Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Unlock92 Ransomware

Unlock92 Ransomware is a malicious Trojan-type infection created by the same developers that made Kozy.Jozy Ransomware. You have to remove this infection as soon as possible, but be warned that by doing so you will eliminate the possibility to decrypt your files. However, there is little hope that the criminals behind this ransomware will give you the decrypter after you have paid the ransom. If your PC is not protected with an anti-malware program, then this ransomware can easily infect it, and you will not notice the infection process taking place. Once on your PC, it will encrypt most of the files on your hard drive and demand that you pay a ransom. This malicious program requires a more detailed overview, so if you are interested, please continue reading.

As mentioned, Unlock92 Ransomware comes from the same developers that released Kozy.Jozy Ransomware. So we were not surprised to discover that it is also disseminated using email spam. We have found that the fake emails can be made to look like invoices, receipts or tax return forms. They contain an attachment that is usually made to look like a .Doc, Docx or a PDF file, but in reality, it is a dropper file that places Unlock92 Ransomware’s executable onto your computer. Take note that the name of its executable is random and can vary in character length and their arrangement. It can also be named using uppercase and lowercase letters and also include numbers. The malicious executable should be dropped in the Downloads folder or any other file path specified by the user.

We believe that this ransomware is distributed in Russian and other countries where the Russian is spoken by a significant portion of the population, such as in Ukraine, Belarus, Kazakhstan, and several other countries. We say this because all of the information regarding the ransom payment is in the Russian language. For example, the ransom note states “ВАШИ ФАЙЛЫ БЫЛИ ЗАШИФРОВАНЫ!” which means “your files have been encrypted!” Furthermore, one of its files is named !!!!!!!!Êàê âîññòàíîâèòü ôàéëû!!!!!!!.txt and the line of bizarre characters is actually a statement in Cyrillic with the wrong encoding. The name ought to say “Как восстановить файлы” which means “How to recover your files.” The ransom note provides instructions on what to do to get yor files back and one of the steps is bound to involve money. You should not expect the cyber criminals to hold their end of the bargain because they are they are the ones that got your PC infected in the first place. It also drops a second file named keyvalue.bin to each folder where a file has been encrypted. Some iterations of this ransomware might also replace the desktop wallpaper, but the sample we have tested did not do that.

At any rate, the instructions provided in the random note ask you to contact the criminals via email, writing to They want to send them one of the encrypted files so that they could decrypt it to show you that they mean business. They should send you back the decrypted file but, again, that is not to say that they will decrypt all of them. We think that they should ask you for 1 BTC which is an approximate 700 USD. Whether or not this sum of money is worth paying is up to you, but we stand against paying the ransom regardless.

Research has shown that this ransomware is set to encrypt dozens of file formats that include but are not limited to .pdf, .ppt, .xls, .doc, .arj, .tar, .7z, .rar, .zip, .tif, .jpg, .bmp, .png, .cdr, .psd, and .jpeg. While encrypting, the ransomware will replace the default file extensions with either .blocked, .CRRRT or .CCCRRRPPP extension. In our case, the ransomware opted to add the .blocked extension. Unlock92 Ransomware uses the RSA-2048 encryption algorithm, which means that the encryption is quite strong. However, if this ransomware is anything like Kozy.Jozy Ransomware, then a free decryption tool might soon be under way because the above-mentioned ransomware's encryption was broken.

Therefore, we suggest that you refrain from complying with the cyber criminals’ demands and remove Unlock92 Ransomware from your computer using the instructions provided at the bottom. It is paramount that you delete its main executable because if you accidentally run it again, then it will encrypt any newly added files. Its other files are not that important, but you need to get rid of them as well.

Delete Unlock92 Ransomware’s files

  1. Locate and delete the main executable (check the Downloads folder, desktop etc.)
  2. Hold down Windows+E keys.
  3. In the File Explorer’s address box, enter the following locations.
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  4. Locate and delete !!!!!!!!Êàê âîññòàíîâèòü ôàéëû!!!!!!!.txt (!!!!!!!!Как восстановить файлы!!!!!!!.txt) and keyvalue.bin (also named key.bin)
Download Spyware Removal Tool to Remove* Unlock92 Ransomware
  • Quick & tested solution for Unlock92 Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.