Ransomware Common Extension Files: A Comprehensive Overview

ransomware techhyme

Ransomware is a malicious software that encrypts a victim’s data, holding it hostage until a ransom is paid to the attackers. One of the key identifiers of ransomware attacks is the file extension appended to the encrypted files. Attackers often use specific extensions to differentiate their ransomware variants and to instill fear in their victims.

In this article, we present a tabular overview of some common ransomware extension files, helping users recognize potential threats and take appropriate preventive measures.

Ransomware Extension Description Date of First Appearance
.locky Associated with Locky ransomware February 2016
.cerber Linked to Cerber ransomware March 2016
.cryptowall Associated with CryptoWall ransomware April 2014
.wannacry Linked to the infamous WannaCry ransomware May 2017
.zepto Associated with Zepto ransomware June 2016
.dharma Linked to Dharma/Crysis ransomware November 2016
.gandcrab Associated with GandCrab ransomware January 2018
.ryuk Linked to Ryuk ransomware August 2018
.phobos Associated with Phobos ransomware December 2018
.sodinokibi Linked to Sodinokibi/REvil ransomware April 2019
.contih Associated with Conti ransomware July 2020
.babuklocker Linked to Babuk Locker ransomware January 2021

Understanding the Common Ransomware Extensions

  1. .locky: Locky ransomware was one of the first major ransomware families to use this extension. It caused widespread damage in 2016 through malicious email attachments.
  2. .cerber: Cerber ransomware is known for its audio ransom notes and was a significant threat in 2016 and 2017.
  3. .cryptowall: CryptoWall was one of the early prominent ransomware strains. It used advanced encryption techniques and demanded payment through Bitcoin.
  4. .wannacry: The WannaCry ransomware garnered global attention in 2017 for its massive-scale attacks, exploiting a Windows vulnerability.
  5. .zepto: Zepto is a variant of Locky ransomware, utilizing a different extension while employing similar attack methods.
  6. .dharma: Dharma, also known as Crysis, has been active since 2016 and is notorious for targeting businesses and organizations.
  7. .gandcrab: GandCrab was a prevalent ransomware-as-a-service (RaaS) that operated on a subscription model, causing extensive damage.
  8. .ryuk: Ryuk ransomware is often deployed in targeted attacks against high-value targets, demanding large ransom payments.
  9. .phobos: Phobos ransomware emerged as a successor to Dharma, and it shares some similarities with the older variant.
  10. .sodinokibi: Also known as REvil, Sodinokibi is a high-profile ransomware that gained notoriety for targeting large enterprises.
  11. .contih: Conti ransomware is used by cybercriminals in targeted attacks against organizations, aiming for large ransom payouts.
  12. .babuklocker: Babuk Locker is a relatively newer ransomware that has gained attention for its attacks on various industries.


Recognizing the file extensions associated with common ransomware strains is crucial in identifying potential threats and preventing devastating attacks. However, it is essential to remember that ransomware is continuously evolving, and attackers may employ new extensions or variations.

To protect against ransomware attacks, it is crucial to implement robust security measures, regularly back up important data, keep software up-to-date, and educate users about the dangers of phishing and suspicious downloads. By staying informed and vigilant, users and organizations can fortify their defenses against ransomware threats and mitigate potential damage effectively.

You may also like:

Related Posts

Leave a Reply