Geek's Advice

UYJH ransomware seeks to encrypt all of your personal files

UYJH ransomware is a computer virus that encrypts all files on infected computer using Salsa20+RSA-2048 encryption types. This malicious program belongs to the STOP/DJVU ransomware group and is normally recognized from .uyjh extension it appends to each encrypted file. For instance, original file named 1.jpg appears as 1.jpg.uyjh after the attack. After compromising the system, the virus also leaves ransom notes named _readme.txt in many folders so that the victim would notice them. Contents of this note suggest that the only possible way to decrypt locked files is to pay a ransom to cybercriminals and receive UYJH decryption tool in return.

The aim of UYJH ransomware virus is to extort the computer user by taking one’s files hostage and demanding a ransom payment for a tool that can reverse the damage. The virus aims at documents, pictures, videos, music files and archives as well as many other data types. The message from the ransomware operators left in the _readme.txt note suggests that the virus operates by using a robust encryption algorithm and unique key to securely lock all of victim’s files. It also explains that the ransom price varies depending on how quickly the victim reaches out to the attackers via provided emails – support@sysmail.ch and supportsys@airmail.cc.

According to the _readme.txt contents, the decryption tool costs $490 with 50% discount which will be applied if the victim writes to the provided email addresses within 3 days (72 hours) starting from the infection timestamp. Otherwise, the decryption tool price (the ransom) will be raised to $980. The note also suggests inserting victim’s PersonalID in the email and sending one encrypted file (one that doesn’t contain valuable information) in order to receive a decrypted version in return. This way, the cybercriminals hope to spark victim’s motivation to pay the ransom.

After contacting the criminals’ via email, the computer user will find out that the ransom can only be paid using cryptocurrency. In short, the attackers will ask the victim to purchase Bitcoin via one of suggested cryptocurrency exchange platforms and transfer the settled amount to the criminals’ cryptocurrency wallet. The reason behind this is that such transactions are untraceable, thus it prevents law enforcement agencies from tracking the criminals down.

In regards of ransomware response, cybersecurity experts and FBI recommend computer users to refrain from paying ransoms. Some of the reasons that support this suggestion are presented below.

• Paying a ransom doesn’t always result in successful data recovery.
• Sending your funds to cybercriminals helps them to create more malware and employ more people.
• Paying a ransom helps them to identify you as a potential victim in future attacks.

On top of that, victims of STOP/DJVU variants such as UYJH virus should beware that this piece of malware doesn’t spread alone. Instead, it usually comes alongside VIDAR or AZORULT Trojans and various other malware. That said, such pack of threats on your computer can result in private data loss, stealth of your online accounts, identity theft and more. Moreover, cybercriminals can continue to blackmail you after using collected data.

Victims of this malware variant are advised to remove UYJH ransomware virus and related threats from their computers. For this matter, we suggest that you boot your computer in Safe Mode with Networking as explained in the tutorial below this article. Make sure you use a genuine antivirus or malware removal tool only. For repairing virus damage inflicted by this malware, we strongly recommend that you download RESTORO.

Ransomware Summary

REPAIR VIRUS DAMAGE

Ransomware distribution in general: avoid getting infected

Ransomware-type threats are mostly distributed via malicious email attachments, pirated software versions accessible via torrent sharing platforms or rogue websites online, fake software update ads and other mediums. All that it takes to download and run the ransomware is to open an infected file unknowingly.

Variants of STOP/DJVU ransomware, including UYJH virus are mostly detected in illegal downloads that comprise of pirated software versions, operating system activation tools (such as KMSPico) and similar. These threats await for unsuspecting victims in various torrent listings online or in websites offering 100% free full paid software versions that can be downloaded in password-protected archives. After opening the alleged setup file, all of malware components will be downloaded and executed on the victim’s computer immediately. In some cases, the malware restarts the victim’s computer after installing itself and setting itself to automatically run after the computer boots up.

Victims of STOP/DJVU reported getting infected after downloading and launching fake installers for popular programs such as Adobe Photoshop, Adobe Illustrator, AutoCAD, Corel Draw, League of Legends and others. Therefore, if you have a bad habit of searching for cracked software versions online, we strongly recommend that you drop it immediately. By doing this, you infringe copyrights of legitimate software developers and expose your personal files and information to a bunch of cybersecurity risks.

To prevent getting infected, we strongly recommend that you source your programs from their official websites or confirmed partner sites only. The same applies to software updates as cybercriminals often use malvertising to target their victims.

On top of that, you should be extremely careful when checking your email. Ransomware operators often use malicious email attachments to spread malware. Such phishing emails are usually designed to look like they come from a legitimate entity, for example, a well-known company such as Amazon, eBay, DHL or others. The attachment comes with a safe-looking name, for instance, an invoice, payment details, order summary or parcel tracking information. The crooks seek to spark victim’s curiosity and trick one into opening the attached file. The attachment usually contains a script that connects to criminals’ domains, downloads the payload and runs it on victim’s PC.

Finally, STOP/DJVU ransomware victims are advised to stay away from suspicious websites offering 100% working decryption tools as these, in short, do not exist. Such rogue decryptors can hide other ransomware or malware variants, for instance, ZORAB. The only tools capable of decrypting or repairing files locked by STOP/DJVU at this moment are created by Emsisoft and DiskTuna, and they only function to a limited extent. You can read more about decrypting/repairing your files with these tools in this guide.

UYJH ransomware modus operandi

This article section covers basic modus operandi details of UYJH ransomware virus. The threat typically consists of several main executables as well as many helper components. The main executable is usually named with 4 random characters and may appear as 7GB8.exe or 8D4B.exe. It also comes with a bunch of build.exe, build2.exe or build3.exe files. Before starting data encryption, the ransomware requests a response from https[:]//api.2ip.ua/geo.json which will be saved into geo.json file (examples shown below).

The said file contains computer’s geolocation data, such as IP address, country, city, zip code and other details. The reason behind this is that the virus needs to figure out computer’s location to avoid infecting computers in Russian-speaking countries. To be specific, malware analysts point out that STOP/DJVU ransomware avoids encrypting data on computers located in Russia, Belarus, Syria, Armenia, Tajikistan, Ukraine, Kazachstan, Kyrgyzstan, and Uzbekistan.

If the computer passes the geolocation test, the virus proceeds and gathers system-related information, such as hardware specifics, installed software and currently running processes’ list. This data will be saved into information.txt file and forwared to Command&Control server along with victim’s desktop screenshot. Shown below is the described file example.

The virus then attempts to request unique encryption key from its server. If this works out, the victim’s computer’s files will be encrypted with one of a kind encryption key, which makes the encryption almost impossible to reverse. If the connection to the server fails due to Internet connectivity issues or the server being down, the ransomware switches to autonomous encryption mode and uses a hardcoded offline encryption instead. Each computer will also be identified with Personal ID, and this ID will be saved to file called PersonalID.txt. The ID and encryption key together will be forwarded to a file called bowsakkdestx.txt. Examples of both files are demonstrated below.

One thing that matters to ransomware victims the most if whether it is possible to decrypt .uyjh files. Unfortunately, in cases where online encryption key was used, this might not be the case. However, for offline encryption victims, their encryption keys match, so this gives a potential opportunity to recover files in the future. For information how to identify the encryption type and how/when files can be restored, please read this guide.

The ransomware carries out data encryption using Salsa20 encryption additionally secured with RSA-2048. During this procedure, each file will be marked with an additional .uyjh extension. See the screenshot below to see how an affected data folder looks like.

Contents of _readme.txt note dropped in each folder are depicted below.

Last modifications to computer files initiated by the ransomware involve adding a list of domains to the Windows HOSTS file. The virus maps them to localhost IP, which causes a DNS error and prevents the user from visiting them. It appears that this ransomware seeks to block every website that might provide relevant ransomware response information for the computer user. Attempts to visit any of them will cause the web browser to display DNS_PROBE_FINISHED_NXDOMAIN or similar error.

Remove UYJH Ransomware Virus and Decrypt .uyjh Files

If you have unfortunatelly fell into a trap of file-encrypting malware described, you should take action to secure your computer. To remove UYJH ransomware virus and any other malware remains, we recommend you to run an up-to-date antivirus or malware removal software after booting your PC in Safe Mode with Networking.

A good tool to repair virus damage is RESTORO, which you can download via provided link.

Once UYJH ransomware virus removal is complete, take a look at the following recommendations:

• Inform your local law enforcement agency about the ransomware attack incident.
• Use data backups to recover your files. If you didn’t have any, consider creating them from now on on a regular basis;
• Learn more about ways STOP/DJVU encrypted files could be decrypted or repaired.
• Immediately change all passwords associated with the compromised computer.

OUR GEEKS RECOMMEND

Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:

REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.