Marilyn Wilkinson, March 2024

Ransomware Extensions: Everything You Need to Know

Ransomware is a serious risk, with businesses being attacked every few seconds. Every day, hackers infiltrate a company’s systems and demand millions of dollars to return the data. One key sign that you’ve been hit by ransomware is the change in your file names. Suddenly, they get a new extension that wasn’t there before. 

This article will walk you through what ransomware extensions mean, how they can help you identify the ransomware, and most importantly, how you can defend your organization.

What Are Ransomware Extensions?

Ransomware extensions are unique suffixes added to the names of encrypted files. 

When ransomware infects your organization’s system, it encrypts your files, making them inaccessible. And then it modifies the file names by adding specific extensions.

For instance, if you had a file named “quarterly_report.docx”, a ransomware attack might change it to “quarterly_report.docx.locky” or “quarterly_report.docx.wannacry”, depending on the type of ransomware.

What Do Ransomware Extensions Mean?

Ransomware extensions are a clear indicator that your files have been compromised—a bit like a cybercriminal’s signature.

The extension can sometimes hint at the ransomware variant responsible for the attack. This information can help cybersecurity professionals identify the malware. For example, a .locky extension points to the Locky ransomware.

What Are Some Common Ransomware Extensions?

Some of the most notorious extensions come from well-known strains like .wannacry, .locky, and .badrabbit. However, there are many more.

Here are some of the most common ransomware extensions and what they mean. If your system has already been infected, you can use this list to recognize which type of ransomware you’re dealing with:

  • .wannacry – The WannaCry ransomware is known for its rapid global spread and significant impact on various sectors
  • .locky – Locky ransomware is famous for its aggressive encryption strategy
  • .cryptolocker – CryptoLocker, one of the first and most well-known types of ransomware, uses this extension, paving the way for many that followed
  • .petya – Petya ransomware encrypts entire disk partitions, making it particularly destructive
  • .badrabbit – Bad Rabbit ransomware encrypts files and is known for its targeted attacks
  • .notpetya or .nopetya – A more virulent derivative of Petya, NotPetya ransomware significantly disrupts infected systems
  • .ryuk – Ryuk ransomware targets large organizations and appends this extension to encrypted files, demanding ransom in cryptocurrency
  • .djvu – A variant of the STOP ransomware, which has been highly active in encrypting personal data and demanding payment for decryption
  • .phobos – Phobos ransomware has been known for its rapid encryption speed and for appending extensions like .phobos, .deimos, or .epic to filenames
  • .dharma – Dharma (or CrySiS) ransomware variants continue to evolve, using extensions like .dharma, .wallet, and .java among others
  • .cont – Used by Conti ransomware, a successor of Ryuk that has targeted healthcare organizations and government agencies
  • .nephilim – Nephilim ransomware, which adds its own extension and then demands a ransom, has targeted various sectors with sensitive information
  • .avaddon – Avaddon ransomware spread through phishing campaigns and encrypted files with the .avaddon extension
  • .makop – Makop ransomware, known for its custom encryption method
  • .ransomexx – RansomExx (also known as Defray777) targets high-profile entities
  • .egregor – Egregor ransomware, which emerged as a significant threat by targeting corporations with customized ransom notes and file extensions
  • .hellokitty – HelloKitty ransomware targets individuals and corporate networks
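As an added, defender-side example (not code from the article or from ProLion), the following Python flags file names whose trailing suffix matches one of the extensions listed above, reports the likely family, and recovers the original file name. The sample listing is constructed; requiring a preceding original extension for .java and .wallet, which are also legitimate file types, is an assumption made here to avoid flagging ordinary files.

```python
"""Added example: spot files carrying a known ransomware extension."""

# Extension -> family, taken from the article's list (lower-cased, no leading dot).
RANSOMWARE_EXTENSIONS = {
    "wannacry": "WannaCry", "locky": "Locky", "cryptolocker": "CryptoLocker",
    "petya": "Petya", "badrabbit": "Bad Rabbit", "notpetya": "NotPetya",
    "nopetya": "NotPetya", "ryuk": "Ryuk", "djvu": "STOP/Djvu",
    "phobos": "Phobos", "deimos": "Phobos", "epic": "Phobos",
    "dharma": "Dharma", "wallet": "Dharma", "java": "Dharma",
    "cont": "Conti", "nephilim": "Nephilim", "avaddon": "Avaddon",
    "makop": "Makop", "ransomexx": "RansomExx", "egregor": "Egregor",
    "hellokitty": "HelloKitty",
}

# Assumption: these also occur as legitimate file types, so only flag them when
# the original extension is still visible before them (e.g. report.pdf.wallet).
NEEDS_INNER_EXTENSION = {"java", "wallet"}


def classify(path):
    """Return (family, original_name) if the file's last suffix is a known
    ransomware extension, else None. Accepts POSIX or Windows paths."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return None
    stem, _, last = name.rpartition(".")
    ext = last.lower()
    family = RANSOMWARE_EXTENSIONS.get(ext)
    if family is None or not stem:
        return None
    if ext in NEEDS_INNER_EXTENSION and "." not in stem:
        return None  # e.g. Main.java is a source file, not an encrypted one
    return family, stem


def scan(paths):
    """Group flagged files by family: {family: [(encrypted_name, original_name)]}."""
    hits = {}
    for p in paths:
        result = classify(p)
        if result:
            family, original = result
            hits.setdefault(family, []).append((p, original))
    return hits


# Constructed sample listing, standing in for a directory walk of a file share.
SAMPLE_LISTING = [
    "/shares/finance/quarterly_report.docx.locky",
    "/shares/finance/budget.xlsx",
    "C:\\shares\\hr\\contracts.pdf.WALLET",
    "/shares/dev/Main.java",
    "/shares/dev/README",
]

if __name__ == "__main__":
    for family, files in scan(SAMPLE_LISTING).items():
        print(family, files)
```

In practice you would feed it the output of a directory walk and alert on any family with more than a handful of hits, since a burst of renamed files is the behavioural signal, not a single match.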

Why Do Attackers Use Ransomware Extensions?

Extensions do more than signal a successful attack: they are part of the cybercriminal’s psychological game.

By clearly marking which files have been encrypted, they remind the victim of what they stand to lose unless they pay up. This alteration of files adds to the urgency and fear, pushing individuals or companies towards considering the ransom payment. 

What Should You Do If You Notice Ransomware Extensions?

Discovering ransomware extensions on your files can be alarming, as it signals that your data has been compromised. It’s crucial to act promptly to mitigate the damage and begin the recovery process. 

It’s important to understand that simply removing or changing the extension back to its original state won’t unlock your files. The encryption used in these attacks is sophisticated and can only be undone with a unique decryption key, which the attackers hold, or with specialized decryption tools.

If your system has been infiltrated by ransomware, you should consult your organization’s incident response plan to decide the next steps. Here are the steps that you will generally need to carry out after an attack:

  1. Disconnect from the Source: Immediately isolate the compromised device or server by disconnecting it from your network. This helps prevent the spread of the ransomware to other devices and systems. However, be sure to avoid destroying any data that will be important for forensics.  
  2. Assess the Situation: With the immediate threat contained, identify the ransomware variant you’re dealing with and consider your next steps and available tools. Your incident response plan should outline the contingency measures you can take to mitigate the damage.
  3. Communicate with Leadership: Inform all relevant departments and stakeholders, including leadership, legal, PR, and HR, to coordinate your internal and external communication strategy.
  4. Determine Your Response Strategy: Carefully consider your options. Paying the ransom is usually a bad idea: it encourages attackers to strike again, and there is no guarantee they will return your data. Instead, involve all relevant stakeholders, departments, and any potential third parties (such as forensic investigators and incident response retainers) named in your incident response plan. This will help you find out which area of the business was exploited and put in place processes and policies to eliminate the threat.
  5. Restore Data and Patch Up Vulnerabilities: Recover affected files and investigate the breach’s entry point to prevent future incidents.

Prevention Is the Best Defense Against Ransomware Extensions

Don’t wait until you see ransomware extensions in your network. Prevention is the best form of ransomware protection. And these days, it’s not a question of if attackers will strike, but when. So it’s essential to be prepared. 

ProLion’s CryptoSpike automatically blocks ransomware extensions to prevent malicious software from infecting your system. It also identifies suspicious behavior and prevents the hacker from accessing your network. And with ProLion DataAnalyzer, you get the right tools to assess your current data. 

In the unlikely event an attack is successful, ProLion can help you restore the specific files you need. Single-file restoration is faster and more reliable than traditional backups and can help you get back on track right away.

To learn more about how you can protect your organization from ransomware attacks, read the free whitepaper or get in touch with our team.