The Anti-virus Times

Wednesday, November 29, 2017

News stories about encryption ransomware often indicate the types of files that can be encrypted by a specific ransomware species. Few people examine these file-type lists even though they may contain interesting information.

Let's see what criminals are after.

• Popular office document formats (.ppt(x), .doc(x), .xls(x), .sxi, .sxw, .odt, .hwp);
• Archives (.zip, .rar, .tar, .bz2);
• Media files (.mp4, .mkv);
• Emails and email database files (.eml, .msg, .ost, .pst, .edb);
• Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd);
• Source code (.php, .java, .cpp, .pas, .asm);
• Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes);
• Images, drawings, designs… (.vsd, .odg, .raw, .nef, .svg, .psd);
• Virtual machines (.vmx, .vmdk, .vdi).

Here we can see document, image, and database formats… This list is by no means complete—it changes depending on what specific encryption ransomware strain is involved. Let's see what we can learn from this screenshot.

Tib is an extension for Acronis Backup files. Encryption ransomware will delete your data backups.

We already mentioned that encryption ransomware strives to delete Windows shadow copies, but those copies aren't the only way data is backed up. And criminals are aware of that.