
Remove Uyari Ransomware and Restore .locked Files


Uyari is the name given to a new ransomware crypto-virus, which is believed to be targeting Turkish users, as the ransom note is written in Turkish. That does not exclude the possibility of others being targeted and infected by the virus. It is based on the latest HiddenTear project, and in the ransom message the malware states it is CryptoLocker, much like the original CryptoWall ransomware did. Uyari will encrypt files and add the .locked extension to them. Read the article through to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

Short Description: The ransomware will encrypt all of your important files and display a ransom note, giving out details about the ransom payment.
Symptoms: The ransomware will encrypt files with .locked extension appended to every file.
Distribution Method: Exploit Kits, Spam Emails, File Sharing Networks

Uyari Ransomware – Distribution Method

Uyari ransomware might be using targeted attacks to infect users, mainly those who speak Turkish, but other distribution methods cannot be excluded. It might be distributed by various methods, depending on what the cybercriminals decided to use as an entry point. Spam emails with malicious attachments, exploit kits targeting software that still has a vulnerability or is not updated, social media and file-sharing networks: the possibilities are many. Be very careful with what you do online and avoid suspicious emails, links, websites and the like. Do not give privileges to programs of unknown origin.

Uyari Ransomware – A Closer Look

Uyari is the name of a ransomware based on HiddenTear. It is named after the first word in the ransom note, which in English translates as “WARNING”. It is believed to target Turkish users, because its ransom note is written in the Turkish language. This does not in any way exclude the possibility of other people being targeted and infected by this crypto-virus. The ransom note also claims that the virus is CryptoLocker, much like the first CryptoWall ransomware did. The AVG malware researcher Jakub Kroustek has nevertheless identified a sample as being part of HiddenTear.

Uyari ransomware creates the following files:



and the following registry entry, afterward:


That tactic allows it to remain persistent and start with each boot of the Windows Operating System.

Next, the Uyari ransomware places the .locked file extension on encrypted files. After that operation is done, the file DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html is loaded and it contains the ransom message, written in Turkish. You can see a picture of it here:


The text from the ransom note reads:


Tüm dosyalarınız cryptolocker virüsü tarafından şifrelenmiştir

Bilgisayarınızda AG sees disklerinde USB belleklerde Önemli olan dosyalarınız; fotoğraflar, videolar see kişisel Bilgiler cryptolocker virüsü şifrelenmiştir ile. Bizim şifreleme çözme yazılımını kurtarmak için satın almakdosyalarınızı tek yoldur. Aksi takdirde, tüm dosyalarınızı see harddiskinizi kaybedersiniz.

Dikkat: cryptolocker Virüs kaldırma işlemi şifrelenmiş dosyalara erişim sağlamaz.

• İlk olarak ’19EYGvwUgPvBmo3gXH9JpXe2YiT4cDk8d7′ bu bitcoin bitcoin adresine 2 yatırınız.
• Buradan bitcoin gönderimi yapabilirsiniz.
• Bitcoini gönderirken kısmına Açıklama şirketinizin Adını yazınız.
• Buradan bize mail yollayıp mailde of açıklamaya yazdığınız Sirket adınızı yazınız. (Gmail üzerinden mail atınız diğer mail istemcileri kabul edilmeyecektir.)
• Yukarıdaki Maddeler of Açıklama özellikle kısımlarına dikkat ediniz aksi takdirde bitconin veya mailin sizden geldiğine emin olamayız.
• İkisininde açıklamasına yazdığınız değerler ESIT olmalıdır. Bunlar tarafından kontrol bilgisayar edildiği için lütfen yazdıklarınızdan emin olunuz.

Bitcoin açıklamasına yazdığınız değer için Örnek;

ozsut Limited

Mail açıklamanızda ozsut Limited geçmelidir. Örnek;

Limited ozsut ADINA size ulaşıyorum kaldırmamız için lütfen cryptolocker virüsünü gerekli programı yollarmısınız.
İstediğiniz miktar BitCoin adresinize yollanmıştır.

Iyi çalışmalar.

Bu sayfa en iyi 1920x1080px çözünürlükte see veya üzerinde chrome mozilla görünür. Lütfen Internet Explorer ile açmayı denemeyiniz. EGER dosyalarınız açtıysanız bir kez daha şifrelenmiştir. Lütfen bizimle iletişime geçiniz.

A very rough English translation of that note reads something along the lines of the following:


All your files are encrypted by Cryptolocker virus

On your computer, your files on the network Important drive and USB memory; photos, videos and Personal information is encrypted With Cryptolocker virus. Buy solving our encryption software is the only way to recover your data. Otherwise, you will lose all your files and hard.

Attention: Cryptolocker does not Provide access to encrypted files for virus removal.

• The first ’19EYGvwUgPvBmo3gXH9JpXe2YiT4cDk8d7′ Bitcoin address Bitcoin.
• From here you can send in Bitcoin.
• Bitcoin sending the description of the type in the name of your company.
• Please enter your name companies send out That e-mail e-mail us here in the summer to explain. (Send mail through Gmail will not be accepted by other mail client.)
• Pay attention to the description above items, parts Especially That Can not Be sure Otherwise Bitcoin or e-mail came from you.
• The values you write the description Both of them Should be equal. Because They are controlled by computer, make sure what you Please write.

For example the value typed in the description of Bitcoin;

ozsut Limited

Mail your description must pass ozsut Limited. Sample;

I’m writing to you on Behalf of ozsut Limited Please yollarmıs Necessary cryptolocker program to remove the virus.
the has-been sent Desired amount to your Bitcoin address.

Good work.

This page will Appear on top in 1920x1080px resolution and chrome or mozilla. Please try to open Internet Explorer. If You have opened your file is encrypted eleven more. Please contact us.

From the ransom note, we can see that the ransom demanded is 2 Bitcoins, which equals around 1,310 US dollars. Do not pay the crooks, as this will only endorse their actions and support criminal activity.

Files with the following extensions are encrypted:

.png, .accdb, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .zip, .gz, .tar, tib, .tmp, .frm, .dwg, pst, .psd, .ai, .svg, .gif, .bak, .db, .txt, .rar, .jpeg, .jpg, .pdf, .sql

Those are still the most crucial and personal files of users. They all get encrypted with the .locked extension. The Uyari ransomware will lock them using the AES 256-bit algorithm.

It is not known whether Uyari ransomware erases the Shadow Volume Copies from the Windows operating system, but it is highly likely that it can do it.
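To scope the damage on a drive or mounted backup, the indicators described above (the .locked extension, the list of targeted extensions and the ransom note file name) can be checked with a short script. This is an added example, not code from the article or from the malware; the function names and the sample file names in demo() are constructed for illustration.

```python
import os
import tempfile
import unicodedata
from collections import Counter

# Indicators taken from the article: appended extension and ransom note name.
LOCKED_EXT = ".locked"
RANSOM_NOTE = "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html"
# Targeted extensions as listed in the article; "tib" and "pst" appear there
# without a leading dot and are treated as .tib/.pst here (assumption).
TARGET_EXTS = set(
    ".png .accdb .xls .xlsx .doc .docx .ppt .pptx .zip .gz .tar .tib .tmp .frm "
    ".dwg .pst .psd .ai .svg .gif .bak .db .txt .rar .jpeg .jpg .pdf .sql".split())


def norm_name(name):
    # The Turkish note name may be stored composed (NFC) or decomposed (NFD),
    # so normalise and casefold both sides before comparing.
    return unicodedata.normalize("NFC", name).casefold()


def scan(root):
    """Walk root and sort files into ransom notes, likely victims and others."""
    report = {"notes": [], "locked": [], "other_locked": [], "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            stem, ext = os.path.splitext(fname)
            if norm_name(fname) == norm_name(RANSOM_NOTE):
                report["notes"].append(path)
            elif ext.lower() == LOCKED_EXT:
                # "report.docx.locked" -> original extension ".docx"
                if os.path.splitext(stem)[1].lower() in TARGET_EXTS:
                    report["locked"].append(path)
                    report["by_dir"][dirpath] += 1
                else:  # .locked is not unique to this family; keep separate
                    report["other_locked"].append(path)
    return report


def demo():
    """Run scan() over a constructed sample tree in a temporary directory."""
    names = ["report.docx.locked", "photo.JPG.locked", "session.locked",
             "notes.txt", unicodedata.normalize("NFD", RANSOM_NOTE)]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        rep = scan(root)
        return {k: sorted(os.path.basename(p) for p in rep[k])
                for k in ("notes", "locked", "other_locked")}
```

The by_dir counter in the report shows which folders hold the most encrypted files, which helps decide what to restore from backup first.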

Remove Uyari Ransomware and Restore .locked Files

If your computer got infected with the Uyari ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible, before it encrypts other files and spreads deeper into your network. The recommended action is to remove the ransomware effectively by following the step-by-step instructions below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
