Ransomware Protection

Hi everyone

It exist some way to limit the attack vector of a ransomware, like appblocker or software restriction but today I wanted to talk a new way I found.


This new tip use a file screen that scan for know ransomware extension and block any user that write such file.

There is a list of know file screened: 

https://fsrm.experiant.ca/

Script exmple that watch for the file creation and it do an email alert:

https://github.com/nexxai/CryptoBlocker/blob/master/DeployCryptoBlocker.ps1

A reference of how to disable a useraccount in powershell

A small howto and script:

https://gallery.technet.microsoft.com/scriptcenter/protect-your-file-server-f3722fce
Tip got there

Raw file screened (list retrieved june 2017)

{“api”:{“version”:1,”format”:”json”,”file_group_count”:1147},”lastUpdated”:{“date”:”2017-06-28 19:23:24.000000″,”timezone_type”:3,”timezone”:”America\/Edmonton”},”filters”:[“*.gankLocked”,”perfc.dll”,”perfc.dat”,”perfc”,”*.ipygh”,”*.via”,”dllhost.dat”,”FE04.tmp”,”027cc450ef5f8c5f653329641ec1fed9*.*”,”petwrap.exe”,”*.lamo”,”File_Encryption_Notice.txt”,”*.suppose666″,”*.mention9823″,”*.breeding123″,”*.sux”,”*.cfm”,”*.Wana Decrypt0r Trojan-Syria Editi0n”,”Paxynok.html”,”*.pscrypt”,”*.a990″,”Tempimage.jpg”,”*.Tesla”,”WannaCry.TXT”,”*.kuntzware”,”*.nsmf”,”*.Facebook”,”*.pizdosik”,”*.[resque@plague.desi].scarab”,”*.sux.AES128″,”*.cspider”,”*.[teroda@bigmir.net].masterteroda@bigmir.net”,”*.zbt”,”*.MOLE02″,”your_key.rsa”,”OkuBeni.txt”,”*@*.blocking”,”*.ogre”,”*.tax”,”StrutterGear.exe”,”ReadMe_Important.txt”,”Sifre_Coz_Talimat.html”,”*.whycry”,”!READ.htm”,”!_\u0418\u041d\u0421\u0422\u0420\u0423\u041a\u0426\u0418\u042f_!.txt”,”*.cr020801″,”*.cerber6″,”*.netn6″,”*.rnsmwre”,”*.ghost”,”*.scarab”,”IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT”,”*.R4bb0l0ck”,”*.TraNs”,”#HOW_TO_UNRIP#.txt”,”*.BeethoveN”,”* .tdelf”,”*.spectre”,”mood-ravishing-hd-wallpaper-142943312215.jpg”,”Blooper.exe”,”SintaLocker.exe”,”SintaRun.py”,”*.switch”,”*.payforunlock”,”HOW TO RECOVER ENCRYPTED FILES.TXT”,”README_FOR_DECRYPT.txt”,”*.dolphin”,”*.dviide”,”*.sVn”,”*.R3K7M9″,”*.BMCODE”,”*.zilla”,”*.RaaS”,”*.resurrection”,”*.lost”,”*.ram”,”*.master”,”*.brickr”,”READ_DECRYPT_FILES.txt”,”*.ramen”,”*.TRMT”,”*.gommemode”,”*.andonio”,”*.phantom”,”*.r3store”,”Read me for help thanks.txt”,”*.imsorry”,”help_to_decrypt.txt”,”*.YYTO”,”*.read_to_txt_file.yyto”,”*.beep”,”*.666″,”AArI.jpg”,”*.crying”,”*.antihacker2017″,”*.theworldisyours”,”*.spora”,”*.sexy”,”*.realfs0ciety@sigaint.org.fs0ciety”,”*.pays”,”*.payrms”,”*.paymts”,”*.paymrss”,”*.paym”,”*.lol”,”*.madebyadam”,”*.locklock”,”*.lcked”,”*.kyra”,”*.kernel_time”,”*.kernel_pid”,”*.kernel_complete”,”*.ifuckedyou”,”*.grt”,”*.crypte”,”*.cbu1″,”*-webmafia@asia.com_donald@trampo.info”,”*.beef”,”*.write_us_on_email”,”*.LIGHTNING”,”*.xfile”,”DECRYPTION.TXT”,”*.oled”,”*.wtdi”,”*.4rwcry4w”,”*.Encrypted_By_VMola.com”,”*.wlu”,”Restore_maysomware_files.html”,”*.maysomware”,”*.damoclis”,”*.decrypter@tutanota.com”,”*.VisionCrypt”,”*.pwned”,”how_to_back_files.html”,”*.hNcrypt”,”*.~xdata~”,”*.b0ff”,”Galaperidol.exe”,”HOW_CAN_I_DECRYPT_MY_FILES.txt”,”*.xdata”,”Hello There! Fellow @kee User!.txt”,”*.kee”,”*.grux”,”Restore_your_files.txt”,”READ_ME.html”,”*.mordor”,”*.die”,”*.SaMsUnG”,”!#_DECRYPT_#!.inf”,”*.nuke55″,”*.onyon”,”*.blocked”,”!Please Read Me!.txt”,”!WannaDecryptor!.exe.lnk”,”*.DARKCRY”,”*.wincry”,”*.wncrypt”,”WannaCrypt 4.0.exe”,”t.wry”,”*.vCrypt1″,”*.theva”,”*.PAY”,”tor.exe”,”tasksche.exe”,”wcry.zip”,”taskhsvc.exe”,”taskse.exe”,”taskdl.exe”,”*.pky”,”*.eky”,”wcry.exe”,”Wannacry.exe”,”@WanaDecryptor@.*”,”*.slvpawned”,”*.WCRYT”,”*.WRNY”,”*.LOCKED.txt”,”*.wncryt”,”*.wnry”,”*.viki”,”RESTORE-12345-FILES.TXT”,”*.donation1@protonmail.ch.12345″,”*.block_file12″,”*.@decrypt2017″,”*.vdul”,”*.2cXpCihgsVxB3″,”*.son”,”loptr-*.htm”,”*.paycyka”,”*.medal”,”*.bagi”,”@Please_Read_Me@.txt”,”*.wncry”,”_!!!_README_!!!_*”,”_!!!_README_!!!_*_.hta”,”_!!!_README_!!!_*_ .txt”,”*.news”,”*.corrupted”,”HOW_TO_DECRYPT_FILES.html”,”*.shifr”,”DECRYPT_INFO.txt”,”*.FailedAccess”,”Cversions.2.db”,”*.helppme@india.com.*”,”ReadME_Decrypt_Help_*.html”,”*.fartplz”,”\u041a\u0410\u041a_\u0420\u0410\u0421\u0428\u0418\u0424\u0420\u041e\u0412\u0410\u0422\u042c_\u0424\u0410\u0419\u041b\u042b.txt”,”* .vCrypt1″,”*.xncrypt”,”*.Lockify”,”*.htrs”,”*.cryptowin”,”*.owned”,”*.x0lzs3c”,”*.UIWIX”,”*.CRYPTOBOSS”,”*.loptr”,”*.jaff”,”*.bitkangoroo”,”*.cloud”,”zcrypt.exe”,”*.uk-dealer@sigaint.org”,”*_luck”,”*.decrypt2017″,”*.[admin@hoist.desi].*.WALLET”,”*.[crysis@life.com].*.WALLET”,”*.[SHIELD0@USA.COM].*.WALLET”,”#_RESTORING_FILES_#.TXT”,”*.haters”,”*.anon”,”*.amnesia”,”*.keepcalm”,”*.MIKOYAN”,”RESTORE_FILES.HTML”,”*.WWW”,”*.CRYPTED000007″,”*.HELPPME@INDIA.COM.ID83994902″,”HOW_RETURN_FILES.TXT”,”*.MAYA”,”*.CONTACT_TARINEOZA@GMAIL.COM”,”*.CRYPTOBYTE”,”*.AES”,”NOTE;!!!-ODZYSKAJ-PLIKI-!!!.TXT”,”INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt”,”*.ADR”,”*.NM4″,”DesktopOsiris.*”,”OSIRIS-*.*”,”redchip2.exe”,”*.LOLI”,”ATLAS_FILES.txt”,”*.whatthefuck”,”*.loveyouisreal”,”*.okokokokok”,”*.ranranranran”,”READ_IT_FOR_GET_YOUR_FILE.txt”,”*.psh”,”*.GETREKT”,”*.one”,”!!! READ THIS – IMPORTANT !!!.txt”,”*.aes_ni_0day”,”*.JEEPERS”,”PAYMENT-INSTRUCTIONS.TXT”,”*.LOCKOUT”,”*.ATLAS”,”*.FLATCHER3@INDIA.COM.000G”,”*.AES-NI”,”*.DEXTER”,”*.CONFICKER”,”*.ONION”,”*.[NO.TORP3DA@PROTONMAIL.CH].WALLET”,”*.LCKD”,”*.MOLE”,”*.RANSOM”,”*.lambda.l0cked”,”009-READ-FOR-DECCCC-FILESSS.html”,”_READ_THI$_FILE_*”,”*.I’WANT MONEY”,”*.gembok”,”!Decrypt-All-Files-*.txt”,”*.[GOFMEN17@YA.RU],CRP”,”*.SERP”,”*.kilit”,”0_HELP_DECRYPT_FILES.HTM”,”HUR_DEKRYPTERA_FILER.html”,”HUR_DEKRYPTERA_FILER.txt”,”*.LAMBDA.LOCKED”,”*.ADMIN@BADADMIN.XYZ”,”*.SKJDTHGHH”,”*.LOCK75″,”*.B10CKED”,”*.A95436@YA.RU”,”*.IWANT”,”*.Fuck_You”,”Recupere seus arquivos aqui.txt”,”READ TO UNLOCK FILES.salsa.*.html”,”*.SALSA222″,”*.NUMBERDOT”,”How Decrypt My Files.lnk”,”How_Decrypt_My_Files”,”*.CRADLE”,”*.ID-7ES642406.CRY”,”READ ME ABOUT DECRYPTION.txt”,”*.Do_not_change_the_file_name.cryp”,”*.pr0tect”,”*.android”,”*_READ_THIS_FILE_*_*”,”*.btcware”,”*drakosho_new@aol.com*”,”*.AngleWare”,”*.zorro”,”*.CIFGKSAFFSFYGHD”,”*.A9V9AHU4″,”*.payfordecrypt”,”OKU.TXT”,”ZINO_NOTE.TXT”,”*.ZINO”,”*.kirked”,”*.CRPTXXX”,”HOW_TO_FIX_!.TXT”,”*.[BRAINCRYPT@INDIA.COM].BRAINCRYPT”,”*.pizdec”,”*.REVENGE”,”!!!READ_TO_UNLOCK!!!.TXT”,”*.openforyou@india.com”,”*.warn_wallet”,”*.nemo-hacks.at.sigaint.org”,”*.MATRIX”,”Crytp0l0cker.Upack.dll”,”Crytp0l0cker.dll”,”Crytp0l0cker.exe”,”decrypted_files.dat”,”padcryptUninstaller.exe”,”PadCrypt.exe”,”Vape Launcher.exe”,”READ_ME_!.txt”,”*.enjey”,”Aescrypt.exe”,”*.GG”,”*.[PINGY@INDIA.COM]”,”*.WORMKILLER@INDIA.COM.XTBL”,”*.CEBER3″,”IF_WANT_FILES_BACK_PLS_READ.html”,”*.iaufkakfhsaraf”,”_HELP_HELP_HELP_*”,”zXz.html”,”*.zXz”,”VictemKey_*_*”,”HVORDAN_DU_GENDANNER_FILER.html”,”HVORDAN_DU_GENDANNER_FILER.txt”,”HELP_ME_PLEASE.txt”,”!_RECOVERY_HELP_!.txt”,”PLEASE-READIT-IF_YOU-WANT.html”,”*.filegofprencrp”,”COME_RIPRISTINARE_I_FILE.*”,”fattura_*.js”,”*_steaveiwalker@india.com_”,”COMO_ABRIR_ARQUIVOS.txt”,”*info@kraken.cc_worldcza@email.cz”,”*.kr3″,”COMO_RESTAURAR_ARCHIVOS.txt”,”COMO_RESTAURAR_ARCHIVOS.html”,”*.ENCR”,”*.[File-Help@India.Com].mails”,”damage@india.com*”,”*.tmp.exe”,”What happen to my files.txt”,”*.jeepdayz@india.com”,”*.BarRax”,”*.damage”,”*.locked-*”,”*.jey”,”*.CRYPTOSHIEL”,”*.cfk”,”ASSISTANCE_IN_RECOVERY.txt”,”#_DECRYPT_ASSISTANCE_#.txt”,”*.lfk”,”_HELP_HELP_HELP_*.hta”,”_HELP_HELP_HELP_*.jpg”,”BTC_DECRYPT_FILES.txt”,”*.TheTrumpLockerp”,”*.TheTrumpLockerf”,”*.d4nk”,”*.x3mpro”,”READ-READ-READ.html”,”*.weencedufiles”,”*.jse”,”*.powned”,”[KASISKI]*”,”INSTRUCCIONES.txt”,”@_USE_TO_FIX_*.txt”,”*.happydayzz”,”*.hasp”,”001-READ-FOR-DECRYPT-FILES.html”,”DECRYPT_INFORMATION.html”,”Rans0m_N0te_Read_ME.txt”,”email-vpupkin3@aol.com*”,”*.hnyear”,”*.hnumkhotep@india.com.hnumkhotep”,”*.wowwhereismyfiles”,”*.decryptional”,”*.wowreadfordecryp”,”*.7zipper”,”*.youransom”,”*.gui”,”*.Harzhuangzi”,”*.encryptedyourfiles”,”*HERMES”,”[amanda_sofost@india.com].wallet”,”*.wcry”,”*.velikasrbija”,”*.razarac”,”*.serpent”,”*.msj”,”*.szesnl”,”_DECRYPT_INFO_szesnl.html”,”000-IF-YOU-WANT-DEC-FILES.html”,”*.evillock”,”*.letmetrydecfiles”,”*.yourransom”,”*.lambda_l0cked”,”*.gefickt”,”*.HakunaMatata”,”*.CRYPTOSHIELD”,”*.weareyourfriends”,”MERRY_I_LOVE_YOU_BRUCE.hta”,”How decrypt files.hta”,”unCrypte@outlook.com*”,”decipher_ne@outlook.com*”,”*.potato”,”*.otherinformation”,”*.vxLock”,”*.rdmk”,”*.paytounlock”,”TRY-READ-ME-TO-DEC.html”,”EMAIL_*_recipient.zip”,”*.sage”,”*garryweber@protonmail.ch”,”LEER_INMEDIATAMENTE.txt”,”*.killedXXX”,”*.doomed”,”*.sifreli”,”*.MERRY”,”000-No-PROBLEM-WE-DEC-FILES.html”,”*.noproblemwedecfiles”,”WE-MUST-DEC-FILES.html”,”*.powerfulldecrypt”,”*.stn”,”*bingo@opensourcemail.org”,”*.id-3044989498_x3m”,”*.x3m”,”READ_ME_TO_DECRYPT_YOU_INFORMA.jjj”,”*.wuciwug”,”*.kencf”,”*.file0locked”,”file0locked.js”,”CryptoRansomware.exe”,”*.VBRANSOM”,”_HELP_Recover_Files_.html”,”*.oops”,”*.deria”,”*.RMCM1″,”*.Locked-by-Mafia”,”*.\u043a\u0438\u0431\u0435\u0440 \u0440\u0430\u0437\u0432\u0435\u0442\u0432\u0438\u0442\u0435\u043b\u044c”,”*-filesencrypted.html”,”decrypt_Globe*.exe”,”*.hnumkhotep”,”DecryptFile.txt”,”*.L0CKED”,”NFS-e*1025-7152.exe”,”firstransomware.exe”,”HELP-ME-ENCED-FILES.html”,”*.helpmeencedfiles”,”*EdgeLocker*.exe”,”*.edgel”,”*.XBTL”,”*.firecrypt”,”YOUR_FILES_ARE_DEAD.hta”,”*.MRCR1″,”*.PEGS1″,”*.RARE1″,”*.airacropencrypted!”,”*[cryptsvc@mail.ru].*”,”WHERE-YOUR-FILES.html”,”*.Whereisyourfiles”,”*opentoyou@india.com”,”C-email-*-*.odcodc”,”*.maktub”,”*.hush”,”*.bript”,”_*_README.hta”,”_*_README.jpg”,”HOW_OPEN_FILES.hta”,”*.gangbang”,”GJENOPPRETTING_AV_FILER.html”,”GJENOPPRETTING_AV_FILER.txt”,”!!! HOW TO DECRYPT FILES !!!.txt”,”*.braincrypt”,”INSTRUCTION RESTORE FILE.TXT”,”*.lesli”,”Survey Locker.exe”,”!!!!!ATEN\u00c7\u00c3O!!!!!.html”,”Receipt.exe”,”WindowsApplication1.exe”,”HWID Lock.exe”,”VIP72.exe”,”DALE_FILES.TXT”,”*.DALE”,”*.8637″,”*.kok”,”HOW_TO_RESTORE_YOUR_DATA.html”,”*.paymrts”,”*.paymds”,”RESTORE_CORUPTED_FILES.HTML”,”READ@My.txt”,”Cyber SpLiTTer Vbs.exe”,”*.flyper”,”000-PLEASE-READ-WE-HELP.html”,”*.helpdecrypt@india.com”,”*.VforVendetta”,”popcorn_time.exe”,”*.filock”,”*.wallet”,”*_.rmd”,”*.uDz2j8mv”,”OSIRIS-*.htm”,”DesktopOsiris.htm”,”*[cryptservice@inbox.ru]*”,”*.no_more_ransom”,”bahij2@india.com”,”*.lovewindows”,”*.osiris”,”*.R.i.P”,”Important!.txt”,”!_HOW_TO_RESTORE_*.txt”,”HOW_TO_RESTORE_FILES.txt”,”_README_*.hta”,”*.Zzzz”,”*[lavandos@dr.com].wallet”,”*.coin”,”*.crypted_file”,”*.EncrypTile”,”*.hcked”,”_README_.hta”,”Runsome.exe”,”Payment_Advice.mht”,”lblBitcoinInfoMain.txt”,”lblFinallyText.txt”,”lblMain.txt”,”*.hannah”,”*.vindows”,”How to decrypt your files.jpg”,”How to decrypt your files.txt”,”How to get data back.txt”,”*.zycrypt”,”*.sgood”,”*.zzzzz”,”xort.txt”,”DOSYALARINIZA ULA\u015eMAK \u0130\u00c7\u0130N A\u00c7INIZ.html”,”HOWTO_RECOVER_FILES_*.TXT”,”HELP_RESTORE_FILES_*.TXT”,”Recovery+*.html”,”Recovery+*.txt”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.png”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.html”,”help_recover_instructions+*.html”,”help_recover_instructions+*.BMP”,”_how_recover+*.html”,”_how_recover+*.txt”,”ThxForYurTyme.txt”,”_HOW_TO_Decrypt.bmp”,”_RECOVER_INSTRUCTIONS.ini”,”###-READ-FOR-HELLPP.html”,”rtext.txt”,”DECRYPTION INSTRUCTIONS.txt”,”decrypt explanations.html”,”_WHAT_is.html”,”_HOWDO_text.html”,”readme_liesmich_encryptor_raas.txt”,”_Adatok_visszaallitasahoz_utasitasok.txt”,”How to restore files.hta”,”locked.bmp”,”README_TO_RECURE_YOUR_FILES.txt”,”Your files encrypted by our friends !!!.txt”,”ATTENTION.url”,”@WARNING_FILES_ARE_ENCRYPTED.*.txt”,”README!!!.txt”,”# README.hta”,”!Recovery_*.html”,”YourID.txt”,”recover.bmp”,”recover.txt”,”README HOW TO DECRYPT YOUR FILES.HTML”,”READ_IT.txt”,”*.lock93″,”*.!emc”,”*.adk”,”svchosd.exe”,”*.aesir”,”*.CHIP”,”*.happy”,”*.angelamerkel”,”*.razy1337″,”*.zendr4″,”*.dharma”,”*.locked3″,”*.duhust”,”*.exploit”,”*_crypt”,”*_help_instruct*.*”,”*!DMAlock*”,”*.GSupport3″,”*.rnsmwr”,”*.dCrypt”,”ransomed.html”,”*.Alcatraz”,”*_WHAT_is.html”,”readme.hta”,”*.96e2″,”*.thor”,”*.dxxd”,”*.usr0″,”*.shit”,”*.coded”,”*.raid10″,”*.realfs0ciety*”,”*.rip”,”*.okean*”,”*.globe”,”*.nuclear55″,”*.1txt”,”*.kostya”,”*.k0stya”,”*.comrade”,”*.exotic”,”*.fuck”,”*.Yakes”,”*.Zimbra”,”email-salazar_slytherin10@yahoo.com.ver-*.id-*-*.randomname-*”,”*._AiraCropEncrypted!”,”README_RECOVER_FILES_*.txt”,”README_RECOVER_FILES_*.png”,”README_RECOVER_FILES_*.html”,”*.~HL*”,”Sarah_G@ausi.com___*”,”*.zc3791″,”*.venusp”,”*.shino”,”*.bleepYourFiles”,”*.crashed”,”*.amba”,”*.7h9r”,”*.\u5df2\u52a0\u5bc6″,”*.\uc554\ud638\ud654\ub428″,”*.b5c6″,”*.ap19″,”*.a19″,”_*_HOWDO_text.html”,”*_HOWDO_text.bmp”,”*_HOWDO_text.html”,”*.odin”,”*.zypto*”,”zzzzzzzzzzzzzzzzzyyy”,”zycrypt.*”,”*decrypt your file*.*”,”*_nullbyte*”,”*.bart”,”*.axx”,”_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt”,”HOW-TO-DECRYPT-FILES.HTML”,”HOW_TO_DECRYPT.HTML”,”exit.hhr.obleep”,”UnblockFiles.vbs”,”README_DECRYPT_HYDRA_ID_*.txt”,”DECRYPT_Readme.TXT.ReadMe”,”Decrypt All Files *.bmp”,”HowDecrypt.gif”,”HELP_YOURFILES.HTML”,”HOW TO DECRYPT FILES.HTML”,”BUYUNLOCKCODE”,”BitCryptorFileList.txt”,”*.crjocker”,”*.POSHKODER”,”*.hydracrypt_ID_*”,”*.CTBL2″,”*.unbrecrypt_ID_*”,”*.padcrypt”,”*.rekt”,”*.CCCRRRPPP”,”*.SecureCrypte”,”*.windows10″,”*.pdcr”,”*.keybtc@inbox”,”*.breaking_bad”,”*.cryptowall”,”*.xorist”,”*.crypt1″,”How_to_decrypt_your_files.jpg”,”How_to_restore_files.hta”,”*.cerber3″,”*.a5zfn”,”*.purge”,”*.fantom”,”*.cerber2″,”!readme.*”,”Como descriptografar seus arquivos.txt”,”*.C0rp0r@c@0Xr@”,”*.domino”,”*cerber2″,”*.cawwcca”,”how_to_unlock*.*”,”!Recovery_*.txt”,”Read_this_file.txt”,”*.legion”,”*.encoderpass”,”*.cryptolocker”,”*.7z.encrypted”,”ATTENTION!!!.txt”,”HELP_DECRYPT.lnk”,”how to decrypt aes files.lnk”,”restore_files.txt”,”HowDecrypt.txt”,”$RECYCLE.BIN.{*-*-*-*}”,”*.heisenberg”,”*.breaking bad”,”*.razy”,”*.Venusf”,”.~”,”*.payfornature@india.com.crypted”,”winclwp.jpg”,”wie_zum_Wiederherstellen_von_Dateien.txt”,”tox.html”,”strongcrypt.bmp”,”qwer2.html”,”qwer.html”,”pronk.txt”,”paycrypt.bmp”,”maxcrypt.bmp”,”how_decrypt.gif”,”how to get data.txt”,”help_recover_instructions*.txt”,”help_recover_instructions*.html”,”help_recover_instructions*.bmp”,”help-file-decrypt.enc”,”enigma_encr.txt”,”enigma.hta”,”default432643264.jpg”,”default32643264.bmp”,”decypt_your_files.html”,”de_crypt_readme.txt”,”de_crypt_readme.html”,”de_crypt_readme.bmp”,”cryptinfo.txt”,”crjoker.html”,”_how_recover*.txt”,”_how_recover*.html”,”_Locky_recover_instructions.bmp”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.txt”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.png”,”_H_e_l_p_RECOVER_INSTRUCTIONS*.html”,”_HELP_instructions.txt”,”_HELP_instructions.bmp”,”_DECRYPT_INFO_*.html”,”Your files encrypted by our friends !!! txt”,”Your files are locked !.txt”,”Your files are locked !!.txt”,”Your files are locked !!!.txt”,”Your files are locked !!!!.txt”,”YOUR_FILES_ARE_LOCKED.txt”,”YOUR_FILES_ARE_ENCRYPTED.TXT”,”YOUR_FILES_ARE_ENCRYPTED.HTML”,”YOUGOTHACKED.TXT”,”UNLOCK_FILES_INSTRUCTIONS.txt”,”UNLOCK_FILES_INSTRUCTIONS.html”,”SIFRE_COZME_TALIMATI.html”,”SHTODELATVAM.txt”,”Read Me (How Decrypt) !!!!.txt”,”RESTORE_FILES_*.txt”,”RESTORE_FILES_*.*”,”READ_THIS_TO_DECRYPT.html”,”README_HOW_TO_UNLOCK.TXT”,”README_HOW_TO_UNLOCK.HTML”,”README_DECRYPT_UMBRE_ID_*.txt”,”README_DECRYPT_UMBRE_ID_*.jpg”,”README_DECRYPT_HYRDA_ID_*.txt”,”READ ME FOR DECRYPT.txt”,”READ IF YOU WANT YOUR FILES BACK.html”,”Payment_Instructions.jpg”,”ONTSLEUTELINGS_INSTRUCTIES.html”,”OKSOWATHAPPENDTOYOURFILES.TXT”,”MENSAGEM.txt”,”KryptoLocker_README.txt”,”Instructionaga.txt”,”ISTRUZIONI_DECRITTAZIONE.html”,”INSTRUCTIONS_DE_DECRYPTAGE.html”,”INSTRUCCIONES_DESCIFRADO.html”,”INSTALL_TOR.URL”,”IMPORTANT.README”,”IMPORTANT READ ME.txt”,”Howto_RESTORE_FILES.html”,”How to decrypt your data.txt”,”How to decrypt LeChiffre files.html”,”Help Decrypt.html”,”Hacked_Read_me_to_decrypt_files.html”,”HOW_TO_UNLOCK_FILES_README_*.txt”,”HOW_TO_RESTORE_FILES.html”,”HOW_DECRYPT.URL”,”HOW_DECRYPT.TXT”,”HOW_DECRYPT.HTML”,”HOWTO_RECOVER_FILES_*.*”,”HOW TO DECRYPT FILES.txt”,”HELP_YOUR_FILES.html”,”HELP_YOUR_FILES.PNG”,”HELP_TO_SAVE_FILES.bmp”,”HELP_RESTORE_FILES_*.*”,”HELP_DECRYPT.URL”,”HELP_DECRYPT.PNG”,”HELP_DECRYPT.HTML”,”GetYouFiles.txt”,”File Decrypt Help.html”,”FILES_BACK.txt”,”ENTSCHLUSSELN_HINWEISE.html”,”DecryptAllFiles*.txt”,”DESIFROVANI_POKYNY.html”,”DECRYPT_YOUR_FILES.txt”,”DECRYPT_YOUR_FILES.HTML”,”DECRYPT_ReadMe1.TXT”,”DECRYPT_INSTRUCTIONS.html”,”DECRYPT_INSTRUCTION.URL”,”DECRYPT_INSTRUCTION.HTML”,”DECRYPTION_HOWTO.Notepad”,”Comment d\u00e9bloquer mes fichiers.txt”,”BUYUNLOCKCODE.txt”,”AllFilesAreLocked*.bmp”,”4-14-2016-INFECTION.TXT”,”*_ryp”,”*_HELP_instructions.html”,”*.xcrypt”,”*.unavailable”,”*.szf”,”*.porno.pornoransom”,”*.plauge17″,”*.neitrino”,”*.kimcilware.locked”,”*.iwanthelpuuu”,”*.herbst”,”*.helpdecrypt@ukr.net”,”*.h3ll”,”*.gws.porno”,”*.fuckyourdata”,”*.encrypted.locked”,”*.cryptz”,”*.crypttt”,”*.cripttt”,”*.criptokod”,”*.criptiko”,”*.btc.kkk.fun.gws”,”*.aga”,”*._ryp”,”*.Where_my_files.txt”,”*.Read_Me.Txt”,”*.RSplited”,”*.KEYZ.KEYH0LES”,”*.How_To_Get_Back.txt”,”*.How_To_Decrypt.txt”,”*.Contact_Here_To_Recover_Your_Files.txt”,”*.31392E30362E32303136_*”,”# DECRYPT MY FILES #.vbs”,”# DECRYPT MY FILES #.txt”,”# DECRYPT MY FILES #.html”,”!Where_are_my_files!.html”,”!!!README!!!*.rtf”,”!!!-WARNING-!!!.txt”,”!!!-WARNING-!!!.html”,”*.magic_software_syndicate”,”*maestro@pizzacrypts.info”,”*.crypt”,”*.bitstak”,”*.wflx”,”*.CRRRT”,”howtodecryptaesfiles.txt”,”!satana!.txt”,”*.akaibvn”,”*.cRh8″,”*.YTBL”,”*.krypted”,”*.tzu”,”*.6FKR8d”,”*.sshxkej”,”*.eclr”,”*.epic”,”*.paybtcs”,”*.AFD”,”*.paymst”,”*.payms”,”*.isis”,”*.zepto”,”*.bart.zip”,”*.kratos”,”*.31342E30362E32303136*”,”*.SecureCrypted”,”*.crptrgr”,”*.rtyrtyrty”,”!DMALOCK3.0*”,”*.evil”,”*.crypt38″,”*.asdasdasd”,”*.ded”,”*.bloccato”,”*.canihelpyou”,”*.crypz”,”decrypt-instruct*.*”,”*files_are_encrypted.*”,”*decryptmyfiles*.*”,”help_instructions.*”,”*-recover-*.*”,”de_crypt_readme.*”,”*!recover!*.*”,”*recover}-*.*”,”*rec0ver*.*”,”_help_instruct*.*”,”*_recover_*.*”,”*+recover+*.*”,”*warning-!!*.*”,”*decrypt my file*.*”,”help_file_*.*”,”recovery+*.*”,”readme_for_decrypt*.*”,”install_tor*.*”,”readme_decrypt*.*”,”howtodecrypt*.*”,”howto_restore*.*”,”how_to_recover*.*”,”how_recover*.*”,”how_to_decrypt*.*”,”how to decrypt*.*”,”help_restore*.*”,”help_your_file*.*”,”help_recover*.*”,”help_decrypt*.*”,”decrypt_instruct*.*”,”cryptolocker.*”,”*recover_instruction*.*”,”*.hydracrypt_ID*”,”*gmail*.crypt”,”*.cryptotorlocker*”,”*.xxx”,”*.xyz”,”*.xtbl”,”*.xort”,”*.xrtn”,”*.vvv”,”*.vscrypt”,”*.trun”,”*.ttt”,”*.surprise”,”*.troyancoder@qq_com”,”*.sport”,”*.scl”,”*.ryp”,”*.sanction”,”*.RRK”,”*.rokku”,”*.remind”,”*.relock@qq_com”,”*.RDM”,”*.RADAMANT”,”*.R5A”,”*.R4A”,”*.PoAr2w”,”*.pizda@qq_com”,”*.p5tkjw”,”*.oplata@qq_com”,”*.oshit”,”*.oor”,”*.one-we_can-help_you”,”*.OMG!”,”*.nochance”,”*.nalog@qq_com”,”*.micro”,”*.LOL!”,”*.locky”,”*.locked”,”*.LeChiffre”,”*.kraken”,”*.korrektor”,”*.kkk”,”*.kimcilware”,”*.KEYZ”,”*.keybtc@inbox_com”,”*.KEYHOLES”,”*.justbtcwillhelpyou”,”*.infected”,”*.helpdecrypt@ukr_net”,”*.hb15″,”*.ha3″,”*.gruzin@qq_com”,”*.gws”,”*.fun”,”*.fucked”,”*.enigma”,”*.encryptedped”,”*.encryptedRSA”,”*.encryptedAES”,”*.Encrypted”,”*.encrypt”,”*.encedRSA”,”*.EnCiPhErEd”,”*.dyatel@qq_com”,”*.czvxce”,”*.darkness”,”*.ctbl”,”*.CrySiS”,”*.CryptoTorLocker2015!”,”*.crypted”,”*.cry”,”*.crjoker”,”*.crinf”,”*.crime”,”*.coverton”,”*.code”,”*.clf”,”*.chifrator@qq_com”,”*.cerber”,”*.cbf”,”*.btcbtcbtc”,”*.btc-help-you”,”*.btc”,”*.bloc”,”*.better_call_saul”,”*.AES256″,”*.{CRYPTENDBLACKDC}”,”*.73i87A”,”*.zzz”,”*.abc”,”*.aaa”,”vault.txt”,”vault.key”,”recovery_key.txt”,”vault.hta”,”message.txt”,”recovery_file.txt”,”confirmation.key”,”enc_files.txt”,”last_chance.txt”,”*.vault”,”*want your files back.*”,”*.frtrss”,”*.exx”,”*.ezz”,”*.ecc”,”*help_restore*.*”,”*how_to_recover*.*”,”*restore_fi*.*”,”*ukr.net*”,”*qq_com*”,”*keemail.me*”,”*decipher*”,”*install_tor*.*”,”*@india.com*”,”*@gmail_com_*”,”*.*obleep”,”*.*exx”,”*.*locked”,”*.*nochance”,”*.*kraken”,”*.*kb15″,”*.*darkness”,”*.*crypto”,”*.*cry”,”_Locky_recover_instructions.txt”,”help_recover_instructions+*.txt”,”recoverfile*.txt”,”Howto_Restore_FILES.TXT”,”recoveryfile*.txt”,”_how_recover.txt”,”howrecover+*.txt”,”restorefiles.txt”,”howto_recover_file.txt”,”HowtoRESTORE_FILES.txt”,”RECOVERY_FILE*.txt”,”RECOVERY_FILES.txt”,”help_decrypt_your_files.html”,”HELPDECYPRT_YOUR_FILES.HTML”,”IHAVEYOURSECRET.KEY”,”SECRET.KEY”,”SECRETIDHERE.KEY”,”READTHISNOW!!!.TXT”,”IAMREADYTOPAY.TXT”,”HELLOTHERE.TXT”,”FILESAREGONE.TXT”,”DECRYPT_ReadMe.TXT”,”Read.txt”,”About_Files.txt”,”_secret_code.txt”,”ReadDecryptFilesHere.txt”,”Coin.Locker.txt”,”HOW_TO_DECRYPT_FILES.TXT”,”DECRYPT_INSTRUCTION.TXT”,”encryptor_raas_readme_liesmich.txt”,”Help_Decrypt.txt”,”YOUR_FILES.url”,”How_To_Recover_Files.txt”,”YOUR_FILES.HTML”,”INSTRUCCIONES_DESCIFRADO.TXT”,”DECRYPT_INSTRUCTIONS.TXT”,”HELP_TO_SAVE_FILES.txt”,”DecryptAllFiles.txt”,”HELP_RECOVER_FILES.txt”,”HELP_RESTORE_FILES.txt”,”HELP_TO_DECRYPT_YOUR_FILES.txt”,”HELP_YOUR_FILES.TXT”,”HELPDECRYPT.TXT”,”*.CTB2″,”*.SUPERCRYPT”,”*.magic”,”*.1999″,”*.toxcrypt”,”*.bleep”,”*.0x0″,”*.good”,”*.R16M01D05″,”*.pzdc”,”*.XRNT”,”*.crypto”,”*.ccc”,”*.da_vinci_code”,”*.payransom”,”*.KEYH0LES”,”oor.*”,”*.zyklon”,”*.zcrypt”,”*.Z81928819″,”*.Silent”,”*.RSNSlocked”,”*.RAD”,”*.porno”,”*.pornoransom”,”*.odcodc”,”_ryp”,”*.helpdecrypt@ukr*.net”,”*.only-we_can-help_you”,”*.cryp1″,”*.fileiscryptedhard”,”*.blocatto”,”*.8lock8″,”*.777″]}

Advertisements
This entry was posted in microsoft. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s