Remove CuteRansomware (YuAlock)

Remove cuteRansomware (YuAlock)

D_E_C_R_Y_P_T.txt ransom note file of cuteRansomware YuAlock sensorstechforum

This article explains the issues that occur in case of infection with cuteRansomware also known as YuAlock. Below you will also find a complete guide on how to remove all malicious files from the infected system and how to potentially recover files encrypted by this ransomware.

The cuteRansomware that is also called YuAlock is a crypto virus that invades computer systems. An infection with this ransomware leads to the corruption files that store valuable data. In order that the threat could reach data encryption stage, it performs different malicious commands that cause heavy system modifications. At the end of the attack cuteRansomware displays a ransom message that attempts to trick you into contacting hackers.

Threat Summary

NameCuteRansomware (YuAlock)
TypeRansomware, Cryptovirus
Short DescriptionRansomware that utilizes strong cihper algorithm to modify the code of target files and make them unusable. Then it demands a ransom for their decryption.
SymptomsImportant files could not be opened. Their names display an uncommon extension at the end. A ransom message claims tha you could restore files only if you contact hackers.
Distribution MethodSpam Emails, Email Attachments, Corrupted Web Pages
Detection Tool See If Your System Has Been Affected by CuteRansomware (YuAlock)


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CuteRansomware (YuAlock).
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

cuteRansomware (YuAlock) – Distribution

At this point, there is no primary distribution method known to be used for the spread of cuteRansomware. So the guesses are that this ransomware also dubbed YuAlock could be distributed via common techniques such as malvertising, malspam, and freeware installers.

Malspam (spam email campaigns that deliver malware) is likely to be the main distribution vector utilized for the delivery of cuteRansomware’s payload. Most of these emails contain file attachments that according to their text messages need to be opened as soon as possible due to the importance of their data.

However, these files contain embedded malicious code that triggers the ransomware payload when you open them on your device. Another infection element that may appear in malspam emails is a clickable URL address. It may take the form of a button, in-text link, image, coupon voucher, etc. Such a link could be set to land on a corrupted web page that is configured to activate malicious scripts. The purpose of these scripts is to run the infection code on your system without your knowledge. That’s why it is of paramount importance to have a reliable anti-malware tool running on your system. Once activated such a tool is ready to detect all intrusive malware that attempts to infect the system. This could save you a lot of troubles, couldn’t it?

cuteRansomware (YuAlock) – Overview

When first started on the device cuteRansomware ties to access specific system directories in order to hijack legitimate processes and manipulate their functionalities. On one hand, this enables it to evade detection and fulfill the attack. On the other hand, manipulation of system resources could provide for the persistent presence of malicious files on the device.

As a result of malicious modifications applied under specific registry keys, this ransomware could become able to execute its infection files on each system start. This issue indicates that the registry sub-keys Run and RunOnce contain malicious values associated with ransomware files.

Once cuteRansomware/YuAlock completes all needed system changes it continues with data encryption stage (find more about it in the next paragraph). Soon after the virus is ready with the corruption of target files it drops the file D_E_C_R_Y_P_T.txt. As reported by security researchers this file contains a ransom message by hackers. All it reads is:

Your computer file has been encrypted with YuAlock.The other Ransomware requires a bit coin, but the Ransomware only needs to send a mail to recover the file …He’s not looking at the monitor seriously. Please smile a little Ha ha ha!

D_E_C_R_Y_P_T.txt ransom note file of cuteRansomware YuAlock sensorstechforum

In addition, as reported by EnigmaSoft, the cuteRansomware could also load the following window on your infected PC:

ransom image displayed by cuteransomware yualock virus

The message on it reveals that hackers expect you to pay 0.05 BTC within a specified period of time if you want them to send you the decrypter. It’s interesting to be mentioned that another devastating threat called

Bad Rabbit was detected to use the same window to scare its victims. However, there is no evidence of the same authors to be behind YuAlock ransomware attacks.

Another noticed coincidence is that back in July 2016 our team reported one more ransomware called

CuteRansomware. But since its samples indicate that it has completely different behavior, we believe that this new cuteRansomware/YuAlock belongs to another threat family.

cuteRansomware (YuAlock) – Encryption Process

When cuteRansomware is ready with all initial system modifications it activates its built-in encryption module to locate target files and encode them. At this point, there is no information about the exact cipher algorithm used by this crypto virus. However, once it changes the original code of target files they become inaccessible for an unspecified period of time.

One way for decrypting files is by paying hackers the demanded ransom. Our advice is to avoid doing this as you have no guarantee that their decryptor is working one. Only a single bug in their ransomware code could result in the generation of a completely inefficient decryption key.

Another way to restore encrypted files is with the help of alternative data recovery solutions such as Shadow Copy technology that is part of your Windows OS or specialized tools names of which are listed in step “Restore Files” form the guide below.

Eventually, when security experts conduct further analysis of the samples of this ransomware they may find out how to crack its code and release free decryption tool to help all infected users. We will update this article the moment this happens.

As of the types of data corrupted by YuAlock ransomware they may be all your:

  • Archives
  • Backups
  • Images
  • Videos
  • Music
  • Documents

Following encryption, they will appear as broken files with specific extension appended to its names.

Remove cuteRansomware/YuAlock and Restore Encrypted Files

The so-called cuteRansomware/YuAlock is a threat with highly complex code that plagues not only your files but your whole system. So infected system should be cleaned and secured properly before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove cuteRansomware/YuAlock. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. Additional security layer that could prevent the occurrence of ransomware attacks is

anti-ransomware tool.

Make sure to read carefully all the details mentioned in the step “Restore files” if you want to understand how to fix encrypted files without paying the ransom. Beware that before data recovery process you should back up all encrypted files to an external drive as this will prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share