Unlock26 targets the Windows operating system and is distributed through a Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware. The portal contains a basic command-line interface (CLI) builder that helps users create a custom binary to infect victims. Once a targeted system is infected, Unlock26 encrypts the victim’s files and appends .locked- and three randomly selected characters to the end of the file names. The random characters are unique for each victim. It then drops a ransom note named ReadMe-[three character victim ID].html. To pay the ransom, victims must click directly on the link provided within the ransom note, because the note contains a signature that allows the RaaS user to distinguish between infections. Manually entering the URL of the ransom payment site will not allow the victim to access the payment site. As of February 25, 2017, Unlock26 appears to still be under development by its author.
- Bleeping Computer provides more information about Unlock26 here.
- The NJCCIC is not currently aware of any free decryption tools available for Unlock26.
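The file-naming pattern described above can be used to triage a file listing during incident response. The following is an added example, not code from the NJCCIC or Bleeping Computer; it assumes the three random characters are ASCII letters or digits and that the ID in the ransom note name matches the appended file suffix, and the function names and sample paths are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the three random characters are ASCII letters or digits.
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.locked-(?P<vid>[A-Za-z0-9]{3})$", re.IGNORECASE)
NOTE_RE = re.compile(r"^ReadMe-(?P<vid>[A-Za-z0-9]{3})\.html$", re.IGNORECASE)

# Constructed sample listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.locked-a7K",
    r"C:\Users\alice\Documents\notes.txt.locked-a7K",
    r"C:\Users\alice\Documents\ReadMe-a7K.html",
    r"C:\Users\alice\Downloads\ReadMe-faq.html",       # benign look-alike note name
    r"C:\Users\alice\Pictures\door.locked-open.png",   # benign: suffix is not at the end
    r"C:\Users\alice\Desktop\report.docx",
]


def triage(paths):
    """Group Unlock26-style artifacts in a file listing by candidate victim ID."""
    findings = defaultdict(lambda: {"encrypted": [], "notes": []})
    for raw in paths:
        name = PureWindowsPath(raw).name  # parses Windows paths on any host OS
        m = LOCKED_RE.match(name)
        if m:
            findings[m["vid"]]["encrypted"].append(raw)
            continue
        m = NOTE_RE.match(name)
        if m:
            findings[m["vid"]]["notes"].append(raw)
    return dict(findings)


def confidence(entry):
    """Renamed files plus a note under the same ID is a strong match; either alone is weak."""
    return "high" if entry["encrypted"] and entry["notes"] else "low"


def report(paths):
    """Return {victim_id: (confidence, encrypted_file_count, note_count)}."""
    return {vid: (confidence(e), len(e["encrypted"]), len(e["notes"]))
            for vid, e in triage(paths).items()}


if __name__ == "__main__":
    for vid, (level, n_enc, n_notes) in report(SAMPLE_LISTING).items():
        print(f"ID {vid}: {level} confidence, {n_enc} renamed file(s), {n_notes} note(s)")
```

Requiring both a renamed file and a note with the same ID keeps ordinary files such as ReadMe-faq.html from being reported as a confirmed infection.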