List of ransomware extensions

block multiple servers

filescrn filegroup export /file:C:\filegroup.xml /filegroup:filegroupname
filescrn filegroup import /file:C:\filegroup.xml /filegroup:filegroupname


Output:
C:\Windows\system32>filescrn filegroup import /remote:SERVER /file:\\server\share\FileScreeningTest\file.xml /filegroup:"Ransomware File Group" /overwrite

This tool is deprecated and may be removed in future releases of Windows. Please
 use the Windows PowerShell cmdlets in the FileServerResourceManager module to a
dminister File Server Resource Manager functionality.

File groups imported successfully.
C:\Windows\system32>ver

Microsoft Windows [Version 6.3.9600]

C:\Windows\system32>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows Server 2012 R2 Datacenter
OS Version:                6.3.9600 N/A Build 9600

Research:
https://technet.microsoft.com/en-ca/library/cc788027.aspx
https://technet.microsoft.com/en-ca/library/cc788048.aspx

block.ps

$servers = 
("server1",
"server2",
"server3")

foreach ($server in $servers) {
    echo $server
    filescrn filegroup import /remote:$server /file:\\server\share\FileListedAbove.xml /filegroup:"Ransomware File Group" /overwrite
}

block.xml

<?xml version="1.0" ?>
<Root >
<Header DatabaseVersion = '2.0' >
</Header><QuotaTemplates ></QuotaTemplates>
<DatascreenTemplates ></DatascreenTemplates>
<FileGroups >
<FileGroup Name = 'Ransomware%sFile%sGroup' Id = '{DC7085CC-D915-438A-B7BC-7015DD846010}' Description = '' >
<Members >
<Pattern PatternValue = '*.0x0' ></Pattern>
<Pattern PatternValue = '*.1999' ></Pattern>
<Pattern PatternValue = '*.*obleep' ></Pattern>
<Pattern PatternValue = '*.LOL!' ></Pattern>
<Pattern PatternValue = '*.aaa' ></Pattern>
<Pattern PatternValue = '*.abc' ></Pattern>
<Pattern PatternValue = '*.bleep' ></Pattern>
<Pattern PatternValue = '*.ccc' ></Pattern>
<Pattern PatternValue = '*.ctbl' ></Pattern>
<Pattern PatternValue = '*.ctb2' ></Pattern>
<Pattern PatternValue = '*.crinf' ></Pattern>
<Pattern PatternValue = '*.crjoker' ></Pattern>
<Pattern PatternValue = '*.diablo6' ></Pattern>
<Pattern PatternValue = '*.Lukitus' ></Pattern>
<Pattern PatternValue = '*.cry' ></Pattern>
<Pattern PatternValue = '*.crypto*' ></Pattern>
<Pattern PatternValue = '*.cryptotorlocker*' ></Pattern>
<Pattern PatternValue = '*.darkness' ></Pattern>
<Pattern PatternValue = '*.ecc' ></Pattern>
<Pattern PatternValue = '*.enc' ></Pattern>
<Pattern PatternValue = '*.EnCiPhErEd' ></Pattern>
<Pattern PatternValue = '*.zepto' ></Pattern>
<Pattern PatternValue = '*.crypt1' ></Pattern> 
<Pattern PatternValue = '*.encrypted*' ></Pattern>
<Pattern PatternValue = '*.exx' ></Pattern>
<Pattern PatternValue = '*.ezz' ></Pattern>
<Pattern PatternValue = '*.frtrss' ></Pattern>
<Pattern PatternValue = '*.good' ></Pattern>
<Pattern PatternValue = '*.ha3' ></Pattern>
<Pattern PatternValue = '*.hydracrypt*' ></Pattern>
<Pattern PatternValue = '*.kb15' ></Pattern>
<Pattern PatternValue = '*.kraken' ></Pattern>
<Pattern PatternValue = '*.lechiffre' ></Pattern>
<Pattern PatternValue = '*.locky' ></Pattern>
<Pattern PatternValue = '*.magic' ></Pattern>
<Pattern PatternValue = '*.micro' ></Pattern>
<Pattern PatternValue = '*.nochance' ></Pattern>
<Pattern PatternValue = '*.omg!' ></Pattern>
<Pattern PatternValue = '*.r16M*' ></Pattern>
<Pattern PatternValue = '*.r5a' ></Pattern>
<Pattern PatternValue = '*.rdm' ></Pattern>
<Pattern PatternValue = '*.rrk' ></Pattern>
<Pattern PatternValue = '*.supercrypt' ></Pattern>
<Pattern PatternValue = '*.toxcrypt' ></Pattern>
<Pattern PatternValue = '*.ttt' ></Pattern>
<Pattern PatternValue = '*.vault' ></Pattern>
<Pattern PatternValue = '*.vvv' ></Pattern>
<Pattern PatternValue = '*.xxx' ></Pattern>
<Pattern PatternValue = '*.xrnt' ></Pattern>
<Pattern PatternValue = '*.xtbl' ></Pattern>
<Pattern PatternValue = '*.xyz' ></Pattern>
<Pattern PatternValue = '*.zzz' ></Pattern>
<Pattern PatternValue = '*@gmail_com_*' ></Pattern>
<Pattern PatternValue = '*@india.com*' ></Pattern>
<Pattern PatternValue = '*gmail*.crypt' ></Pattern>
<Pattern PatternValue = '*install_tor*.*' ></Pattern>
<Pattern PatternValue = '*keemail.me*' ></Pattern>
<Pattern PatternValue = '*qq_com*' ></Pattern>
<Pattern PatternValue = '*restore_fi*.*' ></Pattern>
<Pattern PatternValue = '*ukr.net*' ></Pattern>
<Pattern PatternValue = '*want%syour%sfiles%sback.*' ></Pattern>
<Pattern PatternValue = 'DECRYPT_HELP.*' ></Pattern>
<Pattern PatternValue = 'HELP_YOUR_FILES.*' ></Pattern>
<Pattern PatternValue = 'confirmation.key' ></Pattern>
<Pattern PatternValue = 'cryptolocker.*' ></Pattern>
<Pattern PatternValue = 'decrypt_instruct*.*' ></Pattern>
<Pattern PatternValue = 'djqfu*.*' ></Pattern>
<Pattern PatternValue = 'enc_files.txt' ></Pattern>
<Pattern PatternValue = 'help_decrypt*.*' ></Pattern>
<Pattern PatternValue = 'helpdecrypt*.*' ></Pattern>
<Pattern PatternValue = 'help_recover*.*' ></Pattern>
<Pattern PatternValue = 'help_restore*.*' ></Pattern>
<Pattern PatternValue = 'help_your_file*.*' ></Pattern>
<Pattern PatternValue = 'how%sto%sdecrypt*.*' ></Pattern>
<Pattern PatternValue = 'how_decrypt*.*' ></Pattern>
<Pattern PatternValue = 'how_recover*.*' ></Pattern>
<Pattern PatternValue = 'how_to_decrypt*.*' ></Pattern>
<Pattern PatternValue = 'how_to_recover*.*' ></Pattern>
<Pattern PatternValue = 'howto_restore*.*' ></Pattern>
<Pattern PatternValue = 'howto_restore_file*.*' ></Pattern>
<Pattern PatternValue = 'howtodecrypt*.*' ></Pattern>
<Pattern PatternValue = 'install_tor*.*' ></Pattern>
<Pattern PatternValue = 'instructions_xxxx.png' ></Pattern>
<Pattern PatternValue = 'last_chance.*' ></Pattern>
<Pattern PatternValue = 'message.txt' ></Pattern>
<Pattern PatternValue = 'readme_decrypt*.*' ></Pattern>
<Pattern PatternValue = 'readme_for_decrypt*.*' ></Pattern>
<Pattern PatternValue = 'recovery_file.txt' ></Pattern>
<Pattern PatternValue = 'recovery_key.txt' ></Pattern>
<Pattern PatternValue = '*recover_instructions.txt' ></Pattern>
<Pattern PatternValue = 'restore_fi.*' ></Pattern>
<Pattern PatternValue = 'vault.hta' ></Pattern>
<Pattern PatternValue = 'vault.key' ></Pattern>
<Pattern PatternValue = 'vault.txt' ></Pattern>
<Pattern PatternValue = 'HELP_TO_DECRYPT_YOUR_FILES.txt' ></Pattern>
<Pattern PatternValue = 'HELP_TO_SAVE_FILES.txt' ></Pattern>
<Pattern PatternValue = 'DecryptAllFiles.txt' ></Pattern>
<Pattern PatternValue = 'DECRYPT_INSTRUCTIONS.TXT' ></Pattern>
<Pattern PatternValue = 'INSTRUCCIONES_DESCIFRADO.TXT' ></Pattern>
<Pattern PatternValue = 'How_To_Recover_Files.txt' ></Pattern>
<Pattern PatternValue = 'YOUR_FILES.HTML' ></Pattern>
<Pattern PatternValue = 'YOUR_FILES.url' ></Pattern>
<Pattern PatternValue = 'encryptor_raas_readme_liesmich.txt' ></Pattern>
<Pattern PatternValue = 'Help_Decrypt.txt' ></Pattern>
<Pattern PatternValue = 'DECRYPT_INSTRUCTION.TXT' ></Pattern>
<Pattern PatternValue = 'HOW_TO_DECRYPT_FILES.TXT' ></Pattern>
<Pattern PatternValue = 'ReadDecryptFilesHere.txt' ></Pattern>
<Pattern PatternValue = 'Coin.Locker.txt' ></Pattern>
<Pattern PatternValue = '_secret_code.txt' ></Pattern>
<Pattern PatternValue = 'DECRYPT_ReadMe.TXT' ></Pattern>
<Pattern PatternValue = 'FILESAREGONE.TXT' ></Pattern>
<Pattern PatternValue = 'IAMREADYTOPAY.TXT' ></Pattern>
<Pattern PatternValue = 'HELLOTHERE.TXT' ></Pattern>
<Pattern PatternValue = 'READTHISNOW!!!.TXT' ></Pattern>
<Pattern PatternValue = 'SECRETIDHERE.KEY' ></Pattern>
<Pattern PatternValue = 'IHAVEYOURSECRET.KEY' ></Pattern>
<Pattern PatternValue = 'SECRET.KEY' ></Pattern>
<Pattern PatternValue = 'RECOVERY_FILES.txt' ></Pattern>
<Pattern PatternValue = 'RECOVERY_FILE*.txt' ></Pattern>
<Pattern PatternValue = 'HowtoRESTORE*.txt' ></Pattern>
<Pattern PatternValue = 'howto_recover_file.txt' ></Pattern>
<Pattern PatternValue = 'restorefiles.txt' ></Pattern>
<Pattern PatternValue = 'howrecover+*.txt' ></Pattern>
<Pattern PatternValue = '_how_recover.txt' ></Pattern>
<Pattern PatternValue = 'recoveryfile*.txt' ></Pattern>
<Pattern PatternValue = 'recoverfile*.txt' ></Pattern>
<Pattern PatternValue = 'Howto_Restore_FILES.TXT' ></Pattern>
<Pattern PatternValue = 'help_recover_instructions+*.txt' ></Pattern>
<Pattern PatternValue = '_Locky_recover_instructions.txt' ></Pattern>

</Members>
<NonMembers ></NonMembers>

</FileGroup></FileGroups></Root>

List of ransomware extensions

File extensions appended to files: 
.ecc, .ezz, .exx, .zzz, .xyz, .aaa, *.cryp1, .abc, .ccc, .vvv, *.zepto, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .diablo6, .Lukitus, .locky or 6-7 length extension consisting of random characters.

Known ransom note files: 
HELPDECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, Coin.Locker.txt _secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles.txt FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY IHAVEYOURSECRET.KEY, SECRET.KEY, HELPDECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE[random].txt HowtoRESTORE_FILES.txt, HowtoRestore_FILES.txt, howto_recover_file.txt, restorefiles.txt, howrecover+[random].txt, _how_recover.txt, recoveryfile[random].txt, recoverfile[random].txt recoveryfile[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[random].txt, _Locky_recover_instructions.txt
Note: The [random] represents random characters which some ransom notes names may include.