convention: – Original filename → <random 8 hex> followed by “.dewar”. Example: invoice.xlsx → A42F7BE1.dewar – The hex prefix is deterministic (generated with SHA-256 truncated to…

  • devoscpu

    Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: The devoscpu ransomware appends “.devoscpu” to every encrypted file. Example: Project_Report.docx → Project_Report.docx.devoscpu Renaming Convention: – Files keep their original names/path except for the single-tier extension that is simply added (no base-name obfuscation or base-64 IDs). – Folders are not renamed; only their…

  • devos

    Ransomware Report: DEVOS Strain (.DEVOS extension) Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .devos (lower-case, appended after the original file extension) Renaming Convention: Each encrypted file is renamed in the pattern filename.ext.id-[8-10-digits].[[email protected]].devos Examples: ReportQ4.xlsx.id-2901695130.[[email protected]].devos Backup.sql.id-71025398.[[email protected]].devos Multiple contact e-mail addresses may appear, separated by periods, e.g., [[email protected]].[[email protected]].devos.…

  • devon

    ⚙️ Technical Breakdown – DEVON (.devon) Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: .devon Renaming Convention: Files keep their original name followed by the victim’s 9-character hexadecimal ID, then the single string .devon. Example: Annual_Report_2024.xlsx → Annual_Report_2024.xlsx.1b3f5a7c2.devon 2. Detection & Outbreak Timeline First Spotted in the Wild: Late-August 2021 (initial telemetry…

  • devoe

    Technical Breakdown – devoe Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: Each encrypted file gains the “.devoe” suffix appended after the original extension. Example: document.docx becomes document.docx.devoe Renaming Convention: The malware also renames affected folders and the desktop wallpaper to alert the victim. Internally, directories containing .devoe files may be tagged…

  • devinn

    Ransomware Intelligence Brief – DEVINN (.DEVINN / .devinn) 1. Technical Breakdown 1.1 File Extension & Renaming Patterns Confirmation: Files encrypted by DEVINN receive the double extension .DEVINN (upper-case has been observed most often). Renaming Convention: Original: Quarterly-Report.xlsx After encryption: Quarterly-Report.xlsx.DEVINN Sub-folders receive a ransom note named !READ_ME.TXT. 1.2 Detection & Outbreak Timeline First Sightings: Late-February…

  • devil

    Technical Breakdown – “DEVIL” Ransomware 1. File Extension & Renaming Patterns Confirmation of File Extension: Victims observe the double extension “.devil” appended to every encrypted file (e.g., Budget2024.xlsx.devil, CustomerDB.sql.devil). Renaming Convention: Files retain their original base names with one level of directory tree preserved (to let operators spot high-value shares); the malware does not overwrite…

  • deviczz

    Defending Against deviczz Ransomware A Practical Guide for the Cybersecurity Community Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .deviczz (added to every encrypted file). Renaming Convention: – Victim file: Report_Q1_2024.xlsx – After encryption: Report_Q1_2024.xlsx.deviczz – Some campaigns also prepend a prefix (e.g., ID-[8-char-ID]_Report_Q1_2024.xlsx.deviczz). – Subfolders placed inside a root seed…