Windows 10: What happens if you rename a file extension to a ransomware extension?

Hi,So I was reading about the SOVA ransomware when suddenly I started wondering about what would happen if I changed the file extension of a safe file to a ransomware's file extension for example, picture.jpg converts to picture.djvu, the extension for one of the oldest variants of the STOP ransomware. Obviously, Google didn't show anything related to my doubt.I believe that the file won't actually become corrupt and wouldn't infect other files. Any insights? Thanks,Joe13 B- 2.0PS: apologies if this shouldn't be in the V&M forum, but I felt it's more apt.

:)

 

Bug in massive file extension renaming

I'm found a wrong behavior in changing the file extension for more than one file.

Having selected many file by the standard win10 file browser (Win10 v1909), I try to change the extension in one shot (by F2 key, by context menu, by Ribbon too).

The regular box (on the file name to rename it) is opened and I can change/add the extension.

When I press Return, all the selected file are renamed (I need to take care just of ext, not about name)

The behavior I expect is to see the new extension on all files.

Instead, previous ext is manteined and it is duplicated. The new extension simply discarted.

Esample on two files, selected and pressing F2 on the first one
(3).delme
(4).delme

Case "A": Changing/sustitution of current ext ".delme" by ".xml", they remains:

(3).delme

(4).delme

case "B" : Adding the further extension ".xml" (to abtain "(3).delme.xml"), they became:
(3).delme.delme
(4).delme.delme

Then, I suppose is not possible a massive file renaming for just extensions.

 

Files encrypted by TeslaCrypt (.vvv extension) ransomware

You're computer is infected with a newer variant of
TeslaCrypt/Alpha Crypt.

The following is a copy/paste of another reply of quietman7 MS MVP in another Bleeping Computer thread:

http://www.bleepingcomputer.com/forums/t/598923/cryptolocker-telsadecoder/

QUOTE

You are dealing with a newer variant of
TeslaCrypt/Alpha Crypt. TeslaCrypt includes several known versions with various extensions for encrypted files to include: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc., .vvv...as described

here. Some of the new variants are
disguised as CryptoWall.

Any files that are encrypted with the newer variant of TeslaCrypt will have the
.exx, .xyz, .zzz, .aaa,
.abc, .ccc or .vvv extension appended to the end of the filename. The .aaa/.abc/.ccc/.vvv variants leave .html, .txt, files (ransom notes) with names like RECOVERY_FILE_*****.txt, restore_files_*****.txt, recover_file_*****.txt,
HOWTO_RESTORE_FILES_*****.txt, howto_recover_file_*****.txt, _how_recover_*****.txt, how_recover+***.txt (where * are random characters). More information in these BC news articles:

• New TeslaCrypt version adds .VVV extension to encrypted filenames.
• New TeslaCrypt version with .CCC extension Released

A repository of all current knowledge regarding TeslaCrypt,
Alpha Crypt and newer variants is provided by
Grinler (aka
Lawrence Abrams), in this topic:
TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:

• TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files
  encrypted by TeslaCrypt

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.

• New TeslaCrypt version that uses the .EXX extension Support & Discussion

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from
our crypto malware experts since they may not see this thread.

UNQUOTE

===================================================================

Also please see the replies of
RickCP

here:
http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-ransomware/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=c26b605a-420f-40bc-9541-584492bab180

and

here:
http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/ransomhtmltescryptd/163bb48e-4932-4296-bc0c-18e25732e2a8?msgId=db3497db-8c32-4241-9c9c-4e08bf793457

Cheers,

J

Later EDIT: Pls see RickCP's UPDATED INFO (January 2016) here:
http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/files-encrypted-by-teslacrypt-vvv-extension/77b05496-fb09-4e01-ab36-db92213dd825?page=2&msgId=0c010b83-a5a8-441f-8950-a268dd83ea18

 

Files encrypted by Extension (.ghfghfghfgh) ransomware

Globe Ransomware will leave files (ransom notes) named How to restore files.hta but it uses a different extension so you may be dealing with a new variant or something entirely new.

I suggest you read and follow these instructions...How to Post a Topic Asking for Help With
Ransomware

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted
here with a link to the new topic you start asking for assistance. Doing that will be helpful with
analyzing and investigating by our crypto experts.

These are some
common folder variable locations malicious executables and .dlls hide:

%SystemDrive%\ (C:\)

%SystemRoot%\ (C:\Windows, %WinDir%\)

%Temp%\

%AllUserProfile%\

%UserProfile%\

%AppData%\

%LocalAppData%\

%ProgramData%\