New Unlock26 Ransomware and RaaS Portal Discovered

A recently discovered Ransomware-as-a-Service (RaaS) portal was found to be responsible for the distribution of a brand new ransomware family dubbed Unlock26.

Dubbed Dot-Ransomware, the RaaS portal went live on February 19, and security researchers suggest that the Unlock26 ransomware was released the same day. Further, they reveal that the ransomware operation features a very minimal and direct style, with few instructions, simple ransom notes and a simple payment portal.

Wannabe criminals registering for the service get to download two files: one is a benign ransomware payload dubbed core.exe, and the other is an archive containing the builder and usage instructions called

The builder, BleepingComputer reports, is a minimal command-line interface through which affiliates can customize the ransom amount (can even set special decryption prices per country), the targeted file types, the type of encryption (full or first 4MB of each file), and the Bitcoin address where the payment should be sent.

To apply the custom settings to the ransomware, affiliates only need to load the core.exe file in the builder, which will also generate a fully weaponized binary, ready for distribution. From this point onward, it’s up to each affiliate to distribute the malicious file using whatever means necessary.

Dubbed Unlock26, the newly-generated ransomware appends a .locked-[XXX] extension to the encrypted files, where XXX appears to be three random alphanumeric characters unique to each victim. Once the encryption process has been completed, the malware displays a ransom note that instructs victims to access one of four Tor-to-Web proxy URLs.
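For incident triage, the extension format described above can be matched against a file listing from a suspected host; this is an added example, not code from the article or the researchers it cites. The sample paths are constructed, and reading more than one suffix as more than one infection is an assumption drawn from the article's statement that the suffix appears to be unique per victim.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extension format as reported in the article: ".locked-" followed by
# exactly three alphanumeric characters at the end of the file name.
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.locked-(?P<tag>[A-Za-z0-9]{3})$")

# Constructed sample listing (not real victim data).
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.locked-a7Q",
    r"C:\Users\alice\Documents\budget.xlsx.locked-a7Q",
    r"C:\Users\alice\Pictures\trip.jpg.locked-a7Q",
    r"C:\Users\alice\Documents\notes.txt",            # untouched file
    r"C:\Users\alice\Documents\door.locked-open",     # 4-char suffix: not a match
    r"D:\Shares\plan.pdf.locked-9zK",                 # second tag on the same listing
]

def triage(paths):
    """Group matching paths by their three-character tag.

    Returns {tag: [(encrypted_path, original_file_name), ...]}.
    """
    hits = defaultdict(list)
    for p in paths:
        m = LOCKED_RE.match(PureWindowsPath(p).name)
        if m:
            hits[m.group("tag")].append((p, m.group("orig")))
    return dict(hits)

def summarize(hits):
    """List affected directories per tag and flag listings with several tags.

    Assumption: since the tag appears to be unique per victim, several tags
    in one listing suggest several infections (e.g. a shared drive).
    """
    dirs = {
        tag: sorted({str(PureWindowsPath(p).parent) for p, _ in items})
        for tag, items in hits.items()
    }
    return {"tags": sorted(hits), "dirs": dirs, "multiple_tags": len(hits) > 1}

if __name__ == "__main__":
    report = summarize(triage(SAMPLE))
    for tag in report["tags"]:
        print(tag, report["dirs"][tag])
    print("multiple tags:", report["multiple_tags"])
```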

A signature hidden in the links displayed by the ransom note allows cybercriminals to distinguish between infected hosts, researchers say. However, this also means that victims have to click on the links, and that typing the visible URLs manually in a browser won’t offer access to the payment portal, because the site checks for the presence of those signatures.

The signatures are believed to have been included so that each user would be pointed to a unique Bitcoin address when accessing the portal. The payment site, however, doesn’t provide clear instructions on what victims should do, most probably because the malware authors expect victims to have knowledge of what being infected with ransomware involves.

On the other hand, both the ransom note and the payment site also fail to inform victims of the amount they have to pay. On the payment site, a math function is listed instead: 6.e-002 BTC. Because of all this, and because the builder features an error, researchers suggest that both the ransomware and the RaaS operation are still under development and not yet ready to be deployed.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
