Ransomware extensions are special file suffixes added to encrypted files. Think of them as a hacker’s calling card: clear proof that your files have been hijacked.

These extensions serve several purposes: they alert victims that their files are no longer usable, create fear and urgency, and prevent standard software from opening the affected files.
By clearly labeling what’s been encrypted, they constantly remind victims of what’s at stake – unless they pay the ransom.
Here are some of the most common ransomware file extensions:
File Extension | Ransomware Name(s) | Description |
---|---|---|
.wannacry | WannaCry | Known for its rapid global spread and impact on various sectors. |
.locky | Locky | Famous for aggressive encryption. |
.cryptolocker | CryptoLocker | One of the earliest and most well-known ransomware types. |
.petya | Petya | Encrypts entire disk partitions. |
.badrabbit | Bad Rabbit | Known for targeted attacks. |
.notpetya / .nopetya | NotPetya | A more virulent variant of Petya. |
.ryuk | Ryuk | Targets large organizations, demands crypto ransoms. |
.djvu | STOP/Djvu | Actively encrypts personal files. |
.phobos | Phobos | Known for fast encryption, also uses .deimos and .epic. |
.dharma | Dharma/CrySiS | Uses various extensions; spreads via RDP and email. |
.cont | Conti | Successor of Ryuk, targets health/government. |
.nephilim | Nephilim | Targets sensitive sectors. |
.avaddon | Avaddon | Spread via phishing, DDoS threats. |
.makop | Makop | Custom encryption; claims false data theft. |
.ransomexx | RansomExx (Defray777) | Targets high-profile entities. |
.egregor | Egregor | Targets corporations, uses custom ransom notes. |
.hellokitty | HelloKitty | Targets individuals and corporate networks. |
.ABYSS | Abyss | Corporate-focused ransomware. |
.akira | Akira | Demands large ransoms. |
Random 8-char | Alpha | Uses “MYDATA” DLS for leaks. |
.avdn | Avaddon | Alternate extension for Avaddon (see .avaddon above). |
HELLO/HELP+numbers | Black Turtle | Occasionally affects individuals. |
.blackcat | BlackCat | Targets infrastructure. |
.blackmatter | BlackMatter | High-profile, shut down in 2021. |
.hydra | BlackSuit | Demands large ransoms. |
.newbot | BO Team | Targets large entities. |
.clop | Clop | Sophisticated exploits. |
.conti | Conti | Alternate extension for Conti (see .cont above). |
.ELCTRONIC | Electronic | Appends ID and email to filenames. |
.elibe | Elibe | Discovered via VirusTotal. |
.crypt | GlobeImposter 2.0 | Uses JavaScript, pirated sites. |
.haron | Haron | Spin-off from Avaddon. |
.hive | Hive | Targets vulnerable healthcare systems. |
.lethal | Lethal Lock | Uses registry for persistence. |
.lockbit | Lockbit | Incentivizes insider attacks. |
.matrix | Matrix | RDP-based access. |
.MEOW | Meow | Targets misconfigured databases. |
.newlive.team | New Live Team | Demands Bitcoin. |
.lalo | New Ran | Business-focused. |
.nightcrow | Night Crow | Public sector target. |
(none given) | NoName | Targets NATO-aligned countries. |
.ping | Ping | Targets multimedia and data files. |
.quantum | Quantum | Fast encryption, phishing-based. |
.schrodingercat | Schrodingercat | Corporate target, unique extension format. |
.snet | SNet | Spread via spam and cracked software. |
.revil | Sodinokibi (REvil) | Highly widespread. |
.tprc | Tprc | Dual payload (encryption + data theft). |
.unkno | Unkno | Government and education targets. |
.xam | Xam | Ransomware-as-a-Service (RaaS). |
Identifying the file extension used by ransomware can help determine its type or family, allowing you to take the right steps for removal and recovery.
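
As an added example (not part of the original article), the following Python sketch shows how a responder might triage a file listing against the table above. The function names `classify` and `triage`, the `min_hits` threshold and the sample paths are assumptions made for illustration, and only a subset of the table is included.

```python
import re
from collections import Counter

# Subset of the table above (extension -> family), lower-cased for matching.
KNOWN = {
    ".wannacry": "WannaCry", ".locky": "Locky", ".ryuk": "Ryuk",
    ".djvu": "STOP/Djvu", ".phobos": "Phobos", ".akira": "Akira",
    ".lockbit": "Lockbit", ".abyss": "Abyss", ".meow": "Meow",
    ".newlive.team": "New Live Team",
}
# Suffixes that also appear on benign files: .djvu is a legitimate
# document format, so a lone hit is weak evidence.
AMBIGUOUS = {".djvu"}

def classify(path):
    """Return (extension, family) for the longest known suffix, else None."""
    name = re.split(r"[\\/]", path)[-1].lower()
    # Longest first, so a multi-part suffix is matched as a whole.
    for ext in sorted(KNOWN, key=len, reverse=True):
        if name.endswith(ext) and len(name) > len(ext):
            return ext, KNOWN[ext]
    return None

def triage(paths, min_hits=3):
    """Return [(family, hits, confidence)] sorted by hit count."""
    hits, seen = Counter(), {}
    for p in paths:
        match = classify(p)
        if match:
            ext, family = match
            hits[family] += 1
            seen.setdefault(family, set()).add(ext)
    report = []
    for family, n in hits.most_common():
        # "low" only when every matched suffix is ambiguous and hits are few.
        weak = seen[family] <= AMBIGUOUS and n < min_hits
        report.append((family, n, "low" if weak else "likely"))
    return report

# Constructed file listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx.akira",
    r"C:\Users\a\Documents\plan.docx.AKIRA",
    r"C:\Users\a\Pictures\cat.jpg.akira",
    "/home/b/books/manual.djvu",
    "/srv/share/report.pdf.newlive.team",
    "/srv/share/notes.txt",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A single `.djvu` file is reported with low confidence because that suffix is also a legitimate document format; many files carrying a second extension on top of their original one is the stronger signal.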