A new ransomware was spotted by MalwareBytes security researcher S!Ri today that encrypts victims files and asks them to contact the criminals at UNLOCK92@INDIA.COM.
The ransomware generates a random 64-character hexadecimal password for each victim, and encrypts files with AES. This password is encrypted with RSA and sent to the criminal's server. Encrypted files have the extension ".CRRRT" appended to them. A file called key.bin is left on the desktop with the public RSA key.
The following image is set as the victim's background, saved as "qqq.jpg" on the desktop.
The following extensions are targeted.
.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg
If you or someone you know has been infected by this ransomware, please post here.
I do not recommend paying the ransom on this one.
Decrypter to unlock files for free: http://www.bleepingcomputer.com/download/unlock92decrypter/
New variant: .[email@example.com].block confirmed by Demonslay335 (Michael Gillespie) in this topic.
Michael Gillespie discovered a new version of the Unlock92 ransomware that switched its encryption algorithm to RSA-2048 and now uses the encrypted extension of .CCCRRRPPP. Due to these changes, the ransomware is unfortunately no longer able to be decrypted for free.
Edited by quietman7, 01 January 2018 - 03:52 PM.