Unlock92 Ransomware Support Topic (.CRRRT / UNLOCK92@INDIA.COM)


19 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague, 3,251 posts, USA)

Posted 30 June 2016 - 06:46 PM

A new ransomware was spotted by Malwarebytes security researcher S!Ri today that encrypts victims' files and asks them to contact the criminals at UNLOCK92@INDIA.COM.
 
The ransomware generates a random 64-character hexadecimal password for each victim, and encrypts files with AES. This password is encrypted with RSA and sent to the criminal's server. Encrypted files have the extension ".CRRRT" appended to them. A file called key.bin is left on the desktop with the public RSA key.
 
The following image is set as the victim's background, saved as "qqq.jpg" on the desktop.
 
[Image: ransom wallpaper, saved as qqq.jpg]
 
 
The following extensions are targeted.

.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg

 
If you or someone you know has been infected by this ransomware, please post here.
 
 I do not recommend paying the ransom on this one.  :wink:
 
Decrypter to unlock files for free: http://www.bleepingcomputer.com/download/unlock92decrypter/

 

Update: 07/09/16

Michael Gillespie discovered a new version of the Unlock92 ransomware that switched its encryption algorithm to RSA-2048 and now uses the encrypted extension of .CCCRRRPPP.  Due to these changes, the ransomware is unfortunately no longer able to be decrypted for free.
The Week in Ransomware - July 15 2016 news article
 

Edited by quietman7, 28 September 2017 - 04:16 PM.
added update

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 01 July 2016 - 12:18 AM

I am releasing a decrypter for this ransomware, available here: https://download.bleepingcomputer.com/demonslay335/Unlock92Decrypter.zip

 

[Screenshots: Unlock92 Decrypter brute-forcing a key, confirming the password, and decrypting a folder]

 

To generate the key and IV, you will need an encrypted PNG file (*.png.CRRRT); the smaller the file, the better. This may take some time, but shouldn't be more than an hour for a small file on most machines - my i7 can tear through a 1KB file and find the key in a few minutes. Simply load it into the brute-forcer, and let it go. Once it finds a key, click "Confirm Password", then select a folder to decrypt. :)


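The known-plaintext check behind the brute-forcer in the post above, as an added Go example; it is not Demonslay335's decrypter code and the original page carries no code. Two things are assumptions, because the post gives no such detail: WeakPassword is a hypothetical generator that derives the 64-hex password from a small seed, standing in for whatever made the real password enumerable, and the file cipher is modelled as AES-256 in CTR mode with the 32 decoded password bytes as key and their first 16 bytes as IV (with CBC the same first-block check applies). The sample PNG and its ciphertext are constructed inline. What the example shows is why a small *.png.CRRRT is the right input: the fixed 8-byte PNG signature lets each candidate be rejected after decrypting a single block, and a false positive would need those 8 bytes to appear by chance, so a hit can be confirmed and then used on the whole folder.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Every PNG starts with this 8-byte signature, which is why a tiny encrypted
// PNG is a ready-made known-plaintext oracle for testing candidate keys.
var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// WeakPassword is a HYPOTHETICAL generator standing in for whatever made the
// real 64-hex password guessable: it derives the password from a small seed,
// so the candidate space can be enumerated. It is not the malware's algorithm.
func WeakPassword(seed uint32) string {
	var b [4]byte
	binary.LittleEndian.PutUint32(b[:], seed)
	sum := sha256.Sum256(b[:])
	return hex.EncodeToString(sum[:]) // 64 hex characters, as in the post
}

// keyAndIV is an ASSUMED mapping from the hex password to an AES-256 key and
// an IV: the 32 decoded bytes are the key, the IV is its first 16 bytes.
func keyAndIV(password string) ([]byte, []byte, error) {
	key, err := hex.DecodeString(password)
	if err != nil || len(key) != 32 {
		return nil, nil, errors.New("password is not 64 hex characters")
	}
	return key, key[:aes.BlockSize], nil
}

// CryptCTR encrypts or decrypts (CTR is symmetric) the first n bytes of data.
// AES-CTR is assumed here; with CBC the same first-block check applies.
func CryptCTR(password string, data []byte, n int) ([]byte, error) {
	key, iv, err := keyAndIV(password)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if n > len(data) {
		n = len(data)
	}
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, data[:n])
	return out, nil
}

// LooksLikePNG decrypts only the signature-length prefix and compares it, so
// each candidate costs a single AES block regardless of file size.
func LooksLikePNG(password string, ct []byte) bool {
	head, err := CryptCTR(password, ct, len(pngSig))
	return err == nil && bytes.Equal(head, pngSig)
}

// BruteForce walks the hypothetical seed space and returns the first password
// whose decrypted prefix carries the PNG signature. A false positive needs 8
// specific bytes to appear by chance, so a hit is as good as confirmed.
func BruteForce(ct []byte, maxSeed uint32) (string, bool) {
	for seed := uint32(0); seed <= maxSeed; seed++ {
		if pw := WeakPassword(seed); LooksLikePNG(pw, ct) {
			return pw, true
		}
	}
	return "", false
}

// SamplePNG is a constructed stand-in: signature plus an IHDR chunk header.
var SamplePNG = append(append([]byte{}, pngSig...),
	"\x00\x00\x00\x0dIHDR\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"...)

// DemoSeed is the secret the demo "victim" was encrypted under.
const DemoSeed = 4242

// SampleCiphertext plays the role of a victim's small *.png.CRRRT file.
func SampleCiphertext() []byte {
	ct, err := CryptCTR(WeakPassword(DemoSeed), SamplePNG, len(SamplePNG))
	if err != nil {
		panic(err)
	}
	return ct
}

func main() {
	ct := SampleCiphertext()
	pw, ok := BruteForce(ct, 1<<16)
	pt, _ := CryptCTR(pw, ct, len(ct))
	fmt.Println("found:", ok, pw, "plaintext restored:", bytes.Equal(pt, SamplePNG))
}
```

The cost per candidate is one key schedule plus one block, which is why the post recommends the smallest PNG available: the file size never matters to the check, only to the final decryption once the password is confirmed.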


#3 al1963 (Member, 839 posts)

Posted 01 July 2016 - 02:16 AM

Demonslay335,

it's not Xorist, by chance?


Edited by al1963, 01 July 2016 - 02:21 AM.


#4 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 01 July 2016 - 08:25 AM

Nope, completely different infection, different coding language even. If it was Xorist, I wouldn't bother making a decrypter and just let Fabian handle it. :)




#5 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 06 July 2016 - 04:18 PM

I have seen submissions for a new variant of this ransomware. Unfortunately, my decrypter does not work, so I will need a sample in order to analyze it for changes.

 

The new extension is ".CCCRRRPPP", and the ransom note appears to be "ORID.jpg", pictured below with the exact same email address and Tor address.

 

[Image: ransom note ORID.jpg]

 

If anyone has been hit by this ransomware, please submit malicious files suspected to be involved here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#6 Amigo-A (Member, 228 posts, "3st station from Sun")

Posted 07 July 2016 - 09:19 AM

Demonslay335,

 

I added a link to this topic for information and assistance. 


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#7 kars123 (Member, 4 posts)

Posted 09 July 2016 - 09:51 AM

I sent the infected files. Waiting for the results. Anything else?


Edited by kars123, 09 July 2016 - 09:52 AM.


#8 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 09 July 2016 - 09:55 AM

kars123 wrote:
I sent the infected files. Waiting for the results. Anything else?

 

I need the malware itself. Please scan your system for any malicious files, or if you have an email or download that caused it. I do not know exactly how this one is distributed, but it is most likely a malicious download from a website, or an email attachment. You may scan with HitmanPro and Malwarebytes to find anything suspicious, also look in %TEMP% and %APPDATA%.




#9 kars123 (Member, 4 posts)

Posted 09 July 2016 - 10:17 AM

I sent the virus in the archive. It was an attached file in an email.



#10 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 09 July 2016 - 10:59 AM

kars123 wrote:
I sent the virus in the archive. It was an attached file in an email.

 

Thanks. It is definitely the encryptor, I will be taking a closer look at it later today.




#11 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 09 July 2016 - 01:03 PM

I'm afraid the new variant does not look to be decryptable. I will release more details later, but they completely switched everything up. It now uses RSA-2048 to encrypt files with a randomly generated key pair; the private key is stored on the system, but is mangled with math, and then encrypted with a static public RSA key.




#12 kars123 (Member, 4 posts)

Posted 10 July 2016 - 10:05 AM

Demonslay335 wrote:
I'm afraid the new variant does not look to be decryptable. I will release more details later, but they completely switched everything up. It now uses RSA-2048 to encrypt files with a randomly generated key pair; the private key is stored on the system, but is mangled with math, and then encrypted with a static public RSA key.


It's very sad. But thanks for trying.



#13 kars123 (Member, 4 posts)

Posted 15 July 2016 - 02:34 AM

I managed to recover 90% of my files using the program ShadowExplorer 0.9.


#14 quietman7 (Bleepin' Janitor, Global Moderator, 49,953 posts, Virginia, USA)

Posted 15 July 2016 - 04:21 AM

Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using native Windows Previous Versions or a program like Shadow Explorer...but it never hurts to try in case the malware did not do what it was supposed to do. It is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#15 Demonslay335 (Ransomware Hunter, Topic Starter, Security Colleague)

Posted 01 August 2016 - 02:33 PM

I have acquired a new sample of this one that uses the extension ".blocked", and the ransom note "!!!!!!!!Как восстановить файлы!!!!!!!.txt" ("How to restore files") with the following contents (translated from Russian).
 

Your files have been encrypted using the cryptographically strong RSA-2048 algorithm.
If you want them back, send one of the encrypted files and the file keyvalue.bin to the e-mail: unlock92@india.com
If you do not receive a reply within 24 hours, download the TOR browser from the site www.torproject.con and use it to visit the site:
http://fnjmegsn7tbrrnkl.onion - the currently working mailbox will be listed there. It is impossible to reach this site without the TOR browser.
Attempts to recover the files on your own may irreversibly corrupt them!

 
I'm afraid this one is also not decryptable, as their claims are still true. Files are encrypted with a randomly generated RSA-2048 public key, and the private key is encrypted with a static RSA-2048 public key and saved as keyvalue.bin. Files can only be decrypted with the use of the criminal's private key.


Edited by Demonslay335, 01 August 2016 - 02:36 PM.

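The per-victim key escrow that posts #11 and #15 describe (files encrypted to a freshly generated RSA-2048 key pair, that pair's private key wrapped under the operator's static public key and left behind as keyvalue.bin), modelled as an added Go example. It is not the malware's code and not Demonslay335's analysis; the page itself has no code. Assumptions of the model: RSA-OAEP with SHA-256, data split into chunks that fit one RSA message (the posts say nothing about padding or chunking), and the victim private key serialised as PKCS#1 DER. The extra "mangling with math" of the private key mentioned in post #11 is not modelled. The sample files are constructed. What the example makes concrete is why a keyvalue.bin on disk does not help: Recover works with the operator's private key and fails the OAEP check with any other one, so nothing short of that key unlocks the files.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"strings"
)

const Bits = 2048 // matches the RSA-2048 named in the ransom note

// encryptChunks splits data into pieces that fit one RSA-OAEP message and
// encrypts each under pub. Chunked OAEP is this demo's assumption.
func encryptChunks(pub *rsa.PublicKey, data []byte) ([][]byte, error) {
	maxLen := pub.Size() - 2*sha256.Size - 2
	var out [][]byte
	for len(data) > 0 {
		n := len(data)
		if n > maxLen {
			n = maxLen
		}
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data[:n], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, c)
		data = data[n:]
	}
	return out, nil
}

// decryptChunks reverses encryptChunks; a wrong key fails the OAEP check.
func decryptChunks(priv *rsa.PrivateKey, chunks [][]byte) ([]byte, error) {
	var out []byte
	for _, c := range chunks {
		p, err := rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, p...)
	}
	return out, nil
}

// Victim is what is left on the machine: files under the per-victim public
// key, and its private half wrapped under the operator's key (keyvalue.bin).
type Victim struct {
	Files  map[string][][]byte
	KeyBin [][]byte
}

// Infect: fresh key pair per victim, files to its public half, private half
// escrowed to the operator and then dropped.
func Infect(operatorPub *rsa.PublicKey, files map[string][]byte) (*Victim, error) {
	victimKey, err := rsa.GenerateKey(rand.Reader, Bits)
	if err != nil {
		return nil, err
	}
	v := &Victim{Files: map[string][][]byte{}}
	for name, data := range files {
		if v.Files[name], err = encryptChunks(&victimKey.PublicKey, data); err != nil {
			return nil, err
		}
	}
	if v.KeyBin, err = encryptChunks(operatorPub, x509.MarshalPKCS1PrivateKey(victimKey)); err != nil {
		return nil, err
	}
	return v, nil // victimKey is not retained: only the wrapped copy survives
}

// Recover is the operator's side: unwrap the victim key, then decrypt files.
func Recover(operatorPriv *rsa.PrivateKey, v *Victim) (map[string][]byte, error) {
	der, err := decryptChunks(operatorPriv, v.KeyBin)
	if err != nil {
		return nil, fmt.Errorf("keyvalue.bin does not unwrap under this private key: %w", err)
	}
	victimKey, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for name, chunks := range v.Files {
		if out[name], err = decryptChunks(victimKey, chunks); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// SampleFiles is constructed input standing in for a victim's documents.
var SampleFiles = map[string][]byte{
	"report.docx": []byte(strings.Repeat("constructed document text. ", 12)),
}

func main() {
	operator, _ := rsa.GenerateKey(rand.Reader, Bits)
	v, _ := Infect(&operator.PublicKey, SampleFiles)
	fmt.Println(Recover(operator, v))
}
```

The design point is the one in post #15: the victim's private key exists on disk only in wrapped form, and the wrapping key's private half never leaves the operator, so there is nothing for a decrypter to recover without it.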




