Remove Uyari Ransomware and Restore .locked Files - How to, Technology and PC Security Forum | SensorsTechForum.com
Remove Uyari Ransomware and Restore .locked Files

Uyari is the name given to a new ransomware crypto-virus, which is believed to be targeting Turkish users because its ransom note is written in Turkish. That does not exclude the possibility of others being targeted and infected by the virus. Although it is based on the latest HiddenTear project, in the ransom message the malware states it is CryptoLocker, much like the original CryptoWall ransomware did. Uyari will encrypt files and add the .locked extension to them. Read the article through to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

Name: Uyari
Type: Ransomware
Short Description: The ransomware will encrypt all of your important files and display a ransom note, giving out details about the ransom payment.
Symptoms: The ransomware will encrypt files with .locked extension appended to every file.
Distribution Method: Exploit Kits, Spam Emails, File Sharing Networks

Uyari Ransomware – Distribution Method

Uyari ransomware might be using targeted attacks to infect users, mainly those who speak Turkish, but other distribution methods cannot be excluded. How it is delivered depends on what the cybercriminals choose as an entry point: spam email carrying malicious attachments, exploit kits targeting software that is still vulnerable or not updated, social media, and file-sharing networks are all possibilities. Be very careful with what you do online and avoid suspicious emails, links, websites and the like. Do not give privileges to programs of unknown origin.

Uyari Ransomware – A Closer Look

Uyari is the name of a ransomware based on HiddenTear. It is named after the first word in the ransom note, which translates into English as “WARNING”. It is believed to target Turkish users, because its ransom note is written in the Turkish language. This does not in any way exclude the possibility of other people being targeted and infected by this crypto-virus. The ransom note also claims that the virus is CryptoLocker, much like the first CryptoWall ransomware did. The AVG malware researcher, Jakub Kroustek, has identified a sample as being part of HiddenTear after all.

Uyari ransomware creates the following files:

C:\Users\W7_MMD\.windowsServiceEngine

C:\Users\W7_MMD\Desktop\DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html

and the following registry entry, afterward:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServiceEngine

That tactic allows it to remain persistent and start with each boot of the Windows Operating System.
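
A read-only check for the artifacts listed above, as an added example that is not part of the original article or of any vendor tool. It assumes PowerShell 3.0 or later, checks both the HKCU and HKLM Run keys because the article does not name the hive, and looks in every profile under C:\Users rather than only the W7_MMD profile shown above.

```powershell
# Added example: read-only triage for the Uyari artifacts named in this article.
# Assumptions: PowerShell 3.0+, run elevated; save the script as UTF-8 with BOM so
# the Turkish file name survives. Nothing is deleted or modified.
$runValue = 'WindowsServiceEngine'                      # Run value from the article
$dropName = '.windowsServiceEngine'                     # dropped file from the article
$noteName = 'DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html'    # ransom note from the article
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Persistence. The article gives no hive, so both are checked (assumption).
#    HKCU covers only the account running the script.
foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $prop = Get-ItemProperty -Path $key -Name $runValue -ErrorAction SilentlyContinue
    if ($prop) { Add-Finding 'RunValue' $key ($prop.$runValue) }
}

# 2. Per-profile artifacts. "W7_MMD" in the article is one profile name, so every
#    real profile directory is examined instead (assumption); junctions are skipped.
$userDirs = Get-ChildItem -LiteralPath 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) }
foreach ($dir in $userDirs) {
    $drop = Join-Path $dir.FullName $dropName
    $note = Join-Path (Join-Path $dir.FullName 'Desktop') $noteName
    if (Test-Path -LiteralPath $drop) { Add-Finding 'DroppedFile' $drop 'present' }
    if (Test-Path -LiteralPath $note) { Add-Finding 'RansomNote' $note 'present' }

    # 3. Scope of the damage: count files carrying the .locked extension.
    $locked = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -File `
                    -Filter '*.locked' -ErrorAction SilentlyContinue)
    if ($locked.Count -gt 0) {
        Add-Finding 'LockedFiles' $dir.FullName "$($locked.Count) file(s) ending in .locked"
    }
}

if ($findings.Count -eq 0) { 'No Uyari artifacts from the article were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A Run value reported here shows the path the entry launches at logon, which is the file to examine before removing the entry.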

Next, the Uyari ransomware appends the .locked file extension to encrypted files. After that operation is done, the file DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html is loaded; it contains the ransom message, written in Turkish.

The text from the ransom note reads:

UYARI

Tüm dosyalarınız cryptolocker virüsü tarafından şifrelenmiştir

Bilgisayarınızda AG sees disklerinde USB belleklerde Önemli olan dosyalarınız; fotoğraflar, videolar see kişisel Bilgiler cryptolocker virüsü şifrelenmiştir ile. Bizim şifreleme çözme yazılımını kurtarmak için satın almakdosyalarınızı tek yoldur. Aksi takdirde, tüm dosyalarınızı see harddiskinizi kaybedersiniz.

Dikkat: cryptolocker Virüs kaldırma işlemi şifrelenmiş dosyalara erişim sağlamaz.

• İlk olarak ’19EYGvwUgPvBmo3gXH9JpXe2YiT4cDk8d7′ bu bitcoin bitcoin adresine 2 yatırınız.
• Buradan bitcoin gönderimi yapabilirsiniz.
• Bitcoini gönderirken kısmına Açıklama şirketinizin Adını yazınız.
• Buradan bize mail yollayıp mailde of açıklamaya yazdığınız Sirket adınızı yazınız. (Gmail üzerinden mail atınız diğer mail istemcileri kabul edilmeyecektir.)
• Yukarıdaki Maddeler of Açıklama özellikle kısımlarına dikkat ediniz aksi takdirde bitconin veya mailin sizden geldiğine emin olamayız.
• İkisininde açıklamasına yazdığınız değerler ESIT olmalıdır. Bunlar tarafından kontrol bilgisayar edildiği için lütfen yazdıklarınızdan emin olunuz.

Bitcoin açıklamasına yazdığınız değer için Örnek;

ozsut Limited

Mail açıklamanızda ozsut Limited geçmelidir. Örnek;

Limited ozsut ADINA size ulaşıyorum kaldırmamız için lütfen cryptolocker virüsünü gerekli programı yollarmısınız.
İstediğiniz miktar BitCoin adresinize yollanmıştır.

Iyi çalışmalar.

Bu sayfa en iyi 1920x1080px çözünürlükte see veya üzerinde chrome mozilla görünür. Lütfen Internet Explorer ile açmayı denemeyiniz. EGER dosyalarınız açtıysanız bir kez daha şifrelenmiştir. Lütfen bizimle iletişime geçiniz.

A very rough English translation of that note reads along the lines of the following:

WARNING

All your files are encrypted by Cryptolocker virus

On your computer, your files on the network Important drive and USB memory; photos, videos and Personal information is encrypted With Cryptolocker virus. Buy solving our encryption software is the only way to recover your data. Otherwise, you will lose all your files and hard.

Attention: Cryptolocker does not Provide access to encrypted files for virus removal.

• The first ’19eygvwugpvbmo3gxh9jpxe2yit4cdk8d7′ Bitcoin address Bitcoin.
• From here you can send in Bitcoin.
• Bitcoin sending the description of the type in the name of your company.
• Please enter your name companies send out That e-mail e-mail us here in the summer to explain. (Send mail through Gmail will not be accepted by other mail client.)
• Pay attention to the description above items, parts Especially That Can not Be sure Otherwise Bitcoin or e-mail came from you.
• The values you write the description Both of them Should be equal. Because They are controlled by computer, make sure what you Please write.

For example the value typed in the description of Bitcoin;

ozsut Limited

Mail your description must pass ozsut Limited. Sample;

I’m writing to you on Behalf of ozsut Limited Please yollarmıs Necessary cryptolocker program to remove the virus.
the has-been sent Desired amount to your Bitcoin address.

Good work.

This page will Appear on top in 1920x1080px resolution and chrome or mozilla. Please try to open Internet Explorer. If You have opened your file is encrypted eleven more. Please contact us.

From the ransom note, we can see that the ransom demanded is 2 Bitcoins, which equals around 1,310 US dollars. Do not pay the crooks, as this will only endorse their actions and support criminal activity.

The ransomware encrypts files with the following extensions:

.png, .accdb, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .zip, .gz, .tar, .tib, .tmp, .frm, .dwg, .pst, .psd, .ai, .svg, .gif, .bak, .db, .txt, .rar, .jpeg, .jpg, .pdf, .sql

Those are still the most crucial and personal files of users. They all get the .locked extension once encrypted. The Uyari ransomware locks them using the AES 256-bit algorithm.

It is not known whether Uyari ransomware erases the Shadow Volume Copies from the Windows operating system, but it is highly likely that it can do it.

Remove Uyari Ransomware and Restore .locked Files

If your computer got infected with the Uyari ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper into your network. The recommended way to remove the ransomware effectively is to follow the step-by-step instructions below.

To remove Uyari follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Uyari files and objects
2. Find files created by Uyari on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Uyari

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
