Remove Unlckr Ransomware and Restore Files - How to, Technology and PC Security Forum |

Remove Unlckr Ransomware and Restore Files

This article will help you remove Unlckr ransomware from your computer and will show you how to try to restore files to which it has appended the .cr or another file extension.

Ransomware has kept evolving over the last few years. One example is the Unlckr ransomware, a descendant of the Unlock92 virus first discovered in 2016. Like its predecessor, it encrypts the files on the infected computer and holds them for ransom; the ransom note instructs the victim to contact [email protected], the e-mail address of the criminals behind the campaign. If you have become a victim of this ransomware, we urge you to read the following article.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer and asks the victim to contact [email protected]
Symptoms: Files are encrypted and given a random file extension, possibly serving as a unique identifier of the infection. A ransom note in Russian, named !_ИНСТРУКЦИЯ_!.txt, is dropped.
Distribution Method: Spam e-mails, e-mail attachments, executable files

Distribution Methods of Unlckr Ransomware

This virus may use a combination of tools to spread:

Exploit kits.
Malicious macros.
Spam bots or spamming services.
A pre-set list of e-mail addresses of potential victims.
A pre-set list of e-mails to spam from.

All of these tactics may result in Unlckr being spread via deceptive spam e-mails. One example is an e-mail that pretends to come from PayPal and claims there is suspicious activity on your PayPal account. Such an e-mail carries either a suspicious web link or an attachment, and in both cases what the victim opens is a loader that drops the malicious files on the computer.

The same loader may also be uploaded online disguised as a fake program, an activator (crack) of some sort, or anything else you might be looking to download.

Unlckr Ransomware – Analysis

When an infection takes place, the first stage of Unlckr's activity is to contact its command-and-control hosts, which are Tor hidden services (.onion addresses):

  • n3r2kuzhw2h7x6j5.onion
  • bf6rqotof6hgyueo.onion

These servers may receive the IP address and other system information of the infected computer. The ransomware may then modify the Windows Registry, specifically the following key:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

An entry under this key is executed every time a user logs on, which is how the malware keeps running across reboots.
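A quick way to triage this persistence mechanism without a removal tool is to dump the Run key with reg query and look for entries that start a program from a user-writable directory (AppData, Temp, Users\Public, ProgramData); legitimate auto-start entries almost always live under Program Files or the Windows directory. The Go program below is an added example for this article, not code from the malware or from any removal tool. The reg query output it parses is constructed for a hypothetical machine, and the value names and paths in it are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RunEntry is one value under a Run key: value name, registry type and data.
type RunEntry struct {
	Name string
	Type string
	Data string
}

// entryLine matches the value lines printed by "reg query", which separate
// name, type and data by runs of spaces; key-path and blank lines do not match.
var entryLine = regexp.MustCompile(`^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$`)

// ParseRegQuery parses the text output of "reg query <key>" into entries.
func ParseRegQuery(output string) []RunEntry {
	var entries []RunEntry
	for _, line := range strings.Split(output, "\n") {
		m := entryLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		entries = append(entries, RunEntry{Name: m[1], Type: m[2], Data: strings.TrimSpace(m[3])})
	}
	return entries
}

// ExecutablePath extracts the program path from a Run value's data,
// honouring a quoted path and dropping any arguments that follow it.
func ExecutablePath(data string) string {
	data = strings.TrimSpace(data)
	if strings.HasPrefix(data, `"`) {
		if end := strings.Index(data[1:], `"`); end >= 0 {
			return data[1 : end+1]
		}
		return data[1:]
	}
	if i := strings.IndexAny(data, " \t"); i >= 0 {
		return data[:i]
	}
	return data
}

// userWritable lists directories an unprivileged user can write to; auto-start
// software installed properly lives under Program Files or the Windows directory.
var userWritable = regexp.MustCompile(`(?i)\\(appdata|temp|users\\public|programdata)\\`)

// IsSuspicious reports whether the entry starts a program from a user-writable path.
func IsSuspicious(e RunEntry) bool {
	return userWritable.MatchString(ExecutablePath(e.Data))
}

// SuspiciousEntries filters the parsed entries down to those worth examining.
func SuspiciousEntries(entries []RunEntry) []RunEntry {
	var out []RunEntry
	for _, e := range entries {
		if IsSuspicious(e) {
			out = append(out, e)
		}
	}
	return out
}

// SampleRegQuery is constructed output of
//   reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
// on a hypothetical machine; value names and paths are invented, not taken
// from a real Unlckr infection.
const SampleRegQuery = `
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    RtkAudio          REG_SZ           "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
    WinUpd            REG_SZ           C:\Users\victim\AppData\Roaming\svchost.exe
    Loader            REG_SZ           "C:\Users\victim\AppData\Local\Temp\update.exe" /silent
`

func main() {
	for _, e := range SuspiciousEntries(ParseRegQuery(SampleRegQuery)) {
		fmt.Printf("suspicious Run entry %q -> %s\n", e.Name, ExecutablePath(e.Data))
	}
}
```

On a live system, feed it the output of reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"; the same key under HKCU deserves the same check, since it persists per user without administrative rights. A hit is a lead, not a verdict: note the path, check the file's signature and creation time, and do not delete anything until the rest of the infection has been identified.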

Unlckr may also delete the Volume Shadow Copies on the infected machine, which removes the "Previous Versions" restore points Windows would otherwise offer. Both vssadmin and bcdedit require administrative privileges, so this step succeeds only if the ransomware is running elevated; it then launches the commands through a WMI process call, similar to the following:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The first command deletes every shadow copy without prompting; the two bcdedit commands disable the Windows Recovery Environment for the default boot entry and suppress the boot-failure recovery screen, leaving the victim with no built-in way to roll back.
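The command sequence above is one of the most dependable ransomware indicators a defender has, because ordinary software has no reason to delete every shadow copy and disable recovery in one breath. The Go program below, added here as an example and not part of the original article, runs a small rule set over process-creation records (the CommandLine field of Sysmon event 1, or Security event 4688 with command-line auditing enabled) and reports which rule each record trips. The records are constructed to mirror the sequence quoted above plus two benign administrative commands that must not alert; the "wmic shadowcopy delete" rule covers a common equivalent that is not documented for Unlckr and is included as an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule pairs a name with a case-insensitive pattern applied to the command
// line of a process-creation record.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
}

// Rules cover the recovery-inhibition commands quoted in the article and the
// WMI "process call create" wrapper used to launch them. The shadowcopy rule
// covers a common equivalent not documented for Unlckr (assumption).
var Rules = []Rule{
	{"vssadmin_delete_shadows", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"wmic_shadowcopy_delete", regexp.MustCompile(`(?i)\bshadowcopy\s+delete\b`)},
	{"bcdedit_recovery_disabled", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b`)},
	{"bcdedit_ignore_boot_failures", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b`)},
	{"wmic_process_call_create_cmd", regexp.MustCompile(`(?i)\bprocess\s+call\s+create\b.*\bcmd(\.exe)?\s+/c\b`)},
}

// Finding is one rule hit on one record (1-based record number).
type Finding struct {
	Line int
	Rule string
}

// Classify returns the names of every rule matching a single record.
func Classify(record string) []string {
	var hits []string
	for _, r := range Rules {
		if r.Pattern.MatchString(record) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// ScanLines runs Classify over each record and collects the hits in order.
func ScanLines(records []string) []Finding {
	var out []Finding
	for i, rec := range records {
		for _, name := range Classify(rec) {
			out = append(out, Finding{Line: i + 1, Rule: name})
		}
	}
	return out
}

// SampleRecords are constructed process-creation records (Sysmon event 1
// style), not captured from Unlckr: records 1-4 mirror the sequence quoted
// in the article, records 5-6 are benign administrative use that must not alert.
var SampleRecords = []string{
	`Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic process call create \"cmd.exe /c vssadmin.exe delete shadows /all /quiet\""`,
	`Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c vssadmin.exe delete shadows /all /quiet"`,
	`Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} recoveryenabled no"`,
	`Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"`,
	`Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"`,
	`Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} recoveryenabled yes"`,
}

func main() {
	for _, f := range ScanLines(SampleRecords) {
		fmt.Printf("record %d: %s\n", f.Line, f.Rule)
	}
}
```

Any of these rules firing on a workstation deserves an immediate response; on a backup or virtualisation server "vssadmin delete shadows" can be legitimate maintenance, so tune by host role rather than weakening the pattern.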

The ransomware then notifies the victim by dropping a ransom note in Russian named !_ИНСТРУКЦИЯ_!.txt ("!_INSTRUCTIONS_!.txt"), which translates as:

Your files have been encrypted using the cryptographically strong RSA-2048 algorithm. If you want them back, send one of the encrypted files and the file yourkey.ttp to the e-mail: [email protected]
If you do not receive a response within 24 hours or the letter is returned with an error, download the TOR browser from and use it to go to the site http://n3r2kuzhw2h7x6j5.onion – there you will see the current mailbox.
Attempts to repair the files yourself can irretrievably ruin them!

Everything points to this virus being aimed solely at Russian-speaking users.

Unlckr Virus – The Encryption Process

The ransom note claims that the files were encrypted with RSA-2048. That claim should be treated with caution, since ransom notes are often copied and Unlock92, from which Unlckr derives, used the AES cipher. The two are not mutually exclusive, and most ransomware that advertises RSA in fact uses both: a symmetric cipher such as AES encrypts the file contents (RSA is far too slow for bulk data and can only encrypt a few hundred bytes per operation), and the attacker's RSA public key encrypts the per-victim or per-file AES key, so that only the holder of the RSA private key can unlock the data. One indicator that RSA is involved is that the virus generates the following files after encryption (yourkey.ttp is also the file the note asks the victim to send, which is consistent with it holding the RSA-encrypted key):

  • Yourkey.ttp
  • Your_key.rsa
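To see why the RSA-2048 claim and the AES heritage are compatible, the Go program below implements the hybrid scheme the way most ransomware families do: a random AES-256-GCM key per file, wrapped with the attacker's RSA-2048 public key using OAEP. It is an added example written for this article, not code recovered from Unlckr; its assumptions are that the wrapped-key blob plays the role of a file such as yourkey.ttp and that the plaintext is a constructed sample. It also demonstrates the property the ransom note relies on: with the attacker's private key the file round-trips, with any other private key the wrapped key does not even unwrap.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the per-file layout this example produces: the file's AES
// key wrapped with the attacker's RSA public key (assumed here to be the role
// of a blob such as yourkey.ttp), followed by the GCM nonce and ciphertext.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// HybridEncrypt encrypts plaintext under a fresh AES-256-GCM key and wraps
// that key with RSA-OAEP. RSA-2048 with SHA-256 OAEP can encrypt at most
// 190 bytes per operation, so "encrypted with RSA-2048" in practice means this.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	material := make([]byte, 32+12) // 256-bit key plus standard 96-bit GCM nonce
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	fileKey, nonce := material[:32], material[32:]
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// HybridDecrypt unwraps the file key with the RSA private key, then decrypts.
// Without that private key the 256-bit AES key is unrecoverable.
func HybridDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RoundTrip checks both halves of the scheme: the attacker's private key
// decrypts the file, and an unrelated private key (a victim guessing) fails.
func RoundTrip(plaintext []byte) error {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	ef, err := HybridEncrypt(&attacker.PublicKey, plaintext)
	if err != nil {
		return err
	}
	got, err := HybridDecrypt(attacker, ef)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, plaintext) {
		return fmt.Errorf("decrypted %d bytes, want the original %d", len(got), len(plaintext))
	}
	if _, err := HybridDecrypt(stranger, ef); err == nil {
		return fmt.Errorf("a wrong private key unwrapped the file key")
	}
	return nil
}

func main() {
	// Constructed sample contents, not a real victim file.
	fmt.Println("round trip error:", RoundTrip([]byte("Q3 figures: constructed sample document")))
}
```

The 190-byte figure in the comment follows from RSA-2048 with SHA-256 OAEP (256 - 2*32 - 2 bytes), which is why bulk file contents are never encrypted with RSA directly. It also explains what free decrypters, when they appear, actually exploit: not a weakness in AES or RSA, but a mistake in how the malware generated, stored or transmitted the keys.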

Unlckr looks only for specific files on your computer, which it renders unopenable. These are believed to include the commonly used file types listed below:

→ .psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

After the encryption process is complete, Unlckr appends a custom file extension to each affected file; the extension may be completely random.

Remove Unlckr Ransomware and Restore Data

For the removal of this ransomware, we recommend that you follow the instructions below. Bear in mind that manual removal of Unlckr may be tricky: the malware may have modified or replaced several system files, and deleting the wrong ones can damage Windows. This is the main reason security experts advise using a ransomware-specific tool that scans for all objects related to Unlckr and removes them automatically.

At the moment there is no free decrypter for Unlckr. We advise you to follow this post, since we will update it if one is released. In the meantime, do not despair: you can try to recover a portion of your files, as many of our users do, and back up the rest for when a decrypter appears. These alternative methods may not recover 100% of your files, but they are still worth trying; you can find them in step "2. Restore files encrypted by Unlckr" below. Make a backup of the encrypted files before trying them, and keep the yourkey.ttp and Your_key.rsa files as well, because a future decrypter may need them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering the new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

