Solved

Any legit software/apps that uses the ransomware extensions

Posted on 2016-09-14
Last Modified: 2016-10-27
I plan to use a tool to prevent the following file extensions from being created, but am concerned
that it may impact legit software/apps. Does anyone know if there's any adverse impact?
We have implemented things that caused big disruptions before, so we now need to be careful.

I don't have a complete list of the software we use, but offhand we have the MS Office Suite (incl. Outlook),
a few users use a media player / access YouTube (so I'm not sure if preventing .mp3 from being
created will be an issue), Adobe Reader, archiving tools (WinZip), various McAfee security
agents/tools on our PCs, DLP, Acronis, Checkpoint disk encryption, and 2FA software.

Mostly on Win 7, but some may be going to Win 10.

Below is the list of extensions:
.locky
.micro
.zepto
.axx
.cerber
.ecc
.crypt
.ezz
.r5a
.exx
.ccc
.crypz
.cryptowall
.enciphered
.cryptolocker
.mp3
.cryp1
.cerber2
.breaking_bad
.lol!
.crypted
.encrypted
.locked
.xxx
.LeChiffre
.rrk
.cerber3
.enigma
.ttt
.coverton
.crjoker
.encrypt
.good
.zcrypt
.wflx
.crinf
.keybtc@inbox
.surprise
.aaa
.ha3
.zyklon
.abc
.zzz
.EnCiPhErEd
.pdcr
.PoAr2w
.enc
.kkk
.xyz
.windows10
.pzdc
.odcodc
.payms
.crptrgr
.czvxce
.magic
.darkness
.kraken
.p5tkjw
.legion
.bin
.rdm
.fun
.bitstak
.73i87A
.kernel_time
.kernel_compl
.btc
.rokku
.SecureCrypte
.kernel_pid
.payrms
.kratos
.CCCRRRPPP
.kimcilware
.vvv
.paymst
.herbst
.pays
.rekt
.venusf
.paym
.paymts
.szf
.info
.fantom
.paymrss
.padcrypt
.razy
.purge
.a5zfn
.cry
Question by:sunhux
7 Comments
 
LVL 17

Accepted Solution

by:
Learnctx earned 240 total points
ID: 41797622
.bin
.mp3

These two stand out as obvious legitimate file extensions.

This site has a big list of file extensions: http://filext.com/alphalist.php?extstart=^A

http://filext.com/file-extension/locky
http://filext.com/file-extension/micro
http://filext.com/file-extension/zepto
http://filext.com/file-extension/axx
http://filext.com/file-extension/cerber
http://filext.com/file-extension/ecc
http://filext.com/file-extension/crypt
http://filext.com/file-extension/ezz
http://filext.com/file-extension/r5a
http://filext.com/file-extension/exx
http://filext.com/file-extension/ccc
http://filext.com/file-extension/crypz
http://filext.com/file-extension/cryptowall
http://filext.com/file-extension/enciphered
http://filext.com/file-extension/cryptolocker
http://filext.com/file-extension/mp3
http://filext.com/file-extension/cryp1
http://filext.com/file-extension/cerber2
http://filext.com/file-extension/breaking_bad
http://filext.com/file-extension/lol!
http://filext.com/file-extension/crypted
http://filext.com/file-extension/encrypted
http://filext.com/file-extension/locked
http://filext.com/file-extension/xxx
http://filext.com/file-extension/LeChiffre
http://filext.com/file-extension/rrk
http://filext.com/file-extension/cerber3
http://filext.com/file-extension/enigma
http://filext.com/file-extension/ttt
http://filext.com/file-extension/coverton
http://filext.com/file-extension/crjoker
http://filext.com/file-extension/encrypt
http://filext.com/file-extension/good
http://filext.com/file-extension/zcrypt
http://filext.com/file-extension/wflx
http://filext.com/file-extension/crinf
http://filext.com/file-extension/keybtc@inbox
http://filext.com/file-extension/surprise
http://filext.com/file-extension/aaa
http://filext.com/file-extension/ha3
http://filext.com/file-extension/zyklon
http://filext.com/file-extension/abc
http://filext.com/file-extension/zzz
http://filext.com/file-extension/EnCiPhErEd
http://filext.com/file-extension/pdcr
http://filext.com/file-extension/PoAr2w
http://filext.com/file-extension/enc
http://filext.com/file-extension/kkk
http://filext.com/file-extension/xyz
http://filext.com/file-extension/windows10
http://filext.com/file-extension/pzdc
http://filext.com/file-extension/odcodc
http://filext.com/file-extension/payms
http://filext.com/file-extension/crptrgr
http://filext.com/file-extension/czvxce
http://filext.com/file-extension/magic
http://filext.com/file-extension/darkness
http://filext.com/file-extension/kraken
http://filext.com/file-extension/p5tkjw
http://filext.com/file-extension/legion
http://filext.com/file-extension/bin
http://filext.com/file-extension/rdm
http://filext.com/file-extension/fun
http://filext.com/file-extension/bitstak
http://filext.com/file-extension/73i87A
http://filext.com/file-extension/kernel_time
http://filext.com/file-extension/kernel_compl
http://filext.com/file-extension/btc
http://filext.com/file-extension/rokku
http://filext.com/file-extension/SecureCrypte
http://filext.com/file-extension/kernel_pid
http://filext.com/file-extension/payrms
http://filext.com/file-extension/kratos
http://filext.com/file-extension/CCCRRRPPP
http://filext.com/file-extension/kimcilware
http://filext.com/file-extension/vvv
http://filext.com/file-extension/paymst
http://filext.com/file-extension/herbst
http://filext.com/file-extension/pays
http://filext.com/file-extension/rekt
http://filext.com/file-extension/venusf
http://filext.com/file-extension/paym
http://filext.com/file-extension/paymts
http://filext.com/file-extension/szf
http://filext.com/file-extension/info
http://filext.com/file-extension/fantom
http://filext.com/file-extension/paymrss
http://filext.com/file-extension/padcrypt
http://filext.com/file-extension/razy
http://filext.com/file-extension/purge
http://filext.com/file-extension/a5zfn
http://filext.com/file-extension/cry
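One way to vet such a list before turning the block on, as an added example that is not code from the thread or from any product named in it: it normalises the extensions for a case-insensitive filesystem such as NTFS (so .enciphered and .EnCiPhErEd collapse into one rule), separates out entries that collide with extensions the business already uses (the allow-list here is constructed; only .bin and .mp3 come from the answer above), and then scans a folder with the remaining entries. Assumes Python 3.9 or later.

```python
"""Audit a ransomware-extension blocklist, then scan a folder with the
cleaned list. Added example, not code from the thread. Assumption: the
target filesystem is case-insensitive (NTFS), so '.EnCiPhErEd' and
'.enciphered' are the same rule and must be deduplicated."""
import os
import tempfile
from pathlib import Path

# Subset of the extensions posted in the question (constructed sample input).
RAW_BLOCKLIST = """.locky .zepto .mp3 .enciphered .EnCiPhErEd .bin
.ha3 .HA3 .enc .crypt .locked .cerber .cerber2 .cerber3"""

# Extensions the business relies on (constructed allow-list: .bin and .mp3
# are the ones the accepted answer singles out, .enc is an assumption).
KNOWN_LEGIT = {".bin", ".mp3", ".enc"}


def normalize(raw: str) -> list[str]:
    """Lower-case, ensure a leading dot, drop duplicates, keep order."""
    seen, out = set(), []
    for tok in raw.split():
        ext = tok.lower() if tok.startswith(".") else "." + tok.lower()
        if ext not in seen:
            seen.add(ext)
            out.append(ext)
    return out


def audit(blocklist: list[str], legit: set[str]) -> tuple[list[str], list[str]]:
    """Split the list into entries safe to block and collisions with legit use."""
    collisions = [e for e in blocklist if e in legit]
    effective = [e for e in blocklist if e not in legit]
    return effective, collisions


def scan(root: Path, blocked: set[str]) -> list[Path]:
    """Report files whose final suffix is on the effective blocklist."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in blocked:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def demo() -> dict:
    """Run audit and scan against a constructed temporary folder."""
    effective, collisions = audit(normalize(RAW_BLOCKLIST), KNOWN_LEGIT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("report.docx", "report.docx.locky", "song.mp3",
                     "Q3.xlsx.ZEPTO", "firmware.bin"):
            (root / name).write_bytes(b"constructed sample content")
        hits = [p.name for p in scan(root, set(effective))]
    return {"effective": effective, "collisions": collisions, "hits": hits}
```

The collisions list is what to review with the application owners before deployment; the legitimate .mp3 and .bin files in the sample folder are left alone because those entries were pulled out of the effective list.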

Expert Comment

by:ste5an
ID: 41797632
Hmm, you should test it or look at the actual code.

Because when you block file creation based on that extension, you may end up without any files after a ransomware attack.
Because I would expect that the original file is either deleted before the encrypted file is saved, or the original file is overwritten and then renamed.

So in the end, I don't think that this will increase security.

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797776
You probably can check this out; they are saying the same strategy, and they stated some that may not be in your list, e.g.
.R16M01D05, .xrtn, .unbrecrypt_ID_*, .CTBL, .CTBL2, .HA3, .0x0, .bleep, .1999, .bleep, .hydracrypt_ID_*, .keybtc@inbox_com, .POSHKODER, .frtrss, .crjocker
But I am thinking you want to consider even restricting certain filenames, those of the ransom notes, though there can be false positives too; it may be worth testing in staging.
HELP_TO_SAVE_FILES.txt, BitCryptorFileList.txt, BUYUNLOCKCODE, YOUR_FILES_ARE_ENCRYPTED.HTML, Coin.Locker.txt, DECRYPT_INSTRUCTIONS.HTML, ReadDecryptFilesHere.txt, HOW_DECRYPT.TXT, READ IF YOU WANT YOUR FILES BACK.HTML, GetYouFiles.txt, HOW TO DECRYPT FILES.HTML, DECRYPT_INSTRUCTION.TXT, HELP_DECRYPT.TXT, HELP_YOURFILES.HTML, HowDecrypt.gif, Decrypt All Files *.bmp, cryptinfo.txt, DECRYPT_Readme.TXT.ReadMe, qwer.html, qwer2.html, Hellothere.txt, FILESAREGONE.TXT, HOW TO DECRYPT FILES.TXT, DECRYPT_Readme.TXT.ReadMe, README_DECRYPT_HYDRA_ID_*.txt, DECRYPT_YOUR_FILES.HTML, KryptoLocker_README.txt, _Locky_recover_instructions.txt, DECRYPT_Readme.TXT.ReadMe, ATTENTION.RTF, how to get data.txt, IMPORTANT READ ME.txt, UnblockFiles.vbs, YOUR_FILES.url, exit.hhr.obleep, HOW_TO_DECRYPT.HTML, HOW-TO-DECRYPT-FILES.HTML, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.txt, _H_e_l_p_RECOVER_INSTRUCTIONS+*.txt, DECRYPT_INSTRUCTIONS.HTML, README_DECRYPT_UMBRE_ID_*.txt, Help_Decrypt.txt, CryptLogFile.txt
http://www.bleepingcomputer.com/forums/t/589811/updated-list-of-ransomware-file-names-and-
http://www.bleepingcomputer.com/forums/t/606360/a-complete-list-of-ransomware-file-ext-and-readme-file-name/extensions/

Author Comment

by:sunhux
ID: 41797777
Thanks for the list of extensions: quite a thorough list which covers
both Windows & Apple (& possibly other platforms?).

We've tested (been through) it once with one ransomware & it helped: this feature of preventing
files of certain names/extensions from being created is offered by a leading
security product, so I guess they must have researched it.

Assisted Solution

by:btan
btan earned 190 total points
ID: 41797783
A blacklist of files and their metadata together with whitelisting of apps will reduce the exposure collectively. Also do the necessary filtering and scanning of USB drives, email etc. The decoy approach has been mentioned before, like TrapX CryptoTrap, in case you are interested (pdf): http://deceive.trapx.com/rs/929-JEW-675/images/Product_Brief_TrapX_CryptoTrap.pdf

Assisted Solution

by:Sameh Gomaa
Sameh Gomaa earned 70 total points
ID: 41797820

Expert Comment

by:ste5an
ID: 41797831
Does this help prevent the encryption and/or deletion of the original files?