Solved

Any legit software/apps that use the ransomware extensions

Posted on 2016-09-14
7
137 Views
Last Modified: 2016-10-27
I plan to use a tool to prevent the following file extensions from being created but am concerned
that it may impact legit software/apps. Does anyone know if there's any adverse impact?
We have implemented things that caused big disruptions, so we now need to be careful.

Don't have a complete list of software we use but offhand, we have MS Office Suite (incl Outlook),
a few users use media players/access YouTube (so not sure if preventing .mp3 from being
created will be an issue) & Adobe Reader, archiving tools (WinZip), various McAfee security
agents/tools in our PCs, DLP, Acronis, Checkpoint disk encryption, 2FA software.

Mostly on Win 7 but may have some going to Win 10.

Below is the list of extensions:
.locky
.micro
.zepto
.axx
.cerber
.ecc
.crypt
.ezz
.r5a
.exx
.ccc
.crypz
.cryptowall
.enciphered
.cryptolocker
.mp3
.cryp1
.cerber2
.breaking_bad
.lol!
.crypted
.encrypted
.locked
.xxx
.LeChiffre
.rrk
.cerber3
.enigma
.ttt
.coverton
.crjoker
.encrypt
.good
.zcrypt
.wflx
.crinf
.keybtc@inbox
.surprise
.aaa
.ha3
.zyklon
.abc
.zzz
.EnCiPhErEd
.pdcr
.PoAr2w
.enc
.kkk
.xyz
.windows10
.pzdc
.odcodc
.payms
.crptrgr
.czvxce
.magic
.darkness
.kraken
.p5tkjw
.legion
.bin
.rdm
.fun
.bitstak
.73i87A
.kernel_time
.kernel_compl
.btc
.rokku
.SecureCrypte
.kernel_pid
.payrms
.kratos
.CCCRRRPPP
.kimcilware
.vvv
.paymst
.herbst
.pays
.rekt
.venusf
.paym
.paymts
.szf
.info
.fantom
.paymrss
.padcrypt
.razy
.purge
.a5zfn
.cry
0
Comment
Question by:sunhux
7 Comments
 
LVL 17

Accepted Solution

by:
Learnctx earned 240 total points
ID: 41797622
.bin
.mp3

These 2 stand out as obvious legitimate file extensions.

This site has a big list of file extensions: http://filext.com/alphalist.php?extstart=^A

http://filext.com/file-extension/locky
http://filext.com/file-extension/micro
http://filext.com/file-extension/zepto
http://filext.com/file-extension/axx
http://filext.com/file-extension/cerber
http://filext.com/file-extension/ecc
http://filext.com/file-extension/crypt
http://filext.com/file-extension/ezz
http://filext.com/file-extension/r5a
http://filext.com/file-extension/exx
http://filext.com/file-extension/ccc
http://filext.com/file-extension/crypz
http://filext.com/file-extension/cryptowall
http://filext.com/file-extension/enciphered
http://filext.com/file-extension/cryptolocker
http://filext.com/file-extension/mp3
http://filext.com/file-extension/cryp1
http://filext.com/file-extension/cerber2
http://filext.com/file-extension/breaking_bad
http://filext.com/file-extension/lol!
http://filext.com/file-extension/crypted
http://filext.com/file-extension/encrypted
http://filext.com/file-extension/locked
http://filext.com/file-extension/xxx
http://filext.com/file-extension/LeChiffre
http://filext.com/file-extension/rrk
http://filext.com/file-extension/cerber3
http://filext.com/file-extension/enigma
http://filext.com/file-extension/ttt
http://filext.com/file-extension/coverton
http://filext.com/file-extension/crjoker
http://filext.com/file-extension/encrypt
http://filext.com/file-extension/good
http://filext.com/file-extension/zcrypt
http://filext.com/file-extension/wflx
http://filext.com/file-extension/crinf
http://filext.com/file-extension/keybtc@inbox
http://filext.com/file-extension/surprise
http://filext.com/file-extension/aaa
http://filext.com/file-extension/ha3
http://filext.com/file-extension/zyklon
http://filext.com/file-extension/abc
http://filext.com/file-extension/zzz
http://filext.com/file-extension/EnCiPhErEd
http://filext.com/file-extension/pdcr
http://filext.com/file-extension/PoAr2w
http://filext.com/file-extension/enc
http://filext.com/file-extension/kkk
http://filext.com/file-extension/xyz
http://filext.com/file-extension/windows10
http://filext.com/file-extension/pzdc
http://filext.com/file-extension/odcodc
http://filext.com/file-extension/payms
http://filext.com/file-extension/crptrgr
http://filext.com/file-extension/czvxce
http://filext.com/file-extension/magic
http://filext.com/file-extension/darkness
http://filext.com/file-extension/kraken
http://filext.com/file-extension/p5tkjw
http://filext.com/file-extension/legion
http://filext.com/file-extension/bin
http://filext.com/file-extension/rdm
http://filext.com/file-extension/fun
http://filext.com/file-extension/bitstak
http://filext.com/file-extension/73i87A
http://filext.com/file-extension/kernel_time
http://filext.com/file-extension/kernel_compl
http://filext.com/file-extension/btc
http://filext.com/file-extension/rokku
http://filext.com/file-extension/SecureCrypte
http://filext.com/file-extension/kernel_pid
http://filext.com/file-extension/payrms
http://filext.com/file-extension/kratos
http://filext.com/file-extension/CCCRRRPPP
http://filext.com/file-extension/kimcilware
http://filext.com/file-extension/vvv
http://filext.com/file-extension/paymst
http://filext.com/file-extension/herbst
http://filext.com/file-extension/pays
http://filext.com/file-extension/rekt
http://filext.com/file-extension/venusf
http://filext.com/file-extension/paym
http://filext.com/file-extension/paymts
http://filext.com/file-extension/szf
http://filext.com/file-extension/info
http://filext.com/file-extension/fantom
http://filext.com/file-extension/paymrss
http://filext.com/file-extension/padcrypt
http://filext.com/file-extension/razy
http://filext.com/file-extension/purge
http://filext.com/file-extension/a5zfn
http://filext.com/file-extension/cry
0
 
LVL 33

Expert Comment

by:ste5an
ID: 41797632
Hmm, you should test it or look at the actual code.

Because when you block file creation based on that extension, you may end up without any files after a ransomware attack.
I would expect that the original file is either deleted before the encrypted file is saved, or the original file is overwritten and then renamed.

So in the end, I don't think that this will increase security.
0
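Two checks that make the concerns in the question and in the comment above concrete, added here as example code (it is not code posted by anyone in the thread). The first counts how many files in a legitimate inventory already carry a blocked extension, which is the .bin/.mp3 collision the accepted answer points out; the second replays a trace of file-system events against a creation-block rule to show which originals the rule does and does not save. The blocklist is a subset of the one in the question; the inventory paths and the event trace are constructed sample data, not observations from any real system.

```python
"""Pre-deployment checks for an extension-creation block rule (added example)."""
from collections import Counter

# Subset of the extensions listed in the question; the full list can be pasted in.
BLOCKLIST = {
    ".locky", ".micro", ".zepto", ".cerber", ".crypt", ".cryptowall",
    ".cryptolocker", ".mp3", ".crypted", ".encrypted", ".locked", ".xxx",
    ".enc", ".bin", ".info", ".xyz", ".abc", ".zzz", ".aaa", ".cry",
}


def final_ext(path):
    """Lower-cased final extension of a path, '' if none.

    Only the last extension is checked, so 'report.docx.locky' -> '.locky';
    that matches how a per-extension block rule sees the name.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""


def find_collisions(blocklist, inventory):
    """Count files in a legitimate inventory per blocked extension.

    A non-zero count means the rule will interfere with real software or
    user data; those extensions need an exception or a different control.
    """
    blocked = {e.lower() for e in blocklist}
    hits = Counter(final_ext(p) for p in inventory if final_ext(p) in blocked)
    return dict(hits)


# Constructed inventory standing in for a directory walk of a workstation.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Music\track01.mp3",
    r"C:\Program Files\Vendor\firmware.bin",
    r"C:\Program Files\Vendor\update.bin",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\Downloads\readme.info",
]


def evaluate_rule(events, blocklist, block_renames=False):
    """Replay (operation, path, new_path) events against a creation-block rule.

    operation is 'create', 'write' (overwrite in place), 'delete' or 'rename'.
    Returns (blocked, lost): names the rule refused, and originals whose
    content was destroyed before any blocked extension ever appeared.
    """
    blocked_ext = {e.lower() for e in blocklist}
    blocked, lost = [], []
    for op, path, new_path in events:
        if op == "create" and final_ext(path) in blocked_ext:
            blocked.append(path)            # the rule fires here
        elif op in ("write", "delete"):
            lost.append(path)               # nothing in the rule looks at this
        elif op == "rename" and block_renames and final_ext(new_path) in blocked_ext:
            blocked.append(new_path)        # only if the tool also hooks renames
    return blocked, lost


# Constructed trace of the two patterns described in the comment above:
# (A) delete the original, then save an encrypted copy under a new extension;
# (B) overwrite the original in place, then rename it.
SAMPLE_EVENTS = [
    ("delete", r"C:\Users\alice\Documents\report.docx", None),
    ("create", r"C:\Users\alice\Documents\report.docx.locky", None),
    ("write", r"C:\Users\alice\Documents\notes.txt", None),
    ("rename", r"C:\Users\alice\Documents\notes.txt",
     r"C:\Users\alice\Documents\notes.txt.locky"),
]


if __name__ == "__main__":
    print("collisions:", find_collisions(BLOCKLIST, SAMPLE_INVENTORY))
    blocked, lost = evaluate_rule(SAMPLE_EVENTS, BLOCKLIST, block_renames=True)
    print("blocked:", blocked)
    print("originals lost anyway:", lost)
```

Run against the constructed data, the collision check reports .bin, .mp3 and .info already in legitimate use, and the replay shows that the rule refuses both encrypted names yet both originals are lost beforehand, which is exactly why the comment recommends testing the actual behaviour rather than relying on the extension list alone.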
 
LVL 62

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797776
You can probably check this out; they are describing the same strategy and they list some extensions that may not be in your list, e.g.
.R16M01D05, .xrtn, .unbrecrypt_ID_*, .CTBL, .CTBL2, .HA3, .0x0, .bleep, .1999, .bleep, .hydracrypt_ID_*, .keybtc@inbox_com, .POSHKODER, .frtrss, .crjocker
But I am thinking you may want to consider even restricting certain filenames, i.e. the ransom notes, though there can be false positives too; it may be worth testing in staging:
HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt
http://www.bleepingcomputer.com/forums/t/589811/updated-list-of-ransomware-file-names-and-
http://www.bleepingcomputer.com/forums/t/606360/a-complete-list-of-ransomware-file-ext-and-readme-file-name/extensions/
0

Author Comment

by:sunhux
ID: 41797777
Thanks for the list of extensions: quite a thorough list which covers
both Windows & Apple (& possibly other platforms?).

We've tested (been through) it once with one ransomware & it helped: this feature of preventing
files of certain names/extensions from being created is offered by a leading
security product, so I guess they must have researched it.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797783
A blacklist of files and their metadata together with whitelisting of apps will reduce the exposure collectively. Also do the necessary filtering and scanning of USB drives, email etc. The decoy approach has been mentioned before, like TrapX CryptoTrap, in case you are interested (pdf): http://deceive.trapx.com/rs/929-JEW-675/images/Product_Brief_TrapX_CryptoTrap.pdf
0
 

Assisted Solution

by:Sameh Gomaa
Sameh Gomaa earned 70 total points
ID: 41797820
0
 
LVL 33

Expert Comment

by:ste5an
ID: 41797831
Does this help prevent the encryption and/or deletion of the original files?
0
