Unlock92 ransomware - How to remove

The 30th of June became the marked date when the Unlock92 ransomware emerged from a virus production machine. It mostly targets Russian-speaking countries. A lot of questions regarding this infection appeared inRussian and that just proves the fact that crooks behind Unlock92 managed to successfully target the virus attack.

Why is the name of this ransomware so straightforward? Probably because the contract provided in the letter of demands, suggest to contact unlock92@india(.)com email address. Actually, the constructed message resembled the one, provided by Kozy.Jozy virus. Unfortunately, Shadow Volume Copies are said to be potentially threaten by Unlock92 ransomware. Also, this virus design a 64-symbol hexademical passwords for every infected individual.

Update of 22nd of May, 2018: Unlock92 2.0 is out

It seems like a new version of Unlcok92 is out and it is dubbed Unlock 92 2.0. Some changes of major importance come along this update – new version of the virus employs .CDRPT extension and it is no longer possible to decrypt those files.

If you have been infected with the first version of the virus you are lucky – it’s not that complicated to decrypt those files and remove the virus itself. Unfortunately, Unlock92 2.0 is much more threatful and as for now, there is absolutely no way to get your files back. As specified by cyber security researcher Michael (which was first to discover Unlock92 and 2.0 version) the second version can use “.blocked” as alternative extension and the ransom note now is named “!!!!!!!!Как восстановить файлы!!!!!!!” even though the text itself remains the same.

Operation Methods of Unlock92 ransomware

Unlock92 virus has been regarded to be a little different from other ransomware viruses. It chose to proceed with the AES algorithm for encryption of the files, but also employs the powerful RSA-2048 encryption code, which can be found in the file called Key.bin. This file is created in every folder. Furthermore, Unlock92 ransomware creates a file called qqq.jpg that stands as the ransom note for victims. It looks like this in Russian:

ВАШИ ФАЙЛЫ БЫЛИ ЗАШИФРОВАНЫ!
Если вы хотите их восстановить то отправьте один из пострадавших файлов и файл Key.bin (из любой папки с зашифрованными файлами) на e-mail: [email protected] Если вы не получили ответа в течение суток то скачайте с сайта https://www.torproject.org/download/download-easy.html.en TOR браузер и зайдите с его помощью на сайт http://fnjmegsn7tbrrnkl.onion – там будет указан действующий почтовый ящик.
Iопытки самостоятельно расшифровать файлы приведут к их безвозвратной порче!

Translation of this message:

‘Your files have been encrypted!
If you want to restore them, send one of the affected files and Key.bin file (from any folder with encrypted files) to e-mai1: [email protected] If you have not received a response within a day then download from the site [homepage for the TOR Browser] TOR browser and use it to open the website [site on the TOR network] – there will be indicated the current mailbox.
Attempts to decrypt the files independently will lead to irreparable damages!’

But before Unlock92 virus can start claiming and demanding, it has to encrypt files. It proceeds with the detailed scan of your computer system and tries to determine which files should be corrupted. Then, virus starts to encrypt the selected data with the AES algorithm. Text files might be the first to go as it has been reported that Unlock92 targets them firstly. However, the ransomware can encode various types of files: CD, .LDF, .MDF, .MAX, .DBF, .EPF, .1CD, .MD, .DB, .PDF, .PPT, .XLS, .DOC, .ARJ, .TAR, .7Z, .RAR, .ZIP, .TIF, .JPG, .AI, .BMP, .PNG, .CDR, .PSD, .JPEG, .DOCX, .XLSX, .PPTX, .ACCDB, .MDB, .RTF, .ODT, .ODS, .ODB, .ODG. The unavailable pieces of data will have an extension, appended to them: .CRRRT.

How to Decrypt Files Encrypted by Unlock92 Ransomware

Hackers will ask to contact them via the provided email address. They will demand people to send one encrypted file, together with the Key.bin. All in order to give you an unique decryption key. The amount of ransom is not identified but our guess is that the sum of money differs for individual victims. We do not recommend to pay the ransom: you might not even get your files back and spend money completely without any purpose. Usually, ransomware infections like Unlock92 virus demands 1 BITCOIN (about 670 dollars). Our advice would be to store personal data in backup storages for the future. Now you can use the free Unlock92Decrypter application by Michael Gillespie that helps victims to revive their files.

Here’s a video explanation about how it should be done, so if you have little to none experience with computers, you will be still able to pull this trick off:

How Unlock92 Ransomware is Spread

Unlock92 virus might have been distributed via infected spam emails. These letters usually contain attachments that might implant malicious codes into your computer system. Avoid opening and downloading the content that is distributed through your email accounts as they are not enough secured. Also, social media sites might also have something to do with the distribution of Unlock92 ransomware. Do not open random entries that you might have been tagged at. Develop a more immune browsing habits as infections are lurking on every corner. To make your life a little easier, security researchers have created such anti-malware tools: Spyhunter and Hitman. They will efficiently take care of your intruder.

Update of the 13th of March, 2017. Unlock92 ransomware has emerged with a slightly different sample: now, instead of the old ransom note, it features a file called READ_ME_!.txt.

 

Automatic Malware removal tools