The new version of the popular among Russian users Unlock92 ransomware virus has been reported to be updated and now use the .kukaracha file extension which it adds to the files it encrypts. The Unlock92 ransomware then renders the files no longer openable by appending a file encryption cipher on them. This is done with the purpose to extort the average user for money in return for the files. Anyone who has been affected by the new version of Unlock92 should be careful and read the article to learn more about this threat and how to remove it and try to revert the files without having to pay the ransom payoff.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms||The user may witness ransom notes and “instructions” in a text file or a .tta file. Changed file names and the file-extension .kukaracha has been used.|
|Detection Tool|| See If Your System Has Been Affected by Unlock92 |
Malware Removal Tool
|User Experience||Join our forum to Discuss Unlock92.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Unlock92 Ransomware – More Information
Distribution of Unlock92
To successfully infect the average user, the ransomware virus uses standard techniques – spam e-mails. The e-mails may resemble an order form an online retailer with your name on it, for example:
“Michael, you order has been confirmed. Please check the Invoice for reference below.
Amazon Sales Team”
The malicious file attachment, containing Unlock92 ransomware may contain several tools that allow the successful infection, for example:
- Malware obfuscator to conceal the malicious file from any firewalls or real-time shields of most widely used antivirus software.
- Exploit kit or a Trojan.downloader that connects to a remote host and downloads the ransom notes and the file-encryption program.
- File Joiners that combine the malicious file with macros of documents, like Microsoft Office or Adobe documents, to increase legitimacy.
Some of those tools used in combination guarantee that more users will be infected, given the spam e-mail message to be convincing.
After the user opens the malicious file, multiple executable files of different types and having different names may be dropped In key Windows folders, for example:
Unlock92 Ransomware – Post-Infection Analysis
After having infected the user, Unlock92 ransomware may initiate a procedure to modify the registry entries of the infected computer. Amongst the registry keys affected by this virus, may be a lot of subkeys, but the primary ones which Unlock92 might attack are the Run and RunOnce subkeys:
These registry keys may contain values with data added in them, which make the executable that encrypts files of Unlock92 to run when Windows starts up.
After this executable is ran, it may begin to encrypt user files. TO perform this procedure, the virus may execute a .bin type of file which is pre-programmed to hunt for variety of file often used file types to cipher, just like the older verison of Unlock92, using the .CCCRRRPPP.: and .CRRRT extensions:
→ .psd, .jpeg, .docx, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .cdr, .odb, .odg
After the encryption, this variant of Unlock92, adds the interesting file extension .kukaracha to the encoded files, making them look like the following:
In addition to this, Unlock92 ransomware may have new features added to it, such as the ability to destroy any backups, more specifically volume shadow copies on the compromised computer.
The virus may also drop two other files – a keynote.tta file and a .txt file which contains the ransom note and is most likely in Cyrillic.
Remove Unlock92 Ransomware and Restore .kukaracha Files
If you have been affected by this malware, the first action you should take is to disconnect your computer and copy the encrypted files to a flash drive or other external device. From there you may safely proceed to the removal of Unlock92 ransomware from your computer.
To remove Unlock92, bear in mind that you should follow the instructions below. In case you do not have the experience in manually removing ransomware, we advise you to use the help of an advanced anti-malware program which will take care of this for you.
After having removed Unlock 92 ransomware, you may use the alternative methods for restoring files mentioned in step “2.Restore Files Encrypted by Unlock92” below. They are not 100% guarantee you will restore the files, but are a good temporary solution until a real decryption is released, which is why we advise you to backup your data and try it on copies of the encrypted files.