Remove UCCU Ransomware and Restore The .uccu Encrypted Files

A ransomware virus reported to set the .uccu file extension on the files it has encrypted has been detected in different places around the globe. It is a mystery what “uccu” stands for, but one detail is confirmed: this specific ransomware uses a strong AES encryption algorithm. In addition, the virus encrypts a very wide range of file types, and its origins are so far a mystery. All users who have been affected by UCCU Ransomware should NOT pay any ransom money requested in its note and should remove the virus using an advanced anti-malware tool. So far no decryptor has been developed to revert .uccu files, but you can check this article for alternative solutions regarding partial file restoration.

Threat Summary

Short Description: The ransomware encrypts files with the strong AES cipher and asks a ransom payment for decryption.
Symptoms: Files are enciphered and become inaccessible. A ransom note with instructions for paying the ransom may appear on the user’s computer.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Detection Tool: See If Your System Has Been Affected by UCCU (Malware Removal Tool).
User Experience: Join our forum to Discuss Locky Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

UCCU Ransomware – Methods of Infection

For UCCU Ransomware to infect users with a high success rate, it may use several tools that help mask its files and slip past detection:

  • Program obfuscators.
  • Exploit Kits.
  • Redirecting URLs.
  • Malicious JavaScript codes.
  • File archives.

Such tools not only allow the malicious executable to run unnoticed and with escalated privileges, but also give the cyber-criminals many possibilities, such as spreading it via spam e-mails with web links like the example below:

UCCU Ransomware – In Depth Analysis

As soon as its payload is dropped on the infected computer, it may be located in one of the following Windows folders:

  • %AppData%
  • %Documents%
  • %User’s Profile%
  • %Roaming%
  • %Local%

The executable of the malware may have the following rather vulgar name:


UCCU Ransomware may also create a registry entry in the Run and RunOnce keys so that the “f*ckgod_jesu_crypt” executable starts along with Windows and begins encrypting files. The Run and RunOnce keys in which this value string may be located are the following:
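The persistence described above is something a responder can check for without any special tooling: export the Run and RunOnce keys and look for entries whose program lives in one of the user-writable drop folders the article names (%AppData%, %Local%, %Documents%, the user's profile root). The script below is an added example, not the article's own tooling; it parses constructed `reg query` style output (the key paths are the standard Windows ones, but every value name, path and user name in it is invented) and returns the entries worth reviewing. Legitimate software such as OneDrive also starts from AppData\Local, so the result is a review queue, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg query` style output for the standard Run / RunOnce keys (the key paths
# are the usual Windows ones; every value name, path and user name here is invented).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\crypt_sample.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    C:\Users\alice\Documents\cleanup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Drop locations named in the article, as patterns over a lower-cased program path.
USER_WRITABLE = [
    ("%AppData%", re.compile(r"\\appdata\\roaming\\")),
    ("%Local%", re.compile(r"\\appdata\\local\\")),
    ("%Documents%", re.compile(r"\\users\\[^\\]+\\documents\\")),
    ("%User's Profile%", re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$")),
]


def parse_reg_query(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse (key, value name, type, data) tuples from `reg query` output."""
    entries = []
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            key = raw.strip()  # a key header line (column 0)
            continue
        parts = re.split(r"\s{2,}", raw.strip())  # fields are separated by runs of spaces
        if key is None or len(parts) < 3:
            continue
        entries.append((key, parts[0], parts[1], "  ".join(parts[2:])))
    return entries


def executable_path(data: str) -> str:
    """Extract the program path from a value's data (quoted path, or the first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]  # unquoted paths containing spaces are ambiguous here


def review_autoruns(text: str) -> List[Dict[str, str]]:
    """Return Run/RunOnce entries whose program lives in a user-writable drop location."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(text):
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        exe = executable_path(data)
        for label, pattern in USER_WRITABLE:
            if pattern.search(exe.lower()):
                findings.append({"key": key, "name": name, "exe": exe, "location": label})
                break
    return findings


if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']} -> {f['exe']}  [{f['location']}]")
```

On a real machine, feed it the output of `reg query` for each Run and RunOnce key under HKCU and HKLM; anything flagged should be compared against the known-good inventory of the host rather than removed blindly.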


UCCU may also delete the Shadow Copies of the infected computer by executing the vssadmin command with one of its many parameters, for example:

vssadmin delete shadows /for={Volume of the drive, for example C:} /all
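Shadow copy deletion is one of the few loud things ransomware does before encryption starts, so it is a natural detection point. The following is an added example (not code from the article): it runs a small rule set over constructed process-creation events in a "timestamp|image|command line" format (Sysmon Event ID 1 or Windows 4688 carry the same fields), normalizing case and whitespace and stripping the program path so that variants of the command above still match. It goes slightly beyond the page by also flagging `vssadmin resize shadowstorage`, a second vssadmin form commonly used to discard shadow copies.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed process-creation events, not real logs: timestamp|image|command line.
SAMPLE_EVENTS = [
    "2017-03-01T10:14:02Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=C: /all",
    "2017-03-01T10:14:03Z|C:\\Windows\\System32\\vssadmin.exe|VSSADMIN.EXE  Delete   Shadows /All /Quiet",
    "2017-03-01T10:15:10Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2017-03-01T10:16:44Z|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "2017-03-01T10:17:00Z|C:\\Windows\\explorer.exe|explorer.exe",
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    image: str
    command_line: str
    rule: str


# Rule name and the argument prefix (after the program token) that triggers it.
RULES = [
    ("vssadmin_delete_shadows", "delete shadows"),
    ("vssadmin_resize_shadowstorage", "resize shadowstorage"),
]


def normalize(command_line: str) -> str:
    """Lower-case and collapse whitespace so case and padding do not evade matching."""
    return re.sub(r"\s+", " ", command_line.strip()).lower()


def split_program(norm: str) -> Tuple[str, str]:
    """Return (program basename, remaining arguments) for a normalized command line."""
    program, _, args = norm.partition(" ")
    program = program.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return program, args


def parse_event(line: str) -> Tuple[str, str, str]:
    parts = line.split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed event: {line!r}")
    return parts[0], parts[1], parts[2]


def detect_shadow_copy_tampering(lines: List[str]) -> List[Alert]:
    """Apply RULES to each event; only vssadmin invocations are considered."""
    alerts = []
    for line in lines:
        ts, image, cmd = parse_event(line)
        program, args = split_program(normalize(cmd))
        if program not in ("vssadmin", "vssadmin.exe"):
            continue
        for rule, prefix in RULES:
            if args.startswith(prefix):
                alerts.append(Alert(ts, image, cmd, rule))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.rule}: {a.command_line}")
```

Administrators do run `vssadmin delete shadows` legitimately on occasion, so in production the alert is best correlated with the parent process (an Office or script-host parent is far more suspicious than an interactive admin shell).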

The encryption process targets a wide range of files. The most commonly used file extensions are encrypted, but the ransomware skips the extensions of important files whose encryption could break Windows. The file types targeted are the following:

.png .3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi .bay .bmp .cdr .cer .class .cpp .CR2 .crt .CRW .cs .csv .db .dbf .dcr .der .dng .doc .docx .docb .docm .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .idml .iff .indb .indd .indl .indt .inx .jar .java .jpeg .jpg .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov .mp4 .mpa .mp3 .mpeg .mpg .mrw .msg .NEF .nrw .odb .odc .odm .odp .ods .odt .orf .p12 .P7B .p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .rar .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .x3f .xla .wps .xlam .xlk .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx .zip
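When triaging an affected machine, the first questions are how many files were hit and of which types, which tells you what the backups need to cover. The script below is an added example, not the article's own tooling. It assumes (the page does not say) that the .uccu marker is appended after the original extension, e.g. report.docx becomes report.docx.uccu, and uses the article's extension list to tell recognised targets from files whose original type cannot be recovered from the name. The sample directory tree it walks is constructed in a temporary folder so the script runs offline.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Tuple

# Marker the article says UCCU sets on encrypted files. Assumption (not stated on the page):
# it is appended after the original extension, e.g. report.docx -> report.docx.uccu.
ENCRYPTED_MARKER = ".uccu"

# The extensions the article lists as targeted, lower-cased for comparison.
TARGETED_EXTENSIONS = {ext.lower() for ext in """
.png .3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi
.bay .bmp .cdr .cer .class .cpp .CR2 .crt .CRW .cs .csv .db .dbf .dcr .der .dng .doc .docx
.docb .docm .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .idml .iff .indb .indd
.indl .indt .inx .jar .java .jpeg .jpg .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov
.mp4 .mpa .mp3 .mpeg .mpg .mrw .msg .NEF .nrw .odb .odc .odm .odp .ods .odt .orf .p12 .P7B
.p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx
.ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .rar .raw .rb .rtf .rw2 .rwl
.sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .x3f
.xla .wps .xlam .xlk .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx .zip
""".split()}


def classify(path: Path) -> Tuple[str, str]:
    """Return (original extension, status) for one file.

    status is 'untouched', 'encrypted' (original extension is in the targeted list) or
    'encrypted-unknown-type' (marker present but the original type cannot be recovered).
    """
    name = path.name.lower()
    if not name.endswith(ENCRYPTED_MARKER):
        return path.suffix.lower(), "untouched"
    original = Path(name[: -len(ENCRYPTED_MARKER)]).suffix
    if original in TARGETED_EXTENSIONS:
        return original, "encrypted"
    return original or "(none)", "encrypted-unknown-type"


def inventory(root: Path) -> Tuple[Counter, List[Path]]:
    """Walk root; count files by (status, extension) and collect the encrypted ones."""
    counts = Counter()
    encrypted: List[Path] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            ext, status = classify(p)
            counts[(status, ext)] += 1
            if status != "untouched":
                encrypted.append(p)
    return counts, encrypted


def build_sample_tree() -> Path:
    """Create a temporary directory of constructed files mimicking an affected machine."""
    root = Path(tempfile.mkdtemp(prefix="uccu-triage-"))
    for rel in [
        "Documents/report.docx.uccu",
        "Documents/budget.xlsx.uccu",
        "Pictures/holiday.jpg.uccu",
        "Downloads/odd.uccu",             # marker but no recoverable original extension
        "Documents/notes.txt",            # .txt is not in the article's list
        "Windows/System32/ntoskrnl.exe",  # system files are skipped, per the article
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        counts, encrypted = inventory(root)
        for (status, ext), n in sorted(counts.items()):
            print(f"{status:24} {ext:8} {n}")
        print(f"{len(encrypted)} encrypted files found under {root}")
    finally:
        shutil.rmtree(root)
```

Point `inventory` at a user profile instead of the sample tree to get the real picture; the "encrypted-unknown-type" bucket is where you look first if the marker was not simply appended, since that would mean original names must be recovered some other way.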

In addition to that, the ransomware may perform other activities, like:

  • Hide the encrypted files from the user.
  • Leave a .txt file, picture or HTML file containing instructions on how to pay the ransom in Bitcoin.

Remove UCCU Ransomware and Restore Your Encoded Files

To fully delete this ransomware virus from your computer, bear in mind when removing it manually that it may also have created other files on your computer. For maximum effectiveness, experts recommend a more automatic approach: an advanced anti-malware scanner which will automatically, safely and effectively eradicate UCCU Ransomware from your PC.

If you wish to decrypt your files, follow this article; we will update it at its start (above) as soon as a working decryptor is released for free. In the meantime, you may want to try the methods in step “3. Restore files encrypted by UCCU” below. There is no guarantee that you will get any files back, but some users have reported recovering at least a small portion of their files using them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
