Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Unlock92 Ransomware and Restore .CRRRT Files

STF-unlock92-ransomware-unlock-92-ransom-note

Unlock92 is the name given to a ransomware, which gives an email with the same name as a contact detail. The email is intended for negotiating with the cyber crooks behind it. The ransom note is written in Russian and does not give another system with Bitcoin payment as other ransomware. Unlock92 ransomware is very similar to another one – Kozy.Jozy. The extension the ransomware appends to encrypted files is .CRRRT. To remove the ransomware and see how to restore your data, you should read the whole article.

Update! The ransomware now creates an ORIG.jpg picture file with instructions and has a new extension added to encrypted files – .CCCRRRPPP.

Threat Summary

NameUnlock92
TypeRansomware
Short DescriptionThe ransomware will lock your files and display a ransom note in Russian, giving out a contact email.
SymptomsThe ransomware uses an AES algorithm and encrypts files putting .CRRRT as their additional extension.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Unlock92

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Unlock92.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Unlock92 Ransomware – Infection

Unlock92 ransomware is probably delivered with spam emails. Such emails often have files attached inside. If you open the attachment, the malware code gets inside your PC and infects it. Another way of getting infected might be via social media and file-sharing networks. They might have malicious files uploaded by the criminals. To avoid infection, be wary of what you click, open or download when you are online.

Unlock92 Ransomware – Technical Information

Unlock92 is a ransomware that a Malwarebytes researcher found yesterday (the 30th of June). The ransomware has this name because that is the email it points to in its ransom message, namely [email protected](.)com. The ransomware virus puts a 64-symbol hexadecimal password for every victim. Unlock92 ransomware looks almost the same as Kozy.Jozy ransomware looking at the ransom message and the files it seeks to encrypt.

After encryption, the Unlock92 ransomware creates a couple of files:

  • qqq.jpg
  • Key.bin

The Key.bin file is created in every directory with encrypted files and contains the RSA key, while qqq.jpg is the image with instructions for paying the ransom. That ransom note is written entirely in Russian.

You can see an image with the ransom note here:

STF-unlock92-ransomware-unlock-92-ransom-note

The text from the ransom note is this:

ВАШИ ФАЙЛЫ БЫЛИ ЗАШИФРОВАНЫ!
Если вы хотите их восстановить то отправьте один из пострадавших файлов и файл Key.bin (из любой папки с зашифрованными файлами) на e-mail: [email protected] Если вы не получили ответа в течение суток то скачайте с сайта https://www.torproject.org/download/download-easy.html.en TOR браузер и зайдите с его помощью на сайт http://fnjmegsn7tbrrnkl.onion – там будет указан действующий почтовый ящик.
Iопытки самостоятельно расшифровать файлы приведут к их безвозвратной порче!

Translating the ransomware makes clear that the extortionists want to make you contact them on an email, where to talk about decryption. They want you to send one file along with the Key.bin file so they can give you your personalized decryption key. The ransom money amount is not given, so they might want a different price from everybody who contacts them. Do not pay the ransom as no guarantee exists that you will get your files back that way. Moreover, there are ways you can restore your files on your own, without any consequences, even if the ransom note states otherwise.

If you go to the website the ransomware points to in its ransom message, you will see the current contact email the cyber criminals use:

STF-unlock92-ransomware-unlock-92-india-com-website

The Unlock92 ransomware is reported to utilize the AES algorithm for the encryption of files and RSA-2048 key left in a “Key.bin” file. The file extensions which the ransomware encrypts are the following:

STF-unlock92-ransomware-unlock-92-india-encrypted-crrrt-file

→.psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

When the encryption process completes, every file with an extension featured here found on your computer will have an additional extension appended to it – .CRRRT. You can see one such file in the small picture above, to the right.

Unlock92 ransomware is not reported to erase Shadow Volume Copies from Windows, but that probably is the case. Read the article to the end and see how to restore your files.

Remove Unlock92 Ransomware and Restore .CRRRT Encrypted Files

If your computer machine is infected with the Unlock92 ransomware, you should have a bit experience in malware removal. You should get rid of this ransomware as quickly as you can before it encrypts more files and spreads deeper over your network. The recommended action to take is for you to remove the ransomware effectively by following the step-by-step instructions guide given below.

Manually delete Unlock92 from your computer

Note! Substantial notification about the Unlock92 threat: Manual removal of Unlock92 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Unlock92 files and objects.
2. Find malicious files created by Unlock92 on your PC.
3. Fix registry entries created by Unlock92 on your PC.

Automatically remove Unlock92 by downloading an advanced anti-malware program

1. Remove Unlock92 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Unlock92 in the future
3. Restore files encrypted by Unlock92
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.