Solved

Any legit software/apps that use the ransomware extensions?

Posted on 2016-09-14
205 Views
Last Modified: 2016-10-27
I plan to use a tool to prevent the following file extensions from being created, but I am concerned
that it may impact legitimate software/apps. Does anyone know if there is any adverse impact?
We have implemented things in the past that caused big disruptions, so we now need to be careful.

I don't have a complete list of the software we use, but offhand we have the MS Office Suite (incl. Outlook);
a few users use a media player/access YouTube (so I'm not sure if preventing .mp3 files from being
created will be an issue); Adobe Reader; archiving tools (WinZip); various McAfee security
agents/tools on our PCs; DLP; Acronis; Check Point disk encryption; and 2FA software.

Mostly on Win 7, but some may be going to Win 10.

Below is the list of extensions :
.locky
.micro
.zepto
.axx
.cerber
.ecc
.crypt
.ezz
.r5a
.exx
.ccc
.crypz
.cryptowall
.enciphered
.cryptolocker
.mp3
.cryp1
.cerber2
.breaking_bad
.lol!
.crypted
.encrypted
.locked
.xxx
.LeChiffre
.rrk
.cerber3
.enigma
.ttt
.coverton
.crjoker
.encrypt
.good
.zcrypt
.wflx
.crinf
.keybtc@inbox
.surprise
.aaa
.ha3
.zyklon
.abc
.zzz
.EnCiPhErEd
.pdcr
.PoAr2w
.enc
.kkk
.xyz
.windows10
.pzdc
.odcodc
.payms
.crptrgr
.czvxce
.magic
.darkness
.kraken
.p5tkjw
.legion
.bin
.rdm
.fun
.bitstak
.73i87A
.kernel_time
.kernel_compl
.btc
.rokku
.SecureCrypte
.kernel_pid
.payrms
.kratos
.CCCRRRPPP
.kimcilware
.vvv
.paymst
.herbst
.pays
.rekt
.venusf
.paym
.paymts
.szf
.info
.fantom
.paymrss
.padcrypt
.razy
.purge
.a5zfn
.cry
Question by:sunhux
7 Comments
 
LVL 17

Accepted Solution

by:
Learnctx earned 240 total points
ID: 41797622
.bin
.mp3

These 2 stand out as obvious legitimate file extensions.

This site has a big list of file extensions: http://filext.com/alphalist.php?extstart=^A

http://filext.com/file-extension/locky
http://filext.com/file-extension/micro
http://filext.com/file-extension/zepto
http://filext.com/file-extension/axx
http://filext.com/file-extension/cerber
http://filext.com/file-extension/ecc
http://filext.com/file-extension/crypt
http://filext.com/file-extension/ezz
http://filext.com/file-extension/r5a
http://filext.com/file-extension/exx
http://filext.com/file-extension/ccc
http://filext.com/file-extension/crypz
http://filext.com/file-extension/cryptowall
http://filext.com/file-extension/enciphered
http://filext.com/file-extension/cryptolocker
http://filext.com/file-extension/mp3
http://filext.com/file-extension/cryp1
http://filext.com/file-extension/cerber2
http://filext.com/file-extension/breaking_bad
http://filext.com/file-extension/lol!
http://filext.com/file-extension/crypted
http://filext.com/file-extension/encrypted
http://filext.com/file-extension/locked
http://filext.com/file-extension/xxx
http://filext.com/file-extension/LeChiffre
http://filext.com/file-extension/rrk
http://filext.com/file-extension/cerber3
http://filext.com/file-extension/enigma
http://filext.com/file-extension/ttt
http://filext.com/file-extension/coverton
http://filext.com/file-extension/crjoker
http://filext.com/file-extension/encrypt
http://filext.com/file-extension/good
http://filext.com/file-extension/zcrypt
http://filext.com/file-extension/wflx
http://filext.com/file-extension/crinf
http://filext.com/file-extension/keybtc@inbox
http://filext.com/file-extension/surprise
http://filext.com/file-extension/aaa
http://filext.com/file-extension/ha3
http://filext.com/file-extension/zyklon
http://filext.com/file-extension/abc
http://filext.com/file-extension/zzz
http://filext.com/file-extension/EnCiPhErEd
http://filext.com/file-extension/pdcr
http://filext.com/file-extension/PoAr2w
http://filext.com/file-extension/enc
http://filext.com/file-extension/kkk
http://filext.com/file-extension/xyz
http://filext.com/file-extension/windows10
http://filext.com/file-extension/pzdc
http://filext.com/file-extension/odcodc
http://filext.com/file-extension/payms
http://filext.com/file-extension/crptrgr
http://filext.com/file-extension/czvxce
http://filext.com/file-extension/magic
http://filext.com/file-extension/darkness
http://filext.com/file-extension/kraken
http://filext.com/file-extension/p5tkjw
http://filext.com/file-extension/legion
http://filext.com/file-extension/bin
http://filext.com/file-extension/rdm
http://filext.com/file-extension/fun
http://filext.com/file-extension/bitstak
http://filext.com/file-extension/73i87A
http://filext.com/file-extension/kernel_time
http://filext.com/file-extension/kernel_compl
http://filext.com/file-extension/btc
http://filext.com/file-extension/rokku
http://filext.com/file-extension/SecureCrypte
http://filext.com/file-extension/kernel_pid
http://filext.com/file-extension/payrms
http://filext.com/file-extension/kratos
http://filext.com/file-extension/CCCRRRPPP
http://filext.com/file-extension/kimcilware
http://filext.com/file-extension/vvv
http://filext.com/file-extension/paymst
http://filext.com/file-extension/herbst
http://filext.com/file-extension/pays
http://filext.com/file-extension/rekt
http://filext.com/file-extension/venusf
http://filext.com/file-extension/paym
http://filext.com/file-extension/paymts
http://filext.com/file-extension/szf
http://filext.com/file-extension/info
http://filext.com/file-extension/fantom
http://filext.com/file-extension/paymrss
http://filext.com/file-extension/padcrypt
http://filext.com/file-extension/razy
http://filext.com/file-extension/purge
http://filext.com/file-extension/a5zfn
http://filext.com/file-extension/cry
 
LVL 34

Expert Comment

by:ste5an
ID: 41797632
Hmm, you should test it or look at the actual code.

Because when you block file creation based on that extension, you may end up without any files after a ransomware attack.
I would expect that the original file is either deleted before the encrypted file is saved, or the original file is overwritten and then renamed.

So in the end, I don't think that this will increase security.
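The distinction drawn in the comment above, between a family that writes a new encrypted file and one that overwrites in place, decides what an extension-based creation block can actually save. The following simulation is an added illustration for this thread, not code from the thread, from any ransomware family or from any product. It assumes a blocking tool that denies only the creation of, or rename to, a name whose final extension is on the list (case-insensitively, as NTFS treats names), and it models three hypothetical write patterns with a toy XOR standing in for the real cipher; the file names and contents are constructed.

```python
"""
Simulate three ransomware write patterns against an extension-based
file-creation block and report what each leaves on disk.

Added example, not code from the thread or from any product. The three
write patterns and the toy "cipher" are constructed for the demonstration.
"""
import os
import tempfile

# Extensions the hypothetical blocking tool denies on create/rename.
# Matched on the final extension only, case-insensitively (assumption).
BLOCKED_EXTENSIONS = {".locky", ".zepto", ".encrypted", ".crypt"}


class BlockedByPolicy(PermissionError):
    """Raised where the blocking tool would deny the operation."""


def is_blocked(path):
    return os.path.splitext(path)[1].lower() in BLOCKED_EXTENSIONS


def toy_encrypt(data):
    """Stand-in for the malware's cipher; just makes the bytes unreadable."""
    return bytes(b ^ 0x5A for b in data)


def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()


def guarded_create(path):
    """Model of the product hook on file creation: deny blocked names."""
    if is_blocked(path):
        raise BlockedByPolicy(path)
    return open(path, "wb")


def guarded_rename(src, dst):
    """Model of the product hook on rename: deny blocked target names."""
    if is_blocked(dst):
        raise BlockedByPolicy(dst)
    os.replace(src, dst)


def pattern_copy_then_delete(original):
    """Write <name>.locky as a NEW file, then delete the original.
    The creation is denied; this variant checks the result and aborts."""
    data = read_bytes(original)
    try:
        with guarded_create(original + ".locky") as f:
            f.write(toy_encrypt(data))
    except BlockedByPolicy:
        return
    os.remove(original)


def pattern_copy_then_delete_sloppy(original):
    """Same, but the malware ignores the failed write and deletes anyway."""
    data = read_bytes(original)
    try:
        with guarded_create(original + ".locky") as f:
            f.write(toy_encrypt(data))
    except BlockedByPolicy:
        pass
    os.remove(original)


def pattern_overwrite_then_rename(original):
    """Encrypt in place (an overwrite of an EXISTING file, which a creation
    block never sees), then rename. The rename is denied, but the plaintext
    is already gone."""
    data = read_bytes(original)
    with open(original, "wb") as f:
        f.write(toy_encrypt(data))
    try:
        guarded_rename(original, original + ".locky")
    except BlockedByPolicy:
        pass


def run_pattern(pattern, plaintext=b"quarterly figures\n"):
    """Apply one pattern to a fresh file in a temp dir.
    Returns (original_still_intact, encrypted_copy_present)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "report.docx")
        with open(original, "wb") as f:
            f.write(plaintext)
        pattern(original)
        intact = os.path.exists(original) and read_bytes(original) == plaintext
        return intact, os.path.exists(original + ".locky")


def simulate_all():
    return {
        "copy_then_delete_checks_result": run_pattern(pattern_copy_then_delete),
        "copy_then_delete_ignores_failure": run_pattern(pattern_copy_then_delete_sloppy),
        "overwrite_in_place_then_rename": run_pattern(pattern_overwrite_then_rename),
    }


if __name__ == "__main__":
    for name, (intact, enc) in simulate_all().items():
        print(f"{name}: original intact={intact}, encrypted copy on disk={enc}")
```

Only the first pattern is stopped outright; in the other two the block keeps the .locky name off the disk but the user's data is already lost, which is why the block is best treated as one control alongside backups and application whitelisting rather than as a substitute for them.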
 
LVL 64

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797776
You can probably check this out; they describe the same strategy and list some extensions that may not be in your list, e.g.
.R16M01D05, .xrtn, .unbrecrypt_ID_*, .CTBL, .CTBL2, .HA3, .0x0, .bleep, .1999, .bleep, .hydracrypt_ID_*, .keybtc@inbox_com, .POSHKODER, .frtrss, .crjocker
But I think you may also want to consider restricting certain filenames, i.e. the ransom notes, though there can be false positives here too; it may be worth testing in staging:
HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt
http://www.bleepingcomputer.com/forums/t/589811/updated-list-of-ransomware-file-names-and-
http://www.bleepingcomputer.com/forums/t/606360/a-complete-list-of-ransomware-file-ext-and-readme-file-name/extensions/
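Both the accepted answer (which extensions in the list are also legitimate, .mp3 and .bin being the obvious ones) and the suggestion above to add ransom-note filenames come down to the same practical question: which rules will fire on files that already exist in your environment? A dry-run audit answers it before the block is switched on. The script below is an added example for this thread, not code from the thread or from any security product. It assumes the blocking tool matches on the final extension only and, like NTFS, case-insensitively, and that the `*` in the posted lists means a shell-style wildcard; the extension and filename subsets and the sample directory tree are constructed for the demonstration.

```python
"""
Dry-run audit for an extension/filename block: walk a directory tree and
report which block rules would fire on files that already exist there.
Rules that fire on legitimate data are false positives you will get the
moment the block is enabled.

Added example, not code from the thread or from any product. The rule
subsets and the sample tree are constructed.
"""
import os
import fnmatch
import tempfile
from collections import Counter

# Subsets of the two lists posted in the thread. Entries that differ only
# in case (.ha3/.HA3, .enciphered/.EnCiPhErEd) and an exact duplicate
# (HELP_DECRYPT.TXT) are kept deliberately to show them collapse into one rule.
EXTENSIONS = [".locky", ".mp3", ".bin", ".info", ".enc", ".encrypted",
              ".ha3", ".HA3", ".enciphered", ".EnCiPhErEd", ".unbrecrypt_ID_*"]
NOTE_NAMES = ["_Locky_recover_instructions.txt", "HELP_DECRYPT.TXT",
              "README_DECRYPT_HYDRA_ID_*.txt", "Decrypt All Files *.bmp",
              "HELP_DECRYPT.TXT"]


def normalize(patterns):
    """Lower-case (NTFS is case-insensitive) and de-duplicate, keeping order."""
    seen, out = set(), []
    for p in patterns:
        q = p.strip().lower()
        if q and q not in seen:
            seen.add(q)
            out.append(q)
    return out


def build_rules(extensions, note_names):
    """Split extension rules into an exact set and wildcard patterns;
    ransom-note names are always treated as wildcard patterns."""
    exts = normalize(extensions)
    exact = {e for e in exts if not any(c in e for c in "*?[")}
    ext_globs = [e for e in exts if e not in exact]
    return exact, ext_globs, normalize(note_names)


def matching_rules(filename, exact, ext_globs, note_globs):
    """Return every rule that would fire on this filename."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    hits = []
    if ext in exact:
        hits.append(ext)
    hits += [g for g in ext_globs if fnmatch.fnmatchcase(ext, g)]
    hits += [g for g in note_globs if fnmatch.fnmatchcase(name, g)]
    return hits


def audit(root, extensions=EXTENSIONS, note_names=NOTE_NAMES):
    """Walk root; return {rule: [paths]} for every rule that would fire."""
    exact, ext_globs, note_globs = build_rules(extensions, note_names)
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            for rule in matching_rules(f, exact, ext_globs, note_globs):
                report.setdefault(rule, []).append(os.path.join(dirpath, f))
    return report


def make_sample_tree(root):
    """Constructed sample: legitimate files next to post-infection artefacts."""
    names = ["music/track01.mp3", "music/track02.mp3", "fw/router.bin",
             "docs/budget.xlsx", "docs/budget.xlsx.locky",
             "docs/_Locky_recover_instructions.txt",
             "docs/README_DECRYPT_HYDRA_ID_8f3a.txt", "docs/readme.INFO",
             "vpn/config.enc", "tmp/photo.jpg.unbrecrypt_ID_77a1"]
    for n in names:
        p = os.path.join(root, n)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "wb").close()


def demo():
    """Audit the constructed tree; return hit counts per rule."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return Counter({rule: len(paths) for rule, paths in audit(root).items()})


if __name__ == "__main__":
    for rule, n in sorted(demo().items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {rule}")
```

Point `audit()` at a file server share or a sample of user profiles and read the report from the top: a rule with many hits on a share nobody has complained about (.mp3, .bin, .info, .enc in the sample) is one you either drop or scope to specific folders, while a rule with zero hits costs nothing to enable. Because the script compares lower-cased names, the posted list's case variants become a single rule, which is also how the block will behave on NTFS.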

Author Comment

by:sunhux
ID: 41797777
Thanks for the list of extensions: quite a thorough list, which covers
both Windows & Apple (& possibly other platforms?).

We've tested (been through) it once with one ransomware & it helped: this feature of preventing
files of certain names/extensions from being created is offered by a leading
security product, so I guess they must have researched it.
 
LVL 64

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797783
A blacklist of files and their metadata, together with whitelisting of apps, will reduce the exposure collectively. Also do the necessary filtering and scanning of USB drives, email, etc. The decoy approach has been mentioned before, e.g. TrapX CryptoTrap, in case you are interested (pdf): http://deceive.trapx.com/rs/929-JEW-675/images/Product_Brief_TrapX_CryptoTrap.pdf
 

Assisted Solution

by:Sameh Gomaa
Sameh Gomaa earned 70 total points
ID: 41797820
 
LVL 34

Expert Comment

by:ste5an
ID: 41797831
Does this help preventing the encryption and/or deletion of the original files?