._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777
random(x5)
[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]
*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}
.id-[ID]_[EMAIL_ADDRESS]
.id-%ID%_garryweber@protonmail.ch
(.*).encoded.([A-Z0-9]{9})
decipher_ne@outlook.com_[encrypted_filename]
unCrypte@outlook.com_[encrypted_filename]
id[_ID]email_xerx@usa.com.scl
[A-F0-9]{8}_luck
.id_(ID_MACHINE)_email_xoomx@dr.com_.code
.id_*_email_zeta@dr.com
.id_(ID_MACHINE)_email_anx@dr.com_.scl
.email[supl0@post.com]id[\[[a-z0-9]{16}\]].lesli
*filename*.email[*email*]_id[*id*].rdmk
name_crypt..extension
grfg.wct.CRYPTOSHIELD
no filename change
no filename change
no filename change
., e.g., 27p9k967z.x1nep
.id-[id].[email].bip
.([a-z]{6,7})
..(dharma|wallet|zzzzz)
.id-%ID%.[moneymaker2@india.com].wallet
Encrypt the extension using ROT-23
random.exotic
.. e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg
.locked, e.g., bill.!ID!8MMnF!ID!.locked
!___[EMAILADDRESS]_.crypt
removes extensions
[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky
hydracrypt_ID_[\w]{8}
<6 random characters>
.([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})
[base64].kraken
([A-F0-9]{32}).locky
([A-F0-9]{32}).zepto
([A-F0-9]{32}).odin
([A-F0-9]{32}).shit
([A-F0-9]{32}).thor
([A-F0-9]{32}).aesir
([A-F0-9]{32}).zzzzz
([A-F0-9]{32}).osiris
[a-z]{4,6}
.([a-zA-Z0-9]{4})
C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc
email-[params].cbf
dummy_file.encrypted.[extension]
test.cry_jpg
.locked
file name[ID-000QQQ.hacker@AOL.com].phobos
%random%.EnCrYpTeD
[a-z]{4,6},[0-9]
.coderksu@gmail_com_id[0-9]{2,3}
.crypt@india.com.[\w]{4,12}
locked-.[a-zA-Z]{4}
appending .abcde to the original file name (e.g., filename.txt.abcde)
umbrecrypt_ID_[VICTIMID]
.id-########.decryptformoney@india.com.xtbl
.[email_address].DHARMA