lukitus

The extension looks random.

There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc character extension to the end of all affected filenames to include CTB-Locker, Crypt0L0cker, Magniber, GandCrab V5+, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, MrDec (Mr.Dec), SynAck, Maktub Locker, Alma Locker, Princess Locker, Princess Evolution, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants.

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its actual name and contents), samples of the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection.  ID Ransomware can identify ransomwares with random extension and more accurately identifies ransomwares by filemarkers if applicable.

Based on infection rates we see, you are most likely infected with a variant of GandCrab V5.

  • GandCrab V5 (V5.0.1) will have a random 5 character extension (i.e. .fbkdp .ibagx .qikka) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. qikka-DECRYPT.html, eiuhtxjzs-DECRYPT.html).
  • GandCrab V5.0.2 and GandCrab V5.0.3 will have a random 5-9 character extension (i.e. .fnxfavh, .eiuhtxjzs, .ilrkdszxe) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. fnxfavh-DECRYPT.html, eiuhtxjzs-DECRYPT.html).
  • GandCrab V5.0.4+ will have a random 5-10 upper-case character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random upper-cased extension]-DECRYPT.txt (i.e. LUKIZQW-DECRYPT.txt, TKKLKM-DECRYPT.txt).
  • GandCrab V5.1+ will have a random 5-10 upper-case character extension appended to the end of the encrypted data filename.
  • GandCrab V5.2, like its predecessors, will also have a random 5-10 character extension appended to the end of the encrypted data filename.

If confirmed, Bitdefender released a free decrypter for GandCrab V1, V4 and up through V5.1+ recognizable by their extensions... .GDCB, .KRAB and random 5-10 characters (i.e. .fbkdp .ibagx .qikka, .eiuhtxjzs9, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) respectively.


Files encrypted by GandCrab V5.2 are not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities like previous versions. The criminals released V5.2 after Bitdefender updated its decrypter for V5.1 so it will not work on this latest version. Bitdefender confirmed that there is no decryption tool for GandCrab V5.2.

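The extension and ransom-note rules listed in the post above, written as a triage script; this is an added example and not part of the original post. The file names in `SAMPLE` are constructed, `triage` is a hypothetical helper, and where the post gives no ransom-note name for a version the script assumes the note cannot be used to exclude that version.

```python
import re

# Rules transcribed from the post above: (label, extension pattern, ransom-note
# file type). None = the post gives no note name for that version, so (as an
# assumption of this example) the note type is not used to exclude it.
RULES = [
    ("GandCrab V5 (V5.0.1)", r"[a-z]{5}", "html"),
    ("GandCrab V5.0.2/V5.0.3", r"[a-z]{5,9}", "html"),
    ("GandCrab V5.0.4+", r"[A-Z]{5,10}", "txt"),
    ("GandCrab V5.1+", r"[A-Z]{5,10}", None),
    ("GandCrab V5.2", r"[A-Za-z]{5,10}", None),
]
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.(html|txt)$")


def triage(filenames):
    """Map each suspicious extension to the versions the post's rules allow.

    An extension is reported only when a ransom note named after it
    ("<extension>-DECRYPT.html/.txt") is in the same listing; this keeps
    ordinary five-letter extensions such as .accdb out of the result.
    """
    notes = {}
    for name in filenames:
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1)] = m.group(2)

    result = {}
    for name in filenames:
        if NOTE_RE.match(name) or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]
        if ext not in notes or ext in result:
            continue
        result[ext] = [
            label for label, pattern, note_type in RULES
            if re.fullmatch(pattern, ext) and note_type in (None, notes[ext])
        ]
    return result


# Constructed directory listing; the extensions are the examples from the post.
SAMPLE = ["report.docx.qikka", "photo.jpg.qikka", "qikka-DECRYPT.html",
          "budget.xlsx.LUKIZQW", "LUKIZQW-DECRYPT.txt", "inventory.accdb",
          "thesis.tex.fnxfavh", "fnxfavh-DECRYPT.html", "README"]

if __name__ == "__main__":
    for ext, candidates in triage(SAMPLE).items():
        print(f".{ext}: {', '.join(candidates)}")
```

Every result lists more than one candidate, and the other families named in the post also use random extensions, so the output narrows the search but does not replace confirmation through the ransom note contents, filemarkers or ID Ransomware.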
