What is UltraLocker Ransomware?

UltraLocker ransomware is a computer virus that encrypts personal files and claims “the only way you can recover your files it to buy a decryption key.”

Table of Contents

Overview

Names Distribution
UltraLocker virus, UltraLocker ransomware Email, Exploit Kits, Social Media

UltraLocker is predominantly distributed by malicious emails that contain deceptive links or attachments. The email attachments or files downloaded by the links will typically consist of a.zip file or fake Microsoft Word document file. If files from the .zip file are manually extracted it will unpack a file such as a JavaScript file. When the JavaScript file is manually executed by the user or another file is opened it will cause the malware to spread across the machine.

Targeted File Extensions

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

This ransomware is an open-source program spawned from the “proof of concept” project on Hencrypts files that match certain file extensions with RSA-2048 and AES-128 ciphers. The encryption process will render the files inaccessible to the user one successful. The files encrypted by the virus are given the .sage file extension and SAGE file type, and the file name will become randomized or given a pattern such as [unique_id][identifier].sage. Ransom notes named !Recovery_[6_random_characters].html and !Recovery_[6_random_characters]_.txt will then be placed in every folder the virus encrypted files in and on Windows desktop. In addition, Windows desktop or wallpaper will change to an image of the ransom note and an image file of the ransom note will also be left in every folder the virus encrypted files in.

Screenshot

UltraLocker

Ransom Note Example

Not your language? Use hxxps://translate.google.com
WARNING!
YOUR DOCUMENTS, DATABASES, PROJECT FILES, AUDIO AND VIDEO CONTENT AND OTHER CRITICAL FILES HAVE BEEN ENCRYPTED WITH A PERSISTENT MILITARY-GRADE CRYPTO ALGORITHM
How did this happen?
Specially for your PC was generated personal 4096 bit RSA key, both public and private. All your files have been encrypted with the public key. Decrypting of your files is only possible with the help of the private key and de-crypt program.....
What do I do?...
Don't wait for a miracle and the price doubled!Start obtaining Bitcoin now and restore your data easy way! If you HAVE REALLY VALUABLE DATA, you better NOT WASTE YOUR TIME, because there is NO OTHER WAY to get your files, EXCEPT MAKE A PAYMENT.Your personal ID:..
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - hxxp://qbxeaekvg7o3lxnn.onion.to
2 - hxxp://qbxeaekvg7o3lxnn.onion.cab
3 - hxxp://qbxeaekvg7o3lxnn.onion.city
What should you do with these addresses?
1. Take a look at the first address (in this case it is
hxxp://qbxeaekvg7o3lxnn.onion.to);
2. Select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. Release the left mouse button and press the right one;
4. Select "Copy" in the appeared menu;
5. Run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. Move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. Click the right mouse button in the field where the site address is written;
8. Select the button "Insert" in the appeared menu;
9. Then you will see the address hxxp://qbxeaekvg7o3lxnn.onion.to appeared there;
10. Press ENTER;
11. The site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.If for some reason the site cannot be opened check the connection to the Internet. Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available:
1. Run your Internet browser (if you do not know what it is run the Internet Explorer);
2. Enter or copy the address hxxps://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. Wait for the site loading;
4. On the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 
5. Run Tor Browser;
6. Connect with the button "Connect" (if you use the English version);
7. A normal Internet browser window will be opened after the initialization;
8. type or copy the address hxxp://qbxeaekvg7o3lxnn.onion in this browser address bar;
9. Press ENTER;
10. The site should be loaded; if for some reason the site is not loading wait for a moment and try again
!!! IMPORTANT !!!
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.

Wallpaper Note Example

ATTENTION!
UltraLocker encrypted all your files!
All your files, images, videos, and databases were encrypted and made inaccessible by software known as UltraLocker.
You have no chance to restore the files without our help. But if you follow our instructions files can be restored easily. Instructions on how to get your files back are stored on every disk, in your documents and on your desktop. Look for files !Recovery_47UdPQ.txt and !Recovery_47UdPQ.html If you can’t find files, use the program “Tor Browser” (you can find it in Google) to access to (onion) web site http://qbxeaekvg7o3lxnn.onion to get your instructions.

The ransom note left on the computer by this ransomware contains information about what happened to the files, links to pages on Wikipedia, and steps to download and install Tor Browser in order to visit a web address and pay a ransom.

It is suggested to avoid paying ransomware authors to decrypt your files. Instead, third-party programs Shadow Explorer, PhotoRec, or Recuva can be used to potentially recover files encrypted by this virus. A user may also be able to retrieve encrypted files by performing a system restore to a date and time before the infection occurred.

Removal Software

Name Detection Download
Malwarebytes Anti-Malware Ransomware Download (Free) | Buy
HitmanPro by Surfright Ransomware Download (Free)

Decryption Software

Decryption Software

File Recovery Software

Name Description Download
Shadow Explorer Restores lost or damaged files from Shadow Copies Download (Free)
Photorec Recovers lost files Download (Free)
Recuva Recovers lost files Download (Free) | Buy

Troubleshoot

Alternative methods are suggested if there are issues removing UltraLocker ransomware from an infected computer.

How to Restore your computer

If a restore point has previously been established on your machine you will be able to perform a system restore in order to restore your machine to a date and time before it was infected. You will lose files on your computer that were obtained prior to the restore point.

There are several options to restore your computer. Most computers have their own restore software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default restore program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

How to Recover your computer to factory settings

A system recovery (or reset) will recover your computer to factory settings. You will lose the current programs and files on your computer.

There are several options to recover your computer to factory settings. Most computers have their own recovery software that can be found by performing a search. Additionally, computers that run the Windows Operating System have a default recovery program that can also be found by performing a search.

A boot screen that can be used to access options to restore your computer can be reached by rebooting your computer and pressing the F8 key once the manufacture screen is displayed.

Reader Interactions

Leave a Reply

Your email address will not be published.