Prevent Cyptolocker with FSRM

 

Hey There!

Ransomware has been blowing up in the news lately and the kind Veeamy McVeeamy Face has asked if I could do a quick blog post on how to help prevent Cryptolocker hitting your file shares with File Server Resource Manager.

If you have as little faith in your end users as I do in mine, then this should hopefully help minimize the damage done to your environment when someone thinks they have a fine from a government agency, or an email from the King of some South African country offering sweet sweet money. If they only just click this one link, it will all be theirs.

Now normally I would write a step-by-step guide on how to set this up. However to save you all some time there’s a handy script I’ve been using this to accomplish this quickly and painlessly for new clients when on-boarding them.

Available on GitHub here: https://github.com/nexxai/CryptoBlocker

To advocate why I choose to do this via script below are the 1012 file types currently known to be used by Cryptolocker and it’s variants:

 

*.~xdata~
*.b0ff
Galaperidol.exe
HOW_CAN_I_DECRYPT_MY_FILES.txt
*.xdata
Hello There! Fellow @kee User!.txt
*.kee
*.grux
Restore_your_files.txt
READ_ME.html
*.mordor
*.die
*.SaMsUnG
!#_DECRYPT_#!.inf
*.nuke55
*.onyon
*.blocked
!Please Read Me!.txt
!WannaDecryptor!.exe.lnk
*.DARKCRY
*.wincry
*.wncrypt
WannaCrypt 4.0.exe
t.wry
*.vCrypt1
*.theva
*.PAY
tor.exe
tasksche.exe
wcry.zip
taskhsvc.exe
taskse.exe
taskdl.exe
*.pky
*.eky
wcry.exe
Wannacry.exe
@WanaDecryptor@.*
*.slvpawned
*.WCRYT
*.WRNY
*.LOCKED.txt
*.wncryt
*.wnry
*.viki
RESTORE-12345-FILES.TXT
*.donation1@protonmail.ch.12345
*.block_file12
*.@decrypt2017
*.vdul
*.2cXpCihgsVxB3
*.son
loptr-*.htm
*.paycyka
*.medal
*.bagi
@Please_Read_Me@.txt
*.wncry
_!!!_README_!!!_*
_!!!_README_!!!_*_.hta
_!!!_README_!!!_*_ .txt
*.news
*.corrupted
HOW_TO_DECRYPT_FILES.html
*.shifr
DECRYPT_INFO.txt
*.FailedAccess
Cversions.2.db
*.helppme@india.com.*
ReadME_Decrypt_Help_*.html
*.fartplz
КАК_РАСШИФРОВАТЬ_ФАЙЛЫ.txt
* .vCrypt1
*.xncrypt
*.Lockify
*.htrs
*.cryptowin
*.owned
*.x0lzs3c
*.UIWIX
*.CRYPTOBOSS
*.loptr
*.jaff
*.bitkangoroo
*.cloud
zcrypt.exe
*.uk-dealer@sigaint.org
*_luck
*.decrypt2017
*.[admin@hoist.desi].*.WALLET
*.[crysis@life.com].*.WALLET
*.[SHIELD0@USA.COM].*.WALLET
#_RESTORING_FILES_#.TXT
*.haters
*.anon
*.amnesia
*.keepcalm
*.MIKOYAN
RESTORE_FILES.HTML
*.WWW
*.CRYPTED000007
*.HELPPME@INDIA.COM.ID83994902
HOW_RETURN_FILES.TXT
*.MAYA
*.CONTACT_TARINEOZA@GMAIL.COM
*.CRYPTOBYTE
*.AES
NOTE;!!!-ODZYSKAJ-PLIKI-!!!.TXT
INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt
*.ADR
*.NM4
DesktopOsiris.*
OSIRIS-*.*
redchip2.exe
*.LOLI
ATLAS_FILES.txt
*.whatthefuck
*.loveyouisreal
*.okokokokok
*.ranranranran
READ_IT_FOR_GET_YOUR_FILE.txt
*.psh
*.GETREKT
*.one
!!! READ THIS - IMPORTANT !!!.txt
*.aes_ni_0day
*.JEEPERS
PAYMENT-INSTRUCTIONS.TXT
*.LOCKOUT
*.ATLAS
*.FLATCHER3@INDIA.COM.000G
*.AES-NI
*.DEXTER
*.CONFICKER
*.ONION
*.[NO.TORP3DA@PROTONMAIL.CH].WALLET
*.LCKD
*.MOLE
*.RANSOM
*.lambda.l0cked
009-READ-FOR-DECCCC-FILESSS.html
_READ_THI$_FILE_*
*.I'WANT MONEY
*.gembok
!Decrypt-All-Files-*.txt
*.[GOFMEN17@YA.RU],CRP
*.SERP
*.kilit
0_HELP_DECRYPT_FILES.HTM
HUR_DEKRYPTERA_FILER.html
HUR_DEKRYPTERA_FILER.txt
*.LAMBDA.LOCKED
*.ADMIN@BADADMIN.XYZ
*.SKJDTHGHH
*.LOCK75
*.B10CKED
*.A95436@YA.RU
*.IWANT
*.Fuck_You
Recupere seus arquivos aqui.txt
READ TO UNLOCK FILES.salsa.*.html
*.SALSA222
*.NUMBERDOT
How Decrypt My Files.lnk
How_Decrypt_My_Files
*.CRADLE
*.ID-7ES642406.CRY
READ ME ABOUT DECRYPTION.txt
*.Do_not_change_the_file_name.cryp
*.pr0tect
*.android
*_READ_THIS_FILE_*_*
*.btcware
*drakosho_new@aol.com*
*.AngleWare
*.zorro
*.CIFGKSAFFSFYGHD
*.A9V9AHU4
*.payfordecrypt
OKU.TXT
ZINO_NOTE.TXT
*.ZINO
*.kirked
*.CRPTXXX
HOW_TO_FIX_!.TXT
*.[BRAINCRYPT@INDIA.COM].BRAINCRYPT
*.pizdec
*.REVENGE 
!!!READ_TO_UNLOCK!!!.TXT
*.openforyou@india.com
*.warn_wallet
*.nemo-hacks.at.sigaint.org
*.MATRIX
Crytp0l0cker.Upack.dll
Crytp0l0cker.dll
Crytp0l0cker.exe
decrypted_files.dat
padcryptUninstaller.exe
PadCrypt.exe
Vape Launcher.exe
READ_ME_!.txt
*.enjey
Aescrypt.exe
*.GG
*.[PINGY@INDIA.COM]
*.WORMKILLER@INDIA.COM.XTBL
*.CEBER3
IF_WANT_FILES_BACK_PLS_READ.html
*.iaufkakfhsaraf
_HELP_HELP_HELP_*
zXz.html
*.zXz
VictemKey_*_*
HVORDAN_DU_GENDANNER_FILER.html
HVORDAN_DU_GENDANNER_FILER.txt
HELP_ME_PLEASE.txt
!_RECOVERY_HELP_!.txt
PLEASE-READIT-IF_YOU-WANT.html
*.filegofprencrp
COME_RIPRISTINARE_I_FILE.*
fattura_*.js
*_steaveiwalker@india.com_
COMO_ABRIR_ARQUIVOS.txt
*info@kraken.cc_worldcza@email.cz
*.kr3
COMO_RESTAURAR_ARCHIVOS.txt
COMO_RESTAURAR_ARCHIVOS.html
*.ENCR
*.[File-Help@India.Com].mails
damage@india.com*
*.tmp.exe
What happen to my files.txt
*.jeepdayz@india.com
*.BarRax
*.damage
*.locked-*
*.jey
*.CRYPTOSHIEL
*.cfk
ASSISTANCE_IN_RECOVERY.txt
#_DECRYPT_ASSISTANCE_#.txt
*.lfk
_HELP_HELP_HELP_*.hta
_HELP_HELP_HELP_*.jpg
BTC_DECRYPT_FILES.txt
*.TheTrumpLockerp
*.TheTrumpLockerf
*.d4nk
*.x3mpro
READ-READ-READ.html
*.weencedufiles
*.jse
*.powned
[KASISKI]*
INSTRUCCIONES.txt
@_USE_TO_FIX_*.txt
*.happydayzz
*.hasp
001-READ-FOR-DECRYPT-FILES.html
DECRYPT_INFORMATION.html
Rans0m_N0te_Read_ME.txt
email-vpupkin3@aol.com*
*.hnyear
*.hnumkhotep@india.com.hnumkhotep
*.wowwhereismyfiles
*.decryptional
*.wowreadfordecryp
*.7zipper
*.youransom
*.gui
*.Harzhuangzi
*.encryptedyourfiles
*HERMES
[amanda_sofost@india.com].wallet
*.wcry
*.velikasrbija
*.razarac
*.serpent
*.msj
*.szesnl
_DECRYPT_INFO_szesnl.html
000-IF-YOU-WANT-DEC-FILES.html
*.evillock
*.letmetrydecfiles
*.yourransom
*.lambda_l0cked
*.gefickt
*.HakunaMatata
*.CRYPTOSHIELD
*.weareyourfriends
MERRY_I_LOVE_YOU_BRUCE.hta
How decrypt files.hta
unCrypte@outlook.com*
decipher_ne@outlook.com*
*.potato
*.otherinformation
*.vxLock
*.rdmk
*.paytounlock
TRY-READ-ME-TO-DEC.html
EMAIL_*_recipient.zip
*.sage
*garryweber@protonmail.ch
LEER_INMEDIATAMENTE.txt
*.killedXXX
*.doomed
*.sifreli
*.MERRY
000-No-PROBLEM-WE-DEC-FILES.html
*.noproblemwedecfiles
WE-MUST-DEC-FILES.html
*.powerfulldecrypt
*.stn
*bingo@opensourcemail.org
*.id-3044989498_x3m
*.x3m
READ_ME_TO_DECRYPT_YOU_INFORMA.jjj
*.wuciwug
*.kencf
*.file0locked
file0locked.js
CryptoRansomware.exe
*.VBRANSOM
_HELP_Recover_Files_.html
*.oops
*.deria
*.RMCM1
*.Locked-by-Mafia
*.кибер разветвитель
*-filesencrypted.html
decrypt_Globe*.exe
*.hnumkhotep
DecryptFile.txt
*.L0CKED
NFS-e*1025-7152.exe
firstransomware.exe
HELP-ME-ENCED-FILES.html
*.helpmeencedfiles
*EdgeLocker*.exe 
*.edgel
*.XBTL
*.firecrypt
YOUR_FILES_ARE_DEAD.hta
*.MRCR1
*.PEGS1
*.RARE1
*.airacropencrypted!
*[cryptsvc@mail.ru].*
WHERE-YOUR-FILES.html
*.Whereisyourfiles
*opentoyou@india.com
C-email-*-*.odcodc
*.maktub
*.hush
*.bript
_*_README.hta
_*_README.jpg
HOW_OPEN_FILES.hta
*.gangbang
GJENOPPRETTING_AV_FILER.html
GJENOPPRETTING_AV_FILER.txt
!!! HOW TO DECRYPT FILES !!!.txt
*.braincrypt
INSTRUCTION RESTORE FILE.TXT
*.lesli
Survey Locker.exe
!!!!!ATENÇÃO!!!!!.html
Receipt.exe
WindowsApplication1.exe
HWID Lock.exe
VIP72.exe
DALE_FILES.TXT
*.DALE
*.8637
*.kok
HOW_TO_RESTORE_YOUR_DATA.html
*.paymrts
*.paymds
RESTORE_CORUPTED_FILES.HTML
READ@My.txt
Cyber SpLiTTer Vbs.exe
*.flyper
000-PLEASE-READ-WE-HELP.html
*.helpdecrypt@india.com
*.VforVendetta
popcorn_time.exe
*.filock
*.wallet
*_.rmd
*.uDz2j8mv
OSIRIS-*.htm
DesktopOsiris.htm
*[cryptservice@inbox.ru]*
*.no_more_ransom
bahij2@india.com
*.lovewindows
*.osiris
*.R.i.P
Important!.txt
!_HOW_TO_RESTORE_*.txt
HOW_TO_RESTORE_FILES.txt
_README_*.hta
*.Zzzz
*[lavandos@dr.com].wallet
*.coin
*.crypted_file
*.EncrypTile
*.hcked
_README_.hta
Runsome.exe
Payment_Advice.mht
lblBitcoinInfoMain.txt
lblFinallyText.txt
lblMain.txt
*.hannah
*.vindows
How to decrypt your files.jpg
How to decrypt your files.txt
How to get data back.txt
*.zycrypt
*.sgood
*.zzzzz
xort.txt
DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html
HOWTO_RECOVER_FILES_*.TXT
HELP_RESTORE_FILES_*.TXT
Recovery+*.html
Recovery+*.txt
_H_e_l_p_RECOVER_INSTRUCTIONS+*.png
_H_e_l_p_RECOVER_INSTRUCTIONS+*.html
help_recover_instructions+*.html
help_recover_instructions+*.BMP
_how_recover+*.html
_how_recover+*.txt
ThxForYurTyme.txt
_HOW_TO_Decrypt.bmp
_RECOVER_INSTRUCTIONS.ini
###-READ-FOR-HELLPP.html
rtext.txt
DECRYPTION INSTRUCTIONS.txt
decrypt explanations.html
_WHAT_is.html
_HOWDO_text.html
readme_liesmich_encryptor_raas.txt
_Adatok_visszaallitasahoz_utasitasok.txt
How to restore files.hta
locked.bmp
README_TO_RECURE_YOUR_FILES.txt
Your files encrypted by our friends !!!.txt
ATTENTION.url
@WARNING_FILES_ARE_ENCRYPTED.*.txt
README!!!.txt
# README.hta
!Recovery_*.html
YourID.txt
recover.bmp
recover.txt
README HOW TO DECRYPT YOUR FILES.HTML
READ_IT.txt
*.lock93
*.!emc
*.adk
svchosd.exe
*.aesir
*.CHIP
*.happy
*.angelamerkel
*.razy1337
*.zendr4
*.dharma
*.locked3
*.duhust
*.exploit
*_crypt
*_help_instruct*.*
*!DMAlock*
*.GSupport3
*.rnsmwr
*.dCrypt
ransomed.html
*.Alcatraz
*_WHAT_is.html
readme.hta
*.96e2
*.thor
*.dxxd
*.usr0
*.shit
*.coded
*.raid10
*.realfs0ciety*
*.rip
*.okean*
*.globe
*.nuclear55
*.1txt
*.kostya
*.k0stya
*.comrade
*.exotic
*.fuck
*.Yakes
*.Zimbra
email-salazar_slytherin10@yahoo.com.ver-*.id-*-*.randomname-*
*._AiraCropEncrypted!
README_RECOVER_FILES_*.txt
README_RECOVER_FILES_*.png
README_RECOVER_FILES_*.html
*.~HL*
Sarah_G@ausi.com___*
*.zc3791
*.venusp
*.shino
*.bleepYourFiles
*.crashed
*.amba
*.7h9r
*.已加密
*.암호화됨
*.b5c6
*.ap19
*.a19
_*_HOWDO_text.html
*_HOWDO_text.bmp
*_HOWDO_text.html
*.odin
*.zypto*
zzzzzzzzzzzzzzzzzyyy
zycrypt.*
*decrypt your file*.*
*_nullbyte*
*.bart
*.axx
_H_e_l_p_RECOVER_INSTRUCTIONS+*.txt
HOW-TO-DECRYPT-FILES.HTML
HOW_TO_DECRYPT.HTML
exit.hhr.obleep
UnblockFiles.vbs
README_DECRYPT_HYDRA_ID_*.txt
DECRYPT_Readme.TXT.ReadMe
Decrypt All Files *.bmp
HowDecrypt.gif
HELP_YOURFILES.HTML
HOW TO DECRYPT FILES.HTML
BUYUNLOCKCODE
BitCryptorFileList.txt
*.crjocker
*.POSHKODER
*.hydracrypt_ID_*
*.CTBL2
*.unbrecrypt_ID_*
*.padcrypt
*.rekt
*.CCCRRRPPP
*.SecureCrypte
*.windows10
*.pdcr
*.keybtc@inbox
*.breaking_bad
*.cryptowall
*.xorist
*.crypt1
How_to_decrypt_your_files.jpg
How_to_restore_files.hta
*.cerber3
*.a5zfn
*.purge
*.fantom
*.cerber2
!readme.*
Como descriptografar seus arquivos.txt
*.C0rp0r@c@0Xr@
*.domino
*cerber2
*.cawwcca
how_to_unlock*.*
!Recovery_*.txt
Read_this_file.txt
*.legion
*.encoderpass
*.cryptolocker
*.7z.encrypted
ATTENTION!!!.txt
HELP_DECRYPT.lnk
how to decrypt aes files.lnk
restore_files.txt
HowDecrypt.txt
$RECYCLE.BIN.{*-*-*-*}
*.heisenberg
*.breaking bad
*.razy
*.Venusf
.~
*.payfornature@india.com.crypted
winclwp.jpg
wie_zum_Wiederherstellen_von_Dateien.txt
tox.html
strongcrypt.bmp
qwer2.html
qwer.html
pronk.txt
paycrypt.bmp
maxcrypt.bmp
how_decrypt.gif
how to get data.txt
help_recover_instructions*.txt
help_recover_instructions*.html
help_recover_instructions*.bmp
help-file-decrypt.enc
enigma_encr.txt
enigma.hta
default432643264.jpg
default32643264.bmp
decypt_your_files.html
de_crypt_readme.txt
de_crypt_readme.html
de_crypt_readme.bmp
cryptinfo.txt
crjoker.html
_how_recover*.txt
_how_recover*.html
_Locky_recover_instructions.bmp
_H_e_l_p_RECOVER_INSTRUCTIONS*.txt
_H_e_l_p_RECOVER_INSTRUCTIONS*.png
_H_e_l_p_RECOVER_INSTRUCTIONS*.html
_HELP_instructions.txt
_HELP_instructions.bmp
_DECRYPT_INFO_*.html
Your files encrypted by our friends !!! txt
Your files are locked !.txt
Your files are locked !!.txt
Your files are locked !!!.txt
Your files are locked !!!!.txt
YOUR_FILES_ARE_LOCKED.txt
YOUR_FILES_ARE_ENCRYPTED.TXT
YOUR_FILES_ARE_ENCRYPTED.HTML
YOUGOTHACKED.TXT
UNLOCK_FILES_INSTRUCTIONS.txt
UNLOCK_FILES_INSTRUCTIONS.html
SIFRE_COZME_TALIMATI.html
SHTODELATVAM.txt
Read Me (How Decrypt) !!!!.txt
RESTORE_FILES_*.txt
RESTORE_FILES_*.*
READ_THIS_TO_DECRYPT.html
README_HOW_TO_UNLOCK.TXT
README_HOW_TO_UNLOCK.HTML
README_DECRYPT_UMBRE_ID_*.txt
README_DECRYPT_UMBRE_ID_*.jpg
README_DECRYPT_HYRDA_ID_*.txt
READ ME FOR DECRYPT.txt
READ IF YOU WANT YOUR FILES BACK.html
Payment_Instructions.jpg
ONTSLEUTELINGS_INSTRUCTIES.html
OKSOWATHAPPENDTOYOURFILES.TXT
MENSAGEM.txt
KryptoLocker_README.txt
Instructionaga.txt
ISTRUZIONI_DECRITTAZIONE.html
INSTRUCTIONS_DE_DECRYPTAGE.html
INSTRUCCIONES_DESCIFRADO.html
INSTALL_TOR.URL
IMPORTANT.README
IMPORTANT READ ME.txt
Howto_RESTORE_FILES.html
How to decrypt your data.txt
How to decrypt LeChiffre files.html
Help Decrypt.html
Hacked_Read_me_to_decrypt_files.html
HOW_TO_UNLOCK_FILES_README_*.txt
HOW_TO_RESTORE_FILES.html
HOW_DECRYPT.URL
HOW_DECRYPT.TXT
HOW_DECRYPT.HTML
HOWTO_RECOVER_FILES_*.*
HOW TO DECRYPT FILES.txt
HELP_YOUR_FILES.html
HELP_YOUR_FILES.PNG
HELP_TO_SAVE_FILES.bmp
HELP_RESTORE_FILES_*.*
HELP_DECRYPT.URL
HELP_DECRYPT.PNG
HELP_DECRYPT.HTML
GetYouFiles.txt
File Decrypt Help.html
FILES_BACK.txt
ENTSCHLUSSELN_HINWEISE.html
DecryptAllFiles*.txt
DESIFROVANI_POKYNY.html
DECRYPT_YOUR_FILES.txt
DECRYPT_YOUR_FILES.HTML
DECRYPT_ReadMe1.TXT
DECRYPT_INSTRUCTIONS.html
DECRYPT_INSTRUCTION.URL
DECRYPT_INSTRUCTION.HTML
DECRYPTION_HOWTO.Notepad
Comment débloquer mes fichiers.txt
BUYUNLOCKCODE.txt
AllFilesAreLocked*.bmp
4-14-2016-INFECTION.TXT
*_ryp
*_HELP_instructions.html
*.xcrypt
*.unavailable
*.szf
*.porno.pornoransom
*.plauge17
*.neitrino
*.kimcilware.locked
*.iwanthelpuuu
*.herbst
*.helpdecrypt@ukr.net
*.h3ll
*.gws.porno
*.fuckyourdata
*.encrypted.locked
*.cryptz
*.crypttt
*.cripttt
*.criptokod
*.criptiko
*.btc.kkk.fun.gws
*.aga
*._ryp
*.Where_my_files.txt
*.Read_Me.Txt
*.RSplited
*.KEYZ.KEYH0LES
*.How_To_Get_Back.txt
*.How_To_Decrypt.txt
*.Contact_Here_To_Recover_Your_Files.txt
*.31392E30362E32303136_*
# DECRYPT MY FILES #.vbs
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.html
!Where_are_my_files!.html
!!!README!!!*.rtf
!!!-WARNING-!!!.txt
!!!-WARNING-!!!.html
*.magic_software_syndicate
*maestro@pizzacrypts.info
*.crypt
*.bitstak
*.wflx
*.CRRRT
howtodecryptaesfiles.txt
!satana!.txt
*.akaibvn
*.cRh8
*.YTBL
*.krypted
*.tzu
*.6FKR8d
*.sshxkej
*.eclr
*.epic
*.paybtcs
*.AFD
*.paymst
*.payms
*.isis
*.zepto
*.bart.zip
*.kratos
*.31342E30362E32303136*
*.SecureCrypted
*.crptrgr
*.rtyrtyrty
!DMALOCK3.0*
*.evil
*.crypt38
*.asdasdasd
*.ded
*.bloccato
*.canihelpyou
*.crypz
decrypt-instruct*.*
*files_are_encrypted.*
*decryptmyfiles*.*
help_instructions.*
*-recover-*.*
de_crypt_readme.*
*!recover!*.*
*recover}-*.*
*rec0ver*.*
_help_instruct*.*
*_recover_*.*
*+recover+*.*
*warning-!!*.*
*decrypt my file*.*
help_file_*.*
recovery+*.*
readme_for_decrypt*.*
install_tor*.*
readme_decrypt*.*
howtodecrypt*.*
howto_restore*.*
how_to_recover*.*
how_recover*.*
how_to_decrypt*.*
how to decrypt*.*
help_restore*.*
help_your_file*.*
help_recover*.*
help_decrypt*.*
decrypt_instruct*.*
cryptolocker.*
*recover_instruction*.*
*.hydracrypt_ID*
*gmail*.crypt
*.cryptotorlocker*
*.xxx
*.xyz
*.xtbl
*.xort
*.xrtn
*.vvv
*.vscrypt
*.trun
*.ttt
*.surprise
*.troyancoder@qq_com
*.sport
*.scl
*.ryp
*.sanction
*.RRK
*.rokku
*.remind
*.relock@qq_com
*.RDM
*.RADAMANT
*.R5A
*.R4A
*.PoAr2w
*.pizda@qq_com
*.p5tkjw
*.oplata@qq_com
*.oshit
*.oor
*.one-we_can-help_you
*.OMG!
*.nochance
*.nalog@qq_com
*.micro
*.LOL!
*.locky
*.locked
*.LeChiffre
*.kraken
*.korrektor
*.kkk
*.kimcilware
*.KEYZ
*.keybtc@inbox_com
*.KEYHOLES
*.justbtcwillhelpyou
*.infected
*.helpdecrypt@ukr_net
*.hb15
*.ha3
*.gruzin@qq_com
*.gws
*.fun
*.fucked
*.enigma
*.encryptedped
*.encryptedRSA
*.encryptedAES
*.Encrypted
*.encrypt
*.encedRSA
*.EnCiPhErEd
*.dyatel@qq_com
*.czvxce
*.darkness
*.ctbl
*.CrySiS
*.CryptoTorLocker2015!
*.crypted
*.cry
*.crjoker
*.crinf
*.crime
*.coverton
*.code
*.clf
*.chifrator@qq_com
*.cerber
*.cbf
*.btcbtcbtc
*.btc-help-you
*.btc
*.bloc
*.better_call_saul
*.AES256
*.{CRYPTENDBLACKDC}
*.73i87A
*.zzz
*.abc
*.aaa
vault.txt
vault.key
recovery_key.txt
vault.hta
message.txt
recovery_file.txt
confirmation.key
enc_files.txt
last_chance.txt
*.vault
*want your files back.*
*.frtrss
*.exx
*.ezz
*.ecc
*help_restore*.*
*how_to_recover*.*
*restore_fi*.*
*ukr.net*
*qq_com*
*keemail.me*
*decipher*
*install_tor*.*
*@india.com*
*@gmail_com_*
*.*obleep
*.*exx
*.*locked
*.*nochance
*.*kraken
*.*kb15
*.*darkness
*.*crypto
*.*cry
_Locky_recover_instructions.txt
help_recover_instructions+*.txt
recoverfile*.txt
Howto_Restore_FILES.TXT
recoveryfile*.txt
_how_recover.txt
howrecover+*.txt
restorefiles.txt
howto_recover_file.txt
HowtoRESTORE_FILES.txt
RECOVERY_FILE*.txt
RECOVERY_FILES.txt
help_decrypt_your_files.html
HELPDECYPRT_YOUR_FILES.HTML
IHAVEYOURSECRET.KEY
SECRET.KEY
SECRETIDHERE.KEY
READTHISNOW!!!.TXT
IAMREADYTOPAY.TXT
HELLOTHERE.TXT
FILESAREGONE.TXT
DECRYPT_ReadMe.TXT
Read.txt
About_Files.txt
_secret_code.txt
ReadDecryptFilesHere.txt
Coin.Locker.txt
HOW_TO_DECRYPT_FILES.TXT
DECRYPT_INSTRUCTION.TXT
encryptor_raas_readme_liesmich.txt
Help_Decrypt.txt
YOUR_FILES.url
How_To_Recover_Files.txt
YOUR_FILES.HTML
INSTRUCCIONES_DESCIFRADO.TXT
DECRYPT_INSTRUCTIONS.TXT
HELP_TO_SAVE_FILES.txt
DecryptAllFiles.txt
HELP_RECOVER_FILES.txt
HELP_RESTORE_FILES.txt
HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_YOUR_FILES.TXT
HELPDECRYPT.TXT
*.CTB2
*.SUPERCRYPT
*.magic
*.1999
*.toxcrypt
*.bleep
*.0x0
*.good
*.R16M01D05
*.pzdc
*.XRNT
*.crypto
*.ccc
*.da_vinci_code
*.payransom
*.KEYH0LES
oor.*
*.zyklon
*.zcrypt
*.Z81928819
*.Silent
*.RSNSlocked
*.RAD
*.porno
*.pornoransom
*.odcodc
_ryp
*.helpdecrypt@ukr*.net
*.only-we_can-help_you
*.cryp1
*.fileiscryptedhard
*.blocatto
*.8lock8
*.777