Search Results
decodeme666@tutanota_com (FilesBear Ransomware) — Comprehensive Response Guide Last revised 29-May-2024 Technical Breakdown: 1. File Extension & Renaming Patterns Confirmed Extension: .decodeme666@tutanota_com – a literal dot-followed-by-email style extension appended to every encrypted file. Renaming Convention: Original → <original-file-name>.<original-extension>.decodeme666@tutanota_com Examples: • AnnualReport.xlsx → AnnualReport.xlsx.decodeme666@tutanota_com • Invoice.pdf → Invoice.pdf.decodeme666@tutanota_com 2. Detection & Outbreak Timeline First Public Sightings: 08-Nov-2023…
Comprehensive Analysis: “Decipher*” Ransomware (Appears in the wild as any filename extension beginning with decipher, e.g., .decipher, .decipher2024, .decipherRSA, etc.) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed Extension Family: .decipher followed by an optional alphanumeric suffix (matches .decipher[A-Za-z0-9-]*) Renaming Convention: Before encryption: Contract.docx After encryption: Contract.docx.decipher2024 Sometimes the suffix variant “decipherRSA” is used on high-value targets, e.g., Contract.docx.decipherRSA. No internal folder-name changes…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .decc – all encrypted files receive the short four-character suffix .decc immediately after the original extension (e.g., AnnualReport.xlsx.decc) Renaming Convention: Filename remains untouched; the ransomware simply appends .decc. No randomized prefixes, rot-17-style obfuscation, or threat-actor ID is added. 2. Detection & Outbreak…
RANSOMWARE BRIEFING – File Extension “.dec” Linking observed activity to the GlobeImposter 2.0 (a.k.a. “Fake Globe / NCrypt”) family Technical Breakdown 1. File Extension & Renaming Patterns • Confirmation of File Extension: all encrypted files receive the extension “.dec” appended directly after the original extension, which is kept intact (e.g., report.xlsx → report.xlsx.dec). • Renaming Convention: GlobeImposter 2.0…
Definitive Guide to the “Debal” Ransomware Variant (*.debal) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by Debal receive the single five-letter appendage .debal (lower-case). Renaming Convention: The malware does not prefix the original name; instead, it appends the extension directly to the existing filename, e.g.: Document.docx → Document.docx.debal…
DeathRansom Ransomware – Community Resource v1.1 compiled by the SOC-CERT Ransomware Research Group Technical Breakdown 1. File Extension & Renaming Patterns Confirmed Extension: .wctc (initial variants appended .deathransom in late-2021 but migrated to .wctc by early-2022) Renaming Convention: Victim filename Invoice_Oct_2024.xlsx becomes Invoice_Oct_2024.xlsx.id-[XXXXXXXX].wctc, where the ID block is an 8-character hexadecimal string derived from the…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: the “DeathNote” ransomware family does not replace the original extension; instead it appends “.deathnote” immediately after the original file name and extension, leaving the original extension in place. Example: Contract_2024.docx → Contract_2024.docx.deathnote. Renaming Convention: The malware goes directory-by-directory in lexicographic order. Every new…
Technical & Practical Guide for the deathhiddentear v2 Ransomware (aka “.deathhiddentear2” variant) Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Every encrypted file is given the double-extension pattern .<original_extension>.deathhiddentear2 Example: QuarterlyReport.xlsx → QuarterlyReport.xlsx.deathhiddentear2 Renaming Convention: Files are renamed in-place via MoveFileExW, so users usually notice the change after encryption, not during.…
DeathHiddenTear (deathhiddentear) Ransomware Play-sheet Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .locked, .pabluk*, .kimchenyn*, and .deathhiddentear (the last one most common in recent campaigns). Renaming Convention: Original name → [originalname].[originalextension].deathhiddentear Example: Budget_2025.xlsx becomes Budget_2025.xlsx.deathhiddentear. 2. Detection & Outbreak Timeline Approximate Start Date / Period: Fork of the open-source Hidden Tear…
deathgrip Ransomware Threat Dossier Compiled December 2024 — V1.1 — open-source crowd-sourced intel Technical Breakdown 1. File Extension & Renaming Patterns

| Item | Detail |
|---|---|
| File Extension Confirmed | .deathgrip (always lowercase, no variant numbering) |
| Renaming Convention | Original file → <original_name>.<original_ext>.<8_random_hex><8_random_hex>.deathgrip. Example: report.xlsx → report.xlsx.BF17A2CD1E849F72.deathgrip |
| Deleted Shadow-Copies? | … |
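The renaming conventions quoted across these results are the fastest triage signal a responder has: a burst of files sharing one appended suffix identifies the family before any sample is recovered. The script below is an added example, not code from any of the listed guides. It turns each convention as the snippets describe it into a regex (the regexes are this example's approximations of that prose, not published signatures; the "GlobeImposter 2.0" label simply follows the .dec briefing's attribution), recovers the original filename and, where the family embeds one, the per-victim ID, and reports only families that recur, because a short generic suffix such as .dec also occurs on legitimate files. The sample paths are constructed for the demonstration.

```python
"""Classify ransomware-renamed files by the appended-extension conventions listed above."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Hit:
    family: str                # family label as used in the listed guides
    original_name: str         # filename with the ransomware suffix stripped
    victim_id: Optional[str]   # embedded per-victim ID, for families that add one


# One (family, regex) pair per renaming convention described in the listed guides.
# These regexes are this example's approximations of the prose conventions.
_ID8 = r"[0-9A-Fa-f]{8}"
PATTERNS = [
    ("FilesBear",          re.compile(r"^(?P<orig>.+)\.decodeme666@tutanota_com$")),
    ("Decipher*",          re.compile(r"^(?P<orig>.+)\.decipher[A-Za-z0-9-]*$")),
    ("decc",               re.compile(r"^(?P<orig>.+)\.decc$")),
    ("GlobeImposter 2.0",  re.compile(r"^(?P<orig>.+)\.dec$")),
    ("Debal",              re.compile(r"^(?P<orig>.+)\.debal$")),
    ("DeathRansom",        re.compile(rf"^(?P<orig>.+)\.id-(?P<vid>{_ID8})\.wctc$")),
    ("DeathNote",          re.compile(r"^(?P<orig>.+)\.deathnote$")),
    ("deathhiddentear v2", re.compile(r"^(?P<orig>.+)\.deathhiddentear2$")),
    ("DeathHiddenTear",    re.compile(r"^(?P<orig>.+)\.deathhiddentear$")),
    ("deathgrip",          re.compile(rf"^(?P<orig>.+)\.(?P<vid>{_ID8}{_ID8})\.deathgrip$")),
]


def classify(path: str) -> Optional[Hit]:
    """Return a Hit if the bare filename matches one of the conventions, else None."""
    name = os.path.basename(path)
    for family, rx in PATTERNS:
        m = rx.match(name)
        if m:
            return Hit(family, m.group("orig"), m.groupdict().get("vid"))
    return None


def triage(paths: Iterable[str], min_hits: int = 2) -> Dict[str, List[Hit]]:
    """Group matches by family, keeping only families seen at least min_hits times.

    A single match on a generic suffix (e.g. .dec) is weak evidence; many files
    sharing one convention is the signal. Tune min_hits for the environment.
    """
    groups: Dict[str, List[Hit]] = defaultdict(list)
    for p in paths:
        hit = classify(p)
        if hit:
            groups[hit.family].append(hit)
    return {fam: hits for fam, hits in groups.items() if len(hits) >= min_hits}


def scan_tree(root: str, min_hits: int = 2) -> Dict[str, List[Hit]]:
    """Walk a directory tree read-only (names only, no file contents) and triage it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return triage(paths, min_hits)


# Constructed sample listing (not real victim data) mixing several conventions.
SAMPLE = [
    "C:/Users/alice/Documents/AnnualReport.xlsx.decodeme666@tutanota_com",
    "C:/Users/alice/Documents/Invoice.pdf.decodeme666@tutanota_com",
    "C:/Users/alice/Documents/Contract.docx.decipher2024",
    "C:/Users/alice/Documents/Contract.docx.decipherRSA",
    "C:/Users/alice/Documents/Invoice_Oct_2024.xlsx.id-1A2B3C4D.wctc",
    "C:/Users/alice/Documents/report.xlsx.BF17A2CD1E849F72.deathgrip",
    "C:/Users/alice/Documents/QuarterlyReport.xlsx.deathhiddentear2",
    "C:/Users/alice/Documents/Budget_2025.xlsx.deathhiddentear",
    "C:/Users/alice/Documents/legit.dec",    # lone .dec file: below threshold, not reported
    "C:/Users/alice/Documents/notes.txt",
]

if __name__ == "__main__":
    for family, hits in triage(SAMPLE).items():
        print(family, [(h.original_name, h.victim_id) for h in hits])
```

Run against a mounted image or a file-server share with `scan_tree(root)`; it never opens file contents, so it is safe on a live victim volume. Matching order matters only for prefix-related suffixes (.deathhiddentear2 is tested before .deathhiddentear), and the anchored `$` keeps .dec from matching .decc files.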