The Unlock92 ransomware, which appeared at the start of July but was quickly cracked, silently reappeared in the middle of August and has been targeting victims ever since while staying under the radar.
The ransomware held the media’s attention only briefly, as researchers managed to crack it very quickly and release a free decryptor to recover victims’ files.
Even though their first attempt was a failure, the crooks behind Unlock92 didn’t give up and continued working on their product. As a result, the ransomware came back in new versions that use much stronger encryption, against which the free decryptor does not work.
Looking at the bigger picture, however, Unlock92’s first version may have been a mistake, or perhaps a test. The same people behind Unlock92 previously developed the Kozy.Jozy ransomware, which relied on RSA-2048 to lock victims’ data.
After the first version was cracked, the developers ported the same RSA-2048 scheme into Unlock92’s current variant. So either the first versions used weak encryption by mistake or the developers did it on purpose as a test; the group is clearly capable of implementing stronger encryption, as Kozy.Jozy shows.
The earlier, weak version can be easily recognized by the “.CRRRT” extension it appends to encrypted files. The latest variants append the “.CCCRRRPPP” or “.LOCKED” extensions instead.
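As an added triage example (not code from the article, from the ransomware authors, or from any decryptor), the Python helper below applies the extension rule above to a file listing: it counts how many files carry the early “.CRRRT” marker versus the later “.CCCRRRPPP”/“.LOCKED” markers, recovers the original file types from the double extensions, notes whether the keyvalue.bin file named in the ransom note is present, and states whether the free decryptor for the early variant is worth trying. The sample paths, the “early”/“late” labels and the verdict wording are assumptions made for this example.

```python
"""Triage helper for a suspected Unlock92 infection (added example, not the article's code).

Classifies files by the extension the ransomware appends, as described in the
article: ".CRRRT" marks the early variant that the free decryptor could handle,
".CCCRRRPPP" and ".LOCKED" mark the later RSA-2048 variants. Windows-style paths
are parsed with PureWindowsPath so the script also runs on non-Windows analysis hosts.
"""
from __future__ import annotations

from collections import Counter
from pathlib import PureWindowsPath
from typing import Iterable

# Appended extensions reported in the article, mapped to an assumed generation label.
EXTENSION_TO_VARIANT = {
    ".crrrt": "early",      # weak encryption; a free decryptor existed
    ".cccrrrppp": "late",   # RSA-2048 variant, no free decryptor
    ".locked": "late",      # RSA-2048 variant, no free decryptor
}

# File name the ransom note tells victims to send to the attackers.
KEY_FILE_NAME = "keyvalue.bin"


def classify_path(path: str) -> str | None:
    """Return 'early', 'late' or None for one path, based on its final suffix."""
    suffix = PureWindowsPath(path).suffix.lower()
    return EXTENSION_TO_VARIANT.get(suffix)


def triage(paths: Iterable[str]) -> dict:
    """Summarise which Unlock92 generation is present in a file listing.

    Returns per-variant counts, the original extensions recovered from the
    encrypted names, whether keyvalue.bin was seen, and a verdict string.
    """
    counts: Counter[str] = Counter()
    original_suffixes: Counter[str] = Counter()
    key_file_seen = False

    for p in paths:
        name = PureWindowsPath(p).name
        if name.lower() == KEY_FILE_NAME:
            key_file_seen = True
            continue
        variant = classify_path(p)
        if variant is None:
            continue
        counts[variant] += 1
        # The marker is appended after the original extension, so stripping one
        # suffix reveals what the file was (e.g. ".docx"); "(none)" if it had none.
        original = PureWindowsPath(name).with_suffix("").suffix.lower() or "(none)"
        original_suffixes[original] += 1

    if counts["late"]:
        verdict = "late variant (RSA-2048): the free decryptor for the early variant does not apply"
    elif counts["early"]:
        verdict = "early variant: try the free decryptor before anything else"
    else:
        verdict = "no Unlock92 markers found"

    return {
        "early": counts["early"],
        "late": counts["late"],
        "original_suffixes": dict(original_suffixes),
        "keyvalue_bin_present": key_file_seen,
        "verdict": verdict,
    }


# Constructed sample listing (not real victim data), assumed for the demo run.
SAMPLE_LISTING = [
    r"C:\Users\ivan\Documents\report.docx.CRRRT",
    r"C:\Users\ivan\Pictures\photo.jpg.crrrt",
    r"C:\Users\ivan\Desktop\keyvalue.bin",
    r"C:\Users\ivan\Desktop\README.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Feed it the output of a directory walk or a forensic file listing; the verdict is only a first hint, since a later sample could reuse an old extension, so confirm the variant from the ransom note and the sample itself before relying on any decryptor.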
Independent security researcher MalwareHunterTeam, who has been following Unlock92 from the very beginning, said that its creators are very active and regularly release new versions of the ransomware.
“They are very active. Every 1-2 days there’s a new sample,” he said. “The actor(s) behind this have not given up after a few samples like most skids. Actually, if you don’t count the big ones like Locky, Cerber, CryptXXX, and the ransomware kits, you won’t find many ransomware projects which keep going for months like this.”
Aside from MalwareHunterTeam, others have also noticed Unlock92’s increased activity. The Dell SonicWall Threat Research team spotted the rising number of Unlock92 infections and issued an alert on September 9th.
At this point, the ransomware is targeting only Russian users. All ransom notes are available only in Russian, including the TXT files the ransomware drops on infected computers, on the user’s Desktop and in the Start Menu.
Below is a rough translation of the Unlock92 ransom note:
“Your files are encrypted with the RSA-2048 algorithm cryptographically. If you want to recover them, send one of the encrypted files and the keyvalue.bin file to the e-mail address: firstname.lastname@example.org If you do not receive a reply within 24 hours, then download the TOR browser from www.torproject.com and visit the following website: hxxp://ezxxxxxxxxxxxxxx.onion – the most current email address will be listed there. It is not possible to visit this website without a TOR browser. Attempts to self-recover files may irreversibly damage them!”
The fact that Unlock92 currently hits only Russian-speaking users is not at all reassuring. A crook would need about five seconds to alter the ransomware’s code and lift the geo-targeting filters, so this threat could go from Russian to global in no time.