The first 10k characters or so are encrypted and the rest of the file is left alone.
Then an additional 36 characters are added to the end of the file which will be part of the key (probably for the decryptor you don't get when you pay lol).
However, I really WOULD NOT rename your files unless you back them all up or you'll end up in a real mess.
Looking at the logs, one IP had been hitting us every 3 or 4 seconds for over 6 months so it took over 5 million attempts to guess the password.
I am usually switched on and notice these things but I have been so busy it got overlooked. I have blocked some IP's now and changed the password length and RDP port and attacks have stopped.
However, I never overlook backups. That is always priority.
A few points that helped us on our cloud based server from this attack.
1) The websites and other logs are on a separate partitioned attached block storage volume (attached as drives E and F not the IIS default of c:/inetpub ) When the virus got hold we just detached the drive to minimise impact.
2) We have learnt from experience to never host MySQL on a host machine and consequently host MySQL on a different OS and an ubuntu machine - so it was never touched. We had millions of rows of data across 120 tables that would have been a nightmare to restore plus around 100-150k rows are added daily.
3) This meant we simply restored the server from a working image a few days old, re-attached the block storage drive attached a backup of this and copied files across, changed the MySQL passwords and basically most services were back up within around 45 minutes.
We just had to restore some websites as they were outdated. We have actually only lost around 40 hours of work (from a live work in progress that had not yet been backed up that week). Hopefully a decryption can recover it or we will need to start again.
Hopefully you all can get your files restored, but backup your server and data, have a contingency plan for events like this - and build and spread your configuration carefully to minimise impact.