Search Results
delete.me Comprehensive Ransomware Profile & Community Defense Guide Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: .delete.me (lowercase) Renaming Convention: Original filename first, immediately followed by the extension – no additional ransom token or email address is appended. Example: QuarterlyReport.xlsx → QuarterlyReport.xlsx.delete.me. No directory-level changes; the sample preserves full path but…
Ransomware Advisory: .dehd (STOP/DJVU variant) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .dehd Renaming Convention: Original FileName → OriginalFileName.jpg.dehd Folder icons left alongside ransom notes named _readme.txt 2. Detection & Outbreak Timeline Approximate Start Date/Period: Late January 2023 (appears sporadically on VirusTotal uploads starting 27 Jan 2023); surge in public…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: defray777 Renaming Convention: Files are renamed in the pattern originalfilename.extension.defray777. There is no random ID or e-mail string before the .defray777 suffix, in contrast to some older Defray variants (e.g., .[[email protected]].defray). A desktop wallpaper named README_TO_RESTORE_FILES_[random-3-digit].bmp is also dropped and automatically set. 2.…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files affected by Defray are appended with “.defray” (in lower-case). Renaming Convention: The malware does not change the original file name; it simply adds the suffix “.defray”—e.g., QuarterlyReport.xlsx becomes QuarterlyReport.xlsx.defray. Folders hit by the ransomware receive a dropper note “FILES.TXT” alongside each encrypted…
Contributor Note: The following profile is based on the latest open-source telemetry (VT + Any.Run), victim reports exchanged in incident-response channels (Reddit /r/ransomware, BleepingComputer), and cryptographic analysis dated April-2024. Any timestamps are in UTC. Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of Extension: The ransomware appends the exact 9-character lower-case string “.defi1328” to…
Understanding and Mitigating the defi* Ransomware Campaign (last updated 15.09.2023) Technical Breakdown 1. File Extension & Renaming Patterns Exact extension used during encryption The operators append .defi (strictly lowercase, 4 characters) as the final suffix. Renaming convention → Original file Report_2023.xls becomes Report_2023.xls.defi (no additional e-mail addresses, no SHA-256 IDs in the name). 2. Detection…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The defender ransomware appends the literal extension .defender to every encrypted file, e.g., Budget2024.xlsx.defender. Renaming Convention: In addition to the double extension, the malware places the infection ID and the attacker’s TOR-payment address before the final .defender, producing names such as: Q8X9K3Y2_ContactUs_3fa4u7l4.onion.defender where…
Ransomware Variant: .deepindeep Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: .deepindeep (all lower-case, two sequential instances of “deep”). Oddly, some lateral-movement scripts have been observed inserting an extra period or appending a random 4-digit hash (document.pdf.deepindeep.3a7b) to deter mass-rename scripts, but the canonical form remains .deepindeep. • Renaming Convention:…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The ransomware appends the literal string “.deep” (lowercase) to every encrypted file, e.g., Report.docx.deep. Renaming Convention: No base-name changes, rotation of character cases, or directory shifts are performed—the original filename is preserved, followed by the .deep extension in a single append operation. 2.…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .deeep Renaming Convention: Files are renamed in the pattern original_name.ext.id-XXXXXXXX.[[email protected]].deeep where XXXXXXXX is an 8-digit host identifier. Folders receive a text file named info.hta that auto-launches via the Windows HTML registry handler every time the folder is opened. 2. Detection & Outbreak Timeline…