February 27, 2017

A new Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware is behind the Unlock26 ransomware discovered this past week.

First spotted two days ago, this ransomware operation is quite unique as it features a very minimal and direct style, with little-to-no instructions and simple-designed ransom notes and ransom payment portal.

Based on two messages left on the Dot-Ransomware homepage, this entire operation launched on Tuesday, February 19, when the website was set up.


Anyone who registers on the service will be able to download two files. One is titled core.exe, which is the benign ransomware payload, while the second is, an archive containing the builder and usage instructions (embedded in full at the end of the article).

The builder is a minimal CLI tool that allows users to customize the following options:

  • Ransomware decryption price
  • Special decryption prices per country
  • Extensions targeted for encryption
  • The type of encryption (full or first 4MB of each file)
  • The Bitcoin address where to send the crook's 50% cut


According to the builder's instructions file, users must load the core.exe file in the builder, which will then patch the file with the user's custom settings, and generate a fully weaponized binary, ready for distribution.

The way each Dot-Ransomware user spreads this file is up to him. This may be malvertising, spam, or manual infections after brute-forcing RDP connections.

Unlock26 infection process

On the victim's side, the newly-generated Unlock26 ransomware will encrypt the user's files based on the internal configuration file, and append each locked file with a .locked-[XXX] extension, where XXX appear to be three random alpha-numeric characters unique for each victim.

Unlock26 encrypted files

The last step in the infection process is to show the ransom note, which is simple and to the point, urging users to access one of four Tor-to-Web proxy URLs.

The first eight characters of the ransomware's payment site is also from where the ransomware's name came from, before researchers discovered and linked the ransomware with the Dot-Ransomware RaaS.

Unlock26 ransom note
The links in the Unlock26 ransom note also hide a signature that allows crooks to distinguish between infected hosts.

Unlock26 signature
This means you have to click on the links from the ransom note itself. Typing the visible URLs manually in a browser won't let you access the payment site, which checks for the presence of these signatures. We suspect the signatures are most likely used to display unique Bitcoin addresses for each user accessing the payment site.
Unlock26 signature url

Accessing the Unlock26 payment site we find the same simplistic style, lacking any kind of meaningful instructions.

From our analysis of this entire operation, it's like the ransomware author is expecting everyone to know what to do, as if everyone gets infected with ransomware on a daily basis, and all users are tech-savvy PC veterans that know exactly what should happen next.

Dot-Ransomware, Unlock26 appear to be under development
But user instructions are not the only things missing from Dot-Ransomware and Unlock26.

For example, if users wanted to pay, they wouldn't even know the amount of Bitcoin they'd need to send, since the Unlock26 payment site doesn't list the decryption price, but shows a math function instead: 6.e-002 BTC. This is weird, to say the least, unless you really want people not to pay the ransom.

Putting this detail together with the error seen in one section of the builder (screenshot above), and with the fact that no users have reported Unlock26 infections as of now, we can say safely say this ransomware and its RaaS are still under development, and not yet ready to be deployed. Let's hope its author gets bored in a few days and drops the service entirely, but we doubt it will happen after working so hard to reach this advanced stage of development.

Special thanks to MalwareHunter, who discovered the Unlock26 ransomware, David Montenegro, who discovered the Dot-Ransomware RaaS, Bleeping Computer's Lawrence Abrams and GrujaRS, who helped with the analysis and info gathering.

core.exe SHA256 hash:
db43d7c41da0223ada39d4f9e883611e733652194c347c78efcc439fde6dde1c SHA256 hash:

Ransom note:
ransom3Builder 'Setup Guide.txt' file
News Courtesy :