Monaki Ransomware Uses Unusual Renaming Pattern
Monaki ransomware is a new strain of file-encrypting malware that does not belong to any particular larger ransomware family.
While Monaki will encrypt most file types and extensions just like other ransomware variants, it does one thing differently. Instead of changing the files' extensions and appending its own, it appends a string before the original file name.
Once a file is encrypted by Monaki, it will be renamed to include "Lock." in front of its original name and extension. This will turn a file called "image.jpg" into "Lock.image.jpg". The vast majority of other ransomware variants will do the name change using a new extension, not a prefix to the file name, which makes Monaki somewhat unique.
The ransomware is also unusual in the fact that its authors expect to be contacted through Discord - a very unusual platform for ransomware operators. In addition to this, the ransomware also asks for just $100 in Bitcoin as ransom. The malware also does not generate a ransom note, it simply changes the system wallpaper to just three lines of text that reads:
Your files are encrypted by monaki
To decrypt your files message me on discord: monaki#0001
The price of decryption is 100 USD in Bitcoin