
UmbreCrypt Ransomware

By GoldSparrow in Ransomware

The UmbreCrypt Ransomware is a threat infection that takes the victim's files hostage in order to extract a ransom payment. The UmbreCrypt Ransomware is an updated variant of a previously known ransomware Trojan named HydraCrypt. As part of its encryption process, the UmbreCrypt Ransomware adds a long extension, 'UmbreCrypt_ID_youruniqueID', to each encrypted file. After the UmbreCrypt Ransomware has encrypted all of the victim's files, it displays messages containing a ransom note and instructions on how to pay the ransom. According to these messages, if the UmbreCrypt Ransomware's ransom is not paid in time, the files will remain encrypted forever.

How the UmbreCrypt Ransomware Performs Its Attack

According to the UmbreCrypt Ransomware message, computer users have 72 hours to pay for the decryption utility. The message claims that it is necessary to contact the UmbreCrypt Ransomware developers for payment instructions. Currently, the UmbreCrypt Ransomware payment is demanded in Bitcoins, often ranging from 0.5 to 1.5 Bitcoin (at the current exchange rate, anywhere between $200 and $600 USD). Computer users are asked to send one small encrypted file so that the con artists can prove that they are able to decrypt it. The UmbreCrypt Ransomware uses the RSA-2048 encryption method, so the files can only be decrypted with the matching unique private key. Unfortunately, the UmbreCrypt Ransomware generates this private key and then stores it on a remote Command and Control server, making it impossible for PC security researchers to recover the key from the UmbreCrypt Ransomware infection itself. To protect yourself against infections like the UmbreCrypt Ransomware, keep backups using a method such as a cloud service or an external storage device. Fortunately, as of February 14, 2016, a free decryption utility for files encrypted by the UmbreCrypt Ransomware has become available, making it unnecessary to pay the UmbreCrypt Ransomware ransom.

What Threats Like the UmbreCrypt Ransomware may Cause to a Computer User

There are countless variants of the UmbreCrypt Ransomware infection, all of which carry out the same basic tactic. In fact, since most of these infections share code, they are practically identical. Part of the reason the UmbreCrypt Ransomware and similar threats have become so popular is the rise of the Ransomware as a Service (RaaS) industry. In this model, con artists provide threats like the UmbreCrypt Ransomware to their clients, who then distribute it and customize the ransom note and amount; the RaaS providers take a percentage of the ransoms generated by threats like the UmbreCrypt Ransomware.

The following is the ransom note that has been associated with the UmbreCrypt Ransomware:

Attention! All your main files were encrypted!
Your personal files (documents, databases, jpeg, docx, doc, etc.) were encrypted, their further using impossible. Encryption was made using a unique public key RSA-2048 generated for this computer.
TO DECRYPT YOUR FILES YOU NEED TO BUY A SOFTWARE WITH YOUR UNIQUE PRIVATE KEY. ONLY OUR SOFTWARE WILL ALLOW YOU TO DECRYPT YOUR FILES.
NOTE:
You have only 72 hours from the moment when an encryption was done to buy our software with a loyal price, the payment amount will be increased multiple after the lapse of 72 hours.
Any attempts to remove this encryption will be unsuccessful. You cannot do this without our software with your key.
Do not send any emails with threats and rudeness to us. Example of email format: 'Hi, I need a decryption of my files. My ID number is…' (instead of three dots should be you ID number which could be found in the same folder where the encrypted files, also your ID number is shown on this picture)
Contact us by email only, send us an email along with your ID number and wait for further instructions. Our specialist will contact your within 12 hours.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. This will be your guarantee.
Contact information:
E-MAIL1:umbredecrypt(@)engineer.com,
E-MAIL2:umbrehelp(@)consultant.com

The UmbreCrypt Ransomware encrypts files with the following extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .unrec, .scan, .sum, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .m3u, .flv, .js, .css, .rb, .png, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .ppt, .xlk, .xls, .wps, .doc, .odb, .odc, .odm, .odp, .odt, .dx, .mrw, .nef, .tiff, .bd, .tar.gz, .mkv, .bmp, .dot, .xml, .pps, .dat, .ods, .qba, .qbw, .ini, .$$$, .$db, .001, .002, .003, .113, .73b, .__a, .__b, .ab, .aba, .abbu, .abf, .abk, .acp, .acr, .adi, .aea, .afi, .arc, .as4, .asd, .ashbak, .asv, .asvx, .ate, .ati, .bac, .backup, .backupdb, .bak2, .bak3, .bakx, .bak~, .bbb, .bbz, .bck, .bckp, .bcm, .bdb, .bff, .bif, .bifx, .bk1, .bkc, .bkup, .bkz, .blend1, .blend2, .bm3, .bmk, .bpa, .bpb, .bpm, .bpn, .bps, .bup, .caa, .cbk, .cbs, .cbu, .ck9, .cmf, .crds, .csd, .csm, .da0, .dash, .dbk, .dim, .diy, .dna, .dov, .dpb, .dsb, .fbc, .fbf, .fbk, .fbu, .fbw, .fh, .fhf, .flka, .flkb, .fpsx, .ftmb, .ful, .fwbackup, .fza, .fzb, .gb1, .gb2, .gbp, .ghs, .ibk, .icbu, .icf, .inprogress, .ipd, .iv2i, .jbk, .jdc, .kb2, .lcb, .llx, .mbf, .mbk, .mbw, .mdinfo, .mem, .mig, .mpb, .mv_, .nb7, .nba, .nbak, .nbd, .nbf, .nbi, .nbk, .nbs, .nbu, .nco, .nda, .nfb, .nfc, .npf, .nps, .nrbak, .nrs, .nwbak, .obk, .oeb, .old, .onepkg, .ori, .orig, .oyx, .paq, .pba, .pbb, .pbd, .pbf, .pbj, .pbx5script, .pbxscript, .pdb, .pqb, .pqb-backup, .prv, .psa, .ptb, .pvc, .pvhd, .qbb, .qbk, .qbm, .qbmb, .qbmd, .qbx, .qic, .qsf, .qualsoftcode, .quicken2015backup, .quickenbackup, .qv~, .rbc, .rbf, .rbk, .rbs, .rdb, .rgmb, .rmbak, .rrr, .sav, .sbb, .sbs, .sbu, .sdc, .sim, .skb, .sme, .sn1, .sn2, .sna, .sns, .spf, .spg, .spi, .sps, .sqb, .srr, .stg, .sv$, .sv2i, .tbk, .tdb, .tibkp, .tig, .tis, .tlg, .tmp, .tmr, .trn, .ttbk, .uci, .v2i, .vbk, .vbm, .vbox-prev, .vpcbackup, .vrb, .wbb, .wbcat, .wbk, .win, .wjf, .wpb, .wspak, .xbk, .xlk, .yrcbck, .~cw.
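The file marker described above ('UmbreCrypt_ID_youruniqueID' appended to each encrypted file), the targeted extension list, and the contact addresses quoted in the ransom note are the indicators a responder actually has to work with. The following Python script is an added triage example, not code from this write-up or from any vendor tool: it decodes marked file names from a directory listing, reports which original extensions were hit and whether they are on the page's targeted list, extracts the victim ID, and flags ransom-note text by its contact strings. It assumes (the page does not say) that the marker is appended after the original extension and that the ID is alphanumeric; the listing and note fragment are constructed sample data, and the extension set is a small subset of the page's list.

```python
"""Triage helper for a suspected UmbreCrypt infection (added example, not vendor code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Small subset of the extensions the page lists as targeted.
TARGETED_EXTENSIONS = {
    ".sql", ".mp4", ".7z", ".rar", ".zip", ".doc", ".xls", ".pdf", ".jpg", ".png",
    ".psd", ".pst", ".accdb", ".mdb", ".backup", ".p12", ".pfx", ".pem", ".crt",
    ".wallet", ".txt",
}

# Assumption (the page only says a long 'UmbreCrypt_ID_youruniqueID' extension is
# added): the marker follows the original extension, e.g. budget.xls.UmbreCrypt_ID_7F3A9C,
# and the ID is letters and digits. Matched case-insensitively.
MARKER_RE = re.compile(
    r"^(?P<stem>.+?)(?P<orig_ext>\.[^./\\]+)?\.umbrecrypt_id_(?P<victim_id>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)

# Strings taken from the ransom note quoted on the page. '(@)' is normalised to '@'
# before matching so both the obfuscated and the plain spelling are caught.
NOTE_INDICATORS = (
    "umbredecrypt@engineer.com",
    "umbrehelp@consultant.com",
    "only our software will allow you to decrypt your files",
)


@dataclass(frozen=True)
class EncryptedFile:
    original_name: str   # file name before the marker was appended
    original_ext: str    # lower-cased original extension, '' if the file had none
    victim_id: str       # the per-victim ID embedded in the marker


def parse_encrypted_name(name: str) -> Optional[EncryptedFile]:
    """Return the decoded parts if `name` carries the UmbreCrypt marker, else None."""
    m = MARKER_RE.match(name)
    if not m:
        return None
    ext = m.group("orig_ext") or ""
    return EncryptedFile(m.group("stem") + ext, ext.lower(), m.group("victim_id"))


def triage(names: Iterable[str]) -> dict:
    """Summarise a directory listing: number of marked files, victim IDs seen, and
    original extensions hit, split by whether they appear on the targeted list."""
    hits = [e for e in (parse_encrypted_name(n) for n in names) if e is not None]
    by_ext = Counter(e.original_ext for e in hits)
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({e.victim_id for e in hits}),
        "targeted_ext_hits": {k: v for k, v in by_ext.items() if k in TARGETED_EXTENSIONS},
        "other_ext_hits": {k: v for k, v in by_ext.items() if k not in TARGETED_EXTENSIONS},
    }


def note_indicators_found(text: str) -> list:
    """Return the ransom-note indicators present in `text` (e.g. a dropped note file)."""
    norm = text.lower().replace("(@)", "@")
    return [ind for ind in NOTE_INDICATORS if ind in norm]


# Constructed sample listing and note fragment; not real victim data.
SAMPLE_LISTING = [
    "budget.xls.UmbreCrypt_ID_7F3A9C",
    "photo.jpg.UmbreCrypt_ID_7F3A9C",
    "db.sql.UmbreCrypt_ID_7F3A9C",
    "README.UmbreCrypt_ID_7F3A9C",   # no original extension
    "notes.txt",                      # untouched file
    "desktop.ini",
]
SAMPLE_NOTE = "Contact us by email only. E-MAIL1:umbredecrypt(@)engineer.com"

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
    print(note_indicators_found(SAMPLE_NOTE))
```

Run it against an actual listing with `triage(os.listdir(path))`; a single victim ID across every marked file matches the page's description of one ID per infected machine, while several IDs in one share would point to multiple infected hosts writing to it.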
