Remove Unlock92 Ransomware and Restore .CRRRT Files - How to, Technology and PC Security Forum

Remove Unlock92 Ransomware and Restore .CRRRT Files



Unlock92 is a ransomware named after the contact email address it gives its victims. The address is meant for negotiating with the cyber crooks behind it. The ransom note is written in Russian and, unlike other ransomware, does not provide a Bitcoin payment system. Unlock92 is very similar to another ransomware, Kozy.Jozy. It appends the .CRRRT extension to encrypted files. To remove the ransomware and see how to restore your data, read the whole article.

Update! The ransomware now creates an ORIG.jpg picture file with instructions and has a new extension added to encrypted files – .CCCRRRPPP.

Threat Summary

Short Description: The ransomware will lock your files and display a ransom note in Russian, giving out a contact email.
Symptoms: The ransomware uses an AES algorithm and encrypts files, putting .CRRRT as their additional extension.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

Unlock92 Ransomware – Infection

Unlock92 ransomware is probably delivered through spam emails. Such emails often carry attached files. If you open the attachment, the malware code gets onto your PC and infects it. Other possible infection routes are social media and file-sharing networks, where the criminals might have uploaded malicious files. To avoid infection, be wary of what you click, open or download when you are online.

Unlock92 Ransomware – Technical Information

Unlock92 is a ransomware that a Malwarebytes researcher found yesterday (the 30th of June). The ransomware has this name because that is the email it points to in its ransom message, namely unlock92@india(.)com. The ransomware assigns a 64-symbol hexadecimal password to every victim. Judging by the ransom message and the files it seeks to encrypt, Unlock92 looks almost the same as the Kozy.Jozy ransomware.

After encryption, the Unlock92 ransomware creates a couple of files:

  • qqq.jpg
  • Key.bin

The Key.bin file is created in every directory with encrypted files and contains the RSA key, while qqq.jpg is the image with instructions for paying the ransom. That ransom note is written entirely in Russian.

You can see an image with the ransom note here:


The text from the ransom note is this:

Если вы хотите их восстановить то отправьте один из пострадавших файлов и файл Key.bin (из любой папки с зашифрованными файлами) на e-mail: UNLOCK92@INDIA.COM Если вы не получили ответа в течение суток то скачайте с сайта TOR браузер и зайдите с его помощью на сайт http://fnjmegsn7tbrrnkl.onion – там будет указан действующий почтовый ящик.
Попытки самостоятельно расшифровать файлы приведут к их безвозвратной порче!

Translating the ransom note makes clear that the extortionists want you to contact them by email to talk about decryption. They want you to send one file along with the Key.bin file so they can give you your personalized decryption key. The ransom amount is not given, so they might ask a different price from everybody who contacts them. Do not pay the ransom, as no guarantee exists that you will get your files back that way. Moreover, there are ways you can restore your files on your own, without any consequences, even if the ransom note states otherwise.

If you go to the website the ransomware points to in its ransom message, you will see the current contact email the cyber criminals use:


The Unlock92 ransomware is reported to use the AES algorithm to encrypt files, with an RSA-2048 key left in a “Key.bin” file. The ransomware encrypts files with the following extensions:


.psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg

When the encryption process completes, every file with an extension featured here found on your computer will have an additional extension appended to it – .CRRRT. You can see one such file in the small picture above, to the right.
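To gauge how far the encryption has reached, the artifacts described above can be searched for across a drive or share. The following is an added example, not code from this article or from any removal tool: the function name scan_tree and the report layout are assumptions, while the extensions and file names are the ones listed in the text. Because Key.bin and qqq.jpg are generic names, a directory is reported only when it also holds files carrying one of the appended extensions.

```python
import os
from collections import Counter

# Indicators taken from the article text (compared case-insensitively).
ENCRYPTED_SUFFIXES = (".crrrt", ".cccrrrppp")
NOTE_NAMES = {"qqq.jpg", "orig.jpg"}
KEY_NAME = "key.bin"
TARGETED = set(""".psd .jpeg .docx .doc .arj .tar .7z .rar .zip .tif .jpg .ai .bmp
.png .xlsx .pptx .accdb .mdb .rtf .odt .ods .cd .ldf .mdf .max .dbf .epf .1cd
.md .db .pdf .ppt .xls .cdr .odb .odg""".split())


def scan_tree(root):
    """Return (hits, by_type): affected directories and a count per original extension."""
    hits, by_type = {}, Counter()
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIXES))
        if not encrypted:
            # Key.bin or qqq.jpg alone is not evidence; skip this directory.
            continue
        for name in encrypted:
            original = name.rsplit(".", 1)[0]           # strip the appended extension
            ext = os.path.splitext(original)[1].lower()
            # Extensions outside the article's list are grouped as "other".
            by_type[ext if ext in TARGETED else "other"] += 1
        hits[dirpath] = {
            "encrypted": encrypted,
            "key_bin": KEY_NAME in lower,                # expected beside encrypted files
            "notes": sorted(lower & NOTE_NAMES),         # ransom-note images present
        }
    return hits, by_type


if __name__ == "__main__":
    import sys
    hits, by_type = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, info in sorted(hits.items()):
        print(f"{path}: {len(info['encrypted'])} encrypted, "
              f"Key.bin={'yes' if info['key_bin'] else 'no'}, notes={info['notes']}")
    print("by original type:", dict(by_type))
```

The scan only reads directory listings, so it can be run against a mounted copy of the affected disk without touching the files themselves.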

Unlock92 ransomware is not reported to erase Shadow Volume Copies from Windows, but it probably does. Read the article to the end and see how to restore your files.

Remove Unlock92 Ransomware and Restore .CRRRT Encrypted Files

If your computer is infected with the Unlock92 ransomware, you should have a bit of experience in malware removal. You should get rid of this ransomware as quickly as you can, before it encrypts more files and spreads deeper over your network. The recommended action is to remove the ransomware by following the step-by-step instructions given below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
