Jump to content

Request: List of wildcard file masks of known ransomware fallout


a raccoon
 Share

Recommended Posts

Hello folks,

I am looking to compile a list of known file masks to search for ransomware fallout files -- files that were encrypted by ransomware and given a unique filename and extension.  Each ransomware strain typically has their own unique template pattern when they rename encrypted files to a new name, for example, *.[*].[*].makop would be a wildcard file mask of the afflicted file_name.txt.[ABC12345].[[email protected]].makop

This list to be included as a community bookmark in the popular windows freeware program Everything by VoidTools software to assist users in locating the fallout of ransomware on their computers and networks.  This way users can attempt to located affected files, whether they are aware of previous ransomware infection or not.  Sometimes ransomware fallout will survive years later inside file backups, archives and even continually shared on networks and file servers.

Bonus points.  It would be cool if these file masks could be broken up into 2 categories -- randomware strains with known decryption tools, and those without as of today.  But this part isn't terribly necessary.

Globbing wildcard patterns and/or Regular Expression patterns both welcome.

 

Link to comment
Share on other sites

Darn shame, too.

Helping people to discover ransomware'd files would certainly drive more users and customers toward your solutions.

Enabling technicians to quickly discover that a user has ransomware'd files during their normal course of work would benefit everyone.

I look forward to your reconsideration on the matter.

Link to comment
Share on other sites

Identifying ransomware encrypted files on a target system is more complex than a set of regex & wildcard patterns.  There is ransomware that will not alter the file name.  Identifying those files requires a different approach.  You also have ransomware families that masquerade as another ransomware family.  Identifying those files and the ransomware family requires a different approach as well.

Link to comment
Share on other sites

Thanks ShadowPuterDude,

Indeed, those are valid concerns and would require fingerprinting the file header or footer for a better ID.

Mainly I need to keep an eye out for ransomware encrypted files (fallout) in my archives of billions of files, so these file masks would be a great first step.  File type validation is the next step. (which also solves for locating stenographically hidden data)

Are you sure the information I'm requesting is not already community shared and GPL licensed, as opposed to propriety?  And why all the pearl clutching?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...