{
	"id": "3c1a2160-24d6-435a-9a44-93b822758cf6",
	"created_at": "2026-04-06T00:13:21.198346Z",
	"updated_at": "2026-04-10T03:21:11.660198Z",
	"deleted_at": null,
	"sha1_hash": "d06a79d6eab8f4aa51a7e35c2999068c9caf1578",
	"title": "Ransomware identification for the judicious analyst TechBlog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143045,
	"plain_text": "Ransomware identification for the judicious analyst TechBlog\r\nBy Karsten Hahn\r\nPublished: 2021-02-25 · Archived: 2026-04-05 15:34:23 UTC\r\nWhen facing a ransomware infection, it helps to be familiar with some tools as well as key points to identify ransomware\r\ncorrectly.\r\nMost ransomware is fire-and-forget malware. The majority of ransomware families do not remain on the system after they\r\nhave done their deed, and delete the malicious binaries. The system's owner is left with encrypted data and the ransom\r\nmessage. Web services for ransomware identification like id-ransomware might not be an option if customer data is of a\r\nconfidential nature. Even though the files are encrypted, they can contain information about the customer's system or might\r\nbe recoverable by third parties.\r\nIdentification vs detection\r\nMalware detection is a simple yes or no answer to the question: Is this file malicious?\r\nOr in case of ransomware detection: Is this file ransomware? Identification on the other hand will provide an answer to the\r\nquestion: Which malware or ransomware family is this?\r\nFor antivirus software it is usually enough to detect malware in order to prevent infections. 
But as soon as there was an\r\ninfection, identification helps to determine the next steps for cleaning the system, reversing the damage (if possible) and\r\npreventing infections that use the same infection vector.\r\nOnce the ransomware family is identified, you are able to answer the following questions:\r\nDoes the ransomware encrypt data (files or HDD)?\r\nIs the encrypted data decryptable for free (by third-party decrypters)?\r\nAre the threat actors able to decrypt the files after payment?\r\nIf the data cannot be decrypted, can it be recovered by other means like file recovery software?\r\nHow did the ransomware get onto the system and how can we prevent this from happening again?\r\nDoes the ransomware typically arrive in combination with other malware that may have done additional damage (like\r\nstealing credentials)?\r\nTypes of ransomware\r\nThe first interesting question to answer is what type of ransomware attacked the system. Most commonly people associate\r\nfile encrypters with the term ransomware but there are more ways for malware to hold something for ransom. Ransomware\r\nis any malware that prevents access to the whole system, part of the system or data, or pretends to do so, and asks for some\r\nkind of payment from the system's user to revert the changes.\r\n1. File encrypter\r\nThe file encrypter typically searches for files on the system based on their file extensions, encrypts each file one by one and\r\nrenames it, e.g., by adding an extension.\r\nThe file encrypter will often use persistence mechanisms for the duration of the encryption process. In case the user turns off\r\nthe system in the midst of encrypting, the file encrypter will continue the process after restart.\r\nSome file encrypters use password protected archives to encrypt and store files, e.g., CryptoHost.\r\n2. Disk encrypter\r\nThis kind of ransomware will usually infect the master boot record, thus rendering the operating system unbootable. 
In\r\naddition, they encrypt the data on disk or the master file table. There aren't many families out there that do this. Some known\r\nones are Petya, Mamba (aka HDDCryptor) and some very old ones from the DOS era like the AIDS virus. Since there are\r\nonly a few of them, identification should be comparatively easy.\r\n3. Wiper\r\nSometimes ransomware developers create bugs in the encrypting portion or key storing functions that make it impossible for\r\nthem or anyone else to decrypt the data. They may damage data instead of encrypting it or make the retrieval of the key(s)\r\nimpossible, e.g., Ordinypt.\r\nCreating a wiper that poses as a file or disk encrypter may also be done on purpose if the actual goal is to damage a business\r\nand threat actors want to hide their intent. Some believe Petna aka NotPetya to be one of those wipers.\r\nhttps://www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-for-the-judicious-analyst\r\nPage 1 of 6\n\nIdentifying this type of ransomware is of particular interest, since paying the ransom in these cases (should this option be\r\nconsidered viable) would be pointless as there are no files to decrypt or recover.\r\n4. Fake encrypter\r\nThe fake encrypter will pretend to encrypt files without actually doing it. One common way is to just rename files, e.g. by\r\nadding ransomware-typical extensions to them, so that users are fooled into believing that their files are encrypted. As\r\nWindows decides based on file extensions which program it uses to open a file, changing the extension will make it seem\r\nlike the files are \"not working anymore\". Restoring the file extension will also restore the functionality of the file. 
Others,\r\nlike RansomPrank, just tell the user that the files were encrypted, without doing anything to the files.\r\nRansomware simulators, which are used to demonstrate an infection and to train staff, mostly fall into this category but those\r\nshouldn't actually infect systems in the wild.\r\n5. Screenlocker\r\nScreenlockers are often overlooked in discussions about ransomware. They seem less dangerous, less interesting, and less\r\ndamaging. From a technical standpoint they are indeed less damaging because the locking mechanism can be reversed\r\nwhereas decryption of data or recovery of wiped data is not always possible. For non tech-savvy users, however,\r\nscreenlockers still pose a substantial threat. This is especially evident and tragic in those cases where people committed\r\nsuicide due to a screenlocker infection (e.g., case1, case2).\r\nA very common combination is the screenlocker paired with a tech support scam, where the screenlocker may look like a fake blue screen\r\nand show a tech support number that is supposedly from Microsoft. The scammers who pose as Microsoft technicians will\r\nthen proceed to show the user that their system is damaged and ask for payment in order to repair it (as demonstrated in this\r\nexample).\r\nSome ransomware families are screenlocker and file encrypter hybrids, meaning they lock the screen and also encrypt\r\nfiles on the system. If they are pure screenlockers, knowing that is usually all you need to reverse the damage.\r\nRansomware identification checklist\r\nThere are a few key points that you can use for ransomware identification.\r\nRansom messages\r\nTypical ways to deliver a ransom message are:\r\ngraphical user interface (e.g. Jigsaw), may lock the screen\r\ntext or html file, sometimes opened automatically after encryption\r\nimage file, often put as wallpaper\r\ncontact email in encrypted file extensions\r\npop-up after trying to open an encrypted file (e.g. CrypVault)\r\nvoice message (e.g. 
Cerber)\r\nRansomware may use several of these ways to deliver the ransom message. However, in some cases, systems infected with\r\nransomware do not display a ransom note. The ransomware may have been stopped before it could place the notes. Some\r\nantivirus programs detect ransom note files as malicious and clean them from the system. Last but not least, certain buggy\r\nransomware families encrypt their own ransom note files, thus leaving no way to contact the criminals for payment.\r\nThe following ransom note contents are interesting for identification:\r\nransomware name\r\nlanguage, structure, typical phrases, artwork\r\ncontact email\r\nformat of the user id (if it exists)\r\nransom demand, e.g., digital currency, gift cards\r\npayment address in case of digital currency\r\nsupport chat or support page\r\nIf the ransom message contains the name of the ransomware or has a well recognizable look (e.g. due to artwork), it might\r\nseem like an easy case for identification. However, if a certain strain of ransomware is successful and well known, other\r\nthreat actors also want a piece of that pie and copycat the successful families. CryptoLocker, Locky and WannaCry have an\r\nuncountable number of copycats. GlobeImposter even got its name from starting out as a copycat of Globe ransomware.\r\nTorrentLocker started as a copycat of CryptoLocker and had imitators of its own (e.g. CryptoFortress) after becoming\r\nsuccessful. Such copycats are almost never perfect imitators: for instance, one way to distinguish Globe and GlobeImposter\r\nransom notes is the different format of the user ID.\r\nThe typical ransom payment is done via Bitcoin. 
Unusual payment methods like Amazon gift cards (TrueCrypter) or unusual\r\ncurrency like Ethereum (HC7) may reduce the set of possible ransomware families substantially.\r\nCertain contact emails are typical for specific ransomware strains, but some ransomware families may have numerous\r\npossible contact emails because they are created with builders.\r\nA sophisticated support page or even chat system is only available for a handful of ransomware families. PadCrypt was the\r\nfirst ransomware to offer chat support. Spora is also known for its elaborate support system which includes a chat (an\r\ninteresting report of Spora's chat messages was published here).\r\nAffected files\r\nA few years ago, around 2014-2015, it was possible to identify file encrypting ransomware strains solely on the file extension\r\nthat they used to mark encrypted files. There were almost no overlaps with other families, only occasional copycats like\r\nPClock.\r\nIn November 2015 CryptoWall 4.0 was released and scrambled file names of encrypted files instead of just adding an\r\nextension. Other ransomware families started doing the same, e.g., Locky and CryptXXX. That and the increasing number\r\nof ransomware families which use the same extensions (e.g. \".lock\" and \".locky\" are very common), and the custom\r\nextensions created by Ransomware-as-a-Service (RaaS) and ransomware based on open source projects (e.g. HiddenTear),\r\nmakes identification solely based on file extensions a wild guess. Other factors should be taken into account.\r\nRansomware decrypters have to determine which files have been encrypted before they can apply decryption. If they cannot\r\nor don't want to rely on the extension, they use file markers instead. E.g., files encrypted by Hermes ransomware have the string\r\n\"HERMES\" in them. Others append or prepend whole data structures to encrypted files, and may save a file specific\r\nencrypted key in there. 
The ransomware marker may serve to denote the beginning of the file structure. Some ransomware\r\nfamilies create a separate text file with a list of all encrypted files on the system. An example is the LST file of older Spora\r\nvariants.\r\nMost file encrypters target files based on their file extension and location. Usually they keep a whitelist for locations they\r\nwon't encrypt and a blacklist of targeted file extensions. Typically they will include document, picture, video, database,\r\narchive, backup and text file extensions. It is notable if ransomware also encrypts executable and library files, even more so\r\nif encrypted files are turned into executables as is the case with VirLock and ACCDFISA. VirLock is not only a file\r\nencrypter, but also a screenlocker and a polymorphic virus. ACCDFISA puts files into self-extracting SFX RAR archives\r\nwhich are password protected.\r\nIn some cases ransomware applies its own icon to encrypted files. CrypVault did this using the image of a lock for its\r\nicon.\r\nTo summarize the key points for ransomware identification based on affected files:\r\nfile renaming scheme of encrypted files: including extension and base name\r\nfile corruption vs encryption\r\nwhich files are targeted for encryption?\r\ndo encrypted files have their own icon?\r\nfile markers\r\nexistence of file listings, key files or other data files used by ransomware\r\nTime of infection\r\nThe time of infection should be compared to the time frame when certain ransomware was actually active in the wild. E.g.\r\nCryptoLocker has been dead since Operation Tovar in May 2014. Any self-proclaimed CryptoLocker infection after that date is a\r\ncopycat.\r\nEntropy and byteplot visualization\r\nFile visualization is especially useful when it comes to potentially encrypted contents. 
Secure encryption algorithms strive to\r\nmake encrypted data look like randomly generated data in order to not expose any patterns of the key or the plain text. One\r\nway to express this randomness is entropy. The meaning of entropy, in particular Shannon's entropy, is described by Brillouin\r\nas \"a measure of the lack of detailed information [. . . ]. The greater is the information, the smaller will be the entropy\"\r\n[Bri04, p. 193]. Compressed data, encrypted data and randomly generated data have high entropy, whereas data with patterns\r\nand repetition have a low entropy.\r\nUsing entropy visualization, we are able to distinguish encrypted from non-encrypted areas as well as potentially appended\r\nor prepended data in ransomware encrypted files. PortexAnalyzer creates this visualization by assigning the brightness value\r\nof a pixel based on the local entropy of that area. A high entropy area will have a bright pixel and a low entropy area a dark\r\npixel.\r\nThe byteplot assigns the actual byte value to the brightness value of a pixel. Using HSL (hue, saturation, lightness) as color\r\nmodel, the byte value is assigned to the L (lightness) portion of the pixel. Additionally, certain ranges of byte values are\r\ncolored in a certain way using the H (hue) portion of the pixel. PortexAnalyzer colors characters in the visible ASCII range in\r\nblue, invisible characters in the ASCII range are colored green, and byte values outside of the ASCII range are yellow. Areas full of\r\nzero bytes are simply black in the byteplot. In combination with the entropy image, we can, e.g., distinguish whether a zero\r\nentropy area is full of zero bytes or another repeated byte value. 
The latter may happen to zero byte areas if a\r\nmonoalphabetic substitution cipher was applied.\r\nPortexAnalyzer is able to create a PNG image of the byteplot and the local entropy in a file using the -p or --picture switch.\r\nAlthough PortexAnalyzer is a PE analysis tool, it will happily create these visualizations for non-PE files as well.\r\nWith regard to supposedly ransomware encrypted files, the entropy and byteplot visualization may tell us:\r\nif the file was fully encrypted\r\nif the file has a header or appended information\r\nif there are readable strings in the file\r\nif the file was wiped\r\nif the encryption is weak (e.g. XOR with a short key, ECB mode)\r\nTo do so successfully, I recommend that the files used for analysis had (prior to encryption) a file format that doesn't use\r\ntoo much compression. Otherwise you won't be able to distinguish between high entropy areas due to encryption and those due to\r\nthe compressed areas in the file. JPEG and ZIP files are unfit for that reason whereas most office document formats have\r\nlow entropy areas, string areas and overall a recognizable structure to them, making them prime candidates for analysis\r\nvia visualization.\r\nAdditionally it is recommended to have at least one small and one large file for analysis. Appended or prepended structures\r\nby the ransomware may be too small in large files to be visible in the image. On the other hand, some ransomware families\r\ndon't encrypt the whole file if it is too large so they can be faster in encrypting all targeted files.\r\nInfection vector\r\nGiven the nature of how a lot of ransomware infections unfold, it might be difficult to identify the initial infection vector. If\r\nthis information is available, though, it can be valuable for identification. Below are typical infection vectors and examples\r\nfor well-known ransomware families that use them. 
Depending on the infection vector, it might be possible to obtain the\r\nactual ransomware sample which makes identification easier.\r\nemail attachment: GlobeImposter 2 using Blank Slate malspam campaign, GandCrab\r\ninsecure remote desktop protocol (RDP): GlobeImposter, Dharma, GandCrab\r\nsoftware downloads and cracks: GandCrab, STOPRansomware, GarrantyDecrypt\r\nnetwork propagation (worm): WannaCry, Petna via EternalBlue\r\nself-propagation (virus): VirLock\r\ninfection via removable drives (worm): Spora uses LNK files to spread from and to removable drives\r\ncomorbid infection: Trickbot delivering Ryuk, njRAT backdoor delivering Lime ransomware\r\nEmail attachments, RDP and software downloads are quite common ways to deliver ransomware. But there has been an\r\nuptick in using exploits since WannaCry. Ransomware that infects files on the other hand is rare.\r\nWorm functionality to spread via removable drives like USB thumb drives is mostly an additional way to infect other\r\nsystems but not the main one.\r\nComorbid infections are different malware families that appear together, e.g., because one malware family will download\r\nthe other after infection as it is done by Trickbot. The actual infection vector is thus the one for the malware that infected the\r\nsystem first. Ransomware is often the last malware in the food chain because it shows itself to the user and makes it likely\r\nthat the system will be cleaned afterwards.\r\nOdd cases\r\nSome cases might seem very odd at first but after you have heard about them once, you should be able to recognize them.\r\nFile corruption\r\nFile corruption may look like the result of a file encrypter at first. There is no known ransomware so far that creates file\r\nnames which look similar to corrupted files. See the picture below to get an idea of what file corruption looks like. 
The section\r\nabout entropy and byteplot visualization may also help to distinguish encrypted files from non-encrypted corrupted files.\r\nThese files have not been encrypted by ransomware. They are corrupted. Source:\r\nhttps://www.reddit.com/r/antivirus/comments/a3pqmy/anyone_knows_which_type_of_these_virus_are_and/\r\nSuperinfection\r\nWhen coming across a system affected by ransomware, you may even face a superinfection. In those cases, the system was\r\ninitially infected by one ransomware and subsequently by other ransomware, too. It may be superinfected by the same\r\nransomware, and sometimes by different ransomware families. In other words: files that were already encrypted by one\r\nransomware are encrypted again by another ransomware. File decryption for these cases is complicated and may not be\r\npossible at all, given the potential for misidentification. The signs of ransomware superinfection are:\r\nmultiple ransomware file extensions for encrypted files\r\ndifferent ransom notes with different naming schemes\r\nsome ransom notes are encrypted, some are not\r\nHere are some file name examples for actual superinfections that we have seen in the wild (we altered the user ids):\r\nRansomware | File names\r\nAmnesia and Dharma | HOW TO RECOVER ENCRYPTED FILES.TXT.id_2478862464_fgb15ft4pqanyji7.onion\r\nAmnesia and Dharma | 9g0000000009U8WGvoaZXhE0l7BF59iYLh61kswFEDis7+Grf8ZuT0mIYpsyLztp8fNSDZiOBLE.22222@protonmail.ch.22222.id_2\r\nDharma and BTCamant | AR_letter.doc.id-E5CE84C2.[mk.kitana@aol.com].wallet.BTC\r\nCrySis and ACCDFISA v2.0 | assert.dmp.id-6C618ADD.{radxlove7@india.com}.xtbl(!!-to-get-password-email-id-1819340399-to-lathelp16@gmail.com-!!).exe\r\nIn the first example, Amnesia encrypted the files first, then Dharma. Decryption of these files has to be done in reverse order\r\nof the infection. 
So for this example Dharma decryption must be applied before the Amnesia decryption.\r\nInfection markers applied by anti-ransomware products\r\nSometimes systems may show typical markers of a ransomware infection without actually being infected. This may happen\r\nif anti-ransomware products apply vaccines to systems. Vaccines are markers that cause a malware to abort infecting the\r\nsystem. Usually these markers indicate to the malware that the system is already infected. So the malware terminates\r\nbecause it tries to avoid a superinfection. Especially if several antivirus products are used, one may identify the vaccine of\r\nthe other product as an infection.\r\nAn example of such a case is in this Bleepingcomputer thread. The user is afraid of having a Locky infection because the\r\nregistry key HKCU\\Software\\Locky is on their system and re-appears after deletion. It turns out that this registry entry was\r\nactually a vaccine which was applied by Bitdefender's Crypto-Ransomware Vaccine.\r\nUseful tools and sites\r\nAt a time when the number of ransomware families was still manageable, a group of ransomware researchers (started by\r\nMosh) made a collective effort to note down ransomware families, their extensions, file names and other useful information.\r\nThe result is this Ransomware Overview in a Google sheet. The sheer number of new ransomware families made it\r\nimpossible to keep up the work. For that reason the sheet is out of date by now but it might still be useful for older\r\ninfections.\r\nAmigo-A has a large collection of ransomware IOCs on id-ransomware.blogspot.com. The site is in Russian, very thorough\r\nand up-to-date.\r\nA great source for ransomware information is Bleepingcomputer. 
They not only have a weekly report on new ransomware\r\ndiscoveries, but also help to identify ransomware infections and provide help with decryption or recovery if possible. If\r\nyou have no database with collected ransomware information on your own, searching on Google via\r\n\"inurl:Bleepingcomputer\" might be very useful to you.\r\nMichael Gillespie has published some tools to deal with ransomware infections. There is CryptoSearch which allows you to find,\r\nmove or copy ransomware encrypted files to a backup location and may also be used to clean the system of ransom notes\r\nand encrypted files. CryptoTester helps to analyze encrypted files.\r\nRansomware identification services are ID-Ransomware by MalwareHunterTeam and NoMoreRansom.org.\r\nPortexAnalyzer was used in this article to create entropy and byteplot visualizations of files.\r\nBook references\r\n[Bri04] Léon Brillouin. Science and Information Theory. Courier Dover Publications, 2004.\r\nSource: https://www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-for-the-judicious-analyst",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-for-the-judicious-analyst"
	],
	"report_names": [
		"31666-ransomware-identification-for-the-judicious-analyst"
	],
	"threat_actors": [],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d06a79d6eab8f4aa51a7e35c2999068c9caf1578.pdf",
		"text": "https://archive.orkl.eu/d06a79d6eab8f4aa51a7e35c2999068c9caf1578.txt",
		"img": "https://archive.orkl.eu/d06a79d6eab8f4aa51a7e35c2999068c9caf1578.jpg"
	}
}