Does ransomware change file extension?

Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files and restore access. One of the most common things ransomware does is change file extensions as part of the encryption process.

What is ransomware?

Ransomware is a form of malware that employs encryption to hold a victim’s information at ransom. A user’s data is encrypted so that they can no longer access it, and the attackers demand ransom money in exchange for decryption. Ransom amounts are typically demanded in cryptocurrency, such as Bitcoin, so that transactions are difficult to trace. Victims without adequate data backups may end up paying the ransom as it may be the only way to regain access to their files and data. However, even if the ransom is paid, there is no guarantee the attackers will uphold their end of the deal and provide a decryption key.

Some of the most common types of ransomware include:

  • Crypto ransomware: Encrypts files and demands ransom payment
  • Locker ransomware: Locks users out of their devices or computers
  • Doxxware: Threatens to publish sensitive stolen data online unless ransom is paid

Ransomware has become a major threat in recent years, infecting computers worldwide and targeting businesses, hospitals, and individuals. Attacks involve tricking users into downloading the malicious software, which can happen through phishing emails containing infected links or attachments, compromised websites, and unpatched software vulnerabilities that allow the ransomware to spread.

What does ransomware do?

When ransomware infects a system, it will go through the following general steps:

  1. Infiltration: The malware first infiltrates the victim’s computer system, often through social engineering like a phishing email or compromised website.
  2. Communication: The ransomware communicates back to the command and control server operated by the hackers to inform them it has infected a system.
  3. Search and encrypt: The ransomware starts scanning connected devices, servers, and files, looking for data to encrypt. Encryption algorithms lock up documents, multimedia files, archives, databases, and other data.
  4. Payment demand: With the files encrypted, the ransomware displays a ransom note demanding payment, usually in the form of cryptocurrency like Bitcoin, in exchange for the decryption key.
  5. Data destruction: If the victim does not pay the ransom, some ransomware is programmed to start irreversibly deleting or corrupting encrypted files after a certain period of time.

By encrypting critical files and data, ransomware can cripple a business or individual user, preventing access to important information and disrupting operations. This gives the attackers significant leverage to demand high ransom payments which many victims end up paying, further fueling the profitable ransomware criminal ecosystem.

How does ransomware encrypt files?

There are a few steps ransomware takes to encrypt files:

  1. The ransomware generates encryption keys – This involves creating one or more cryptographic keys that will be used to lock files.
  2. Files are mapped for encryption – The ransomware scans the infected system, mapping out files, folders, drives, and connected devices to target for encryption.
  3. Files are encrypted – Using the encryption algorithm and encryption keys, the ransomware starts encrypting files, effectively scrambling them so they are inaccessible.
  4. Encryption keys are hidden – The keys generated to encrypt files are hidden away securely where only the ransomware creators can access them.

Advanced encryption algorithms like AES, RSA, and others are used to encrypt files in a way that makes them inaccessible without the right decryption key. The encryption is designed to be irreversible without this key.

Some ransomware encrypts files one at a time while others will encrypt multiple files simultaneously for faster encryption. The time it takes to encrypt files depends on their number and size as well as system resources.

Why does ransomware change file extensions?

As part of the encryption process, most ransomware will change the file extensions of encrypted files. There are a few reasons ransomware authors do this:

  • Hide the original file type: By changing a file’s extension, it obscures the original file format. For example, a file named “document.docx” encrypted by ransomware might become “document.crypt”. This hides the fact it is a Word document.
  • Prevent access: Changing the file extension can prevent programs and operating systems from identifying and opening the file properly. This enhances the encryption and blocking access to files.
  • Indicate encryption: The new extension shows the user that the files have been encrypted by ransomware and are inaccessible.
  • Simplify tracking: It allows the ransomware to easily track and identify encrypted files by searching for the new file extension.

The new extension often uses a name related to encryption like .crypt, .encrypted, .lock or includes the name of the ransomware family like .ryuk. This renaming process is done automatically and affects most file types including documents, images, databases, archives, videos, and more.

What are some examples of ransomware file extensions?

Here are some examples of renamed file extensions created by different ransomware families when they encrypt files:

Original File Type Encrypted File Extension Ransomware Family
.docx .crypt Cryptolocker
.pdf .locky Locky
.jpg .ryuk Ryuk
.xlsx .encrypted Generic
.mp4 .xyz Cerber
.doc .vvv Cerber
.ppt .krab Kraken Cryptor

As you can see, some ransomware families like Locky and Ryuk will rename files to include the malware name while others use more generic terms like .encrypted or .crypt. However, the end result is the same – the original file extension is changed to prevent access to the now encrypted file.

Can you recover encrypted files changed by ransomware?

Recovering files that have had the extensions changed by ransomware encryption is difficult without paying the ransom or having backups, however there some potential options:

  • Ransomware decryptors: For some ransomware families, security researchers have developed decryption tools that can recover files by essentially cracking their encryption. However, these are not available for most ransomware variants.
  • Backups: Having an unaffected backup of your files from before the ransomware attack provides the means to restore your original unencrypted files and extensions.
  • Cloud storage: If files were also synced to cloud storage, and this cloud backup was not affected, you may be able to restore the original versions from there.
  • File recovery tools: Anti-virus tools or data recovery software sometimes can partially recover files by looking for remnants left on the system, but this is not guaranteed.
  • Paying the ransom: You can pay the ransom demand and hope the attackers provide you with the legitimate decryption key, but this is risky with no guarantees.

Prevention is the best protection against ransomware encryption and changing of file extensions. This includes keeping regular backups, avoiding suspicious links/attachments, keeping software updated, using security tools, restricting user permissions, and training staff on cybersecurity best practices.

Can you tell if ransomware changed a file extension?

There are a few indicators that can signal ransomware encrypted your files and changed the extensions:

  • Files on your system suddenly have unknown extensions different from their originals like .crypt, .lock, .encrypted, etc.
  • Opening files results in error messages saying the file type is unavailable or corrupted.
  • A ransom note has appeared demanding payment and mentioning file encryption.
  • Files have been renamed with strings of random characters while retaining an unfamiliar extension.
  • The file icons have changed to a generic icon rather than their application icon.
  • You cannot open or access files that were previously accessible.

You may also experience system crashes, sluggish performance, and other issues if ransomware is still actively encrypting files in the background. If you notice any signs of ransomware infection, immediately disconnect your device from any networks and backups and try to determine the scope of the infection.

How to protect against ransomware changing file extensions

Here are some tips to safeguard your system against file-encrypting ransomware attacks:

  • Maintain offline backups of your important files to enable restoration if infected.
  • Be careful opening email attachments even from known senders.
  • Exercise caution when downloading files from the internet.
  • Keep your operating system, software, and security tools up-to-date with the latest patches.
  • Use antivirus and anti-ransomware software to detect and block malicious programs.
  • Disable file extensions that allow macros if not required.
  • Restrict user permissions to limit access and prevent infections from spreading.
  • Educate employees on cybersecurity best practices and how to identify risks.
  • Segment your network to limit lateral movement if a system is compromised.
  • Have an incident response plan in place you can enact if faced with a ransomware attack.

Taking preventive measures is key to avoiding having your files encrypted and file extensions changed by ransomware. However, also be sure to regularly back up your critical data offline. That way if a ransomware attack does occur, you have options available aside from paying the criminals.


In summary, ransomware frequently changes the file extensions of encrypted files as part of its extortion process. By renaming files with new extensions, ransomware hinders access, identifies encrypted data, and attempts to hide the original file types being impacted. While these renamed extensions are difficult to reverse without the decryption key or backups, paying the ransom demand is risky with no guarantee of file recovery. Thorough backups, security precautions, and employee education provide the best protections against having your business or personal data encrypted and held for ransom.