Ransomware detects the drives on an system that is infected and starts encrypting the files within those drives. Ransomware usually adds an extension to the encrypted files, such as .aaa, .micro, .encrypted, .xyz, .locky, .crypt, .cryptolocker, .vault, or .petya, to show that the files have been encrypted — the file extension used is unique to the ransomware type. When the ransomware has completed file encryption, it creates and displays a file or files containing directions on how the victim can pay the ransom. If the victim pays the ransom, the threat actor may provide a cryptographic key that the victim can use to unlock the files.
09.20.19
