Before attempting anything (payment, decryption, partial restoration), one question matters above all: which ransomware exactly hit you? The answer drives everything — decryptor availability, expected behavior, dwell time, double-extortion risk, legal status of the group. ID Ransomware, operated by MalwareHunterTeam since 2016, is the reference tool to answer this question in minutes.
This guide details the exact procedure, what you need to know before uploading, and how to act on the result depending on whether the strain is known or emerging.
Why precise identification changes everything
Many users facing ransomware treat the incident as a single category of event and apply the generic response everyone has read (don't pay, restore from backup, file a complaint). That is partially correct, but skipping identification of the specific strain forfeits real recovery opportunities in about 30% of cases.
Precise identification changes the strategy on three critical axes. First axis: free decryptor availability. The No More Ransom project maintained by Europol, Dutch Police, Kaspersky and McAfee regularly publishes decryption tools when researchers succeed in breaking the cryptographic scheme of a ransomware family. In Q1 2026, about 140 distinct families have at least one published tool. If your strain is one of these 140, you can literally decrypt your files for free in hours. But if you don't identify the strain, you don't know such a tool exists.
Second axis: double extortion risk. Ransomware groups are not equivalent in exfiltration capability. The "top tier" operators (LockBit 3.0, BlackCat/ALPHV, Royal, Akira, Black Basta) systematically operate significant exfiltration before encryption and publish data on their leak sites if not paid. "Classical cybercrime" operators (Stop/Djvu, GandCrab heirs, some Phobos variants) generally don't exfiltrate and the risk is limited to local encryption. The notification strategy (regulators, customers, suppliers) and pressure on ransom calculation depend directly on this distinction.
Third axis: legal status and OFAC sanctions. Several ransomware groups are designated by US OFAC as sanctioned entities (LockBit in February 2024, Conti in 2022, Black Basta partially). Paying a ransom to a group under OFAC sanctions is illegal for any US person or company, and constitutes a significant legal risk even for European companies with US operations. Precisely identifying the group lets you know if payment is legally possible before even considering its ethics.
ID Ransomware: what the service actually does
ID Ransomware is a project maintained by Michael Gillespie (a.k.a. Demonslay335), a central researcher in the ransomware community since the mid-2010s. The service is free, requires no account, and accepts two input types: an encrypted file sample and the ransom note left by the attackers.
Identification logic
The tool cross-references several signals to decide:
- The extension appended to the encrypted file (.lockbit, .djvu, .conti, etc.).
- The binary structure of the file: header, marker placed at the beginning or end of the file, algorithm signature (AES, ChaCha20, Salsa20), sometimes a footer with metadata (version, victim ID, RSA-encrypted key).
- The ransom note hash: most families use a stable text template, varying only on dynamic fields (UID, amount, Tor link). A partial hash or lexical signature enables reliable identification.
- The note filename: README.txt, _readme.txt, HOW_TO_DECRYPT.txt, !!!HELP_FILE!!!.html, restore-my-files.txt, etc.
- The ransom wallpaper in some cases (an image substituted as the desktop background).
Triangulation of these signals brings the identification rate above 95% on indexed families. The database covers more than 1300 families in 2026, with the service processing roughly 1.5 million submissions per year.
Why not just the extension
About a dozen ransomware families share generic extensions like .locked, .encrypted or .crypto. Without cross-checking the note and binary structure, identification would routinely be wrong — and a decryptor applied to the wrong family permanently destroys the files.
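To make the triangulation concrete, here is an added Python example (not ID Ransomware's code; the signature table, family names and sample note are constructed for illustration). It scores a submission against several independent signals, treats the binary footer marker as the strongest one, and refuses to commit when only the extension matches, which is exactly the .locked collision described above.

```python
import hashlib
import re
from dataclasses import dataclass


# Constructed toy signature table for illustration; NOT ID Ransomware's database.
@dataclass(frozen=True)
class FamilySignature:
    name: str
    extensions: frozenset       # extension(s) appended to encrypted files
    note_names: frozenset       # ransom note filenames
    note_phrases: tuple         # stable wording from the note template
    footer_marker: bytes = b""  # constant trailer some families write


SIGNATURES = (
    FamilySignature("Alpha (constructed)", frozenset({".locked"}),
                    frozenset({"HOW_TO_DECRYPT.txt"}),
                    ("all your files have been encrypted", "decrypt id"),
                    b"ALPHA-END"),
    FamilySignature("Beta (constructed)", frozenset({".locked"}),
                    frozenset({"README.txt"}),
                    ("your network has been penetrated", "personal key")),
    FamilySignature("Gamma (constructed)", frozenset({".gmma"}),
                    frozenset({"recover-files.txt"}),
                    ("contact us via tor", "payment in bitcoin"),
                    b"GMMA"),
)

# Dynamic fields that differ per victim and must not influence the signature:
# long hex IDs, bitcoin addresses, .onion links.
DYNAMIC = re.compile(
    r"\b[A-Fa-f0-9]{16,}\b|\bbc1[a-z0-9]{20,}\b|\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b|\S+\.onion\S*"
)

# Constructed sample note (no real victim data).
SAMPLE_NOTE = """ALL YOUR FILES HAVE BEEN ENCRYPTED!
Your Decrypt ID: 9f3a7c21b0e4d58a6c1f0b2e
Write to us at http://abcdefghijklmnop.onion/contact
"""


def normalize_note(text: str) -> str:
    """Reduce a note to its template: dynamic fields masked, lowercased, whitespace collapsed."""
    return " ".join(DYNAMIC.sub("<VAR>", text).lower().split())


def template_hash(text: str) -> str:
    """Lexical signature of the template; identical for two victims of the same family."""
    return hashlib.sha256(normalize_note(text).encode()).hexdigest()


def score_candidates(extension, note_name=None, note_text=None, sample_tail=b""):
    """Score each family by how many independent signals agree with the evidence."""
    template = normalize_note(note_text) if note_text else ""
    scores = {}
    for sig in SIGNATURES:
        s = 0
        if extension.lower() in sig.extensions:
            s += 1
        if note_name and note_name in sig.note_names:
            s += 1
        s += sum(1 for phrase in sig.note_phrases if phrase in template)
        if sig.footer_marker and sample_tail.endswith(sig.footer_marker):
            s += 2  # binary structure is the strongest single signal
        scores[sig.name] = s
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def identify(extension, note_name=None, note_text=None, sample_tail=b""):
    """Return (candidate names, confidence). 'high' needs a single leader with
    at least 3 points and a lead of 2 over the runner-up; ties stay 'uncertain'."""
    ranked = score_candidates(extension, note_name, note_text, sample_tail)
    top = ranked[0][1]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if top == 0:
        return [], "unknown"
    leaders = [name for name, s in ranked if s == top]
    if top >= 3 and top - runner_up >= 2 and len(leaders) == 1:
        return leaders, "high"
    return leaders, "uncertain"


if __name__ == "__main__":
    print(identify(".locked"))                                   # two candidates, uncertain
    print(identify(".locked", "HOW_TO_DECRYPT.txt", SAMPLE_NOTE))  # Alpha, high
    print(identify(".gmma", sample_tail=b"\x00" * 32 + b"GMMA"))   # Gamma, high
```

The first call mirrors the extension-collision problem: two constructed families both use .locked, so the result is a tie and the caller is told to supply the note. Adding the note name and text breaks the tie; the footer marker alone is enough for a family that writes one.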
Full procedure
Step 1 — Prepare a working environment
You need an uninfected device: smartphone, second PC, a relative's computer. Never use the compromised machine for identification — it may keep exfiltrating data or encrypt newly created files.
Prepare two things:
- A USB drive to transfer the ransom note and an encrypted file.
- An evidence folder (screenshots, captures, event log).
Step 2 — Extract an encrypted file sample
Always work on a copy, never on the original. If you accidentally overwrite or modify the original, you lose the recovery opportunity even if a decryptor arrives later.
Pick a small encrypted file (ideally under 1 MB) — that is the upload limit on ID Ransomware. A modest .docx or .jpg works well. To examine the file's characteristics before upload, here is a PowerShell script that extracts the key information.
```powershell
# Examine an encrypted file without modifying it (every operation below is read-only)
$file = "C:\Path\To\encrypted-sample.docx.lockbit3"

# Size and timestamps
Get-Item $file | Select-Object FullName, Length, CreationTime, LastWriteTime

# SHA-256 hash of the full file
Get-FileHash -Algorithm SHA256 $file

# Read the bytes once; header and footer are sliced from this array
$all = [System.IO.File]::ReadAllBytes($file)

# First 256 bytes (header) in hex - useful to identify the marker
$headerLength = [Math]::Min(256, $all.Length)
$header = $all[0..($headerLength - 1)]
($header | ForEach-Object { $_.ToString("X2") }) -join " "

# Last 512 bytes (footer often carries the marker and the RSA-encrypted key);
# the start index is clamped so files shorter than 512 bytes do not fail
$tailStart = [Math]::Max(0, $all.Length - 512)
$tail = $all[$tailStart..($all.Length - 1)]
($tail | ForEach-Object { $_.ToString("X2") }) -join " "

# Search for visible ASCII tokens (victim ID, family marker)
$content = [System.Text.Encoding]::ASCII.GetString($all)
[regex]::Matches($content, "[A-Za-z0-9]{16,}") | Select-Object -First 5 -ExpandProperty Value
```
This script never modifies the file (all operations are read-only) and returns the hash, header and footer — useful for the BleepingComputer forum if ID Ransomware does not recognize the strain.
Step 3 — Retrieve the ransom note
The note is typically dropped on the desktop, in the Documents folder, and inside every folder containing encrypted files. Common filenames in 2026:
- README.txt, _readme.txt (STOP/Djvu)
- HOW_TO_DECRYPT.txt
- !!!HELP_FILE!!!.html
- restore-my-files.txt (LockBit)
- RECOVER_DATA.html (Akira)
- instructions_read_me.txt (BlackBasta)
- recover-files.txt (Royal)
Before upload, redact personal identifiers. The note almost always contains a UID, TID, transaction ID, personal Bitcoin address, or unique Tor link that identifies you to the attackers. Replace those strings with [REDACTED] in a copy of the note before sending it to ID Ransomware. Why: if you later decide to engage a professional negotiator, the attacker should not know that you publicly analyzed the note.
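An added Python example (not from ID Ransomware or this article's author) that produces a redacted copy of the note and leaves the original untouched. The label names it looks for (Decrypt ID, UID, TID, personal ID/key, transaction ID) and the sample note are constructed assumptions for the example; extend the patterns to match the note you actually received, and keep the template wording intact so the service can still match it.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Label-driven fields such as "Decrypt ID: ...", "UID ...", "TID: ..." (assumed labels).
LABELED = re.compile(
    r"(?im)^(\s*(?:decrypt[- ]?id|uid|tid|personal (?:id|key)|transaction id|your id)\b\s*[:=]?\s*)(\S+)"
)
# Pattern-driven fields that single out one victim even without a label.
PATTERNS = {
    "onion_link": re.compile(r"\S+\.onion\S*", re.I),
    "bitcoin_address": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "long_id": re.compile(r"\b[A-Fa-f0-9]{16,}\b"),
}

# Constructed sample note; the address and link are placeholders, not real ones.
SAMPLE_NOTE = """!!! YOUR FILES ARE ENCRYPTED !!!
Decrypt ID: 9F3A7C21B0E4D58A6C1F0B2E
Pay 0.5 BTC to 1CnstrctdExampAddrNotRea12345678
Support portal: http://examplev3abcdefghij.onion/chat
Do not rename encrypted files.
"""


def redact_note(text: str):
    """Return (redacted_text, counts) with victim-specific fields replaced by [REDACTED].
    Labeled values go first so a long hex ID is counted once, under its label."""
    counts = {}
    out, n = LABELED.subn(lambda m: m.group(1) + "[REDACTED]", text)
    counts["labeled_id"] = n
    for name, rx in PATTERNS.items():
        out, n = rx.subn("[REDACTED]", out)
        counts[name] = n
    return out, counts


def write_redacted_copy(original: Path, copy: Path) -> dict:
    """Write the redacted copy; verify by hash that the original note was not touched."""
    before = hashlib.sha256(original.read_bytes()).hexdigest()
    redacted, counts = redact_note(original.read_text(encoding="utf-8", errors="replace"))
    copy.write_text(redacted, encoding="utf-8")
    after = hashlib.sha256(original.read_bytes()).hexdigest()
    if before != after:
        raise RuntimeError("original note was modified; stop and re-copy from the evidence folder")
    return counts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        note = Path(tmp) / "HOW_TO_DECRYPT.txt"
        note.write_text(SAMPLE_NOTE, encoding="utf-8")
        print(write_redacted_copy(note, Path(tmp) / "HOW_TO_DECRYPT.redacted.txt"))
        print((Path(tmp) / "HOW_TO_DECRYPT.redacted.txt").read_text())
```

Review the redacted copy by eye before uploading: a label the regexes do not know about (attackers change wording often) leaves the value in place, and the counts returned make a missing category obvious.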
Step 4 — Upload to ID Ransomware
Open id-ransomware.malwarehunterteam.com. The interface offers two fields:
- Ransom Note: the ransom note (text, HTML, image, TTS audio for some recent variants).
- Sample Encrypted File: one encrypted file.
Limit: 1 MB per file. No account required, anonymous submission. The service processes the request within seconds.
Step 5 — Read the result
Three possible outcomes:
Positive identification with available decryptor. The result displays the family name, a direct link to the official decryptor (often Emsisoft, Avast, Kaspersky or No More Ransom), and a link to the relevant BleepingComputer topic. Download the decryptor from the official source only — booby-trapped fake decryptors exist.
Positive identification without decryptor. The strain is known but no free tool exists (case of LockBit 3.0, recent Akira, Royal, BlackCat, Play, 8base, BlackBasta). Note the exact name for the next steps (negotiation, complaint, data breach notification).
Uncertain or multiple identification. The service returns several candidates. Cross-reference with BleepingComputer and No More Ransom to break the tie.
Step 6 — Cross-reference with alternative databases
ID Ransomware is not alone. Useful complementary databases in 2026:
- No More Ransom — Crypto Sheriff (nomoreransom.org): joint initiative of Europol, Dutch police and several antivirus vendors. Database of 200+ free decryptors. Similar interface (upload note + sample).
- BleepingComputer Ransomware ID (bleepingcomputer.com/forums): community forum with volunteer analysts. More responsive on emerging strains.
- Emsisoft Ransomware Identification (emsisoft.com/ransomware-decryption): integrated into their decryptor catalog.
- Coveware (coveware.com): free identification for businesses engaging a paid response/negotiation mission.
Common ransomware families 2024-2026
| Family | Typical extension | Free decryptor | Model |
|---|---|---|---|
| LockBit 3.0 / Black | .lockbit, .HLJkNskOq (random) | No (partial keys via 2024 police operation) | RaaS — affiliates |
| LockBit 4.0 | .[random] | No | RaaS — 2024 relaunch |
| Akira | .akira, .powerranges | Partial (older variants) | RaaS |
| BlackCat / ALPHV | .[random 7 chars] | No (FBI keys 2023, limited) | RaaS — partially dismantled |
| Royal | .royal, .royal_w, .royal_u | No | Closed group |
| BlackBasta | .basta | No | RaaS |
| Play | .play, .PLAY | No | Closed group |
| 8base | .8base, .id-.8base | No | RaaS |
| STOP / Djvu | .djvu, .stop, .pulsar1, .qehu, etc. | Partial (Emsisoft, offline keys only) | Solo + variants |
| Phobos | .phobos, .eight, .eject, .devos | Partial (keys leaked 2024) | RaaS |
| Conti (legacy) | .conti, .[random 5] | No (source code leaked 2022) | Dismantled — active variants |
| Hive (legacy) | .hive, .[random] | Yes (FBI keys 2023) | Dismantled Jan 2023 |
| Babuk (legacy) | .babuk, .babyk, .NIST_K571 | Partial (code leaked 2021) | Dismantled — active variants |
| Cl0p | .clop, .C_L_O_P, .cllp | No | Closed group |
| Medusa | .MEDUSA | No | RaaS |
Status can evolve: monitor No More Ransom and CISA bulletins regularly.
After identification — what to do based on the result
Case A — An official decryptor exists
Excellent news, but beware of pitfalls.
- Download the decryptor from the official source only (link from ID Ransomware, No More Ransom or the vendor site).
- Test first on a copy of an encrypted file. If the copy is properly decrypted, scale to the whole fleet.
- Keep the original encrypted files until you confirm recovery is complete and stable (minimum 1 to 2 weeks).
See our guide Decrypt ransomware without paying for the per-family tool list.
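An added Python example, not from any vendor's decryptor, of the "test on a copy first" rule: the decryptor is run only on a copy, the original's hash is compared before and after, and the output is checked for the magic bytes implied by the file's original extension. The `run_decryptor` callable is an assumed wrapper you write around the vendor tool's command line; the magic-bytes table and the stand-in decryptor in the demo are constructed for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Magic bytes of common document and image types (constructed subset for the example).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_magic(encrypted_name: str):
    """Find the original type from the name, skipping suffixes the ransomware appended:
    'report.docx.lockbit3' -> docx magic, 'invoice.pdf.id-ABC.phobos' -> pdf magic."""
    for suffix in reversed(Path(encrypted_name).suffixes):
        magic = MAGIC.get(suffix.lower())
        if magic:
            return magic
    return None


def looks_decrypted(encrypted_name: str, data: bytes) -> bool:
    """True when the output starts with the magic bytes its original extension implies."""
    magic = expected_magic(encrypted_name)
    return magic is not None and data.startswith(magic)


def trial_decrypt(encrypted: Path, run_decryptor, workdir: Path) -> dict:
    """Run run_decryptor(copy_path) -> Path on a COPY only and report a verdict."""
    before = sha256_file(encrypted)
    copy = workdir / encrypted.name
    shutil.copy2(encrypted, copy)
    output = run_decryptor(copy)
    after = sha256_file(encrypted)
    data = output.read_bytes() if output and output.exists() else b""
    return {
        "original_untouched": before == after,
        "output_valid": looks_decrypted(encrypted.name, data),
        "output_size": len(data),
    }


if __name__ == "__main__":
    # Stand-in decryptor for the demo: writes a plausible .docx header next to the copy.
    def fake_decryptor(copy_path: Path) -> Path:
        out = copy_path.with_suffix("")          # report.docx.lockbit3 -> report.docx
        out.write_bytes(b"PK\x03\x04" + b"\x00" * 60)
        return out

    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence"
        src.mkdir()
        sample = src / "report.docx.lockbit3"
        sample.write_bytes(b"\x8a\x1f\x3c" + b"\x00" * 60)   # constructed "encrypted" bytes
        work = Path(tmp) / "trial"
        work.mkdir()
        print(trial_decrypt(sample, fake_decryptor, work))
```

A verdict with `original_untouched` false means the tool wrote in place, so it must never be pointed at the evidence folder; `output_valid` false on a known file type means the wrong family or the wrong key, and the fleet-wide run should not proceed.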
Case B — No decryptor available
Do not panic — this is the most common case in 2026 on recent RaaS families. Several levers remain:
- Backup predating the attack: first recovery shot. Check cloud backup (OneDrive, Backblaze, iCloud), disconnected external disk, off-site NAS.
- Windows shadow copies not yet destroyed — see Shadow Copies Windows recovery.
- EaseUS Data Recovery Wizard to scan unencrypted fragments (Office temp files, Adobe autosaves, EXIF thumbnails). Method detailed in Recover files after ransomware.
- Synology / QNAP NAS hit: specific procedures in Ransomware on Synology and QNAP NAS.
Case C — Mandatory complaint and notification
Whatever the result:
- File a complaint with law enforcement. In the US: IC3.gov. UK: Action Fraud. France: cybermalveillance.gouv.fr. Spain: INCIBE.
- GDPR notification within 72 hours if you process personal data of third parties (customers, employees, contacts). Article 33 obligation in the EU/EEA. Equivalent obligations exist in California (CCPA), Brazil (LGPD), UK (UK-GDPR).
- Cyber insurance declaration if covered — a police complaint is typically required to trigger reimbursement.
False positives and common pitfalls
Variants based on leaked source code
Source code for Conti, LockBit Black, Babuk and HelloKitty leaked between 2021 and 2024. Amateur variants reuse these codebases with their own keys. ID Ransomware may classify them as the parent family, but the parent family decryptor will not work on those variants (independent keys). Always test on a copy before deployment.
Extension collisions
Multiple families use the same generic extensions:
- .locked: used by at least 12 different families (TeslaCrypt, Locked-In, Cerber, etc.).
- .encrypted: 8 known families.
- .crypt: 6 families.
Without the ransom note, extension-only identification is unreliable. Always upload both.
Fake decryptors
Underground forums and some black-hat SEO sites push booby-trapped decryptors (themselves ransomware or credential stealers). Only download from:
- The official link on ID Ransomware.
- No More Ransom.
- Antivirus vendor sites (Emsisoft, Kaspersky, Avast, Bitdefender, Trend Micro).
Service security — points of attention
ID Ransomware does not expose the contents of your files: an encrypted file without the key is cryptographically unusable, even for MalwareHunterTeam. The ransom note, however, deserves care:
- Unique victim identifiers (UID, TID, transaction ID, personal Bitcoin address, unique Tor link). Mask them before upload.
- Structured business data sometimes injected by attackers (organization name, specific amounts). Preserve confidentiality before public submission.
- Retention policy: ID Ransomware retains submissions to enrich the research database but does not publish content. For sensitive cases (government, healthcare, critical infrastructure), go through a national CSIRT rather than the public tool.
In summary
Identifying the strain is the first useful action after isolating the machine. The procedure takes 10 to 15 minutes, costs nothing, and conditions everything that follows: available decryptor, threat model, legal obligations, recovery tool choice.
Start with id-ransomware.malwarehunterteam.com, cross-reference with No More Ransom and BleepingComputer, then decide. And if you are mid-attack without a plan, follow the full methodology in Recover files after ransomware — or start a diagnostic to estimate recovery odds.
Resources
- ID Ransomware — MalwareHunterTeam
- No More Ransom — Free decryption tools
- BleepingComputer — Ransomware Help & Tech Support
- Emsisoft — Ransomware Decryption Tools
- CISA — StopRansomware
- IC3 — Report cybercrime