Remove Uyari Ransomware and Restore .locked Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Uyari Ransomware and Restore .locked Files


Uyari is the name given to a new ransomware crypto-virus, which is believed to be targeting Turkish users because the ransom note is written in Turkish. That does not exclude the possibility of others being targeted and infected by the virus. Although it is based on the latest HiddenTear project, the malware claims in its ransom message to be CryptoLocker, much like the original CryptoWall ransomware did. Uyari will encrypt files and add the .locked extension to them. Read the article through to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

Name: Uyari
Type: Ransomware
Short Description: The ransomware will encrypt all of your important files and display a ransom note, giving out details about the ransom payment.
Symptoms: The ransomware will encrypt files with .locked extension appended to every file.
Distribution Method: Exploit Kits, Spam Emails, File Sharing Networks
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Uyari Ransomware – Distribution Method

Uyari ransomware might be using targeted attacks to infect users, mainly those who speak Turkish, but other distribution methods cannot be excluded. It might also be distributed by various methods, depending on what the cybercriminals decided to use as an entry point. Spam mail delivering letters with malicious attachments, exploit kits released for software which still has a vulnerability or is not updated, social media and file-sharing networks: the possibilities are many. Be very careful with what you do online and avoid suspicious emails, links, websites and the like. Do not give privileges to programs of unknown origin.

Uyari Ransomware – A Closer Look

Uyari is the name of a ransomware based on HiddenTear. It is named after the first word in the ransom note, which translates into English as “WARNING”. It is believed to target Turkish users, because its ransom note is written in the Turkish language. This does not in any way exclude the possibility of other people being targeted and infected by this crypto-virus. The ransom note also claims that the virus is CryptoLocker, much like the first CryptoWall ransomware did. The AVG malware researcher Jakub Kroustek has identified a sample as being part of HiddenTear after all.

Uyari ransomware creates the following files:

C:\Users\W7_MMD\.windowsServiceEngine

C:\Users\W7_MMD\Desktop\DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html

and the following registry entry, afterward:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServiceEngine

That tactic allows it to remain persistent and start with each boot of the Windows Operating System.
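The artifacts listed above can be checked for with a read-only PowerShell script. This is an added example, not code from the original article or from any vendor tool. It assumes user profiles live under C:\Users (the article's sample paths use the profile W7_MMD), that the Run value may sit under either HKCU or HKLM since the article does not name the hive, and it also counts files carrying the .locked extension.

```powershell
# Added example: read-only check for the Uyari artifacts listed in this article.
# Assumptions: profiles live under C:\Users; the Run value may sit in HKCU or HKLM.
$dropName    = '.windowsServiceEngine'
$notePattern = 'DOSYALARINIZA*.html'   # wildcard avoids script-encoding issues with Turkish letters
$runValue    = 'WindowsServiceEngine'
$findings    = @()

# 1. Dropped file and ransom note, checked in every profile rather than only W7_MMD.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue) {
    $drop = Join-Path $userDir.FullName $dropName
    if (Test-Path -LiteralPath $drop) {
        $findings += [pscustomobject]@{ Type = 'Dropped file'; Location = $drop; Detail = '' }
    }
    $desktop = Join-Path $userDir.FullName 'Desktop'
    foreach ($note in Get-ChildItem -LiteralPath $desktop -Filter $notePattern -File -Force -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Ransom note'; Location = $note.FullName; Detail = '' }
    }
}

# 2. Persistence: a Run value named WindowsServiceEngine.
#    HKCU covers only the account running the script.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -Path $key -Name $runValue -ErrorAction SilentlyContinue
    if ($prop) {
        # Detail holds the command line the value launches at logon.
        $findings += [pscustomobject]@{ Type = 'Run value'; Location = $key; Detail = $prop.$runValue }
    }
}

# 3. Impact: count files that carry the .locked extension.
$locked = @(Get-ChildItem -Path 'C:\Users' -Recurse -File -Force -Filter '*.locked' -ErrorAction SilentlyContinue)
if ($locked.Count -gt 0) {
    $findings += [pscustomobject]@{ Type = 'Encrypted files'; Location = 'C:\Users'; Detail = "$($locked.Count) files ending in .locked" }
}

# Report only; nothing is deleted or modified.
if ($findings.Count -eq 0) {
    'No Uyari indicators from the article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Other ransomware families also use the .locked extension, so treat the file count as supporting evidence next to the dropped file, the ransom note and the Run value.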

Next, the Uyari ransomware places the .locked file extension on encrypted files. After that operation is done, the file DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html is loaded and it contains the ransom message, written in Turkish. You can see a picture of it here:

[Image: Uyari ransomware ransom note]

The text from the ransom note reads:

UYARI

Tüm dosyalarınız cryptolocker virüsü tarafından şifrelenmiştir

Bilgisayarınızda AG sees disklerinde USB belleklerde Önemli olan dosyalarınız; fotoğraflar, videolar see kişisel Bilgiler cryptolocker virüsü şifrelenmiştir ile. Bizim şifreleme çözme yazılımını kurtarmak için satın almakdosyalarınızı tek yoldur. Aksi takdirde, tüm dosyalarınızı see harddiskinizi kaybedersiniz.

Dikkat: cryptolocker Virüs kaldırma işlemi şifrelenmiş dosyalara erişim sağlamaz.

• İlk olarak ’19EYGvwUgPvBmo3gXH9JpXe2YiT4cDk8d7′ bu bitcoin bitcoin adresine 2 yatırınız.
• Buradan bitcoin gönderimi yapabilirsiniz.
• Bitcoini gönderirken kısmına Açıklama şirketinizin Adını yazınız.
• Buradan bize mail yollayıp mailde of açıklamaya yazdığınız Sirket adınızı yazınız. (Gmail üzerinden mail atınız diğer mail istemcileri kabul edilmeyecektir.)
• Yukarıdaki Maddeler of Açıklama özellikle kısımlarına dikkat ediniz aksi takdirde bitconin veya mailin sizden geldiğine emin olamayız.
• İkisininde açıklamasına yazdığınız değerler ESIT olmalıdır. Bunlar tarafından kontrol bilgisayar edildiği için lütfen yazdıklarınızdan emin olunuz.

Bitcoin açıklamasına yazdığınız değer için Örnek;

ozsut Limited

Mail açıklamanızda ozsut Limited geçmelidir. Örnek;

Limited ozsut ADINA size ulaşıyorum kaldırmamız için lütfen cryptolocker virüsünü gerekli programı yollarmısınız.
İstediğiniz miktar BitCoin adresinize yollanmıştır.

Iyi çalışmalar.

Bu sayfa en iyi 1920x1080px çözünürlükte see veya üzerinde chrome mozilla görünür. Lütfen Internet Explorer ile açmayı denemeyiniz. EGER dosyalarınız açtıysanız bir kez daha şifrelenmiştir. Lütfen bizimle iletişime geçiniz.

A very rough English translation of that note looks something along the lines of the following:

WARNING

All your files are encrypted by Cryptolocker virus

On your computer, your files on the network Important drive and USB memory; photos, videos and Personal information is encrypted With Cryptolocker virus. Buy solving our encryption software is the only way to recover your data. Otherwise, you will lose all your files and hard.

Attention: Cryptolocker does not Provide access to encrypted files for virus removal.

• The first ’19eygvwugpvbmo3gxh9jpxe2yit4cdk8d7′ Bitcoin address Bitcoin.
• From here you can send in Bitcoin.
• Bitcoin sending the description of the type in the name of your company.
• Please enter your name companies send out That e-mail e-mail us here in the summer to explain. (Send mail through Gmail will not be accepted by other mail client.)
• Pay attention to the description above items, parts Especially That Can not Be sure Otherwise Bitcoin or e-mail came from you.
• The values you write the description Both of them Should be equal. Because They are controlled by computer, make sure what you Please write.

For example the value typed in the description of Bitcoin;

ozsut Limited

Mail your description must pass ozsut Limited. Sample;

I’m writing to you on Behalf of ozsut Limited Please yollarmıs Necessary cryptolocker program to remove the virus.
the has-been sent Desired amount to your Bitcoin address.

Good work.

This page will Appear on top in 1920x1080px resolution and chrome or mozilla. Please try to open Internet Explorer. If You have opened your file is encrypted eleven more. Please contact us.

From the ransom note, we can see that 2 Bitcoins is the price demanded as ransom payment, which equals around 1,310 US dollars. Do not pay the crooks, as this will only endorse their actions and support criminal activity.

Files with the following extensions are targeted:

.png, .accdb, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .zip, .gz, .tar, .tib, .tmp, .frm, .dwg, .pst, .psd, .ai, .svg, .gif, .bak, .db, .txt, .rar, .jpeg, .jpg, .pdf, .sql

Those are still the most crucial and personal files of users. They all get encrypted with the .locked extension. The Uyari ransomware will lock them using the AES 256-bit algorithm.

It is not known whether Uyari ransomware erases the Shadow Volume Copies from the Windows operating system, but it is highly likely that it can do so.

Remove Uyari Ransomware and Restore .locked Files

If your computer got infected with the Uyari ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible, before it encrypts other files and spreads deeper into your network. The recommended action is to remove the ransomware by following the step-by-step instructions laid out below.

Manually delete Uyari from your computer

Note! Substantial notification about the Uyari threat: Manual removal of Uyari requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Uyari files and objects.
2. Find malicious files created by Uyari on your PC.
3. Fix registry entries created by Uyari on your PC.

Automatically remove Uyari by downloading an advanced anti-malware program

1. Remove Uyari with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Uyari in the future
3. Restore files encrypted by Uyari
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
