Unrans Ransomware

By GoldSparrow in Ransomware

The Unrans Ransomware is an encryption ransomware Trojan that is very similar to numerous other threats active in early 2018. It was first observed on January 12, 2018. The Unrans Ransomware seems to be designed to target servers rather than individuals' private computers. However, some aspects of the Unrans Ransomware seem to indicate that it is still under development and currently unfinished. The Unrans Ransomware is typically delivered in a self-extracting PowerShell script that installs it with administrative privileges on the infected computer. The Unrans Ransomware seems to be distributed through TOR and is often installed manually by taking advantage of poor security protection.

The Unrans Ransomware Will Focus on the Files Created by the Victim

The Unrans Ransomware's main purpose, as with most encryption ransomware Trojans, is to make the victim's files inaccessible by encrypting them with the AES-256 encryption algorithm. After encrypting the files, the Unrans Ransomware sends the decryption key to its Command and Control server through an encrypted connection, making it impossible for PC security researchers or security software to recover the decryption key from the infected computer. The Unrans Ransomware generally avoids the Windows system files and encrypts user-generated files of numerous types, including files with the following extensions:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Unrans Ransomware also deletes the System Restore points and the Shadow Volume Copies, which could otherwise be used to restore some of the corrupted files. Typical methods for delivering the Unrans Ransomware to victims include taking advantage of poorly protected Remote Desktop Protocol ports and unpatched software. Weak passwords can also lead to infections like the Unrans Ransomware.

The Unrans Ransomware's Ransom Note

The Unrans Ransomware will load its ransom note as a website on the Dark Web, hxpoklw6l556364m[.]onion, which is accessed using TOR. The Unrans Ransomware's ransom note includes a 24-hour timer and a text box where the victim is prompted to enter the decryption key after paying. The full text of the Unrans Ransomware ransom note reads as follows:

'Ransomware! Your personal files have been encrypted!
Files can be recover for 0.5 Bitcoin to 1BCXdp6jc4cQiG3hpwb5sm5XfvHN1sbSkg
Encryption date : [current date and hour]
Check in RansomText.txt your unique ID and submit it to get your encryption key or your time limit before price increase :
Price will be increase in
[24h timer]
To get a proof of recovering, send an encrypted file (lower than 5MB) to krom.mork@openmail.cc with your unique ID (in RansomText.txt), we will return you the orignal file.
Help With Buying Bitcoins
As soon as your payment has been received, we will unblock your unique ID and send you your key encryption. Unrans script already on infected computer or download it here : Unrans.ps1'

The Unrans Ransomware will deliver a text file named 'RansomText.txt,' which contains the victim's unique ID number. This note is dropped on the infected computer's desktop. The Unrans Ransomware ransom amount is approximately 7000 USD at the current exchange rate. However, paying this ransom or negotiating with the cybercrooks in any way should be avoided at all costs. Instead, file backups should be used to recover the affected files.
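
The following is an added example, not part of the original article: a small Python triage routine that searches log lines for the indicators named on this page (the note and script file names, the TOR address, the contact e-mail and the Bitcoin address). The log format, host names and paths in the sample are constructed for illustration.

```python
import re

# Indicators as printed on this page; the onion host stays defanged in source.
TEXT_IOCS = {
    "onion_host": "hxpoklw6l556364m[.]onion",
    "contact_email": "krom.mork@openmail.cc",
}
BTC_ADDRESS = "1BCXdp6jc4cQiG3hpwb5sm5XfvHN1sbSkg"  # Base58 is case-sensitive
# Dropped/delivered file names, matched only as a whole file name.
FILE_RE = re.compile(r"(?<![\w.-])(ransomtext\.txt|unrans\.ps1)(?![\w.-])", re.I)


def refang(text):
    """Undo '[.]' defanging so defanged and live forms compare equal."""
    return text.replace("[.]", ".")


def match_indicators(line):
    """Return the sorted names of the page's indicators found in one log line."""
    hits = set()
    live = refang(line)
    lowered = live.lower()
    for name, value in TEXT_IOCS.items():
        if refang(value).lower() in lowered:
            hits.add(name)
    if BTC_ADDRESS in live:
        hits.add("btc_address")
    for m in FILE_RE.finditer(live):
        hits.add("file:" + m.group(1).lower())
    return sorted(hits)


def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        found = match_indicators(line)
        if found:
            results.append((number, found))
    return results


# Constructed sample events (hosts, paths and timestamps are made up).
SAMPLE_LOG = [
    r"t=0001 host=SRV01 event=ProcessCreate cmd=powershell.exe -File C:\Temp\UNRANS.PS1",
    r"t=0002 host=SRV01 event=FileCreate path=C:\Users\admin\Desktop\RansomText.txt",
    "t=0003 host=SRV01 event=Proxy dest=hxpoklw6l556364m[.]onion",
    "t=0004 host=MAIL01 event=SmtpOut rcpt=Krom.Mork@openmail.cc size=4MB",
    r"t=0005 host=SRV02 event=FileCreate path=C:\Docs\MyRansomText.txt.bak",
]
```

Calling `scan(SAMPLE_LOG)` flags the first four events and skips the fifth, whose file name only contains the note's name as a substring.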
