• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 298

Any legit software/apps that use the ransomware extensions?

I plan to use a tool to prevent the following file extensions from being created but am concerned
that it may impact legit software/apps. Does anyone know if there's any adverse impact?
We have implemented things that caused big disruptions, so we now need to be careful.

I don't have a complete list of the software we use but offhand, we have MS Office Suite (incl. Outlook),
a few users use a media player/access YouTube (so not sure if preventing .mp3 from being
created will be an issue) & Adobe Reader, archiving tools (WinZip), various McAfee security
agents/tools on our PCs, DLP, Acronis, Checkpoint disk encryption, 2FA software.

Mostly on Win 7 but may have some going to Win 10.

Below is the list of extensions:
.locky
.micro
.zepto
.axx
.cerber
.ecc
.crypt
.ezz
.r5a
.exx
.ccc
.crypz
.cryptowall
.enciphered
.cryptolocker
.mp3
.cryp1
.cerber2
.breaking_bad
.lol!
.crypted
.encrypted
.locked
.xxx
.LeChiffre
.rrk
.cerber3
.enigma
.ttt
.coverton
.crjoker
.encrypt
.good
.zcrypt
.wflx
.crinf
.keybtc@inbox
.surprise
.aaa
.ha3
.zyklon
.abc
.zzz
.EnCiPhErEd
.pdcr
.PoAr2w
.enc
.kkk
.xyz
.windows10
.pzdc
.odcodc
.payms
.crptrgr
.czvxce
.magic
.darkness
.kraken
.p5tkjw
.legion
.bin
.rdm
.fun
.bitstak
.73i87A
.kernel_time
.kernel_compl
.btc
.rokku
.SecureCrypte
.kernel_pid
.payrms
.kratos
.CCCRRRPPP
.kimcilware
.vvv
.paymst
.herbst
.pays
.rekt
.venusf
.paym
.paymts
.szf
.info
.fantom
.paymrss
.padcrypt
.razy
.purge
.a5zfn
.cry
0
Asked by: sunhux

4 Solutions
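Before a "block creation of these extensions" rule goes live, the check a defender wants is an inventory of which blocked extensions already exist on the file shares and user profiles, since every existing file with one of them is a candidate for legitimate use. The following Python script is an added example, not from this thread or from any of the products named in it; it takes the extension list exactly as posted above, walks a directory tree and reports existing files per blocked extension. The sample tree it builds (a temporary directory with a few hypothetical files) is constructed for the demonstration.

```python
"""Pre-deployment audit of a ransomware-extension blocklist (added example).

Walks a directory tree and reports every existing file whose extension is on
the blocklist, so that extensions with legitimate use in the environment
(the thread singles out .bin and .mp3) surface before a "block creation" rule
is enforced. The sample files below are constructed for the demonstration.
"""
import os
import tempfile
from collections import defaultdict

# Extension list exactly as posted in the question (92 entries).
BLOCKED_EXTENSIONS = """
.locky .micro .zepto .axx .cerber .ecc .crypt .ezz .r5a .exx
.ccc .crypz .cryptowall .enciphered .cryptolocker .mp3 .cryp1 .cerber2 .breaking_bad .lol!
.crypted .encrypted .locked .xxx .LeChiffre .rrk .cerber3 .enigma .ttt .coverton
.crjoker .encrypt .good .zcrypt .wflx .crinf .keybtc@inbox .surprise .aaa .ha3
.zyklon .abc .zzz .EnCiPhErEd .pdcr .PoAr2w .enc .kkk .xyz .windows10
.pzdc .odcodc .payms .crptrgr .czvxce .magic .darkness .kraken .p5tkjw .legion
.bin .rdm .fun .bitstak .73i87A .kernel_time .kernel_compl .btc .rokku .SecureCrypte
.kernel_pid .payrms .kratos .CCCRRRPPP .kimcilware .vvv .paymst .herbst .pays .rekt
.venusf .paym .paymts .szf .info .fantom .paymrss .padcrypt .razy .purge
.a5zfn .cry
""".split()


def normalize(extensions):
    """Lower-case and de-duplicate the list.

    NTFS compares names case-insensitively, so .EnCiPhErEd and .enciphered
    are one rule, and a tool that compared case-sensitively would block
    photo.jpg.locky while letting Photo.jpg.LOCKY through.
    """
    return {ext.lower() for ext in extensions}


def audit_tree(root, blocked):
    """Return {extension: [paths]} for files under root whose final extension is blocked."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # "invoice.pdf.locky" -> ".locky"
            if ext in blocked:
                hits[ext].append(os.path.join(dirpath, name))
    return dict(hits)


def build_sample_tree():
    """Create a constructed sample tree (hypothetical user data) and return its root."""
    root = tempfile.mkdtemp(prefix="ext_audit_")
    sample = [
        ("Music", "song.mp3"),           # legitimate media file
        ("Music", "NOTES.MP3"),          # same extension, different case
        ("Firmware", "router-2.1.bin"),  # legitimate vendor firmware image
        ("Docs", "invoice.pdf.locky"),   # the shape a ransomware-renamed file has
        ("Docs", "report.docx"),         # not on the blocklist
    ]
    for sub, name in sample:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "w") as fh:
            fh.write("sample\n")
    return root


def report(hits):
    """Return report lines, most-populated blocked extension first."""
    lines = []
    for ext, paths in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{ext}: {len(paths)} existing file(s)")
        lines.extend("    " + p for p in paths)
    return lines


if __name__ == "__main__":
    root = build_sample_tree()
    print("\n".join(report(audit_tree(root, normalize(BLOCKED_EXTENSIONS)))))
```

Run against real shares by passing their roots to `audit_tree` instead of `build_sample_tree()`; any extension that shows a non-trivial count of existing files is one to exclude from the block rule or to test in staging first.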
 
Learnctx (Engineer) commented:
.bin
.mp3

These 2 stand out as obvious legitimate file extensions.

This site has a big list of file extensions: http://filext.com/alphalist.php?extstart=^A

http://filext.com/file-extension/locky
http://filext.com/file-extension/micro
http://filext.com/file-extension/zepto
http://filext.com/file-extension/axx
http://filext.com/file-extension/cerber
http://filext.com/file-extension/ecc
http://filext.com/file-extension/crypt
http://filext.com/file-extension/ezz
http://filext.com/file-extension/r5a
http://filext.com/file-extension/exx
http://filext.com/file-extension/ccc
http://filext.com/file-extension/crypz
http://filext.com/file-extension/cryptowall
http://filext.com/file-extension/enciphered
http://filext.com/file-extension/cryptolocker
http://filext.com/file-extension/mp3
http://filext.com/file-extension/cryp1
http://filext.com/file-extension/cerber2
http://filext.com/file-extension/breaking_bad
http://filext.com/file-extension/lol!
http://filext.com/file-extension/crypted
http://filext.com/file-extension/encrypted
http://filext.com/file-extension/locked
http://filext.com/file-extension/xxx
http://filext.com/file-extension/LeChiffre
http://filext.com/file-extension/rrk
http://filext.com/file-extension/cerber3
http://filext.com/file-extension/enigma
http://filext.com/file-extension/ttt
http://filext.com/file-extension/coverton
http://filext.com/file-extension/crjoker
http://filext.com/file-extension/encrypt
http://filext.com/file-extension/good
http://filext.com/file-extension/zcrypt
http://filext.com/file-extension/wflx
http://filext.com/file-extension/crinf
http://filext.com/file-extension/keybtc@inbox
http://filext.com/file-extension/surprise
http://filext.com/file-extension/aaa
http://filext.com/file-extension/ha3
http://filext.com/file-extension/zyklon
http://filext.com/file-extension/abc
http://filext.com/file-extension/zzz
http://filext.com/file-extension/EnCiPhErEd
http://filext.com/file-extension/pdcr
http://filext.com/file-extension/PoAr2w
http://filext.com/file-extension/enc
http://filext.com/file-extension/kkk
http://filext.com/file-extension/xyz
http://filext.com/file-extension/windows10
http://filext.com/file-extension/pzdc
http://filext.com/file-extension/odcodc
http://filext.com/file-extension/payms
http://filext.com/file-extension/crptrgr
http://filext.com/file-extension/czvxce
http://filext.com/file-extension/magic
http://filext.com/file-extension/darkness
http://filext.com/file-extension/kraken
http://filext.com/file-extension/p5tkjw
http://filext.com/file-extension/legion
http://filext.com/file-extension/bin
http://filext.com/file-extension/rdm
http://filext.com/file-extension/fun
http://filext.com/file-extension/bitstak
http://filext.com/file-extension/73i87A
http://filext.com/file-extension/kernel_time
http://filext.com/file-extension/kernel_compl
http://filext.com/file-extension/btc
http://filext.com/file-extension/rokku
http://filext.com/file-extension/SecureCrypte
http://filext.com/file-extension/kernel_pid
http://filext.com/file-extension/payrms
http://filext.com/file-extension/kratos
http://filext.com/file-extension/CCCRRRPPP
http://filext.com/file-extension/kimcilware
http://filext.com/file-extension/vvv
http://filext.com/file-extension/paymst
http://filext.com/file-extension/herbst
http://filext.com/file-extension/pays
http://filext.com/file-extension/rekt
http://filext.com/file-extension/venusf
http://filext.com/file-extension/paym
http://filext.com/file-extension/paymts
http://filext.com/file-extension/szf
http://filext.com/file-extension/info
http://filext.com/file-extension/fantom
http://filext.com/file-extension/paymrss
http://filext.com/file-extension/padcrypt
http://filext.com/file-extension/razy
http://filext.com/file-extension/purge
http://filext.com/file-extension/a5zfn
http://filext.com/file-extension/cry
0
 
ste5an (Senior Developer) commented:
Hmm, you should test it or look at the actual code.

Because when you block file creation based on that extension, you may end up without any files after a ransomware attack.
I would expect that the original file is either deleted before the encrypted file is saved, or the original file is overwritten and then renamed.

So in the end, I don't think that this will increase security.
0
 
btan (Exec Consultant) commented:
You can probably check this out; they are suggesting the same strategy and list some extensions that may not be in your list, e.g.:
.R16M01D05, .xrtn, .unbrecrypt_ID_*, .CTBL, .CTBL2, .HA3, .0x0, .bleep, .1999, .bleep, .hydracrypt_ID_*, .keybtc@inbox_com, .POSHKODER, .frtrss, .crjocker
But I think you may want to consider restricting certain filenames as well, namely those of the ransom notes, though there can be false positives too; it may be worth testing in staging:
HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt
http://www.bleepingcomputer.com/forums/t/589811/updated-list-of-ransomware-file-names-and-
http://www.bleepingcomputer.com/forums/t/606360/a-complete-list-of-ransomware-file-ext-and-readme-file-name/extensions/
0
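The lists above mix three kinds of entry: plain extensions, wildcard patterns such as `.unbrecrypt_ID_*` and `README_DECRYPT_HYDRA_ID_*.txt`, and ransom-note file names, with a few duplicates. The Python script below is an added example (not from this thread or from the linked lists' authors); it normalises such a list into case-insensitive glob patterns, de-duplicates it, and runs it over a constructed set of file-creation events in a hypothetical `<time> <action> <path>` format, reporting which event matched which pattern so the rule set can be reviewed for false positives before it is enforced.

```python
"""Matching file-creation events against ransom-note and extension patterns (added example).

Normalises a mixed list of extensions, wildcard patterns and ransom-note file
names, then scans constructed file-creation events with it. Patterns and
events are a subset of / modelled on the names posted in the thread.
"""
import fnmatch
import re

# Subset of the names posted above; the duplicates (.bleep and
# HELP_TO_SAVE_FILES.txt) are kept deliberately because the posted lists contain them.
RAW_PATTERNS = [
    ".unbrecrypt_ID_*", ".hydracrypt_ID_*", ".bleep", ".bleep",
    "HELP_TO_SAVE_FILES.txt", "_Locky_recover_instructions.txt",
    "README_DECRYPT_HYDRA_ID_*.txt", "DECRYPT_INSTRUCTIONS.HTML",
    "HOW TO DECRYPT FILES.TXT", "Decrypt All Files *.bmp", "qwer.html",
    "HELP_TO_SAVE_FILES.txt",
]

# Constructed events in a hypothetical "<timestamp> <action> <path>" format.
SAMPLE_EVENTS = [
    "2016-08-12T10:01:02Z CREATE C:\\Users\\alice\\Documents\\budget.xlsx",
    "2016-08-12T10:01:05Z CREATE C:\\Users\\alice\\Documents\\_Locky_recover_instructions.txt",
    "2016-08-12T10:01:06Z DELETE C:\\Users\\alice\\Documents\\photo.jpg",
    "2016-08-12T10:01:06Z CREATE C:\\Users\\alice\\Documents\\photo.jpg.unbrecrypt_ID_7f3a",
    "2016-08-12T10:01:07Z CREATE C:\\Users\\alice\\Desktop\\README_DECRYPT_HYDRA_ID_12ab34.txt",
    "2016-08-12T10:02:00Z CREATE C:\\Users\\bob\\Downloads\\report.bmp",
    "2016-08-12T10:02:01Z CREATE C:\\Users\\bob\\Downloads\\qwer.html",
    "2016-08-12T10:02:02Z CREATE C:\\Users\\bob\\Downloads\\How To Decrypt Files.txt",
]


def compile_patterns(raw):
    """Lower-case, de-duplicate (order kept) and turn bare extensions into glob patterns.

    Windows file names compare case-insensitively, so matching is done on
    lower-cased names. An entry starting with '.' is an extension that must
    match the end of any file name, so it becomes '*<ext>'.
    """
    seen = []
    for entry in raw:
        pat = entry.lower()
        if pat.startswith("."):
            pat = "*" + pat
        if pat not in seen:
            seen.append(pat)
    return seen


def parse_event(line):
    """Split an event line into (timestamp, action, path); the path may contain spaces."""
    timestamp, action, path = line.split(maxsplit=2)
    return timestamp, action, path


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def match_name(name, patterns):
    """Return the first pattern matching the file name, or None."""
    lowered = name.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(lowered, pat):  # fnmatchcase: we handle case ourselves
            return pat
    return None


def scan_events(lines, patterns):
    """Return (path, pattern) for every CREATE event whose file name matches a pattern."""
    hits = []
    for line in lines:
        _ts, action, path = parse_event(line)
        if action != "CREATE":
            continue
        pat = match_name(basename(path), patterns)
        if pat is not None:
            hits.append((path, pat))
    return hits


if __name__ == "__main__":
    for path, pat in scan_events(SAMPLE_EVENTS, compile_patterns(RAW_PATTERNS)):
        print(f"{pat:35} <- {path}")
```

Note that `qwer.html` fires on an ordinary-looking file name: entries that generic are where the false positives btan mentions come from, and the matched-pattern column is what makes them easy to spot and prune in staging.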
 
sunhux (Author) commented:
Thanks for the list of extensions: quite a thorough list which covers
both Windows & Apple (& possibly other platforms?)

We've tested (been through) it once with one ransomware & it helped: this feature of preventing
files of certain names/extensions from being created is offered by a leading
security product, so I guess they must have researched it.
0
 
btan (Exec Consultant) commented:
A blacklist of files and their metadata, combined with whitelisting of apps, will reduce the exposure collectively. Also do the necessary filtering and scanning of USB drives, email, etc. The decoy approach has been mentioned before, e.g. TrapX CryptoTrap, in case you are interested (PDF): http://deceive.trapx.com/rs/929-JEW-675/images/Product_Brief_TrapX_CryptoTrap.pdf
0
 
ste5an (Senior Developer) commented:
Does this help prevent the encryption and/or deletion of the original files?
0
Question has a verified solution.
