Unlock92 Ransomware V2.0 seen in the wild
The Dell Sonicwall Threat Research team has received reports of yet another ransomware. Unlock92 ransomware was first seen barely two months ago and security researchers were quick to jump on it to find flaws in its implementation and create a decryption tool to help victims restore files. But cybercriminals immediately caught on and released a new version where files are encrypted with a randomly generated RSA-2048 key.
Unlock92 arrives as a seemingly harmless Microsoft Office file and may use the following icons:
Figure 1: Unlock92 purports to be a harmeless Word document or Excel spreadsheet
Upon execution, it spawns the corresponding legimate MS Office executable to launch that application:
Figure 2: Unlock92 launches the legitimate MS Excel program
Figure 3: Unlock92 launches the legitimate MS Word program
Also seen in figure 3 above is Unlock92 spawning cmd.exe. It runs the net view command to find the list of domains, computers, or shared resources accessible from the victim's machine.
Figure 4: Unlock92 runs the net view command
Upon successful infection, Unlock92 encrypts the victim's file and adds a ".blocked" extension to them.
Figure 5: Example of encrypted files in a victim's machine
It also adds a copy of the instruction file and keyvalue.bin file to all the directories in the system as seen in Figure 5 above. The private key is encrypted with a RSA-2048 public key and saved as a file named keyvalue.bin. These files are also added to the Startup menu so they are launched automatically when you start Windows.They are also pinned to the Start and Program menus so the victim will never miss them.
Figure 6: Instruction file and keyvalue.bin files pinned to Start/Program menus
The instruction file whose file name translates to "!!!!!!!! How to recover files !!!!!!!" reads:
"Your files are encrypted with RSA- 2048 algorithm cryptographically . If you want to recover them, send one of the encrypted files and keyvalue.bin file to the e-mail address: email@example.com If you do not receive a reply within 24 hours, then download the TOR browser from www.torproject.com and visit the following website: hxxp://ezxxxxxxxxxxxxxx.onion - the most current email address will be listed there. It is not possible to visit this website without a TOR browser. Attempts to self-recover files may irreversibly damage them!"
Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Unlock92.A (Trojan)