Remove Unlock 92 Ransomware – Restore @LOCKED Files

Remove Unlock 92 Ransomware – Restore @LOCKED Files

This article will aid you remove Unlock 92 Ransomware effectively. Follow the removal instructions at the end.

A new Unlock92 ransomware variant has been discovered which encrypts the target data with the @LOCKED extension. The collected samples have been collected from a campaign which is probably the test release. It’s very possible that future atttacks will happen soon if they prove successful. Our article will guide users into finding out if they have been infected and how they can attempt to remove the active infections.

Threat Summary

NameUnlock 92 ransomware
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension @Locked to them after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Unlock 92 ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Unlock 92 ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

@Locked Unlock 92 Ransomware – Distribution

The Unlock92 ransomware is delivered using the most popular malware spread tactics. So far the captured strains do not indicate which is the primary method.

Virus sample belonging to the Unlock92 ransomware family are spread through email SPAM messages — they are designed to look like legitimate messages sent by popular Internet services or sites that the targets may use. The virus files may be either directly attached or linked in the body contents.

A similar mechanism is the creation of fake download sites. They may look like familiar vendor download sites or popular Internet sites, the malicious actors may use similar sounding domain names, contents and certificates.

Unlock92 ransomware code can be embedded in infected payloads of which there are two popular types. The first one is the malicious document — the hackers can embed scripts that can lead to the virus delivery. The dangerous fact here is that any of the popular types can be infected with the macros: spreadsheets, presentations, text files and databases. When opened a notification prompt will appear asking the users to enable the built-in code. The other type is the malicious application installer — the hackers will take the legitimate setup files of popular applications and modify them with the virus code.

The ransomware samples associated with the Unlock92 virus may be spread through peer-to-peer networks such as BitTorrent — they can spread both the stand-alone files and the infected payloads.

In other cases the hackers can also utilize malicious web plugins that are used as the payload delivery mechanism. They are advertised as useful additions to the web browsers and are made compatible with the most popular ones. They are uploaded to their relevant plugin repositories with fake user reviews and developer credentials.

@Locked Unlock 92 Ransomware – Information

The @Locked Unlock 92 ransomware is a recent release of the Unlock 92 malware family. So far the captured samples are very limited in number which is an indication that they are a test release or that the large-scale campaign has not been launched yet. We assume that this virus will follow the typical behavior execution pattern.

The attacks may begin with the start of the data collection module which will automatically start to collect data from the infected computers. It can either be used to construct the unique victim ID or to expose the identity of the victim users owning the machines. The information that is to be used by the virus is mainly composed of details about the installed hardware components, operating system values and user settings. On the other hand data that can directly reveal details about the owners is made up of their name, phone number, address, location and any found account credentials. As the virus can access the whole operating system this includes also all user-installed applications. Web browsers for example can be harvested for any stored credentials.

Following this the harvested data can be used by the stealth protection module. It is used to detect, bypass or entirely security services and systems. This includes anti-virus programs, sandbox/debug environments and virtual machine hosts. When this step is complete the @Locked Unlock 92 ransomware will have the ability to control the infected systems — this includes the possibility of starting up several processes, to hook up to others and manipulate the task manager.

At this point of the infection process the malicious engine will be able to modify the Windows Registry by creating entries belonging to itself or modifying existing ones. When registry values to the operating system are modified this can lead to severe performance issues and malfunctions. Modified strings belonging to any third-party software can cause them to behave in a non-intended way.

A related process launched by most ransomware is the persistent installation — it will reprogram the infected system so that the virus code will be launched every time the computer is powered on. This action may also prevent access to the recovery boot menu which is used in several manual recovery instructions.

To make recovery more difficult the @Locked Unlock 92 ransomware may delete sensitive user data — System Restore Points and Shadow Volume Copies. If a network connection is established to a hacker server then it is usually done so in order to report the infection. However in some cases this can lead to a Trojan deployment. This would allow the criminals to spy on the users, harvest their files and take over control of the machine at any given time.

@Locked Unlock 92 Ransomware – Encryption Process

Like previous versions of this malware family the @Locked Unlock 92 ransomware encrypts user data with a strong cipher. In accordance with the typical practices a built-in list of target files, an example one may include the following:

  • Archives
  • Backups
  • Databases
  • Images
  • Videos
  • Music

The files will be renamed according to the following template .@LOCKED. The randomly-generated sequence of characters may be based on the individual victim ID. The accompaying ransomware note is also created using a similar formula: “.@LOCKED”, their contents reads the following:

Ваши файлы зашифрованы.
Если хотите их вернуть отправьте один из зашифрованных файлов на e-mail: [email protected]
Если вы не получили ответа в течение суток то скачайте с сайта браузер TOR
и с его помощью зайдите на сайт: http://n3r2kuzhw2hx6j5.onion (
– с любого другого браузера без использования TOR)
– там будет указан действующий почтовый ящик.
Попытки самостоятельного восстановления файлов могут безвозвратно их испортить!

Your files have been encrypted.
If you want to restore files, send one more file us to the e-mail: [email protected]
Only in case you do not receive a response from the first email address
withit 24 hours, please use use TOR browser from and see current
e-mail in http://n3r2kuzhw2hx6j5.onion ( – from any other browser w/o using a TOR)
Using another tools could corrupt your files, in case of using third party
software we dont give guarantees that full recovery is possible so use it on
your own risk.

Remove Unlock 92 Ransomware and Restore @Locked Files

If your computer got infected with the Unlock 92 Ransomware ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share