Are there any obvious file extensions appended to your encrypted data files? If so, what is the extension? Is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension?
The .adobe extension has been used by both Dharma (CrySiS) Ransomware and STOP (Djvu) Ransomware. The Dharma (CrySiS) variant will have an <id>-<id*** (8 random hex char)>.[<email>] followed by the .adobe extension. ID Ransomware accurately detects by filemarkers. The extension with two e's at the end (.adobee) is only related to STOP (Djvu) Ransomware and leaves ransom notes named _openme.txt as explained here.
- .id-EE6A4622.[******@foxmail.com].adobe = Dharma (CrySiS)
- <filename>.<extension>.adobe = STOP (Djvu)
- <filename>.<extension>.adobee = STOP (Djvu)
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. Please provide a link to the ID Ransomware results.
When dealing with ransomware, recovering one, two or even a few encrypted files by renaming them or removing (deleting) the extension is sometimes possible, especially with very large files where the ransomware only performs partial encryption (as explained here and here) or if the malware encryption process went awry or was interrupted, but in most cases doing so does not always work. In fact, it often can result in additional problems with file corruption and complicate possible decryption should a future free solution ever become available. Most crypto malware experts recommend that you do not tamper with the encrypted files.
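The .adobe naming rules listed in this post can be applied to a file listing as a read-only first pass; the sketch below is an added example, not part of the original post, and it judges by file name only, so the result still needs confirming through ID Ransomware. The function names, the `SAMPLE` listing and the `example.invalid` address are constructed for illustration.

```python
import re
from collections import Counter

# Dharma (CrySiS) marker as described in the post: .id-<8 hex chars>.[<email>].adobe
DHARMA_ADOBE = re.compile(
    r"^(?P<orig>.*)\.id-(?P<id>[0-9A-F]{8})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.adobe$",
    re.IGNORECASE,
)

def classify(name):
    """Return (family, details) judged from the file name only; nothing is renamed."""
    m = DHARMA_ADOBE.match(name)
    if m:
        return "Dharma (CrySiS)", {
            "original": m.group("orig"),
            "victim_id": m.group("id").upper(),
            "contact": m.group("email"),
        }
    lower = name.lower()
    if lower.endswith(".adobee"):
        # Per the post, the double-e variant drops notes named _openme.txt
        return "STOP (Djvu)", {"original": name[:-len(".adobee")],
                               "expected_note": "_openme.txt"}
    if lower.endswith(".adobe"):
        return "STOP (Djvu)", {"original": name[:-len(".adobe")]}
    return "unidentified", {}

def triage(names):
    """Count families and collect the distinct Dharma IDs and contact emails."""
    families, ids, contacts = Counter(), set(), set()
    for name in names:
        family, info = classify(name)
        families[family] += 1
        if "victim_id" in info:
            ids.add(info["victim_id"])
            contacts.add(info["contact"])
    return families, sorted(ids), sorted(contacts)

# Constructed sample listing (not from a real incident).
SAMPLE = [
    "invoice.xlsx.id-EE6A4622.[helper@example.invalid].adobe",
    "photo.jpg.adobe",
    "thesis.docx.adobee",
    "readme.txt",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(n, "->", classify(n))
    print(triage(SAMPLE))
```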