Remove BuyUnlockCode Ransomware and Restore .Encoded Files

A ransomware variant called BuyUnlockCode has been reported to affect an increasing number of users and has been identified infecting PCs on a global scale. The ransomware uses a strong RSA-1024 cipher to encrypt the files and an AES cipher to encrypt the decryption keys. As a result, the encrypted files cannot be opened unless the affected users pay the ransom money. Payment instructions are left behind as a wallpaper and a text file, as is usual with most ransomware viruses. Infected users are strongly advised not to pay any ransom to cyber-criminals, because there is no guarantee they will get the files back. Instead, it is advisable to remove the ransomware and try other methods to restore the files, such as the ones provided in this article.

Threat Summary

Short Description: The ransomware encrypts files with the RSA-1024 cipher and the decryption key with the AES algorithm, and asks for a ransom payment to decrypt the files.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom appears as a BUYUNLOCKCODE.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

BuyUnlockCode Ransomware – How Is It Spread

To infect users, the malicious files of BuyUnlockCode may be distributed via:

  • Obfuscated files.
  • Malicious JavaScript.
  • Exploit Kits.
  • Drive-by Downloads.
  • Via fake Java Updates.

Users have reported encountering spam e-mails such as this one:


It is strongly recommended to avoid such e-mails or to at least check their content for malware. One way to do this, and to prevent further attacks, is to use the VirusTotal service.

BuyUnlockCode Ransomware – Description

Once executed on the victim's computer, BuyUnlockCode ransomware has been identified by cyber-threat researchers to create the following malicious files in the following Windows folders:

In %AppData%\SunDevPackUpdate\:

After creating the malicious files, BuyUnlockCode ransomware creates values in the Windows Registry which run the encryption process on Windows startup and replace the wallpaper with its own:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\bcdel cmd.exe /c del "%AppData%\SunDevPackUpdate\.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\oldex cmd.exe /c del "path-to-installer\installer.exe"
HKCU\Control Panel\Desktop\Wallpaper "%AppData%\SunDevPackUpdate\wallpp.bmp"
Source: Bleeping Computer

After doing so, the ransomware begins to encrypt user files. It looks for files that have the following extensions:

→ .crt, .xls, .docx, .doc, .cer, .key, .pem, .pgp, .der, .rtf, .xlsm, .xlsx, .xlsb, .txt, .xlc, .docm, .ptb, .qbb, .qbw, .qba, .qbm, .xlk, .dbf, .mdb, .mdf, .mde, .accdb, .text, .jpg, .jpeg, .ppt, .pdf, .cdx, .cdr, .bpg, .vbp, .php, .css, .dbx, .dbt, .arw, .dwg, .dxf, .dxg, .eps, .indd, .odb, .odm, .nrw, .ods, .odp, .odt, .orf, .pdd, .pfx, .kdc, .nef, .mef, .mrw, .crw, .dng, .raf, .psd, .rwl, .srf, .srw, .wpd, .odc, .sql, .pab, .vsd, .xsf, .pps, .wps, .pptm, .pptx, .pst, .zip, .tar, .rar
Source: Bleeping Computer

The encrypted files have the .encoded extension added to them, for example:

→ New Text Document.txt.encoded.{Alpha-numerical ID Here}

After encryption the wallpaper of the infected user PC is changed to the following:


It also automatically opens the “BUYUNLOCKCODE.txt” file to notify the user with the following message:

→ “Hi, your ID = {Random Alpha-numerical ID}
All important files were encoded with RSA-1024 encryption algorithm.
There is the only way to restore them – purchase the unique unlock code.
Warning! Any attempt to recovering files without our “Special program” will cause data damage or complete data loss.
As we receive your payment, we will send special program and your unique code to unlock your system.
Guarantee: You can send one of the encrypted file by email and we decode it for free as proof of our abilities.
No sense to contact the police. Your payment must be made to the e-wallet. It’s impossible to trace.
Don`t waste your and our time.
So, if you are ready to pay for recovering your files, please reply this email
Then we will send payment instructions.”
Source: Affected Users
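
To scope the damage before restoring from backups, the file-level indicators described above (the .encoded.{ID} suffix and the BUYUNLOCKCODE.txt note with its "your ID =" line) can be inventoried read-only on a live drive, a mounted image or a backup. The Python script below is an added example, not part of the original article or of any vendor tool; its function names are hypothetical and it assumes the ID is purely alphanumeric, as the article describes.

```python
import os
import re
import sys
from collections import Counter, defaultdict

# Indicators taken from the article: "<name>.encoded.<alphanumeric ID>" and the note file.
ENCODED_RE = re.compile(r"^(?P<orig>.+)\.encoded\.(?P<vid>[A-Za-z0-9]+)$")
NOTE_NAME = "buyunlockcode.txt"
NOTE_ID_RE = re.compile(r"your ID\s*=\s*([A-Za-z0-9]+)")


def scan(root):
    """Read-only walk of root; returns encrypted-file counts per ID and note locations."""
    by_id = defaultdict(Counter)  # ID from file name -> Counter of original extensions
    notes = {}                    # note path -> ID quoted in the note, or None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                try:
                    with open(path, "r", errors="replace") as fh:
                        m = NOTE_ID_RE.search(fh.read(4096))
                except OSError:
                    m = None  # unreadable note: still record where it is
                notes[path] = m.group(1) if m else None
                continue
            m = ENCODED_RE.match(name)
            if m:
                ext = os.path.splitext(m.group("orig"))[1].lower() or "(none)"
                by_id[m.group("vid")][ext] += 1
    return {"encoded": {k: dict(v) for k, v in by_id.items()}, "notes": notes}


def ids_without_note(report):
    """File-name IDs that no note quotes. Assumption: the article does not say
    the two IDs are the same value, so treat a mismatch as a hint only."""
    note_ids = {i for i in report["notes"].values() if i}
    return sorted(set(report["encoded"]) - note_ids)


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for vid, exts in report["encoded"].items():
        print(vid, sum(exts.values()), "files", exts)
    for path, vid in report["notes"].items():
        print("note:", path, "ID:", vid)
    print("IDs with no matching note:", ids_without_note(report))
```

The per-extension counts show which of the targeted file types were actually hit, which helps decide what to pull from backups first.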

Remove BuyUnlockCode Ransomware and Restore the Encrypted Files

To remove BuyUnlockCode from your computer, you should follow the removal instructions below. Since infections with this malware can differ and make different changes to your PC, experts advise using advanced anti-malware software for maximum effectiveness.

Unfortunately, directly decrypting your files is impossible, because no decrypter has been released yet. However, you may want to try the alternative methods for getting your files back that are listed in the instructions below. They may not be 100% effective, but they may work for at least a portion of your data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
