What is U2k virus?
U2k virus is a ransomware that attacks the victim’s computer by encrypting files and demanding a ransom for decrypting them. The ransomware attack can lead to data loss and financial losses. U2k encrypts files, renames them by appending the extension “u2k”, and creates files named “readme.txt” containing the ransom demand message.
U2k ransomware in detail
U2k ransomware is designed to encrypt files located on the victim’s computer, and then extort money to decrypt them. It sneaks into the system without any visible symptoms, which is why users notice that their computer is infected too late, when the files are already encrypted. Typically, ransomware like U2k can infect a computer when a user runs and installs an infected program as well as cracked games, freeware, key generators, fake Windows/Chrome/Edge updates and other similar software.
Each file affected by ransomware is renamed so that the extension “.u2k” is added to its old name on the right. This means the following, if the file was named “document.docx”, then after it is encrypted, it will be called “document.docx.u2k”. Every file on the victim’s computer becomes the target of the U2k virus. Whether the file is on an internal drive or network storage, it will be encrypted. Thus, the following types of files can be encrypted:
Each file that has been affected by the ransomware is renamed in such a way that the “.u2k” extension is appended to its old name on the right. This means the following, if the file was named ‘document.docx’, then after it is encrypted, it will be called ‘document.docx.u2k’. Each file on the victim’s computer becomes the target of U2k virus. No matter where the file is located, on the internal drive or network storage, this file will be encrypted. Thus, the following types of files can be encrypted:
.kf, .wp5, .xlsm, .xx, .xls, .wb2, .gho, .psk, .gdb, .qdf, .dwg, .xlk, .docx, .erf, .xdl, .p7c, .wcf, .wpl, .yml, .wbmp, .cdr, .xyw, .xxx, .wmd, .webdoc, .mlx, .pst, .sid, .wpg, .p7b, .webp, .wm, .vfs0, .3dm, .zw, .pfx, .m2, .raw, .desc, .wri, .vcf, .x3d, .menu, .ibank, .accdb, .svg, .xdb, .wpa, .pdf, .zdb, .wmf, .jpg, .x3f, .bik, .db0, .rim, .snx, .rtf, .pef, .xpm, .odp, .hkdb, .x, .x3f, .wbc, .xlsm, .blob, .lbf, .sql, .wpe, .ncf, .txt, .ptx, .xbdoc, .upk, .dbf, .tor, .apk, .asset, .bc7, .wmv, .qic, .wdb, .crt, .orf, .xbplate, .re4, .arch00, .xlsx, .odb, .doc, .xll, .bkp, .der, .lvl, .bay, .xmmap, .itl, .big, .wotreplay, .ppt, .pptx, .dmp, .wma, .bkf, .hvpl, .mcmeta, .rofl, .wgz, .d3dbsp, .p12, .wma, .pptm, .xyp, .itm, .ztmp, .sidd, .odm, .rgss3a, .ods, .m3u, .epk, .wire, .py, .w3x, .iwd, .icxs, .odc, .ysp, .mp4, .psd, .wbk, .map, .wp4, .sis, .wps, .rb, .z, .1, .ntl, .dxg, .2bp, .xy3, .t13, .wn, .7z, .srw, .zip, .fos, .rwl, .jpeg, .xlsx, .wp6, .cas, .yal, .eps, .wps, .wpt, .css, .zip, .indd, .xf, .wpd, .xlgc, .wpb, .dba, .lrf, .vpk, .xar, .ws, .1st, .kdb, .zabw, .iwi, .zif, .mddata, .xmind, .rar, .bsa, .dng, .das, .fsh, .mef, .mdbackup, .nrw, .xls, .avi, .wpw, .pem, .wsc, .wdp, .wbm, .hkx, .hplg, .syncdb, .bc6, .3ds, .dazip, .vpp_pc, .sav, .wbz, .zi, .fpk, .mpqge, .cr2, .vdf, .xlsb, .wsh, .mov, .sb, .xml, .sum, .m4a, .kdc, .raf, .t12, .mdf, .sr2, .rw2, .docm, .wmv, .jpe, .r3d, .ltx, .srf, .mrwref, .flv, .pdd, .js, .sie, .ai, .bar, .odt, wallet, .y, .xld, .slm, .wbd, .arw, .tax, .wp, .mdb, .wsd, .ybk, .wot, .wav, .3fr, .cfr, .xwp, .itdb, .dcr, .esm, .csv, .pkpass, .pak
Encrypted files are locked, i.e. their contents cannot be accessed in any way. Renaming the files and changing their extension will not help unlock these files. In directories where there are encrypted files, the ransomware drops files called “readme.txt”. These files contain a message from the ransomware authors. The content of all files with this name is the same and does not depend on which directory the file is in.
The full text of this file is:
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor:
| 1. Download Tor browser – https://www.torproject.org/ and install it.
| 2. Open link in TOR browser – http://u2kqti2utfaiefucegnmd6yh6hledbsfanaehhnnn3q5usk6bvndahqd.onion/?ST1HYJUHGFV
| 3. Create Ticket
Note! This link is available via Tor Browser only.
The ransom demand message says that the victim’s files are encrypted and a decryptor is needed to recover them. To buy the decryptor, the victim must download and install the TOR browser, then follow the link provided in the message and create a ticket. It is likely that the response to this ticket will include the amount of the ransom and the method of payment. Of course, there is no guarantee that even after paying the ransom to the attackers, the victim will be able to restore the encrypted files to their original state.
Unfortunately, there is no way to decrypt encrypted files yet. Nevertheless, you do not need to despair. There are several ways to find and remove U2k ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
|Type||Crypto malware, File locker, Ransomware, Crypto virus, Filecoder|
|Encrypted files extension||.u2k|
|Detection||Suspicious.Win32.Save.a, Ransom.LolKekU2KCiR, TScope.Trojan.MSIL, Spyware.PasswordStealer.MSIL, HEUR:Trojan.MSIL.Bingoml.gen, TR/Kryptik.lsxtv, Win32:CrypterX-gen [Trj], Gen:Trojan.Mardom.MN.10, Win32:CrypterX-gen [Trj], RDN/Bingoml, Trojan:MSIL/AgentTesla.NYJ!MTB, Trojan.Ransom.Filecoder|
|Symptoms||Encrypted documents, photos and music. Your personal files have a wrong name, suffix or extension, or don’t look right when you open them. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’.|
|Distribution ways||Malicious links in emails. Exploit kits (cybercriminals use crypto malware packaged in an ‘exploit kit’ that can find a vulnerability in Adobe Flash Player, Windows operating system, Browser, PDF reader). Social media, such as web-based instant messaging applications. Cybercriminals use suspicious advertisements to distribute malicious software with no user interaction required.|
|Removal||U2k removal guide|
How to remove U2k ransomware, Recover encrypted files
If your files were encrypted, then you first need to remove the U2k ransomware, and then proceed with file recovery. Both the ransomware removal process and the file recovery process will take a long time, so don’t believe the magic instructions that say it can be done very quickly. We strongly recommend that even if for some reason one of the methods below does not suit you, try another and try them all. Perhaps one of them will help you. Feel free to ask questions in the comments below. And finally, before proceeding with the instructions, we advise you to carefully read it, and then print it or open it on a tablet or smartphone so that it is always at hand.
Remove U2k ransomware virus
You first need to delete U2k-related files and registry entries before proceeding with the recovery of encrypted files. This must be done since otherwise the ransomware may re-encrypt the restored files.
Kill malicious processes
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the U2k virus then right-click it and select “End Task” or “End Process” option. If your Task Manager does not open or the Windows reports “Task manager has been disabled by your administrator”, then follow the guide: How to Fix Task manager has been disabled by your administrator.
Scan computer for malware
MalwareBytes is a malware removal tool that can be used to remove spyware, trojans, worms, adware, malware, ransomware and other security threats. This program is one of the most efficient anti-malware tools. It helps in ransomware removal and and defends all other types of malware. One of the biggest advantages of using MalwareBytes Anti Malware is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and scan your computer with MalwareBytes in order to remove U2k ransomware from the computer.
Installing the MalwareBytes is simple. First you’ll need to download it from the following link. Save it to your Desktop.
Category: Security tools
Update: April 15, 2020
When the download is complete, close all apps and windows on your device. Open a directory in which you saved it. Double-click on the icon that’s called MBSetup as displayed in the following example.
When the installation begins, you will see the Setup wizard which will help you setup Malwarebytes on your computer.
Once the installation is done, you will see window similar to the one below.
Now click the “Scan” button to scan your computer for the U2k ransomware, spyware, worms, trojans and other malware. This process can take some time, so please be patient. When a threat is detected, the number of the security threats will change accordingly.
When the scan is done, MalwareBytes will show a list of malware found on the computer. Review the list and then click “Quarantine” button.
Malwarebytes will now move the selected threats to the program’s quarantine. Once disinfection is complete, you may be prompted to reboot your computer.
In order to be 100% sure that the computer no longer has the U2k malware, we recommend using the Kaspersky virus removal tool (KVRT). This tool, as its name suggests, is created by the Kaspersky lab and uses the core of the Kaspersky Antivirus. Unlike the Kaspersky Antivirus, KVRT has a smaller size and, most importantly, it can work together with an already installed antivirus software. This utility has great capabilities and therefore we suggest using KVRT in the last turn to be sure that the U2k ransomware virus has been removed.
Download KVRT on your personal computer from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan for the U2k ransomware. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your PC. When a threat is found, the number of the security threats will change accordingly.
When Kaspersky virus removal tool is finished scanning your device, it will prepare a list of found threats similar to the one below.
Once you have selected what you wish to delete from your computer press on Continue to begin a cleaning task.
Recover encrypted files
If your files are encrypted, then your only option is to use alternative methods to recover the contents of encrypted files. There are several alternative methods that may allow you to recover the contents of encrypted files. These file recovery methods do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that there are no active ransomware on your computer. So if you haven’t already scanned your computer for ransomware, do it now with free malware removal tools or go back to step 1 above.
Restore encrypted files using Shadow Explorer
A free tool named ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of MS Windows 11 (10, 8, 7 , Vista). You can recover your documents, photos, and music encrypted by U2k ransomware from Shadow Copies for free. Unfortunately, this method does not always work due to the fact that the ransomware almost always deletes all Shadow copies.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your system from the link below.
Category: Security tools
Update: September 15, 2019
After the download is done, extract the saved file to a directory on your personal computer. This will create the necessary files as on the image below.
Run the ShadowExplorerPortable program. Now choose the date (2) that you want to restore from and the drive (1) you wish to recover files (folders) from such as the one below.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and click the Export button like below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Recover encrypted files with PhotoRec
There is another way to recover the contents of encrypted files. This method is based on the use of data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary features and is completely free.
Download PhotoRec by clicking on the following link.
Category: Security tools
Update: March 1, 2018
Once downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as displayed in the figure below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, press Browse button to choose where restored personal files should be written, then press Search. We strongly recommend that you use an external device to save the restored files!
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is finished, press on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as displayed below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
Protect your PC from U2k ransomware
Most antivirus programs already have ransomware protection built in. Therefore, if your computer does not have an antivirus program, be sure to install it. For additional protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your computer from any kind of ransomware. When ransomware is detected, HitmanPro.Alert automatically neutralizes malware and restores encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows from Windows XP to Windows 11.
First, click the following link, then click the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
Category: Security tools
Update: March 6, 2019
After the downloading process is complete, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is started, you’ll be displayed a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
This guide has been created to help all victims of the U2k ransomware. We tried to answer the following questions: how to remove ransomware; how to recover encrypted files. We hope the information provided in this guide has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with U2k related issues, go to here.