Unlock92 Ransomware V2.0 seen in the wild (Sep 9, 2016)


The Dell Sonicwall Threat Research team has received reports of yet another ransomware. Unlock92 ransomware was first seen barely two months ago and security researchers were quick to jump on it to find flaws in its implementation and create a decryption tool to help victims restore files. But cybercriminals immediately caught on and released a new version where files are encrypted with a randomly generated RSA-2048 key.

Infection Cycle:

Unlock92 arrives as a seemingly harmless Microsoft Office file and may use the following icons:

Figure 1: Unlock92 purports to be a harmless Word document or Excel spreadsheet

Upon execution, it spawns the corresponding legitimate MS Office executable to launch that application:

Figure 2: Unlock92 launches the legitimate MS Excel program

Figure 3: Unlock92 launches the legitimate MS Word program

Also seen in Figure 3 above is Unlock92 spawning cmd.exe. It runs the net view command to enumerate the domains, computers, and shared resources reachable from the victim’s machine.

Figure 4: Unlock92 runs the net view command

Upon successful infection, Unlock92 encrypts the victim’s files and appends a “.blocked” extension to them.

Figure 5: Example of encrypted files in a victim’s machine

It also drops a copy of the instruction file and the keyvalue.bin file into every directory on the system, as seen in Figure 5 above. The private key is encrypted with an RSA-2048 public key and saved as the file keyvalue.bin. These files are also added to the Startup menu so they are launched automatically when Windows starts. They are also pinned to the Start and Program menus so the victim will never miss them.

Figure 6: Instruction file and keyvalue.bin files pinned to Start/Program menus
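As an added example (not SonicWall's code nor anything from the malware), the Python below checks for two of the behaviors described above: a parent process that both launches a legitimate Office executable and runs net view through cmd.exe, and a directory tree carrying the ".blocked" extension and keyvalue.bin drops. The process events and the file tree are constructed inline, and the event field names (pid, ppid, image, cmdline) are an assumed log schema.

```python
import os
import tempfile
from collections import defaultdict

# Indicators taken from the advisory text above
ENCRYPTED_EXT = ".blocked"
KEY_FILE = "keyvalue.bin"
OFFICE_IMAGES = {"winword.exe", "excel.exe"}


def _image_name(path):
    # Handle Windows paths even when this runs on a POSIX host
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_suspicious_parents(events):
    """Return the ppids that both spawned an Office executable and
    ran 'net view' via cmd.exe, the Unlock92 launch pattern."""
    seen = defaultdict(lambda: {"office": False, "netview": False})
    for ev in events:
        image = _image_name(ev["image"])
        if image in OFFICE_IMAGES:
            seen[ev["ppid"]]["office"] = True
        elif image == "cmd.exe" and "net view" in ev["cmdline"].lower():
            seen[ev["ppid"]]["netview"] = True
    return {p for p, f in seen.items() if f["office"] and f["netview"]}


def scan_tree(root):
    """Count '.blocked' files and list directories holding keyvalue.bin."""
    blocked, key_dirs = 0, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                blocked += 1
            elif name.lower() == KEY_FILE:
                key_dirs.append(dirpath)
    return {"blocked_files": blocked, "keyvalue_dirs": sorted(key_dirs)}


def build_sample_tree():
    """Constructed sample: two folders of encrypted files, each with keyvalue.bin."""
    root = tempfile.mkdtemp()
    for sub in ("Documents", "Pictures"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for f in ("report.docx.blocked", "photo.jpg.blocked", KEY_FILE):
            open(os.path.join(d, f), "wb").close()
    open(os.path.join(root, "untouched.txt"), "wb").close()
    return root


# Constructed process-creation events, not a real capture
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Invoice.exe", "cmdline": "Invoice.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Office\EXCEL.EXE", "cmdline": "EXCEL.EXE"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net view"},
    {"pid": 300, "ppid": 100, "image": r"C:\Office\WINWORD.EXE", "cmdline": "WINWORD.EXE a.docx"},
]
```

Only pid 200 is flagged: explorer.exe (pid 100) launching Word alone is normal user activity, which keeps the rule from firing on every Office session.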

The instruction file whose file name translates to “!!!!!!!! How to recover files !!!!!!!” reads:

"Your files are encrypted with RSA-2048 algorithm cryptographically. If you want to recover them, send one of the encrypted files and keyvalue.bin file to the e-mail address: unlock92@india.com If you do not receive a reply within 24 hours, then download the TOR browser from www.torproject.com and visit the following website: hxxp://ezxxxxxxxxxxxxxx.onion - the most current email address will be listed there. It is not possible to visit this website without a TOR browser. Attempts to self-recover files may irreversibly damage them!"

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Unlock92.A (Trojan)