UST29 ransomware (virus) - Recovery Instructions Included

by Olivia Morelli - - | Type: Ransomware

UST29 virus Removal Guide

What is UST29 ransomware?

UST29 ransomware authors encrypt users' files in order to make them pay a ransom

UST29 ransomwareUST29 ransomware is a malware that locks personal files and demands ransom for their return

UST29 is a ransomware-type computer virus that was first spotted in the wild in mid-April 2022. It belongs to a prominent and expansive malware family known as Dharma – it has been active for many years, and by now, hundreds of versions have been released by cybercriminals behind it.

Upon entry, the UST29 virus inserts malicious files and reconfigures the Windows system to allow the data encryption process to occur. With the help of a powerful encryption algorithm, it then locks all the personal files located on the device. During this process, all pictures, documents, databases, and other files are appended with the following extension:

  • .id-ID.[ust29@aol.com].ust29

The second “ID” represents a modifier that is assigned to each of the victims individually – it is also used to recognize each of the victims by the attackers. Data marked by this extension is stripped of the original file icons and can no longer be modified or even accessed by users.

The ransom note titled FILES ENCRYPTED.txt is dropped on the desktop and other locations of the computer immediately after. A pop-up window from the file Info.hta also shows up, which describes in detail what users need to do in order to recover their files. As usual, they ask to write an email to negotiate a price of UST29 ransomware decryptor, to be paid in Bitcoin.[1]

Do not pay the cybercriminals or you may end up losing money together with your files. Instead, we recommend following the guide we provide below to attempt alternative file recovery methods after the removal of ransomware.

Name UST29 ransomware
Type Ransomware, file locking virus
malwre family Dharma
File extension .id-ID.[ust29@aol.com].ust29 (“ID” is replaced by a unique user ID which varies from victim to victim)
Ransom note Info.hta, FILES ENCRYPTED.txt
Contact ust29@aol.com or ust29@nerdmail.co
File Recovery If no backups are available, recovering data is almost impossible. However, we suggest you try the alternative methods that could help you in some cases – we provide them below
Malware removal Perform a full system scan with powerful security software, such as SpyHunter 5Combo Cleaner
System fix Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid its reinstallation, we recommend scanning it with the FortectIntego repair tool

How UST29 ransomware spreads

Ransomware is as successful as its methods of distribution, so it is not surprising that cybercriminals choose several methods for malware delivery. In the case of Dharma, crooks behind it employ the following:

  • Spam emails. A malicious MS Office document, usually trapped with a malicious macro, is attached to a phishing or spoofing email. If opened, the payload is immediately downloaded and executed on the target machine.
  • Software cracks are one of the most popular tools for ransomware delivery. Users typically access risky websites that host torrents and cracks willingly and download the tool intentionally, completely ignoring all the warnings from security software. Once the file is launched, data encryption is imminent.
  • Weakly protected RDP (Remote Desktop Protocol)[2] connections are mostly used to attack businesses and organizations. Cybercriminals scan the internet for weak connections and brute-force the entry, allowing them to deploy malicious payloads manually.

The most important thing when trying to protect yourself against ransomware and other malware attacks is a reliable anti-malware tool. We recommend employing SpyHunter 5Combo Cleaner or Malwarebytes for this job. You mustn't ignore warnings coming from these tools under various circumstances and keep the database updated to the latest version.

The demands and why you shouldn't pay

Dharma ransomware attacks small businesses, although its primary focus remains on regular computer users. In the latter case, the ransom demands are likely to be lower, although it is not worth expecting that it would be cheap. Regardless of your financial status, you should avoid contacting crooks, as you may lose your money along with your files.

UST29 ransomware virusUST29 virus delivers a pop-up message which serves as a message from the attackers

As soon as malware completes its job, it delivers two ransom notes. The small text-based message reads as follows:

all your data has been locked us
You want to return?
write email ust29@aol.com or ust29@nerdmail.co

The pop-up window Info.hta is immediately opened automatically and provides the following information:

YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email ust29@aol.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:ust29@nerdmail.co
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

It is ironic how cybercriminals are talking about scams, knowing that they are committing a crime themselves. Remember, these people are not your friends and should never be trusted.

Malware removal

Your first task is to ensure that malware is terminated from all the affected machines. If you do not have your device connected to a network, then it's only your own computer you need to take care of.

Your first step is to disconnect the affected machine from the network and/or the internet. All you have to do is unplug the internet cable or disconnect the WiFi on a personal device. If the whole network is affected, you can proceed with the following steps:

  • Type in Control Panel in Windows search and press Enter
  • Go to Network and InternetNetwork and internet
  • Click Network and Sharing CenterNetwork and internet 2
  • On the left, pick Change adapter settingsNetwork and internet 3
  • Right-click on your connection (for example, Ethernet), and select DisableNetwork and internet 4
  • Confirm with Yes.

Once the infected PC is isolated, you should scan it with SpyHunter 5Combo Cleaner or another powerful security software. In some rare cases, this might not be possible due to the persistence mechanisms employed by the UST29 virus. If that's the case, check the bottom of the article to find how to enter Safe Mode and delete the infection from there, temporarily disabling malware.

System fix

After malware infection, Windows is no longer the same, as some system files might get damaged or even destroyed. This can result in system instability – crashes, failure to launch programs, BSODs,[3] and many other issues. If you are suffering from these problems after eliminating the infection, use recovery software as explained below.

  • Download FortectIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Data recovery

Before you proceed with file recovery, we recommend you back up all the encrypted data on a separate medium, such as a USB flash drive. Tampering with encrypted files might permanently damage them, so saving copies can be a real relief.

Once you have backups ready, you should then attempt to recover your data. It is important to note that antivirus would not restore your files back to normal – it simply deletes the infection and all its malicious files so that the unwanted activity can no longer continue. Your best bet is trying data recovery software:

  • Download Data Recovery Pro.
  • Double-click the installer to launch it.
    UST29 ransomware
  • Follow on-screen instructions to install the software.
  • As soon as you press Finish, you can use the app.
  • Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  • Press Next.
  • At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  • Press Scan and wait till it is complete.
  • You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  • Press Recover to retrieve your files.Recover files

Your other option is to wait for a working decryptor that could be successfully created by security experts. Ransomware's encryption code is usually extremely secure, so breaking it is rather difficult. In some cases, law authorities might gain access to the hackers' servers, which helps security researchers to create a working decryptor, allowing all the victims to recover their files for free.

Currently, there is no working decryption tool for .UST29 files available, although we recommend tracking the following links for the future reference:

No More Ransom Project

Offer
do it now!
Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

Getting rid of UST29 virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Create data backups to avoid file loss in the future

One of the many countermeasures for home users against ransomware is data backups. Even if your Windows get corrupted, you can reinstall everything from scratch and retrieve files from backups with minimal losses overall. Most importantly, you would not have to pay cybercriminals and risk your money as well.

Therefore, if you have already dealt with a ransomware attack, we strongly advise you to prepare backups for future use. There are two options available to you:

  • Backup on a physical external drive, such as a USB flash drive or external HDD.
  • Use cloud storage services.

The first method is not that convenient, however, as backups need to constantly be updated manually – although it is very reliable. Therefore, we highly advise choosing cloud storage instead – it is easy to set up and efficient to sustain. The problem with it is that storage space is limited unless you want to pay for the subscription.

Using Microsoft OneDrive

OneDrive is a built-in tool that comes with every modern Windows version. By default, you get 5 GB of storage that you can use for free. You can increase that storage space, but for a price. Here's how to setup backups for OneDrive:

  1. Click on the OneDrive icon within your system tray.
  2. Select Help & Settings > Settings.
    Go to OneDrive settings
  3. If you don't see your email under the Account tab, you should click Add an account and proceed with the on-screen instructions to set yourself up.
    Add OneDrive account
  4. Once done, move to the Backup tab and click Manage backup.
    Manage backup
  5. Select Desktop, Documents, and Pictures, or a combination of whichever folders you want to backup.
  6. Press Start backup.
    Pick which folders to sync

After this, all the files that are imported into the above-mentioned folders will be automatically backed for you. If you want to add other folders or files, you have to do that manually. For that, open File Explorer by pressing Win + E on your keyboard, and then click on the OneDrive icon. You should drag and drop folders you want to backup (or you can use Copy/Paste as well).

Using Google Drive

Google Drive is another great solution for free backups. The good news is that you get as much as 15GB for free by choosing this storage. There are also paid versions available, with significantly more storage to choose from.

You can access Google Drive via the web browser or use a desktop app you can download on the official website. If you want your files to be synced automatically, you will have to download the app, however.

  1. Download the Google Drive app installer and click on it.
    Install Google Drive app
  2. Wait a few seconds for it to be installed. Complete installation
  3. Now click the arrow within your system tray – you should see Google Drive icon there, click it once.
    Google Drive Sign in
  4. Click Get Started. Backup and sync
  5. Enter all the required information – your email/phone, and password. Enter email/phone
  6. Now pick what you want to sync and backup. You can click on Choose Folder to add additional folders to the list.
  7. Once done, pick Next. Choose what to sync
  8. Now you can select to sync items to be visible on your computer.
  9. Finally, press Start and wait till the sync is complete. Your files are now being backed up.

Report the incident to your local authorities

Ransomware is a huge business that is highly illegal, and authorities are very involved in catching malware operators. To have increased chances of identifying the culprits, the agencies need information. Therefore, by reporting the crime, you could help with stopping the cybercriminal activities and catching the threat actors. Make sure you include all the possible details, including how did you notice the attack, when it happened, etc. Additionally, providing documents such as ransom notes, examples of encrypted files, or malware executables would also be beneficial.

Law enforcement agencies typically deal with online fraud and cybercrime, although it depends on where you live. Here is the list of local authority groups that handle incidents like ransomware attacks, sorted by country:

Internet Crime Complaint Center IC3

If your country is not listed above, you should contact the local police department or communications center.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from UST29 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals. 

No backups? No problem. Use a data recovery tool

If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.

If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References