diff --git a/modules/signatures/windows/ransomware_fileextensions.py b/modules/signatures/windows/ransomware_fileextensions.py
index 931b2259..49232466 100644
--- a/modules/signatures/windows/ransomware_fileextensions.py
+++ b/modules/signatures/windows/ransomware_fileextensions.py
@@ -1,9 +1,9 @@
 from lib.cuckoo.common.abstracts import Signature
 
 
-class RansomwareExtensions(Signature):
-    name = "ransomware_extensions"
-    description = "Appends known ransomware file extensions to files that have been encrypted"
+class RansomwareExtensionsKnown(Signature):
+    name = "ransomware_extensions_known"
+    description = "Appends known ransomware file extension to files that have been encrypted"
     severity = 3
     families = []
     categories = ["ransomware"]
@@ -22,7 +22,6 @@ def run(self):
             (".*\.cerber$", ["Cerber"]),
             (".*\.cerber2$", ["Cerber"]),
             (".*\.cerber3$", ["Cerber"]),
-            (".*\.encrypt$", ["multi-family"]),
             (".*\.R5A$", ["7ev3n"]),
             (".*\.R4A$", ["7ev3n"]),
             (".*\.herbst$", ["Herbst"]),
@@ -55,8 +54,6 @@ def run(self):
             (".*\.aesir$", ["Locky"]),
             (".*\.zzzzz$", ["Locky"]),
             (".*\.osiris$", ["Locky"]),
-            (".*\.locked$", ["multi-family"]),
-            (".*\.encrypted$", ["multi-family"]),
             (".*dxxd$", ["DXXD"]),
             (".*\.~HL[A-Z0-9]{5}$", ["HadesLocker"]),
             (".*\.exotic$", ["Exotic"]),
@@ -150,3 +147,34 @@ def run(self):
                 return True
 
         return False
+
+
+
+class RansomwareExtensionsGeneric(Signature):
+    name = "ransomware_extensions_generic"
+    description = "Appends generic ransomware file extension to files that have been encrypted"
+    severity = 3
+    categories = ["ransomware"]
+    authors = ["Kevin Ross", "bartblaze"]
+    minimum = "1.2"
+    ttps = ["T1486"]  # MITRE v6,7,8
+    mbcs = ["OB0008", "E1486"]
+    mbcs += ["OC0001", "C0015"]  # micro-behaviour
+
+    def run(self):
+        indicators = {
+            r".*\.encrypt$": "encrypt",
+            r".*\.locked$": "locked",
+            r".*\.encrypted$": "encrypted",
+        }
+
+        for pattern, extension in indicators.items():
+            results = self.check_write_file(pattern=pattern, regex=True, all=True)
+            if results and len(results) > 15:
+                self.description = (
+                    "Appends a generic '%s' ransomware file extension to files that have been encrypted"
+                    % extension
+                )
+                return True
+
+        return False
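Review bot: The `> 15` threshold in `RansomwareExtensionsGeneric.run` is an undocumented magic number, and because `.locked`/`.encrypted`/`.encrypt` are suffixes benign software can also produce, a reader cannot tell whether it was tuned against false positives or picked arbitrarily; name it and state the intent, e.g. a class attribute `MIN_FILE_COUNT = 15  # generic suffixes also appear on benign files; only fire above a volume ordinary software is unlikely to write` and `if len(results or []) > self.MIN_FILE_COUNT:`. The `results and` guard is redundant once `len(results or [])` is used, since with `all=True` an empty list is the no-match case. Note the threshold is applied per pattern, so a sample that writes, say, ten `.locked` and ten `.encrypted` files never triggers — presumably acceptable, but worth a one-line comment so the next maintainer does not "fix" it. Whether `check_write_file(..., all=True)` returns one entry per written path or one per write event determines how much repeated writes to the same file inflate the count; that lives in the `Signature` base class outside this diff and should be confirmed before relying on the number.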