exlorer.exe in Windows Server 2012 r2


Is there any evidence of file extensions added to your encrypted data files? If so, what is the extension? Is there a .[email], an identification number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an identification number with an e-mail address (.id-BCBEF350.[], .identifier[7A9B748C-1104].[], _ID__) preceding the extension? Some types of ransomware will rename, encrypt, or even scramble file names completely, while others will not add any extensions.

Did you find any ransom notes? If so, what is the real name of the ransom demand?
Can you provide (copy and paste) the ransom note content in your next answer?
Have the cybercriminals provided an e-mail address to which to send the payment? If so, what is the e-mail address?

Actual ransomware will typically have obvious indications (signs of infection)… it usually targets and encrypts data files so that you cannot open them locally (and on connected drives at the time of infection), in most cases it adds an obvious extension (sometimes random or with an identifier and/or an e-mail address) at the end or at the beginning of the names of encrypted files, demands ransom payment by dropping ransom notes in every affected directory or folder where data has been encrypted and sometimes changes the Windows wallpaper. In rare cases, criminals will send victims an e-mail with the ransom demands as reported here.

Windows Insider MVP 2017-2020
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, unified network of trusted instructors and eliminators
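
As an added example that is not part of the original post, this Python triage helper answers the questions above from a file listing: it classifies the appended marker shapes the post quotes, counts final extensions, and lists file names present in every affected folder as ransom-note candidates. The regexes, function names, the `user@example.com` address, the `.example` extension and the `NOTE_PLACEHOLDER.txt` name are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Regexes are this example's approximations of the marker shapes quoted in the post.
HEX = r"[0-9A-Fa-f]"
ID = rf"\.id(?:entifier)?(?:-{HEX}{{8}}|\[{HEX}{{8}}-{HEX}{{4}}\])"
EMAIL = r"\.\[[^\[\]\s]+@[^\[\]\s]+\]"
PATTERNS = [  # most specific shape first
    ("id + e-mail", re.compile(ID + EMAIL)),
    ("id only", re.compile(ID)),
    ("e-mail only", re.compile(EMAIL)),
]

def classify(name):
    """Return the marker shape found in a file name, or None."""
    for label, rx in PATTERNS:
        if rx.search(name):
            return label
    return None

def triage(paths):
    """Summarise markers, final extensions and ransom-note candidates."""
    markers, extensions = Counter(), Counter()
    marked_dirs, clean_names = set(), {}
    for p in map(PureWindowsPath, paths):
        label = classify(p.name)
        if label:
            markers[label] += 1
            extensions[p.suffix.lower()] += 1
            marked_dirs.add(p.parent)
        else:
            clean_names.setdefault(p.parent, set()).add(p.name.lower())
    # Notes are dropped in every affected folder, so look for an unmarked
    # file name shared by all folders that hold marked files.
    notes = set()
    if len(marked_dirs) >= 2:
        notes = set.intersection(*(clean_names.get(d, set()) for d in marked_dirs))
    return {"markers": dict(markers), "extensions": dict(extensions),
            "note_candidates": sorted(notes)}

SAMPLE = [  # constructed listing, not taken from a real incident
    r"D:\Share\Finance\budget.xlsx.id-A04EBFC2.[user@example.com].example",
    r"D:\Share\Finance\q3.docx.id-A04EBFC2.[user@example.com].example",
    r"D:\Share\Finance\NOTE_PLACEHOLDER.txt",
    r"D:\Share\Finance\desktop.ini",
    r"D:\Share\HR\staff.pdf.id-A04EBFC2.[user@example.com].example",
    r"D:\Share\HR\NOTE_PLACEHOLDER.txt",
    r"D:\Share\IT\notes.txt",
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it a recursive listing exported from the affected share; a note candidate is only reported when at least two folders contain marked files.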
