
exlorer.exe in Windows Server 2012 r2

Are there any obvious file extensions appended to your encrypted data files? If so, what is the extension? Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension? Some types of ransomware will completely rename, encrypt or even scramble file names while others do not append any extensions.
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?
Actual ransomware will usually have obvious indications (signs of infection). It typically targets and encrypts data files so you cannot open them locally (or on any drives connected at the time of infection); in most cases it appends an obvious extension (sometimes random, or containing an ID and/or email address) to the end or beginning of encrypted filenames, demands a ransom payment by dropping ransom notes in every directory or affected folder where data has been encrypted, and sometimes changes the Windows wallpaper. In rare cases the criminals will send victims an email with the ransom demands, as reported here.

Windows Insider MVP 2017-2020
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

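The indicators listed in the reply above (an ID and/or email marker inserted before an appended extension, and the same ransom note dropped into every affected folder) can be checked mechanically across a suspect volume. The following Python script is an added example, not code from the thread or its author: the marker shapes follow the reply's `.id-XXXXXXXX`, `.id[XXXXXXXX-NNNN]`, `.[email]` and `_ID_<id>_<email>` forms, while the 8-hex-digit ID width, the ransom-note keywords, the sample file names and the `mail@example.com` address are assumptions chosen for the demonstration.

```python
"""Read-only triage of the ransomware indicators described in the reply:
data files renamed with an ID/email marker plus an appended extension, and
ransom notes replicated into every affected folder.  Added example; the
marker forms follow the post, everything else below is an assumption."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Marker patterns in the forms the reply lists.  The 8-hex-digit ID width and
# the 4-digit bracket suffix are assumptions; the _ID_ form assumes the email
# domain has exactly one dot so the appended extension can be split off.
MARKERS = {
    "id-dash": re.compile(r"\.id-[0-9A-Fa-f]{8}(?=\.|$)"),               # .id-A04EBFC2
    "id-bracket": re.compile(r"\.id\[[0-9A-Fa-f]{8}-\d{4}\](?=\.|$)"),   # .id[4D21EF37-2214]
    "email": re.compile(r"\.\[[^\[\]\s]+@[^\[\]\s]+\](?=\.|$)"),          # .[mail@example.com]
    "id-underscore": re.compile(r"_ID_[A-Za-z0-9*]+_[^\s_]+@[^\s_.]+\.[^\s_.]+"),  # _ID_<id>_<email>
}

# Ransom notes are typically text/HTML files whose name advertises the demand;
# the keyword list is an assumption, extend it for the family you are facing.
NOTE_NAME_RX = re.compile(r"readme|decrypt|encrypted|how.?to|restore|recover|instruction", re.I)
NOTE_SUFFIXES = {".txt", ".hta", ".html", ".htm"}


def classify(filename):
    """Return (original_name, markers, appended_ext) for one file name.

    original_name is the part before the first marker, markers the marker
    kinds found in order of appearance, appended_ext the suffix left after the
    last marker (None when the name carries no marker at all)."""
    hits = []
    for kind, rx in MARKERS.items():
        hits.extend((m.start(), m.end(), kind) for m in rx.finditer(filename))
    if not hits:
        return filename, [], None
    hits.sort()
    original = filename[: hits[0][0]]
    tail = filename[hits[-1][1]:]
    return original, [kind for _, _, kind in hits], (tail if tail.startswith(".") else None)


def scan_tree(root):
    """Walk root without touching any file and summarise what was found."""
    markers, appended, note_dirs, encrypted = Counter(), Counter(), {}, 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            _original, kinds, ext = classify(name)
            if kinds:
                encrypted += 1
                markers.update(kinds)
                if ext:
                    appended[ext] += 1
            elif Path(name).suffix.lower() in NOTE_SUFFIXES and NOTE_NAME_RX.search(Path(name).stem):
                note_dirs.setdefault(name, set()).add(dirpath)
    # A ransom note is dropped into every folder that was encrypted; a single
    # stray readme.txt is not evidence, so only names seen in 2+ folders count.
    notes = {n: len(d) for n, d in note_dirs.items() if len(d) >= 2}
    return {"encrypted_files": encrypted, "markers": dict(markers),
            "appended_extensions": dict(appended), "ransom_notes": notes}


def build_sample_tree():
    """Create a constructed tree imitating a Dharma-style infection (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    tag = ".id-A04EBFC2.[mail@example.com].xtbl"   # constructed marker + extension
    layout = {
        "Documents": ["report.docx" + tag, "FILES ENCRYPTED.txt"],
        "Pictures": ["holiday.jpg" + tag, "untouched.png", "FILES ENCRYPTED.txt"],
    }
    for folder, names in layout.items():
        (root / folder).mkdir()
        for n in names:
            (root / folder / n).write_text("constructed sample\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"encrypted files : {result['encrypted_files']}")
    print(f"markers         : {result['markers']}")
    print(f"appended exts   : {result['appended_extensions']}")
    print(f"ransom notes    : {result['ransom_notes']}")
    for sample in ("budget.xlsx.id[4D21EF37-2214].[mail@example.com].phobos",
                   "notes.txt_ID_5F3A9C_mail@example.com.crypt"):
        print(sample, "->", classify(sample))
```

Point `scan_tree` at the affected share instead of the constructed tree when triaging a real incident; it only reads directory listings, so it can run against a volume you have already taken offline. The summary it returns (dominant appended extension, marker kinds, note file name and how many folders it appears in) is exactly the information the reply asks the victim for.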
