Remove Unlock92 Ransomware and Restore .CRRRT Files - How to, Technology and PC Security Forum | SensorsTechForum.com
THREAT REMOVAL

Remove Unlock92 Ransomware and Restore .CRRRT Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Unlock92 and other threats.
Threats such as Unlock92 may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

STF-unlock92-ransomware-unlock-92-ransom-note

Unlock92 is the name given to a ransomware, which gives an email with the same name as a contact detail. The email is intended for negotiating with the cyber crooks behind it. The ransom note is written in Russian and does not give another system with Bitcoin payment as other ransomware. Unlock92 ransomware is very similar to another one – Kozy.Jozy. The extension the ransomware appends to encrypted files is .CRRRT. To remove the ransomware and see how to restore your data, you should read the whole article.

Update! The ransomware now creates an ORIG.jpg picture file with instructions and has a new extension added to encrypted files – .CCCRRRPPP.

Threat Summary

NameUnlock92
TypeRansomware
Short DescriptionThe ransomware will lock your files and display a ransom note in Russian, giving out a contact email.
SymptomsThe ransomware uses an AES algorithm and encrypts files putting .CRRRT as their additional extension.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Unlock92

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Unlock92.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Unlock92 Ransomware – Infection

Unlock92 ransomware is probably delivered with spam emails. Such emails often have files attached inside. If you open the attachment, the malware code gets inside your PC and infects it. Another way of getting infected might be via social media and file-sharing networks. They might have malicious files uploaded by the criminals. To avoid infection, be wary of what you click, open or download when you are online.

Unlock92 Ransomware – Technical Information

Unlock92 is a ransomware that a Malwarebytes researcher found yesterday (the 30th of June). The ransomware has this name because that is the email it points to in its ransom message, namely [email protected](.)com. The ransomware virus puts a 64-symbol hexadecimal password for every victim. Unlock92 ransomware looks almost the same as Kozy.Jozy ransomware looking at the ransom message and the files it seeks to encrypt.

After encryption, the Unlock92 ransomware creates a couple of files:

  • qqq.jpg
  • Key.bin

The Key.bin file is created in every directory with encrypted files and contains the RSA key, while qqq.jpg is the image with instructions for paying the ransom. That ransom note is written entirely in Russian.

You can see an image with the ransom note here:

STF-unlock92-ransomware-unlock-92-ransom-note

The text from the ransom note is this:

ВАШИ ФАЙЛЫ БЫЛИ ЗАШИФРОВАНЫ!
Если вы хотите их восстановить то отправьте один из пострадавших файлов и файл Key.bin (из любой папки с зашифрованными файлами) на e-mail: [email protected] Если вы не получили ответа в течение суток то скачайте с сайта https://www.torproject.org/download/download-easy.html.en TOR браузер и зайдите с его помощью на сайт http://fnjmegsn7tbrrnkl.onion – там будет указан действующий почтовый ящик.
Iопытки самостоятельно расшифровать файлы приведут к их безвозвратной порче!

Translating the ransomware makes clear that the extortionists want to make you contact them on an email, where to talk about decryption. They want you to send one file along with the Key.bin file so they can give you your personalized decryption key. The ransom money amount is not given, so they might want a different price from everybody who contacts them. Do not pay the ransom as no guarantee exists that you will get your files back that way. Moreover, there are ways you can restore your files on your own, without any consequences, even if the ransom note states otherwise.

If you go to the website the ransomware points to in its ransom message, you will see the current contact email the cyber criminals use:

STF-unlock92-ransomware-unlock-92-india-com-website

The Unlock92 ransomware is reported to utilize the AES algorithm for the encryption of files and RSA-2048 key left in a “Key.bin” file. The file extensions which the ransomware encrypts are the following:

STF-unlock92-ransomware-unlock-92-india-encrypted-crrrt-file

→.psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

When the encryption process completes, every file with an extension featured here found on your computer will have an additional extension appended to it – .CRRRT. You can see one such file in the small picture above, to the right.

Unlock92 ransomware is not reported to erase Shadow Volume Copies from Windows, but that probably is the case. Read the article to the end and see how to restore your files.

Remove Unlock92 Ransomware and Restore .CRRRT Encrypted Files

If your computer machine is infected with the Unlock92 ransomware, you should have a bit experience in malware removal. You should get rid of this ransomware as quickly as you can before it encrypts more files and spreads deeper over your network. The recommended action to take is for you to remove the ransomware effectively by following the step-by-step instructions guide given below.

Note! Your computer system may be affected by Unlock92 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Unlock92.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Unlock92 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Unlock92 files and objects
2. Find files created by Unlock92 on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Unlock92

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...