Remove BuyUnlockCode Ransomware and Restore .Encoded Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove BuyUnlockCode Ransomware and Restore .Encoded Files


A ransomware variant called BuyUnlockCode has been reported to affect an increasing number of users and has been identified infecting PCs on a global scale. The ransomware uses a strong RSA-1024 cipher to encrypt the files and an AES cipher to encrypt the decryption keys. As a result, the encrypted files cannot be opened unless the affected users pay the ransom. Payment instructions are left behind as a wallpaper and a text file, as is usual with most ransomware viruses. Infected users are strongly advised not to pay any ransom to cyber-criminals, because payment is no guarantee that they will get their files back. Instead, it is advisable to remove the ransomware and try other methods to restore the files, such as the ones provided in this article.

Threat Summary

Name: BuyUnlockCode
Type: Ransomware
Short Description: The ransomware encrypts files with the RSA-1024 cipher and the decryption key with the AES algorithm, then asks for a ransom payment to decrypt the files.
Symptoms: Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom appears as a BUYUNLOCKCODE.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

BuyUnlockCode Ransomware – How Is It Spread

To infect users, the malicious files of BuyUnlockCode may be distributed via:

  • Obfuscated files.
  • Malicious JavaScript.
  • Exploit Kits.
  • Drive-by Downloads.
  • Fake Java updates.

Users have reported encountering spam e-mails such as this one:

[Image: example spam e-mail]

It is strongly recommended to avoid such e-mails, or at least to check their content for malware. One way to do this and help prevent further attacks is to use the VirusTotal service.

BuyUnlockCode Ransomware – Description

Once executed on the infected computer, BuyUnlockCode ransomware has been identified by cyber-threat researchers to create the following malicious files in the following Windows folder:

In %AppData%\SunDevPackUpdate\:
BUYUNLOCKCODE.txt
pbinfoset.sww
SunDevPackUpdate\wallpp.bmp

After creating the malicious files, BuyUnlockCode ransomware creates values in the Windows Registry which run the encryption process on Windows startup and replace the wallpaper with its own:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\bcdel cmd.exe /c del “%AppData%\SunDevPackUpdate\.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\oldex cmd.exe /c del “path-to-installer\installer.exe”
HKCU\Control Panel\Desktop\Wallpaper “%AppData%\SunDevPackUpdate\wallpp.bmp”

Source: Bleeping Computer

After doing so, the ransomware begins to encrypt user files. It looks for files that have the following extensions:

→ .crt, .xls, .docx, .doc, .cer, .key, .pem, .pgp, .der, .rtf, .xlsm, .xlsx, .xlsb, .txt, .xlc, .docm, .ptb, .qbb, .qbw, .qba, .qbm, .xlk, .dbf, .mdb, .mdf, .mde, .accdb, .text, .jpg, .jpeg, .ppt, .pdf, .cdx, .cdr, .bpg, .vbp, .php, .css, .dbx, .dbt, .arw, .dwg, .dxf, .dxg, .eps, .indd, .odb, .odm, .nrw, .ods, .odp, .odt, .orf, .pdd, .pfx, .kdc, .nef, .mef, .mrw, .crw, .dng, .raf, .psd, .rwl, .srf, .srw, .wpd, .odc, .sql, .pab, .vsd, .xsf, .pps, .wps, .pptm, .pptx, .pst, .zip, .tar, .rar

Source: Bleeping Computer

The encrypted files have the .encoded extension added to them, for example:

→ New Text Document.txt.encoded.{Alpha-numerical ID Here}

After encryption the wallpaper of the infected user PC is changed to the following:

[Image: wallpaper set by BuyUnlockCode]

It also automatically opens the “BUYUNLOCKCODE.txt” file to notify the user with the following message:

→ “Hi, your ID = {Random Alpha-numerical ID}
All important files were encoded with RSA-1024 encryption algorithm.
There is the only way to restore them – purchase the unique unlock code.
Warning! Any attempt to recovering files without our “Special program” will cause data damage or complete data loss.
As we receive your payment, we will send special program and your unique code to unlock your system.
Guarantee: You can send one of the encrypted file by email and we decode it for free as proof of our abilities.
No sense to contact the police. Your payment must be made to the e-wallet. It’s impossible to trace.
Don`t waste your and our time.
So, if you are ready to pay for recovering your files, please reply this email [email protected]
Then we will send payment instructions.”

Source: Affected Users

Remove BuyUnlockCode Ransomware and Restore the Encrypted Files

To remove BuyUnlockCode from your computer, follow the removal instructions below. Since infections with this malware can differ and make different changes to your PC, experts advise using advanced anti-malware software for maximum effectiveness.

Unfortunately, it is impossible to decrypt your files directly, because no decrypter has been released yet. However, you may want to try the alternative methods for getting your files back that are listed in the instructions below. They may not be 100% effective, but they may work for at least a portion of your data.


To remove BuyUnlockCode follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove BuyUnlockCode files and objects
2. Find files created by BuyUnlockCode on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by BuyUnlockCode
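
For step 2, the file indicators from the description above can be checked with a short script. The Python below is an added example, not part of the original article or of any vendor tool: it walks a directory tree (a user profile or a mounted disk image; the start path is an assumption) and reports the SunDevPackUpdate artefacts and the files renamed to the .encoded.{ID} pattern. The registry values are not covered.

```python
import os
import re
from collections import defaultdict

# Indicators below are copied from the article; nothing else is assumed known.
DROP_DIR = "sundevpackupdate"
DROPPED = {"buyunlockcode.txt", "pbinfoset.sww", "wallpp.bmp"}
TARGET_EXTS = set("""crt xls docx doc cer key pem pgp der rtf xlsm xlsx xlsb
txt xlc docm ptb qbb qbw qba qbm xlk dbf mdb mdf mde accdb text jpg jpeg ppt
pdf cdx cdr bpg vbp php css dbx dbt arw dwg dxf dxg eps indd odb odm nrw ods
odp odt orf pdd pfx kdc nef mef mrw crw dng raf psd rwl srf srw wpd odc sql
pab vsd xsf pps wps pptm pptx pst zip tar rar""".split())
# <name>.<ext>.encoded.<ID>; the article only calls the ID "alpha-numerical",
# so accepting any [A-Za-z0-9]+ run is an assumption.
ENCODED_RE = re.compile(
    r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]+))\.encoded\.(?P<id>[A-Za-z0-9]+)$",
    re.IGNORECASE)


def triage(root):
    """Return dropped artefacts and encrypted files (grouped by ID) under root."""
    artefacts, encrypted = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        in_drop_dir = os.path.basename(dirpath).lower() == DROP_DIR
        for name in files:
            if in_drop_dir and name.lower() in DROPPED:
                artefacts.append(os.path.join(dirpath, name))
            m = ENCODED_RE.match(name)
            # Require a targeted original extension so that benign names
            # such as "report.encoded.txt" are not counted as victims.
            if m and m.group("ext").lower() in TARGET_EXTS:
                encrypted[m.group("id")].append(
                    os.path.join(dirpath, m.group("orig")))
    return {"artefacts": sorted(artefacts), "encrypted": dict(encrypted)}


def summarize(report):
    """One-line verdict suitable for a ticket or log entry."""
    n_files = sum(len(v) for v in report["encrypted"].values())
    hit = bool(report["artefacts"] or n_files)
    return "%s: %d artefact(s), %d encrypted file(s), %d ID(s)" % (
        "INDICATORS FOUND" if hit else "no indicators",
        len(report["artefacts"]), n_files, len(report["encrypted"]))


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    result = triage(start)
    print(summarize(result))
    for path in result["artefacts"]:
        print("artefact:", path)
```

The paths returned under "encrypted" are the original file names, which makes it easier to match them against backups or shadow copies when attempting step 4.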

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
