Detection & Evasion

What file extensions does ransomware leave or change?

Many ransomware families rename encrypted files with a distinctive extension (such as .locky, .crypt, or family-specific strings) and drop ransom notes like README.txt or _DECRYPT_INSTRUCTIONS.html. These artifacts can be useful indicators, but they are unreliable as a detection method.

Modern variants increasingly encrypt files in place without changing extensions, or use intermittent encryption that leaves files looking normal. That is why Elastio detects ransomware by inspecting inside the file rather than relying on extensions or filenames, producing a deterministic verdict even when no visible marker exists.

Last updated May 27, 2026

Related terms

Deep File Inspection Indicator of Compromise (IOC)

Related Elastio resources

BlogRansomware's Return to Encryption Case studyDefeating Stealth Ransomware with Deep File Inspection

See how Elastio proves clean recovery

Elastio hunts for ransomware inside your live, replicated, and backup data and pinpoints the last recovery point proven clean.

Explore the platform Request a demo

Related questions

What is antivirus (AV)?What is next-generation antivirus (NGAV)?What is endpoint protection (EPP)?What is extended detection and response (XDR)?What is artificial intelligence (AI) in security?What is machine learning (ML) in security?

PreviousWhat is ransomware prevention?NextWhat is antivirus (AV)?