Once infiltrated, Extractor encrypts various files and appends the names of each compromised file with the ".xxx" extension. For example, "sample.jpg" is renamed to "sample.jpg.xxx". Extractor then creates a text file ("ReadMe_XXX.txt"), placing it in each folder containing the encrypted files.
The text file contains a short message stating that files are encrypted and that the victim must contact Extractor's developers to restore them. It is currently unknown whether Extractor uses symmetric or asymmetric cryptography, however, in any case, decryption without a unique key is impossible. This key is stored on a remote server controlled by cyber criminals (Extractor's developers) and victims are encouraged to pay a ransom to receive it.
Message presented within Extractor text file:
Hello, I crypted all your important data I stored the crypted data in your hard disk. If you want to become your data back, send me an email containing your computer Number. Your computer Number - e-mail: email@example.com