

Remove Ransomcuck Ransomware and Decrypt .ransomcuck .cuck Files

A ransomware virus named Ransomcuck, which closely resembles TeslaCrypt and Locky, has been reported to lock affected users’ files using the AES and RSA encryption algorithms. The virus appends the .ransomcuck and .cuck file extensions after it enciphers the files of an infected computer. It then leaves several ransom notes, and users who have become victims of this virus are strongly advised not to pay any money requested by the cyber-criminals in those notes. Since this is a very devastating threat, we strongly advise removing it and trying to decrypt encrypted files using the alternative methods in this article until an actual decryptor is released.

Threat Summary

Name: Ransomcuck
Type: Ransomware
Short Description: The ransomware seeks to encrypt files that are often used. You are given a deadline to pay, otherwise the price rises.
Symptoms: The ransomware encrypts files, changing their extensions to .cuck or .ransomcuck. After that it shows a ransom note as your desktop background and in a pop-up window on your desktop.
Distribution Method: Spam Emails, File Sharing Networks, Executable Files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Ransomcuck Virus – How Does It Infect

To conduct an attack, Ransomcuck’s malicious payload needs to be dropped on the targeted computer. This can happen in two main ways: via a malicious file that is disguised to trick users into opening it, or via a malicious URL that may cause automatic download and execution on the victim PC.

Whatever the case may be, the virus may be spread via spam e-mail messages that contain either malicious URLs or malicious attachments. The messages are sent out en masse to a pre-programmed list of e-mail addresses, and their content may vary. For example, one spam message may claim that the user has paid for an order and provide an “Invoice”, which could be the malicious file. There may also be messages saying the user has been added as a friend on Facebook, with a fake “See More” button that, instead of leading to Facebook, may send the user to a malicious web link that can cause the infection.

Ransomcuck Ransomware In Detail

Once Ransomcuck has been executed on your computer, it may directly drop and execute its files without any permission and without you noticing. There may be more than one malicious .exe file, and the files may be located in the following key Windows folders:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Local%
  • %SystemDrive%
  • %System32%

The malicious files of Ransomcuck may contain different names, for example:

[Image: example names of Ransomcuck malicious files]

Once the Ransomcuck virus is on your computer, it may also attack the Run and RunOnce registry keys, creating value strings with the location of the file encryptor and the ransom notes, so that they are executed every time you start Windows.
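The Run/RunOnce persistence described above can be triaged from the text printed by `reg query`. The following is an added example, not code from the original article; the sample registry output, value names and user paths are constructed, and the folder match is a review heuristic rather than a verdict, since legitimate software also starts from AppData.

```python
import re

# Path fragments for drop folders the article lists (heuristic, needs review:
# legitimate software also autostarts from AppData).
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\")
# Ransom note names from the article; \s* tolerates the space as printed there.
NOTE_RE = re.compile(r"how_to_recover_\s*files\.(html|txt)", re.I)
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key>` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = VALUE_RE.match(line)
            if m and key:
                yield key, m["name"], m["data"].strip()

def triage(text):
    """Return (key, name, data, reasons) for autostart values worth reviewing."""
    findings = []
    for key, name, data in parse_reg_query(text):
        low, reasons = data.lower(), []
        if NOTE_RE.search(low):
            reasons.append("opens ransom note at logon")
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("runs from user-writable folder")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings

# Constructed sample in the format printed by:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    agent    REG_SZ    "C:\Program Files\Vendor\agent.exe" --tray
    wupd    REG_SZ    C:\Users\alice\AppData\Roaming\wupd.exe
    note    REG_SZ    C:\Users\alice\Desktop\How_to_Recover_ Files.html

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    tmp    REG_SZ    "C:\Users\alice\AppData\Local\Temp\a1.exe" /s
"""

if __name__ == "__main__":
    for key, name, data, reasons in triage(SAMPLE):
        print(f"{key} :: {name} -> {data}  [{'; '.join(reasons)}]")
```

Run the same check against the HKLM Run and RunOnce keys as well, and record each flagged value before deleting it so the file it points to can be located and removed.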

After the primary encryption module of the Ransomcuck malware infection has been executed, the virus may look for a variety of file types to encrypt. It looks primarily for files that are important and often used, such as:

  • Documents.
  • Databases.
  • Audio files.
  • Video files.
  • Files associated with often used programs, like Photoshop, for example.
  • Presentations.
  • Images.

The Ransomcuck virus is careful in its actions: it skips important Windows folders, because encrypting the files in them may damage your operating system.

After encrypting its victims’ files, the Ransomcuck virus appends the .cuck or .ransomcuck file extension to their names. Files encrypted by this ransomware look like the following and cannot be opened by any software:

[Image: a file encrypted by Ransomcuck, carrying the .cuck extension]

This is because the Ransomcuck virus uses two of the strongest encryption algorithms available to scramble the contents of the files: the AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) ciphers. The AES cipher is used for one purpose only, to encrypt the files themselves, which generates a unique decryption key. This decryption key is then encrypted with the RSA algorithm and sent via TCP or UDP traffic to the servers of the cyber-criminals, leaving them the only ones able to decrypt the files.


After encryption, the virus leaves two files on the %Desktop%:

  • How_to_Recover_ Files.html
  • How_to_Recover_ Files.txt

The files are reported to contain the following ransom note:

→“All files including videos, photos, and documents on your computer have been encrypted by this software.
Encryption was produced using a unique key specific to your computer. The only way to obtain your files back is to decrypt them using the unique key specific to your computer.
Your unique key is stored on a TOR server which will automatically destroy itself after 2 weeks. After that, no one will be able to restore your files.
If this program is altered in any way without ransom being payed, your files will be lost forever. A file has been created on the desktop with the exact same instructions.
Your files will be automatically decrypted once the payment is received.
This program automatically communicates with the server and will decrypt your files once the payment has been received.”
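To gauge how far the encryption reached before choosing a backup to restore from, the indicators described above (the .cuck and .ransomcuck extensions and the two note files) can be inventoried read-only. This is an added example, not part of the original article; the note name without the space is an assumed variant, and treating the earliest modification time of an encrypted file as the approximate start of encryption is an assumption that holds only if the malware wrote the files at that moment.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXTS = (".cuck", ".ransomcuck")      # extensions named in the article
# Note name as printed in the article, plus an assumed variant without the space.
NOTE_STEMS = ("how_to_recover_ files", "how_to_recover_files")

def scan(root):
    """Walk root and summarise Ransomcuck artefacts without modifying anything."""
    per_dir, notes, first_seen = Counter(), [], None
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            stem, ext = os.path.splitext(fname.lower())
            if ext in ENCRYPTED_EXTS:
                per_dir[dirpath] += 1
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue           # unreadable entry: counted, but no timestamp
                if first_seen is None or mtime < first_seen:
                    first_seen = mtime
            elif ext in (".html", ".txt") and stem in NOTE_STEMS:
                notes.append(path)
    return {
        "encrypted_total": sum(per_dir.values()),
        "per_dir": dict(per_dir),      # which folders were hit, and how badly
        "notes": sorted(notes),
        # Approximate start of encryption (assumption: mtime = time of encryption).
        "first_encrypted_utc": (
            datetime.fromtimestamp(first_seen, tz=timezone.utc).isoformat()
            if first_seen is not None else None),
    }

if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report["encrypted_total"], "encrypted files;",
          "earliest:", report["first_encrypted_utc"])
    for folder, count in sorted(report["per_dir"].items()):
        print(f"  {count:6d}  {folder}")
    for note in report["notes"]:
        print("  ransom note:", note)
```

Backups or shadow copies taken before the reported earliest timestamp are the candidates for restoring clean versions of the files.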

Ransomcuck Virus – Conclusion, Removal, and File Restoration Alternatives

Malware researchers believe that this virus has been created by the same coder who was behind the DetoxCrypto virus. Since researchers are constantly working on and looking out for a free decryption method, it is NOT advisable to pay any ransom money to the criminals who are behind this virus. Instead, we advise you to remove it using the instructions below and to try alternative methods to decrypt your files. Bear in mind that for maximum effectiveness while removing Ransomcuck, experts recommend using an advanced anti-malware program. Some alternative techniques can be found in step “3. Restore files encrypted by Ransomcuck” below. These temporary solutions may not be as effective as the actual decryption key, but they are a good method while you wait for a free decryptor to be released. We suggest you check this article often, since we are going to update it as soon as a free decryptor is available.

Manually delete Ransomcuck from your computer

Note! Important notice about the Ransomcuck threat: manual removal of Ransomcuck requires interference with system files and registries, and it can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Ransomcuck files and objects.
2. Find malicious files created by Ransomcuck on your PC.
3. Fix registry entries created by Ransomcuck on your PC.

Automatically remove Ransomcuck by downloading an advanced anti-malware program

1. Remove Ransomcuck with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Ransomcuck in the future
3. Restore files encrypted by Ransomcuck
Optional: Using Alternative Anti-Malware Tools


Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
