A crypto-virus, called CryptoWire has surfaced during Autumn, 2016 and now it has resurfaced with a successor variant, calling itself UltraLocker. The virus most likely uses AES encryption algorithm to render the files of the victims no longer usable and ads a pop-up notification message in the form of a little program that notifies the victim the files are corrupted. Once those files have already been corrupted, the ransomware virus aims to perform several different activities to notify the user and give him instructions to buy 1000$ worth of bitcoins and pay them to decrypt files. In case you have become a victim of UltraLocker CryptoWire variant, we advise you not to contact the [email protected] address for decryption, but to focus on reading this article and learning how to remove UltraLocker virus and try to restore the encrypted files.
|Short Description||The ransomware encrypts files with the AES cipher and asks a ransom payoff for decryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a lockscreen.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by UltraLocker |
Malware Removal Tool
|User Experience||Join our forum to Discuss CryptoWire Ransomware.|
|Data Recovery Tool||Stellar Phoenix Data Recovery Technician’s License Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
How Does The UltraLocker Virus Infect
Just like it’s first ransomware variant, CryptoWire uses advanced distribution techniques to spread. It may use a vast array of tools that combined together result in a successful infection.
- Malicious .htm, .html, .hta and other types of files.
- Obfuscators that conceal the virus from any security programs on the computer of the victim.
- File joiners that could combine the malware with legitimate documents and execute it via malicious macros. (docx, pdf, xls, etc.)
- Malicious servers to command the operation and monitor it.
- Tools that are being used in order to assist the malware
Some or all of these tools, if combined together make for the perfect infection by UltraLocker ransomware and make it possible to spread the virus using e-mail, social media accounts and even comments on various sites that support third-party links of all character. It is even possible to become infected as a result of adware on your computer that causes the infection via malvertising you web links.
UltraLocker Ransomware – Post-Infection Actions
After infecting the computer, the UltraLocker ransomware uses an advanced combination of lockscreen notification and techniques that encrypt the files on compromised computer. To do the encryption, the virus may act in an obfuscated manner so that the user does not even notice what is happening during encryption.
First, the virus drops one or more malicious files onto crucial Windows folders, for example:
After this the UltraLocker malware may begin to inject malicious scripts in key windows services, such as:
In addition to this, the virus may use critical Windows processes to perform activities of it’s own interest, such as:
- To establish coms with the C&C(Command servers) belonging to the cyber-crooks.
- To execute commands that delete backups, such as the “vssadmin delete shadows” as administrator.
To begin to modify keys and registry subkeys that add values in the Windows Registry Editor. Such may be utilized to lock the screen on the compromised computer or begin encrypting files on system boot.
All of these processes add together for the preparation for the actual damage done by UltraLocker ransomware, which is to encrypt the files of the user PC, using the Advanced Encryption Standard otherwise known as AES encryption algorithm. The files which this virus targets may vary, but they all come down to the following types:
- Audio files.
- Microsoft Office documents.
- Adobe .PDF files.
- Files associated with often used programs.
- Database files and database support files.
After the encryption is complete, the user sees the occasional decryption instructions screen:
What is also typical about the UltraLocker threat is that not only it uses AES and has a lockscreen software-like feature. The ransomware also has other capabilities, as advertised on GitHub. Here are some of those:
- It can encrypt remote drives and cloud service databases, like USB drives, OneDrive databases, Dropbox files, etc.
- It can encrypt all files, no matter the extension, besides crucial Windows files that will break Windows.
- It can avoid heuristic scans by antivirus programs.
- It can check the domain of the victim’s computer and if the computer is in an organization, increase the ransom payoff.
How To Get Rid of UltraLocker Virus and Try to Decrypt Encrypted Files
In order to successfully remove UltraLocker, it is strongly advisable to focus on removing all aspects of the virus using the instructions below. They are divided by manual and automatic removal instructions. In case you lack the sufficient experience in manual, removal, then we would recommend what experts often advise – to follow the automatic instructions and download and use an advanced anti-malware program. Such will help remove the UltraLocker ransomware swiftly and completely.
After having removed this threat, you may want to try and use the alternative tools which we have suggested and that can help you recover at least some of your files encrypted by UltraLocker. However, bear in mind that these tools in step “2. Restore files encrypted by UltraLocker” are not tested on your infection specifically and this is why you should also backup the encrypted files.