Search Results
fefg Ransomware – Community Threat Guide (Variant tied to the file extension “.fefg”) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension added: .fefg (lower-case) Renaming convention: Original → <original_name>.<original_ext>.fefg Example: QuarterlyReport.xlsx becomes QuarterlyReport.xlsx.fefg No e-mail address, no UID, no random number string – the double-extension is the only visible marker. Desktop wallpaper swapped…
Technical Breakdown: FEEDC Ransomware (aka “D0n#t-J$sThr3at3nM3 v1”) 1. File Extension & Renaming Patterns Confirmation of File Extension: .FEEDC (upper-case, six characters) Renaming Convention: – Original name → <original_name>.<original_ext>.id-<5-digit victim-ID>.[attacker.email].FEEDC – Example: QuarterlyReport.xlsx becomes QuarterlyReport.xlsx.id-48137.[[email protected]].FEEDC – The e-mail address in brackets is used for negotiation and changes per campaign (tutanota.com, cock.li, aol.com, protonmail.ch have all been…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files are appended with “.fedasot” (lower-case, no dot prefix inside the ransom note, but the Windows extension itself is simply fedasot). Renaming Convention: Original filename + “.fedasot” (e.g., “AnnualReport.xlsx” becomes “AnnualReport.xlsx.fedasot”). No e-mail address or victim-ID is embedded in the new name, a…
fdfk22 Ransomware Deep-Dive & Recovery Playbook Last revised: June 2024 TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Extension appended: .fdfk22 (lower-case, no space, always at the end of the original file name). Renaming convention: Re-writes the file in place, then calls MoveFileExW so the original name is preserved and the extension is simply tacked…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files encrypted by the “fdfk” ransomware are given the secondary extension .fdfk (e.g., Project2025.xlsx becomes Project2025.xlsx.fdfk). Renaming Convention: No prefix or e-mail address is prepended; the malware simply appends .fdfk to each file name, leaving the original name intact. Inside every folder that…
Ransomware Brief – “FDCZ” Extension (Last revised: 11 June 2025) Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .fdcz Renaming convention: Original name is preserved, the string “.fdcz” is simply appended (e.g., 2025-Invoices.xlsx → 2025-Invoices.xlsx.fdcz). No e-mail address, random ID, or additional token is inserted—behaviour identical to the STOP/Djvu branch it belongs to.…
Ransomware Brief – Extension “.fdcv” Last compiled: 2024-06-20 Confidence level: MEDIUM-HIGH (still-evolving cluster) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmation of file extension: Every encrypted file receives a second, lower-case extension “.fdcv”. Example: Project.xlsx → Project.xlsx.fdcv Renaming convention observed so far: – Original file name is kept intact (no random prefix / suffix).…
“.fct” Ransomware – Community Threat Brief Last updated: 24-Jun-2024 Technical Breakdown 1. File Extension & Renaming Pattern Confirmed file marker: .fct (lower-case) Renaming convention: Original name is kept, the extension is simply appended – e.g. Project.docx → Project.docx.fct No e-mail address, victim-ID, or random hex string is inserted. Desktop icon overlay: Icon disappears; files show…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: The “fcrypt” strain appends “.fcrypt” as a 6-byte, lower-case extension to every file it encrypts (e.g., Invoice.xlsx → Invoice.xlsx.fcrypt). Renaming Convention: In addition to the new extension, the malware often rewrites the original file name with a “marking” structure: [original name][original extension].fcrypt This…
Ransomware Resource: “.fcp” (alias “File Creep”) Technical Breakdown 1. File Extension & Renaming Patterns Extension confirmed: “.fcp” (lower-case, appended with no space). Renaming convention: Original path → photo.jpg → photo.jpg.fcp One iteration has been reported where folders receive an extra “LOCKED-” prefix (e.g., C:\Users\Finance becomes C:\Users\LOCKED-Finance), but this behaviour is inconsistent. 2. Detection & Outbreak…