The text of the BUYUNLOCKCODE.txt is:
Hi, your ID = JSOXXXXXXXX
All important files were encoded with RSA-1024 encryption algorithm.
There is the only way to restore them - purchase the unique unlock code.
Warning! Any attempt to recovering files without our "Special program" will cause data damage or complete data loss.
As we receive your payment, we will send special program and your unique code to unlock your system.
Guarantee: You can send one of the encrypted file by email and we decode it for free as proof of our abilities.
No sense to contact the police. Your payment must be made to the e-wallet. It's impossible to trace.
Don`t waste your and our time.
So, if you are ready to pay for recovering your files, please reply this email ChiuKhan@tom.com
Then we will send payment instructions.
Fabian Wosar of Emsisoft was kind enough to provide an installer and took a look at the ransomware's encryption routine for us. According to his analysis, the malware encrypts your files using AES, and the AES key is then encrypted with an RSA key (the "RSA-1024" wording in the ransom note describes only this key-wrapping step, not the file encryption itself). The encryption routine is implemented with the FGint open source cryptographic library. Fabian also stated that the entire file is encrypted and that there is no way to decrypt the files without the decryption key.
When infected, the malware will scan all of the data files on your computer and encrypt any files that have the following extensions:
*.crt, *.xls, *.docx, *.doc, *.cer, *.key, *.pem, *.pgp, *.der, *.rtf, *.xlsm, *.xlsx, *.xlsb, *.txt, *.xlc, *.docm, *.ptb, *.qbb, *.qbw, *.qba, *.qbm, *.xlk, *.dbf, *.mdb, *.mdf, *.mde, *.accdb, *.text, *.jpg, *.jpeg, *.ppt, *.pdf, *.cdx, *.cdr, *.bpg, *.vbp, *.php, *.css, *.dbx, *.dbt, *.arw, *.dwg, *.dxf, *.dxg, *.eps, *.indd, *.odb, *.odm, *.nrw, *.ods, *.odp, *.odt, *.orf, *.pdd, *.pfx, *.kdc, *.nef, *.mef, *.mrw, *.crw, *.dng, *.raf, *.psd, *.rwl, *.srf, *.srw, *.wpd, *.odc, *.sql, *.pab, *.vsd, *.xsf, *.pps, *.wps, *.pptm, *.pptx, *.pst, *.zip, *.tar, *.rar
When a file with one of the above extensions is detected, the malware encrypts it and then appends .encoded.<unique id> to the end of the file name. For example, a file called example.txt would have its name changed to example.txt.encoded.JS8521121, where JS8521121 is the unique id associated with your infection. It will also create a BUYUNLOCKCODE.txt file in each folder in which a file was encrypted. When it has finished encrypting your files it will display the C:\Users\User\AppData\Roaming\SunDevPackUpdate\BUYUNLOCKCODE.txt file and also change your wallpaper to display the following message:
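The naming convention above (original name plus .encoded.<unique id>) is enough to triage a file listing from an affected machine: every encrypted file can be recognised, its original name recovered for later restoration, and the infection id extracted. The following script is an added example and is not code from the original article or from Emsisoft; the file paths it scans are constructed sample data, and the check for more than one infection id is an assumption added here to flag listings that mix files from different infections.

```python
import re
from pathlib import PureWindowsPath

# Naming pattern described in the article: <original name>.encoded.JS<digits>
ENCODED_RE = re.compile(r"^(?P<orig>.+)\.encoded\.(?P<id>JS\d+)$", re.IGNORECASE)
RANSOM_NOTE = "BUYUNLOCKCODE.txt"           # dropped in every folder with an encrypted file
DROP_DIR_MARKER = "SunDevPackUpdate"        # %AppData% folder used by the malware

# Constructed sample listing (not taken from a real infected host).
SAMPLE_PATHS = [
    r"C:\Users\User\Documents\example.txt.encoded.JS8521121",
    r"C:\Users\User\Documents\budget.xlsx.encoded.JS8521121",
    r"C:\Users\User\Documents\BUYUNLOCKCODE.txt",
    r"C:\Users\User\Pictures\holiday.jpg",
    r"C:\Users\User\Pictures\notes.txt.encoded.JS9999999",
    r"C:\Users\User\AppData\Roaming\SunDevPackUpdate\wallpp.bmp",
]


def parse_encoded_name(filename):
    """Return (original_name, infection_id) for an encrypted file name, else None."""
    m = ENCODED_RE.match(filename)
    if not m:
        return None
    return m.group("orig"), m.group("id")


def triage(paths):
    """Classify a list of Windows paths into encrypted files, ransom notes and dropper artefacts.

    Each encrypted entry is (encrypted_path, original_path, infection_id), so the
    original path is ready for a restore from backup or Shadow Volume Copies.
    PureWindowsPath is used so the parsing also runs on a non-Windows analysis box.
    """
    result = {"encrypted": [], "notes": [], "dropper_files": [], "ids": set()}
    for p in paths:
        win = PureWindowsPath(p)
        parsed = parse_encoded_name(win.name)
        if parsed:
            orig, uid = parsed
            result["encrypted"].append((p, str(win.with_name(orig)), uid))
            result["ids"].add(uid)
        elif win.name.lower() == RANSOM_NOTE.lower():
            result["notes"].append(p)
        elif DROP_DIR_MARKER.lower() in (part.lower() for part in win.parts):
            result["dropper_files"].append(p)
    # Assumption added here: one host should carry one id; several ids in one
    # listing usually means files from different machines were mixed together.
    result["multiple_ids"] = len(result["ids"]) > 1
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    for enc, orig, uid in report["encrypted"]:
        print(f"{uid}: {enc} -> restore as {orig}")
    print("ransom notes:", report["notes"])
    print("dropper files:", report["dropper_files"])
    print("multiple infection ids:", report["multiple_ids"])
```

Feed `triage` the output of a recursive directory listing (for example one produced with `dir /s /b`) to get a restore list; the `ids` set doubles as a quick check that the listing comes from a single infection.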
Finally, it will add some registry entries that will delete the original installer and any malware executables that were created.
Update: The ransomware does not appear to delete the Shadow Volume Copies. So it may be possible to restore your encrypted files using a program like Shadow Explorer or Previous Versions. Information about how to do this can be found here in our CryptoWall guide.
If there is any further info that is discovered about this ransomware, we will be sure to publish it here.
Known BUYUNLOCKCODE Ransomware Files:
%AppData%\SunDevPackUpdate\
%AppData%\SunDevPackUpdate\BUYUNLOCKCODE.txt
%AppData%\SunDevPackUpdate\pbinfoset.sww
%AppData%\SunDevPackUpdate\wallpp.bmp
Known BUYUNLOCKCODE Ransomware Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\bcdel cmd.exe /c del "%AppData%\SunDevPackUpdate\<random>.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\oldex cmd.exe /c del "path-to-installer\installer.exe"
HKCU\Control Panel\Desktop\Wallpaper "%AppData%\SunDevPackUpdate\wallpp.bmp"
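The registry entries listed above give two detection signals that survive after the executables have deleted themselves: RunOnce values whose data is a `cmd.exe /c del` command, and a desktop wallpaper pointing into the SunDevPackUpdate folder. The script below is an added example, not code from the original article; it checks a snapshot of (key, value name, data) tuples such as one would collect with `reg query`, and the sample snapshot is constructed, with the `<random>.exe` name and installer path replaced by invented placeholders.

```python
import re

RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
WALLPAPER_KEY = r"HKCU\Control Panel\Desktop"

# "\SunDevPackUpdate\" matches whether %AppData% is still unexpanded or not.
DROP_DIR_RE = re.compile(r"\\SunDevPackUpdate\\", re.IGNORECASE)
# RunOnce data that is just "cmd /c del ..." is the self-cleanup pattern from the article.
SELF_DELETE_RE = re.compile(r"^\s*cmd(\.exe)?\s+/c\s+del\b", re.IGNORECASE)

# Constructed snapshot (key, value name, data); file names are placeholders, not real IoCs.
SAMPLE_VALUES = [
    (RUNONCE_KEY, "bcdel", r'cmd.exe /c del "%AppData%\SunDevPackUpdate\placeholder.exe"'),
    (RUNONCE_KEY, "oldex", r'cmd.exe /c del "C:\Users\User\Downloads\installer.exe"'),
    (WALLPAPER_KEY, "Wallpaper", r"C:\Users\User\AppData\Roaming\SunDevPackUpdate\wallpp.bmp"),
    # Benign RunOnce entry: an ordinary post-update task that must not be flagged.
    (RUNONCE_KEY, "VendorCleanup", r'"C:\Program Files\Vendor\post-update.exe" /quiet'),
]


def classify_value(key, name, data):
    """Return the list of indicator names that a single registry value matches."""
    findings = []
    if key.lower() == RUNONCE_KEY.lower() and SELF_DELETE_RE.match(data):
        findings.append("runonce-self-delete")
    if (key.lower() == WALLPAPER_KEY.lower() and name.lower() == "wallpaper"
            and DROP_DIR_RE.search(data)):
        findings.append("wallpaper-from-drop-dir")
    if DROP_DIR_RE.search(data):
        findings.append("references-drop-dir")
    return findings


def scan_registry(values):
    """Return (key, value name, findings) for every value that matched at least one indicator."""
    hits = []
    for key, name, data in values:
        findings = classify_value(key, name, data)
        if findings:
            hits.append((key, name, findings))
    return hits


if __name__ == "__main__":
    for key, name, findings in scan_registry(SAMPLE_VALUES):
        print(f"{key}\\{name}: {', '.join(findings)}")
```

The self-delete check is deliberately generic: a RunOnce value whose whole payload is a `del` command is unusual for legitimate software and is worth reviewing even when the path does not point at SunDevPackUpdate, which is why the `oldex` entry (targeting the original installer, wherever it was) is still reported.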