What is Ultimo ransomware? And how does it execute its attack?
Ultimo ransomware, also known as the “.Locked virus”, is a file-encrypting Trojan built from HiddenTear, the open-source ransomware proof-of-concept whose code has spawned a steadily growing family of variants. Ultimo follows the typical ransomware pattern: it scans the infected computer's drive for files with specific extensions such as:
.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp
Ultimo ransomware encrypts the matching files with AES and appends the .locked extension to every affected file. It then drops a ransom note demanding payment in exchange for recovery of the encrypted files. One practical consequence of the HiddenTear lineage: the original HiddenTear key generation has been shown to be weak, and free decrypters have been published for a number of its variants, so check whether one covers your sample before even considering payment. Here is the content of the ransom note, which is contained in a file named “READ_IT.txt”:
“Oooopppsss Your Files Has Been Encrypted
Your Unique GUID for Decrypt: j43as8fk-29gp-61da-3671-h03c83472r74
SEND ME SOME 0.022 Bitcoin on Adress: 1CCnFhbLT1VSMUqXaSqsYUAwcGU4evkbJo
After Confirming The Payment, ALL YOUR FILES CAN BE DECRYPTED.
If you do not make payment within 48 Hrs, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: xxxxs://www.coinbase.com/ or xxxx://blockchain.info
How to buy /sell and send Bitcoin :
xxxxs://support.coinbase.com/customer/en/portal/topics/***
xxxxs://support.coinbase.com/customer/en/portal/topics/***
xxxxs://support.coinbase.com/customer/en/portal/topics/***
After the payment, enter the wallet from which paid, and email, in which contact you. [email protected]
After receiving the payment, we will contact you.”
The 48-hour deadline in the ransom note is a pressure tactic designed to rush victims into paying. Do not pay: payment funds the operators and comes with no guarantee that a working decryption key will ever be delivered. The one thing you should do promptly is remove Ultimo ransomware from the system. Once that is done, you can attempt to recover your encrypted files using the alternative option described later in this post.
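Before cleaning the machine it helps to know exactly what was hit and to record the identifiers the attacker left behind. The PowerShell below is an added example written for this article; it is not code from the original post or from the HiddenTear project. It relies only on the behaviour described above (the target extension list, the .locked suffix and the READ_IT.txt note); the function names, the regular expressions and the output paths are illustrative.

```powershell
# Added example, not code from the original article or from HiddenTear.
# Inventories what Ultimo encrypted on a host using only the behaviour the
# article describes: target extension list, ".locked" suffix, READ_IT.txt note.
# Function names and regular expressions are illustrative.

# Extension list as given in the article (lower-case, leading dot).
$UltimoTargets = @(
    '.txt','.doc','.docx','.xls','.xlsx','.pdf','.pps','.ppt','.pptx','.odt',
    '.gif','.jpg','.png','.db','.csv','.sql','.mdb','.sln','.php','.asp','.aspx',
    '.html','.xml','.psd','.frm','.myd','.myi','.dbf','.mp3','.mp4','.avi','.mov',
    '.mpg','.rm','.wmv','.m4a','.mpa','.wav','.sav','.gam','.log','.ged','.msg',
    '.myo','.tax','.ynab','.ifx','.ofx','.qfx','.qif','.qdf','.tax2013','.tax2014',
    '.tax2015','.box','.ncf','.nsf','.ntf','.lwp'
)

function Get-LockedFileReport {
    # Lists every *.locked file under $Root with its original name and extension,
    # prints a per-extension summary and the first/last write time, which
    # brackets the encryption window for the incident timeline.
    param([Parameter(Mandatory)][string]$Root)

    $locked = Get-ChildItem -Path $Root -Recurse -File -Filter '*.locked' -ErrorAction SilentlyContinue

    $rows = @(foreach ($f in $locked) {
        # "report.docx.locked" -> OriginalName "report.docx", OriginalExt ".docx"
        $original = $f.Name.Substring(0, $f.Name.Length - '.locked'.Length)
        $origExt  = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
        [pscustomobject]@{
            Path         = $f.FullName
            OriginalName = $original
            OriginalExt  = $origExt
            InTargetList = ($UltimoTargets -contains $origExt)
            LastWrite    = $f.LastWriteTime
            SizeBytes    = $f.Length
        }
    })

    if ($rows.Count -gt 0) {
        $rows | Group-Object OriginalExt | Sort-Object Count -Descending |
            Format-Table @{n='Extension';e={$_.Name}}, Count -AutoSize | Out-Host
        $byTime = $rows | Sort-Object LastWrite
        Write-Host ("Encryption window: {0} -> {1}" -f $byTime[0].LastWrite, $byTime[-1].LastWrite)
        # An inner extension that is not on the list hints at a modified variant.
        $rows | Where-Object { -not $_.InTargetList } |
            ForEach-Object { Write-Host "Off-list extension: $($_.Path)" }
    }
    $rows
}

function Get-RansomNoteIds {
    # Pulls the victim GUID and Bitcoin address out of each READ_IT.txt and hashes
    # the note. Read notes with Get-Content, never by double-clicking them.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter 'READ_IT.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -LiteralPath $_.FullName -Raw
            # Patterns follow the note quoted in the article, including its spelling "Adress".
            $guid = [regex]::Match($text, 'GUID for Decrypt:\s*(\S+)').Groups[1].Value
            $btc  = [regex]::Match($text, 'Bitcoin on Adress:\s*(\S+)').Groups[1].Value
            [pscustomobject]@{
                Note           = $_.FullName
                VictimGuid     = $guid
                BitcoinAddress = $btc
                Sha256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage, from an account that can read the affected profile (paths illustrative):
# $report = Get-LockedFileReport -Root $env:USERPROFILE
# Get-RansomNoteIds -Root $env:USERPROFILE | Format-List
# $report | Export-Csv -NoTypeInformation "$env:USERPROFILE\Desktop\ultimo_locked_files.csv"
```

The per-extension summary and the encryption window tell you how far the sample got and when it ran; the GUID, Bitcoin address and note hash are what you need when searching for a matching decrypter or filing a report. Keep the CSV somewhere the ransomware cannot reach, such as removable media.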
How does Ultimo ransomware distribute its malicious files?
Ultimo ransomware spreads through the most common distribution method: spam email. These messages are crafted to look as if they came from a well-known company or organization, so that the recipient opens the email and downloads the infected attachment.
Use the removal instructions below to remove Ultimo ransomware from your system.
Step 1: Close the ransom note of Ultimo ransomware and tap the Win + E keys to open File Explorer.
Step 2: Navigate to the following locations and look for the randomly named malicious executable used to install Ultimo ransomware, as well as its ransom note READ_IT.txt. Note the file's full path and, if you can, its hash; do not double-click it.
- %TEMP%
- %APPDATA%
- %DESKTOP%
- %USERPROFILE%\Downloads
- %HOMEDRIVE%\user | ransom.jpg
- %USERPROFILE%\Desktop | READ_IT.txt
Step 3: Close File Explorer and press Ctrl + Shift + Esc to open Task Manager.
Step 4: In Task Manager, look for Ultimo ransomware's malicious process. Its name is random, so confirm it by right-clicking the entry and choosing Open file location: the executable should sit in one of the folders listed in Step 2. Then right-click it again and select End Process or End Task. A running process locks its own executable, so the file you found in Step 2 may only become deletable after this step.
Step 5: Close the Task Manager.
Before you proceed to the next steps, make sure you are comfortable working in the Windows Registry. Any change you make there affects the whole system, so export the keys you are about to touch (File > Export in Registry Editor) before deleting anything. If you would rather not edit the Registry by hand, you can use Advanced System Repair Pro instead. Otherwise, continue with the steps below.
Step 6: Press Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 7: Navigate to the paths listed below. In the two Control Panel\Desktop keys, check the Wallpaper value; in the Run and RunOnce keys, check every value that points to an executable in one of the folders from Step 2:
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 8: Look for the registry values and keys that Ultimo ransomware created or modified and delete them.
Step 9: Close the Registry Editor and open Programs and Features by pressing Win + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 10: Look for Ultimo ransomware or any suspicious program and then Uninstall it/them.
Step 11: Empty your Recycle Bin.
Restore the previous state of your files using the Shadow Volume copies
Restoring your encrypted files with Windows' Previous Versions feature only works if System Protection was enabled on the volume and Ultimo ransomware has not deleted the shadow copies. It is still one of the best free options available, so it is worth trying.
To restore an encrypted file, right-click it and select Properties; in the window that opens, go to the Previous Versions tab. It lists the versions of the file saved before it was modified. Once the list has loaded, select one of the previous versions shown, like the one in the illustration below, and click the Restore button.
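The manual steps above (drop folders, running process, autorun keys, wallpaper value, shadow copies) can be checked in one pass from an elevated PowerShell prompt. The block below is an added example written for this article, not code from the original post or from any vendor tool. It assumes the locations and registry keys listed in Steps 2 and 7; the mount-point path, the `<user>` placeholder and the function names are illustrative.

```powershell
# Added example, not code from the original article. Automates the checks in
# Steps 2 to 8 (drop folders, running process, autorun keys, wallpaper value) and
# inventories Volume Shadow Copies before a Previous Versions restore. Run from an
# elevated PowerShell: the HKLM keys and shadow copies need administrator rights.
# Mount-point path and function names are illustrative.

$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop folders named in Step 2; an autorun or process starting from one is suspicious.
$UserWritable = @($env:TEMP, $env:APPDATA, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")

function Test-InUserDir {
    param([string]$Path)
    foreach ($dir in $UserWritable) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Resolve-ImagePath {
    # Strips arguments from an autorun command: "C:\x\y.exe" /s  or  C:\x\y.exe /s
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $matches[1] }
    return $Command.Trim()
}

function Get-AutorunEntries {
    # One row per value in the Run/RunOnce keys from Step 7: resolved image, whether it
    # still exists, whether it lives in a drop folder, and its Authenticode status.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $image  = [Environment]::ExpandEnvironmentVariables((Resolve-ImagePath ([string]$p.Value)))
            $exists = Test-Path -LiteralPath $image
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Image   = $image
                Exists  = $exists
                DropDir = Test-InUserDir $image
                Signed  = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
            }
        }
    }
}

function Get-ProcessesFromDropDirs {
    # Step 4 check: running processes whose executable sits in a drop folder.
    Get-Process | Where-Object { $_.Path -and (Test-InUserDir $_.Path) } |
        Select-Object Id, ProcessName, Path, StartTime
}

function Get-WallpaperValues {
    # Step 7: the two Control Panel\Desktop keys. A ransomware that swaps the desktop
    # background (for example to the ransom.jpg from Step 2) writes the path here.
    foreach ($k in 'HKCU:\Control Panel\Desktop', 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop') {
        if (Test-Path $k) {
            [pscustomobject]@{ Key = $k; Wallpaper = (Get-ItemProperty -Path $k).Wallpaper }
        }
    }
}

function Get-ShadowCopyInventory {
    # Same data "vssadmin list shadows" prints; no rows means Previous Versions has nothing to offer.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object InstallDate, VolumeName, DeviceObject |
        Sort-Object InstallDate
}

function Mount-ShadowCopy {
    # Exposes one shadow copy as a folder so a pre-encryption file can be copied out.
    param([Parameter(Mandatory)][string]$DeviceObject, [string]$MountPoint = 'C:\ShadowView')
    # mklink needs the trailing backslash on the device path.
    cmd /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    return $MountPoint
}

# Usage (pick a shadow copy dated before the files were encrypted):
# Get-ProcessesFromDropDirs          # then Stop-Process -Id <pid> -Force before deleting its file
# Get-AutorunEntries | Where-Object { $_.DropDir -or -not $_.Exists -or $_.Signed -ne 'Valid' } | Format-Table -AutoSize
# Get-WallpaperValues
# $sc   = Get-ShadowCopyInventory | Select-Object -Last 1
# $view = Mount-ShadowCopy -DeviceObject $sc.DeviceObject
# Copy-Item "$view\Users\<user>\Documents\report.docx" "$env:USERPROFILE\Documents\report.docx"
# cmd /c rmdir C:\ShadowView        # removes only the link, not the shadow copy
```

Treat the autorun report as a triage list, not a verdict: an entry that is unsigned, points to a missing file, or starts from a drop folder deserves a look, but legitimate software does all three on occasion, so check the image before deleting the value. Kill the process before removing its executable, and export the key before deleting anything, exactly as the manual steps advise.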
Killing the Ultimo ransomware process is not enough; you also have to make sure every component has been removed. To do that, follow the advanced steps below.
Perform a full system scan using Advanced System Repair Pro. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- The BIOS screen will be displayed next; if Windows starts instead, reboot and try again. While the BIOS screen is showing, press F8 repeatedly until the Advanced Boot Options menu appears. On Windows 8 and later the F8 menu is disabled by default: hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings to reach the Safe Mode choices.
- Use the arrow keys to select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and press R.
- If done correctly, the Windows Run box will appear.
- Type the URL http://advancedsystemrepair.com/ASR_Installation.exe into the Run dialog box and press Enter or click OK. Run hands the address to your default browser; before running what it saves, check that the download really came from that domain, and prefer an HTTPS connection if the site offers one, since a plain HTTP download on a machine that has just run malware can be tampered with in transit.
- The Advanced System Repair Pro installer will download. Wait for the download to finish, then open the launcher to install the program.
- Once the installation is complete, run Advanced System Repair Pro to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.