
UltraCrypter Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 3
First Seen: May 31, 2016
Last Seen: January 5, 2023
OS(es) Affected: Windows

The UltraCrypter Ransomware is a threatening encryption ransomware Trojan that encrypts its victims' files using RSA-2048 encryption, making them inaccessible until the victim pays a ransom in exchange for the decryption key. The UltraCrypter Ransomware changes the encrypted files' extensions to '.CRYP1' and displays a ransom note demanding a payment of 1.2 Bitcoins, approximately $500 USD at the average current exchange rate. Fortunately, PC security researchers have released a decryption utility for the UltraCrypter Ransomware and its clones.

Common Ways Used by the UltraCrypter Ransomware to Enter a Computer

The UltraCrypter Ransomware may be delivered through spam email messages that contain infected attachments or embedded links. These messages are disguised as legitimate communications from real companies, such as a shipping company or an airline. When the victim opens the included file or link, the UltraCrypter Ransomware infects the computer.

How the UltraCrypter Ransomware may Attack a Computer

The UltraCrypter Ransomware infects all versions of the Windows operating system, from Windows XP all the way through Windows 10. The UltraCrypter Ransomware scans the victim's hard drives for files matching a list of extensions in its configuration files. When it finds files that match, the UltraCrypter Ransomware encrypts them using AES-256 and RSA encryption and stores the private key on the con artists' Command and Control server. Files encrypted by the UltraCrypter Ransomware receive a new extension, '.CRYP1', and are not accessible until decrypted. Some examples of files that are targeted by the UltraCrypter Ransomware and similar malware threats include:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

The UltraCrypter Ransomware drops text files with instructions on how to pay the ransom in the directories where files were encrypted. The UltraCrypter Ransomware will also change the victim's Windows Desktop image into the ransom note. In addition, the UltraCrypter Ransomware deletes the Shadow Volume Copies of the files it encrypted, as well as System Restore points, making it impossible to recover the files through these alternate methods.

Several ransom notes have been associated with the UltraCrypter Ransomware and similar threats. An example of a ransom message linked to the UltraCrypter Ransomware is:

All you data (photos, documents, database, …) have been encrypted with a private and unique key generated for this computer.
It means that you will not be able to access your files anymore until they’re decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.
The payment has to be done in Bitcoin to a unique address that we generated for you, Bitcoins are a virtual currency to make online payments. If you don’t know how to get Bitcoins, you can google “How to Buy Bitcoins” and follow the instructions.
YOU ONLY HAVE 4 DAYS TO SUBMIT THE PAYMENT! When the provided time ends, the payment will increase to 5 Bitcoins. Also, if you don’t pay in 7 days, your unique kay will be destroyed and you won’t be able to recover your files anymore.
To recover your files and unlock your computer, you must send 1.2 Bitcoins (500$), to the next Bitcoin address: –
WARNING!
DO NOT TRY TO GET RID OF THIS PROGRAM YOURSELF, ANY ACTION TAKEN WILL RESULT IN DECRYPTION KEY BEING DESTROYED. YOU WILL LOSE YOUR FILES FOREVER. ONLY WAY TO KEEP YOUR FILES OS TO FOLLOW THE INSTRUCTIONS.
1. To decrypt your files you need to make pay for UltraDeCrypter and receive a private key to decrypt your files.
2. Download UltraDeCrypter to begin to decrypt your files. The link to download the program will appear here, after you pay.
3. Install the program on your computer and press the SCAN button to find all the encrypted files.
4. Please wait until the program finishes searching your files and reports the successful completion of the operation.
5. If your payment has been confirmed, you will be able to see your private key on this page.
6. Copy your private key and place it in the text box of the program, as shown in the image.
7. Please press the DECRYPT button and wait until the program finishes decrypting your files and reports the successful completion of the operation.
8. That’s all! Your files have been restored and you can use them again!
Question: How can I decrypt my files after the payment?
Answer: After the successful payment, you can download UltraDeCrypter on your personal page. We guarantee that all your files will be successfully decoded.
Question: What exactly should I specify in the field “Transaction ID”?
Answer: Specify the transaction ID you received during the Bitcoin successful purchase on the merchant’s site.
We give you the opportunity to decrypt one file completely FREE OF CHARGE!
You can be sure that the server actually operates, and after making the payment, you can decrypt all files using UltraDeCrypter
Note: The file cannot be larger than 512 kilobytes

How to Recover from an UltraCrypter Ransomware Attack

Although PC security researchers have released decryption utilities for various clones of the UltraCrypter Ransomware, it is not certain that they will help computer users recover from an UltraCrypter Ransomware attack. Because of this, the best way to deal with the UltraCrypter Ransomware and similar threats remains prevention. Malware analysts strongly urge computer users to keep a reliable, updated off-site backup of all of their files. This way, when the UltraCrypter Ransomware or another ransomware Trojan attacks, the encrypted files can be recovered by restoring them from the backup location.
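
Before restoring from a backup, it helps to know which '.CRYP1' files the backup actually covers. The following added example (not part of the original article or of any vendor tool) builds that list for a live tree and a backup tree that share one directory layout. All function names are hypothetical and the sample trees are constructed.

```python
import tempfile
from pathlib import Path

MARKER = ".cryp1"  # extension the article reports on encrypted files

def find_encrypted(root):
    """Files under root whose last extension is .CRYP1 (any case)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() == MARKER)

def clean_candidates(enc, root, backup_root):
    """Backup files that could be the pre-encryption copy of enc."""
    # Assumption: the article does not say whether .CRYP1 is appended
    # (report.docx.CRYP1) or replaces the extension (report.CRYP1); match both.
    bdir = backup_root / enc.relative_to(root).parent
    if not bdir.is_dir():
        return []
    base = enc.stem  # file name with the trailing .CRYP1 removed
    return sorted(c for c in bdir.iterdir()
                  if c.is_file() and c.suffix.lower() != MARKER
                  and (c.name == base or c.stem == base))

def restore_plan(root, backup_root):
    """Sort encrypted files into restorable / missing; flag a tainted backup."""
    root, backup_root = Path(root), Path(backup_root)
    plan = {"restorable": {}, "missing": []}
    for enc in find_encrypted(root):
        rel = enc.relative_to(root).as_posix()
        hits = clean_candidates(enc, root, backup_root)
        if hits:
            plan["restorable"][rel] = [h.relative_to(backup_root).as_posix() for h in hits]
        else:
            plan["missing"].append(rel)
    # A backup job that ran after infection will have copied encrypted files.
    plan["backup_tainted"] = [p.relative_to(backup_root).as_posix()
                              for p in find_encrypted(backup_root)]
    return plan

def demo():
    """Constructed sample: three encrypted files, a partial and tainted backup."""
    tmp = Path(tempfile.mkdtemp())
    trees = {"live": ["docs/report.docx.CRYP1", "docs/budget.cryp1",
                      "pics/cat.jpg.CRYP1", "docs/notes.txt"],
             "backup": ["docs/report.docx", "docs/budget.xlsx", "docs/old.pdf.CRYP1"]}
    for top, names in trees.items():
        for name in names:
            (tmp / top / name).parent.mkdir(parents=True, exist_ok=True)
            (tmp / top / name).write_bytes(b"constructed")
    return restore_plan(tmp / "live", tmp / "backup")
```

A non-empty `backup_tainted` list means the backup job ran after the infection, so an older snapshot should be used for the restore.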
