Friday, March 3, 2017

What is Unlock26 Ransomware?

Unlock26 Ransomware is a newly created ransomware that was released on Tuesday, February 19, 2017. It encrypts computer users’ files and demands a ransom payment for them. If your computer is infected with this malware, it is so far very difficult to decrypt the encrypted files. This post provides information about Unlock26 Ransomware and gives you instructions for removing it.

About Unlock26 Ransomware

Unlock26 Ransomware is malware that attacks users’ machines and appends a .locked-[XXX] extension to their files; it was found to have launched on Sunday, February 19, 2017. It is named after unlock26ozqwoyfv[.]hiddenservice[.]net/?signature=[UNIQUE IDENTIFIER], the payment portal presented to victims after the infection has invaded the PC and finished its work. Windows operating systems are the target of this threat. Thanks to David Montenegro, a new Ransomware-as-a-Service (RaaS) portal (also called Dot-Ransomware) was discovered going live the same day.


According to BleepingComputer, a user who registers on the service can download two files: core.exe and builder.zip. The former is the ransomware payload itself and the latter is an archive containing the builder and usage instructions.

The builder is a minimal CLI (command-line interface) tool that lets users customize the ransom price, the targeted file types, the type of encryption and the Bitcoin address to which the crook’s 50% cut is sent.

Unlike Spora ransomware, Osiris Ransomware, Cerber 4 Ransomware and other file-encrypting ransomware, this malware does not list the decryption price on the payment site; instead it shows a value written in scientific notation: 6.e-002 BTC. It is odd that the cybercriminals do not clearly tell victims the amount they have to pay, because ransomware is typically created to encrypt certain file types on infected systems and force users to pay a ransom for the decryption key. Ransom prices usually vary by ransomware variant. For example, Cerber 4 ransomware asks users to pay a special price of 1 bitcoin (about $607) for the decryptor if they pay within 5 days; after that, the price increases to 2 bitcoins (about $1214). Unlock26, however, does not tell users the exact ransom, and it has a very minimal, direct style, with few instructions and simply designed ransom notes and payment portal. The service lets its operators customize the ransom amount and even set special decryption prices per country.

Once the ransomware arrives on the machine, it scans and encrypts users’ files using an AES-256 key that is downloaded from the Command and Control servers on the Tor network. It appends a .locked-[XXX] extension to each locked file, and users can no longer open the contents of those files. Windows may report that the files are not recognized and may be corrupted.

Victims will find a ransom note named ReadMe-XXX.html with brief instructions that ask them to visit one of four Tor-to-Web proxy URLs to unlock their data.

Users have to click the links provided in the note to reach the payment portal, because the links carry a hidden signature that lets the crooks distinguish between infected hosts. If users type the visible URLs into a browser by hand, they will not reach the payment site. The cybercriminals presumably use these signatures to show a unique Bitcoin address to each user who accesses the payment site. The sparse instructions on the payment site may leave novice victims with no idea what to do next, which suggests the ransomware is still under development.
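As an added triage example (not code from this post or from the ransomware's authors), the following Python script looks for the indicators the post describes: files renamed with a .locked-[XXX] extension, a ReadMe-XXX.html note, and the signature parameter hidden in the note's links, so an incident responder can see which file types were hit and correlate affected hosts by signature. It assumes the tag after `.locked-` is a run of word characters, and its sample tree and placeholder URL are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# File naming described in the post: original name + ".locked-" + a tag (written [XXX]);
# treating the tag as a run of word characters is an assumption.
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.locked-(?P<tag>\w+)$")
NOTE_RE = re.compile(r"^ReadMe-\w+\.html$", re.IGNORECASE)   # ransom note: ReadMe-XXX.html
# The "signature" query parameter the post says is hidden inside the note's links.
SIG_RE = re.compile(r"""href=["'][^"']*[?&]signature=([A-Za-z0-9_-]+)""")

def extract_signatures(html_text):
    """Distinct signature values carried by the links in a ransom note."""
    return sorted(set(SIG_RE.findall(html_text)))

def scan_tree(root):
    """Walk a directory tree and summarise the Unlock26 indicators it contains."""
    report = {"locked_files": [], "tags": Counter(), "orig_ext": Counter(),
              "notes": [], "signatures": set()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            m = LOCKED_RE.match(name)
            if m:
                report["locked_files"].append(path)
                report["tags"][m.group("tag")] += 1   # one tag per infected host is expected
                report["orig_ext"][os.path.splitext(m.group("orig"))[1].lower()] += 1
            elif NOTE_RE.match(name):
                report["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report["signatures"].update(extract_signatures(fh.read()))
    return report

def infected(report, min_locked=5):
    """A ransom note, or several renamed files sharing one tag, marks the tree as hit."""
    return bool(report["notes"]) or any(n >= min_locked for n in report["tags"].values())

def demo():
    """Build a constructed sample tree (not real malware output) and scan it."""
    root = tempfile.mkdtemp()
    for name in ("budget.xlsx.locked-7f3a", "photo.jpg.locked-7f3a", "plain.txt"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "ReadMe-7f3a.html"), "w") as fh:   # constructed note
        fh.write('<a href="http://example.invalid/?signature=abc123">Unlock</a>')
    return scan_tree(root)
```

Run `scan_tree` against a user profile or file share to get a per-extension count of damaged files and the signature values to record in the incident ticket.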

Note: If your computer is infected with this malware, we do not encourage you to pay the ransom, because you may lose both your money and your data. It is suggested that you use a reliable anti-malware program to find and remove Unlock26 Ransomware completely, then try to recover the locked files in a safe environment.


Unlock26 Ransomware Infection

Like other ransomware, Unlock26 is usually distributed via spam emails. Cybercriminals send out spam or phishing emails containing infected attachments or links to malicious websites. Typically, the emails impersonate others (often well-known companies) to trick you into believing they are trustworthy. For example, an email may claim to come from a shipping company such as DHL or FedEx and say that they tried to deliver a package to you but failed for some reason, or it may draw your attention to its content in some other way. If you become curious about what it refers to and click the links or attachments in the email, malware like Unlock26 can be downloaded and installed on your machine.

Is it possible to decrypt files locked by Unlock26 Ransomware?

Unluckily, the answer is no. There is currently no decryptor tool that can effectively decrypt the files encrypted by Unlock26. Since the ransomware locks users’ files with AES-256 and RSA encryption, it is very difficult for victims to recover their files without paying the ransom. The files can only be decrypted with the corresponding private keys provided by the cybercriminals.

However, you can still try System Restore or ShadowExplorer to recover previous versions of the encrypted files; in some cases, this works. Before restoring the files, remove the malware from the system so that the file recovery process takes place in a safe environment.
