There is a decrypter that can help victims of the Unlock92 ransomware recover their files for free.
The decrypterUnlock92 is a new ransomware spotted by Malwarebytes security researcher S!Ri. The ransomware is from the same developer of the Kozy.Jozy ransomware that appeared over a week ago.
Security researcher Michael Gillespie created the decrypter.
While Kozy.Jozy used a strong RSA-2048 algorithm system that prevented researchers from cracking its encryption routine, it appears its author decided to make some modifications to Unlock92’s codebase that eventually weakened its defenses.
Users can visit the ID Ransomware service to detect with what type of ransomware they suffer from, but they can easily spot a Unlock92 infection based on the CRRRT extension it adds to each encrypted file.
Additionally, the ransomware also changes your wallpaper with a message that tells you to send an email to firstname.lastname@example.org.
When locking files, Unlock92 generates a random 64-character hexadecimal password for each infected user. Files end up encrypted with a symmetric AES encryption, and the above password is encrypted with RSA and sent to the criminal’s server. The ransomware targets the following file extensions:
.cd, .ldf, .mdf, .max, .dbf, .epf, .1cd, .md, .db, .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .ai, .bmp, .png, .cdr, .psd, .jpeg, .docx, .xlsx, .pptx, .accdb, .mdb, .rtf, .odt, .ods, .odb, .odg
Additionally, in spite of the fact the presence of a ransom note in Russian, the ransomware doesn’t use any type of geo filters.
Click here to download Gillespie’s Unlock92 decrypter.