How to Remove Onion Ransomware and Restore Your Files (Step-by-Step Guide)

Has your computer suddenly been attacked by Onion ransomware? Have all of your important files been encrypted by this loathsome ransomware? Are you totally at a loss and unsure what to do when asked to pay a ransom? This article aims to provide a useful guide to help you remove the malicious ransomware and try to restore your files.


Ransomware attacks have become one of the most prevalent and pernicious security issues over the last couple of years. Ransomware has evolved from simply locking the computer screen to encrypting personal files using intricate cryptography. Since CryptoLocker, a type of file-encrypting ransomware, first emerged in 2013, many cyber criminals have followed suit with this style of attack. In recent years, a growing number of ransomware threats that work in a similar way have been developed and released on the Internet. Onion, first identified in 2014, is one of these file-encrypting ransomware threats, and it has recently become prevalent again.

If you have become a victim of the Onion ransomware, we highly recommend that you remove this threat immediately to avoid other serious problems caused by the infection.



Victims Are Searching for Help


Since the beginning of this month, we have continuously received e-mails asking for help removing Onion ransomware and restoring the encrypted files. Here is an email from one of the victims, whose name is Bella.

Hi, guys! I desperately need your help! It might be a long story and hope you will read it with patience.

It was this morning when I started my computer and noticed a text file named “-DECRYPT-MY-FILES.txt” popping up on my desktop. It said that all my files had been decrypted and I needed to buy the special software in order to recover my files. Here is the screenshot of the text.

[Screenshot: ransom note]

At first I thought it was a joke by my naughty brother, but soon I realized that my computer had got infected by the fearsome ransomware. I wonder why my PC got infected, since I had installed an antivirus program to safeguard it all day!

Even though I felt at once that I was in big trouble, I tried to keep myself calm and quickly ran a malware scan with Norton, but no threats were detected. I also tried other tools like AVG, Avira, and Bitdefender, with no luck.

Then, I started to check my hard drives and found many folders with encrypted files in them. In each folder there was a text file that contained the same content as what had been displayed on the desktop. I tried to access those files but failed.


In desperation, I intended to buy the decryption tool mentioned in the text. This was the first time I got hit by a ransomware. For fear of getting infected by other threatening malware when opening the given unknown sites, I decided to use another computer which didn’t have any important files to visit the sites provided in the text for the further instructions.

However, there was no response for a long time when I typed one of the site addresses into the address bar of the Chrome browser and pressed the Enter key. Then, I downloaded and used Tor browser, and this time I successfully opened a webpage which required me to enter a personal ID.

[Screenshot: ID input page]

I input the ID and clicked Sign in. A new page appeared. There I chatted with the cyber hackers. They required me to pay $600 to get the decryption tool. To tell the truth, $600 is not a small amount of money for me, and I was rather reluctant to make the payment. Besides, I doubted the reliability and safety of the tool provided by them. What if the tool fails to decrypt my files? What if the tool brings a backdoor Trojan that steals my confidential information like credit card numbers and passwords?

Based on these considerations, I decided not to pay the ransom for the time being. I tried to search for other solutions on Google, but couldn’t find an effective one. When I felt desperate and reconsidered whether to buy the decryption tool, one of my friends recommended you to me. He said you are highly experienced security experts and can help people in need resolve various computer issues.

So, I wrote to you and expect your quick reply. Thanks in advance!

Yours sincerely, Bella



About Onion Ransomware


Basic Information

Threat Name: Onion Ransomware
Risk Level: danger-level9
Category: Ransomware; Malware
Affected System: Windows XP, Windows 7, Windows Vista, Windows 8/8.1 and Windows 10
Behaviors: Encrypts important files; demands a ransom payment.
Distribution Methods: Spam emails, malicious exploit kits, malicious websites, fake update notifications.
Removal Solution: It may be impossible to detect Onion ransomware with a general antivirus program, so it is highly recommended that you use a specialized tool to find and delete all files related to this threat.


Onion is an extremely pernicious ransomware that attacks people’s computers and encrypts every kind of data and file that may be of value to the victims, including personal photos, archives, databases, diagrams and financial statements. It is called “Onion” because it uses the Tor network (the Onion Router) to hide its malicious nature and also because it uses “onion” as the extension of the encrypted files. Like its predecessors CryptoLocker and Cryptowall, this ransomware demands that its victims pay a ransom in order to get their files back. It also uses a countdown mechanism to scare victims into making the payment as soon as possible.

Onion ransomware is believed to use social engineering techniques to trick users into running it. More specifically, a user receives an email purporting to be from a logistics company and containing a .zip file whose filename and icon are disguised as a PDF. Once the user opens the .zip file, a Trojan (Backdoor.Win32.Androm) runs and quickly saves itself to a folder (AppData, LocalAppData) on the user’s computer. The Trojan then downloads and runs another piece of malware on the infected computer at the cyber hackers’ command. The latter malware then downloads the Onion ransomware to the user’s computer.

Upon getting into a target computer, this ransomware copies its body to CSIDL_COMMON_APPDATA and adds a task to the Task Scheduler to launch that file. Next, it begins to search for files with specific extensions (see below) and encrypts them all. When the file-encryption process is completed, the ransomware drops a ransom note on the infected computer. The ransom note informs the victim that all of his files have been encrypted and that a piece of special software must be bought in order to decrypt them. The text provides several site addresses; visiting one of them takes the victim to a page with further instructions on how to buy the decryption tool.
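The persistence described above (a copy under CSIDL_COMMON_APPDATA launched by a scheduled task) can be reviewed with the following PowerShell check. It is an added example, not part of the original guide or of any vendor tool, and it assumes nothing about the task or file names, which the guide does not give.

```powershell
# Added example (not from the original guide). Needs PowerShell 4.0+ on Windows 8 or later, run elevated.
# CSIDL_COMMON_APPDATA is the machine-wide application data folder, normally C:\ProgramData.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "run a program" actions have an Execute path; COM handler actions are skipped.
        if ([string]::IsNullOrWhiteSpace($action.Execute)) { continue }

        # Expand variables such as %ProgramData% and strip surrounding quotes.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not $exe.StartsWith($commonAppData, [StringComparison]::OrdinalIgnoreCase)) { continue }

        # Collect facts that help decide whether the binary is legitimate.
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        $created = $null; $signature = 'FileMissing'; $sha256 = $null
        if ($file) {
            $created   = $file.CreationTime
            $signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            $sha256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $exe
            Arguments = $action.Arguments
            Created   = $created
            Signature = $signature
            SHA256    = $sha256
        }
    }
}

# Newest binaries first: a recently created, unsigned file here deserves a closer look.
$findings | Sort-Object Created -Descending | Format-List
```

Legitimate software also schedules tasks from this folder, so treat each result as a lead to verify rather than a verdict.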

A list of file extensions targeted by the ransomware:


Onion is not a newly created ransomware. It first appeared in 2014, and it has now come back with several improvements. The new version of Onion ransomware allows victims to decrypt five of their files as a “trial” without paying the ransom. The cyber hackers added this feature to make victims believe that they really are able to decrypt the files. This ransomware also adds three new language versions: German, Italian and Dutch. By extending the scope of attack areas, the cyber hackers behind this ongoing ransomware campaign will make more money. To conceal themselves, the cyber hackers connect to Tor in a variety of new ways, which makes it difficult for PC security researchers to pinpoint the origin of the ransomware attacks.

Due to its stealthy nature and disastrous effects (e.g. losing important data for good, or worse, having it leaked publicly), Onion ransomware is considered as a big threat to PC users. So, stop waiting until it is too late. Just take action to remove Onion ransomware from your PC right away!



Onion Ransomware Removal Guide


Upon receiving Bella’s email, we quickly contacted her and checked her PC using remote control. On the desktop, we found the ransom note mentioned by her. And when we opened her hard drives, unsurprisingly, we saw a lot of files had been encrypted.


The name of each encrypted file consists of four parts: original filename, ID, domain name, and extension.

[Figure: encrypted file name analysis]

Having verified that Bella’s computer had really been infected, we started to help her clean Onion ransomware and other malware threats that possibly came into the computer during the ransomware infection. Below are the steps:


Reboot the computer in Safe Mode with Networking.

Open the Start menu, go to Shut down and click Restart.

Tap the F8 key repeatedly before the Windows logo appears. The F8 key opens the Advanced Boot Options menu.

When the Advanced Boot Options screen appears, select Safe Mode with Networking by using the up and down arrow keys and then hit the Enter key.




Download and install SpyHunter.

Once the computer enters Safe Mode, download SpyHunter to the desktop.

SpyHunter is an effective anti-malware program which can detect and remove all types of computer threats including adware, browser hijackers, rootkits, Trojans, keyloggers, PUPs, ransomware and more. Spyware Helpdesk included in SpyHunter provides users the interactive one-on-one customer support solution designed to deal with any issues that SpyHunter can’t solve automatically.


Run the downloaded setup file by double-clicking on it. When a dialog box pops up, click the Run button.


Select the language and click the OK button.


Click CONTINUE to proceed.


Click I accept the EULA and Policy and click the INSTALL button.


Wait for the installation of SpyHunter to be completed.


Click the EXIT button when SpyHunter is successfully installed.




Run SpyHunter to kill Onion ransomware and other existing threats.

Double click the icon of SpyHunter to run it. On its main screen, click the Scan Computer Now button to do a full system scan.


SpyHunter now will start scanning the entire system for any existing threats.


When the scanning is done, SpyHunter will show all detected threats, the malicious ransomware (note: Onion ransomware may be detected as a Trojan, such as Trojan-Ransom.Win32.Onion), browser hijackers, and other potentially unwanted programs. Click the Fix Threats button and SpyHunter will completely remove all found threats.




Restart the computer and run a system scan once again.

Click the Start menu, go to Shut down and click Restart. Once you have logged in to Windows, run SpyHunter and conduct a full system scan again. If any threats are still detected, remove them. If no threats are detected, proceed to the next step.


Note: When fixing Bella’s problem, we used SpyHunter’s registered version, since the free version only supports malware detection. So, if you also want to use SpyHunter to kill the ransomware, you should buy its registered version before fixing the detected threats. In case you cannot remove the ransomware using this tool, please contact the tech support for further help.


Several Methods to Restore Files


If you don’t want to pay the ransom, you can try the following methods to restore your files. In Bella’s case, we used Method 2. We all believed the ransomware had deleted her shadow copies, but when we tried, we were surprised to find that it hadn’t. Bella was indeed a lucky person.


Method 1: Use the Backups

The precondition for using this method is that you made a backup of your files before the ransomware attack. If you have one, you can easily restore your files from it by following the steps below.

1. Click the Start menu, type backup into the search text box and click Backup and Restore from the resulting list.


2. In the popup window, find and click the Restore my files button.

3. Now you can browse for the file or folder you have recently backed up.


4. You can restore them to the original location or choose a different place. Click Restore and the system will start restoring your files.


Method 2: Use Shadow Volume Copies

Another method is to use Shadow Volume Copies. If the ransomware hasn’t had time to delete your shadow copies, and you notice and remove it early, you might be able to restore your files with this method. See the detailed guide here.
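Before relying on Method 2, it helps to know how far the encryption spread and whether any shadow copy predates it. The PowerShell script below is an added example, not part of the original guide. It uses the “onion” extension and the ransom note name reported above; the folder to scan and the use of file timestamps to date the attack are assumptions.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell 3.0+ prompt.
$root     = $env:USERPROFILE          # assumption: folder tree to inventory; adjust as needed
$noteName = '-DECRYPT-MY-FILES.txt'   # ransom note name from the victim's report

# 1. Inventory. Encrypted files carry the "onion" extension and each affected folder holds a note.
$files     = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($files | Where-Object { $_.Extension -eq '.onion' })
$notes     = @($files | Where-Object { $_.Name -eq $noteName })

"Encrypted files: {0}   Folders with a ransom note: {1}" -f $encrypted.Count, $notes.Count
if ($encrypted.Count -eq 0) { "No .onion files found under $root."; return }

# Folders with the most encrypted files, to prioritise what to restore.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Out-Host

# 2. Approximate when encryption began (assumes the malware did not reset file timestamps).
$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
"First encrypted file written: $firstHit"

# 3. Shadow copies created before that moment may still hold unencrypted versions.
$candidates = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.InstallDate -lt $firstHit } |
    Sort-Object InstallDate -Descending)

if ($candidates.Count -eq 0) {
    "No shadow copy predates the encryption; fall back to backups (Method 1)."
} else {
    $candidates | Select-Object InstallDate, VolumeName, DeviceObject | Format-List | Out-Host
}
```

When a candidate exists, the older versions of a folder can be browsed from the Previous Versions tab of its Properties dialog.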

Method 3: Use a Decryption Tool

So far, there isn’t a specialized tool created to help decrypt the files encrypted by Onion ransomware. But you still can try Kaspersky’s decryption tool and Trend Micro’s ransomware file decryptor.

If the tools fail to help you, the only way is to wait for an effective tool to be developed.


Precautions Against Ransomware Attacks


Onion ransomware can be very scary – the files encrypted by it can essentially be considered damaged beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance. Here are a few tips that will help you keep ransomware from wrecking your day:

  • Back up your data

Make sure you back up your data regularly to an external drive or backup service. The biggest damage that a ransomware attack may bring you is the loss of valuable data. A regular backup will spare you the trouble of missing data when your computer is attacked by ransomware. It is also better to back up your information to external drives or online storage services that are disconnected from your computer. That way, even if ransomware locks your computer, you can still have your data restored.

  • Do not open any attachment or click on suspicious links.

Ransomware is often distributed through e-mails that are seemingly secure but actually contain malicious attachments and links. Characteristically, these attachments and links look harmless or even attractive, yet once you get tricked into clicking them, some malware may get into your PC and further download ransomware automatically. For this reason, you should not open any attachments or click any links without verifying their safety.

  • Patch or update your software.

This tip is more general malware-related advice, which applies equally to ransomware and to any other malware threat. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. Making a practice of updating your software often can significantly decrease the potential for ransomware pain. Some vendors release security updates on a regular basis (Microsoft and Adobe both use the second Tuesday of the month), but there are often “out-of-band” or unscheduled updates in case of emergency. Enable automatic updates if you can, or go directly to the software vendor’s website, as malware authors like to disguise their creations as software update notifications, too.

  • Secure your PC with a reliable anti-malware program.

After getting infected by the ransomware, some of your system settings could be changed, which lowers the security level. In this situation, your computer system becomes vulnerable and can easily be attacked by the ransomware again. Hence, protecting your PC with a reliable anti-malware program is a very important thing that you should do.

Stop searching for other unreliable solutions for removing this ransomware. Now you can immediately get rid of Onion ransomware and safeguard your computer system using the tool below.

