Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Blocks system files from running
  • Can't be uninstalled via Control Panel

UltraCrypter Ransomware

UltraCrypter Ransomware is a Trojan-type infection that is designed to encrypt all files on your PC and demand money in exchange for the decryption key. However, you should remove it without paying the ransom because there is a good chance that you will not get this key after you pay. Like all malware of this type, it is set to extort money from you, so you should not, in the least, trust the cyber crooks that developed it. This ransomware uses an advanced encryption algorithm that you cannot crack without having the necessary decryption key, but the alternative is a hefty $567 USD ransom. Are your files worth this kind of money? Keep in mind that by paying the ransom you will finance the development of new ransomware.

We have discovered that UltraCrypter Ransomware is distributed using P2P file sharing platforms and, of course, email attachments. Its developers have set up a server that sends email spam to random email addresses. The content of the letter includes text regarding a business inquiry and an attachment that can be an executable file disguised as a PDF file or a self-extracting archive. Furthermore, this ransomware uses the Angler exploit kit, which can be configured to install malware, collect confidential data, or tie the infected system to a botnet (a group of computers used to deliver cyber attacks). The Angler exploit kit can take advantage of security holes in your system, of which there are many. We found that it drops a file to %WINDIR%\SysWOW64\msxml6r.dll and %WINDIR%\system32\msxml6r.dll. Therefore, you must keep your computer up to date with Windows updates and have a powerful anti-malware tool to ward off all infections.

Our research has shown that once UltraCrypter Ransomware enters a computer, it scans it for files of interest and encrypts them. It scans for file formats that are most likely to contain valuable personal information for which the victim would be ready to pay the ransom. It has been configured to encrypt close to a hundred file formats that include but are not limited to .rar, .m4a, .wma, .avi, .zip, .sie, .sum, .pptx, .ppt, .xlk, .xlsb, .docm, .docx, .doc, and .txt. Once the encryption is complete, the .cryp1 file extension is appended to the files, and this ransomware creates .bmp, .html, and .txt files on the desktop. It also changes the desktop wallpaper to an image that says that all of your files have been encrypted. So this infection can ruin valuable files and keep them unusable, and the cyber crooks want you to pay in order to restore them.

Unfortunately, there is no way to decrypt the files without getting the appropriate decryption key because UltraCrypter Ransomware uses the RSA-2048 key (AES CBC 256-bit encryption cipher). Hence, it uses an advanced encryption method that is impossible to crack. As mentioned, this ransomware wants you to pay $567 USD for the decryption key, but it also sets a payment deadline, and if you fail to meet it, the ransom will increase to $1008 USD. Also, we have to note that it wants you to pay the initial $567 USD in Bitcoins (1.2 BTC). Of course, the cyber crooks have included instructions on how to get Bitcoins. They use this payment method to avoid getting caught because the authorities cannot trace the payment to a particular person.

UltraCrypter Ransomware is very similar to CryptXXX Ransomware, and it uses the same unconventional method to work. It does not have an executable file because all of its files are in the .DLL format. Our research has revealed that it creates a randomly named CLSID folder in %TEMP%, and the .dll file in that folder is launched with the help of rundll32.exe located in %WINDIR%\SysWOW64 or %WINDIR%\System32. The rundll32.exe file is copied to the randomly named CLSID folder of this ransomware and renamed vchost.exe. Note that this file is not malicious, but it is used to make this ransomware work.
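The layout described above can be checked for on a live system or on a collected copy of a user's Temp folder. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes a genuine rundll32.exe is available as a reference so that a renamed copy is matched by content rather than by the name vchost.exe.

```python
import hashlib
import os
import re
from pathlib import Path

# Folder named like a CLSID: {8-4-4-4-12 hex digits}
CLSID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_temp(temp_root, rundll32_refs):
    """Flag CLSID-named folders holding a DLL plus a renamed copy of rundll32.exe."""
    ref_hashes = {sha256(p) for p in rundll32_refs if Path(p).is_file()}
    findings = []
    for d in sorted(Path(temp_root).iterdir()):
        if not (d.is_dir() and CLSID_DIR.match(d.name)):
            continue
        files = [p for p in d.iterdir() if p.is_file()]
        dlls = sorted(p.name for p in files if p.suffix.lower() == ".dll")
        # Match on content, not name, so any rename of the genuine binary is caught
        renamed = sorted(p.name for p in files
                         if p.suffix.lower() == ".exe"
                         and p.name.lower() != "rundll32.exe"
                         and sha256(p) in ref_hashes)
        if dlls and renamed:
            findings.append({"folder": str(d), "dlls": dlls, "renamed_rundll32": renamed})
    return findings

def count_cryp1(root):
    """Count files carrying the .cryp1 extension under root."""
    return sum(1 for p in Path(root).rglob("*.cryp1") if p.is_file())

if __name__ == "__main__":
    windir = Path(os.environ.get("WINDIR", r"C:\Windows"))
    refs = [windir / "System32" / "rundll32.exe", windir / "SysWOW64" / "rundll32.exe"]
    for hit in scan_temp(os.environ.get("TEMP", "."), refs):
        print("suspicious:", hit)
    print(".cryp1 files on desktop:",
          count_cryp1(Path(os.environ.get("USERPROFILE", ".")) / "Desktop"))
```

A hit means the folder matches the pattern described here; it still needs review before anything is deleted.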

In closing, UltraCrypter Ransomware is a malicious program designed to encrypt your valuable files and demand a hefty ransom for the decryption key that can restore them to their original condition. However, you should not trust the cyber crooks to give you this key because all they care about is making money from their illicit activity. Thus, there is no safe method of getting the files back, so if your PC has been infected with this ransomware, we recommend that you remove it using the instructions presented below. However, if manual removal does not work, then use SpyHunter, an anti-malware program that will surely delete it.

How to delete UltraCrypter Ransomware

  1. Press Windows+E keys on your keyboard.
  2. In the address bar, enter C:\Users\User\AppData\Local\Temp\{Random CLSID}
  3. Locate the randomly named .dll file and delete it.
  4. Then, in the address bar enter the following locations and delete the randomly named .bmp, .html, and .txt files.
     • %USERPROFILE%\Desktop