Remove BuyUnlockCode Ransomware and Restore .Encoded Files

A ransomware variant called BuyUnlockCode has been reported to affect an increasing number of users and has been identified infecting PCs on a global scale. The ransomware uses a strong RSA-1024 cipher to encrypt the files and an AES cipher to encrypt the decryption keys. This leaves the encrypted files impossible to open unless the affected users pay the ransom. Payment instructions are left behind as a wallpaper and a text file, as with most ransomware viruses. Infected users are strongly advised not to pay any ransom to cyber-criminals, because payment is no guarantee they will get the files back. Instead, it is advisable to remove the ransomware and try other methods to restore the files, such as the ones provided in this article.

Threat Summary

Name: BuyUnlockCode
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA-1024 cipher and the decryption key with the AES algorithm, then demands a ransom payment for decryption of the files.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom appears as a BUYUNLOCKCODE.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

BuyUnlockCode Ransomware – How Is It Spread

To infect users, the malicious files of BuyUnlockCode may be distributed via:

  • Obfuscated files.
  • Malicious JavaScript.
  • Exploit Kits.
  • Drive-by Downloads.
  • Fake Java updates.

Users have reported encountering spam e-mails such as this one:

[Image: example spam e-mail]

It is strongly recommended to avoid such e-mails, or at least to check their content for malware before opening it. One way to do this and prevent further attacks is to submit the content to the VirusTotal service.

BuyUnlockCode Ransomware – Description

Once executed on the compromised computer, BuyUnlockCode ransomware has been identified by cyber-threat researchers to create the following malicious files in the following Windows folders:

In %AppData%\SunDevPackUpdate\:
BUYUNLOCKCODE.txt
pbinfoset.sww
SunDevPackUpdate\wallpp.bmp

After creating the malicious files, BuyUnlockCode ransomware creates values in the Windows Registry which run the encryption process on Windows startup and replace the wallpaper with its own:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\bcdel cmd.exe /c del "%AppData%\SunDevPackUpdate\.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\oldex cmd.exe /c del "path-to-installer\installer.exe"
HKCU\Control Panel\Desktop\Wallpaper "%AppData%\SunDevPackUpdate\wallpp.bmp"
Source: Bleeping Computer

After doing so, the ransomware begins to encrypt user files. It looks for files that have the following extensions:

→ .crt, .xls, .docx, .doc, .cer, .key, .pem, .pgp, .der, .rtf, .xlsm, .xlsx, .xlsb, .txt, .xlc, .docm, .ptb, .qbb, .qbw, .qba, .qbm, .xlk, .dbf, .mdb, .mdf, .mde, .accdb, .text, .jpg, .jpeg, .ppt, .pdf, .cdx, .cdr, .bpg, .vbp, .php, .css, .dbx, .dbt, .arw, .dwg, .dxf, .dxg, .eps, .indd, .odb, .odm, .nrw, .ods, .odp, .odt, .orf, .pdd, .pfx, .kdc, .nef, .mef, .mrw, .crw, .dng, .raf, .psd, .rwl, .srf, .srw, .wpd, .odc, .sql, .pab, .vsd, .xsf, .pps, .wps, .pptm, .pptx, .pst, .zip, .tar, .rar
Source: Bleeping Computer

The encrypted files have the .encoded extension added to them, for example:

→ New Text Document.txt.encoded.{Alpha-numerical ID Here}
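
The indicators listed above can be checked against a collected file listing and the text output of `reg query` on the RunOnce key. The following triage sketch is an added example, not part of the original article or of any vendor tool; the function names, the sample paths and the assumption that the ID is alphanumeric (with or without braces) are illustrative.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators from the article; ID assumed alphanumeric, braces optional.
DROP_DIR = "sundevpackupdate"
DROP_FILES = {"buyunlockcode.txt", "pbinfoset.sww", "wallpp.bmp"}
RUNONCE_VALUES = {"bcdel", "oldex"}
ENCODED_RE = re.compile(r"^(?P<orig>.+)\.encoded\.\{?(?P<vid>[A-Za-z0-9]+)\}?$", re.I)
# Constructed sample input (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\SunDevPackUpdate\BUYUNLOCKCODE.txt",
    r"C:\Users\alice\Documents\New Text Document.txt.encoded.A1B2C3",
    r"C:\Users\alice\Documents\budget.xlsx.encoded.A1B2C3",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_REG = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    oldex    REG_SZ    cmd.exe /c del "C:\placeholder\installer.exe"
    OneDriveSetup    REG_SZ    C:\placeholder\setup.exe
"""

def triage_paths(paths):
    """Split a file listing into dropped artifacts and encrypted files."""
    artifacts, encrypted = [], []
    for raw in paths:
        p = PureWindowsPath(raw)
        in_drop_dir = DROP_DIR in (part.lower() for part in p.parts[:-1])
        m = ENCODED_RE.match(p.name)
        if in_drop_dir and p.name.lower() in DROP_FILES:
            artifacts.append(raw)
        elif m:
            encrypted.append((raw, m["orig"], m["vid"]))
    return artifacts, encrypted

def triage_runonce(reg_query_output):
    """Return (name, data) for RunOnce values named in the article."""
    hits = []
    for line in reg_query_output.splitlines():
        fields = line.split(None, 2)  # value name, type, data
        if len(fields) == 3 and fields[0].lower() in RUNONCE_VALUES:
            hits.append((fields[0], fields[2]))
    return hits

def restore_scope(encrypted):
    """Count encrypted files per original extension and collect the IDs seen."""
    exts = Counter(PureWindowsPath(o).suffix.lower() for _, o, _ in encrypted)
    return exts, {vid for _, _, vid in encrypted}

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS), triage_runonce(SAMPLE_REG), sep="\n")
```

The per-extension counts from `restore_scope` show which file types need to come back from backup, and the recovered original names can be compared against the backup catalogue.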

After encryption the wallpaper of the infected user PC is changed to the following:

[Image: BuyUnlockCode ransomware wallpaper]

It also automatically opens the “BUYUNLOCKCODE.txt” file to notify the user with the following message:

→ “Hi, your ID = {Random Alpha-numerical ID}
All important files were encoded with RSA-1024 encryption algorithm.
There is the only way to restore them – purchase the unique unlock code.
Warning! Any attempt to recovering files without our “Special program” will cause data damage or complete data loss.
As we receive your payment, we will send special program and your unique code to unlock your system.
Guarantee: You can send one of the encrypted file by email and we decode it for free as proof of our abilities.
No sense to contact the police. Your payment must be made to the e-wallet. It’s impossible to trace.
Don`t waste your and our time.
So, if you are ready to pay for recovering your files, please reply this email ChiuKhan@tom.com
Then we will send payment instructions.”
Source: Affected Users

Remove BuyUnlockCode Ransomware and Restore the Encrypted Files

To remove BuyUnlockCode from your computer, follow the removal instructions below. Since infections with this malware can differ and make different changes to your PC, experts advise using advanced anti-malware software for maximum effectiveness.

Unfortunately, directly decrypting your files is impossible, because no decrypter has been released yet. However, you may want to try the alternative methods for getting your files back listed in the instructions below. They may not be 100% effective, but they may work for at least a portion of your data.

Manually delete BuyUnlockCode from your computer

Note! Important notice about the BuyUnlockCode threat: Manual removal of BuyUnlockCode requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove BuyUnlockCode files and objects
2. Find malicious files created by BuyUnlockCode on your PC
3. Fix registry entries created by BuyUnlockCode on your PC

Automatically remove BuyUnlockCode by downloading an advanced anti-malware program

1. Remove BuyUnlockCode with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by BuyUnlockCode in the future
3. Restore files encrypted by BuyUnlockCode
Optional: Using Alternative Anti-Malware Tools