Has your computer suddenly been attacked by Onion ransomware? Have all of your important files been encrypted by it? Are you at a loss about what to do when asked to pay a ransom? This article provides a guide to removing the ransomware and trying to restore your files.
Ransomware has become one of the most prevalent and damaging security problems of the last few years, and it has evolved from simply locking the screen to encrypting personal files with strong cryptography. Since CryptoLocker, a file-encrypting ransomware, first emerged in 2013, many criminals have followed suit with this style of attack, and a growing number of ransomware families that work the same way have been released on the Internet. Onion (also known as CTB-Locker), first identified in 2014, is one of these file-encrypting threats, and it has recently become prevalent again.
If you have become a victim of Onion ransomware, we strongly recommend removing the threat immediately to avoid further damage from the infection.
Victims Are Searching for Help
Since the beginning of this month we have continuously received e-mails asking for help removing Onion ransomware and restoring encrypted files. Here is an e-mail from one of the victims, whose name is Bella.
About Onion Ransomware
| Threat Name | Onion Ransomware |
| Affected Systems | Windows XP, Windows Vista, Windows 7, Windows 8/8.1 and Windows 10 |
| Behaviors | Encrypts files of the targeted types; demands a ransom payment |
| Distribution Methods | Spam e-mail attachments, exploit kits, malicious websites, fake update notifications |
A general-purpose antivirus program may not detect every component of an Onion infection (the loader, the downloaded intermediate malware and the ransomware itself), so it is recommended that you use a specialized tool to find and delete all files related to this threat.
Onion is a pernicious ransomware that attacks personal computers and encrypts every kind of data that may be of value to the victim, including personal photos, archives, databases, diagrams and financial statements. It is called "Onion" because it uses the Tor network (The Onion Router) to reach its payment and decryption sites anonymously, and because it appends "onion" as the extension of the encrypted files. Like its predecessors CryptoLocker and CryptoWall, this ransomware demands that its victims pay a ransom to get their files back, and it uses a countdown timer to scare victims into paying as soon as possible.
Onion ransomware is believed to use social engineering to trick users into running it. Specifically, the user receives an e-mail purporting to be from a logistics company and containing a .zip file whose contents carry a PDF-like filename and icon. Once the user opens the file inside the .zip, a Trojan loader (Backdoor.Win32.Androm) runs and quickly saves itself to a folder under AppData or LocalAppData on the user's computer. On command from the attackers, the Trojan then downloads and runs another piece of malware, and that second stage downloads the Onion ransomware onto the machine.
Once on a target computer, the ransomware copies its body to CSIDL_COMMON_APPDATA (normally C:\ProgramData) and registers a Task Scheduler entry that launches that file. It then searches for files with specific extensions (listed below) and encrypts them. When encryption is complete, the ransomware drops a ransom note on the infected computer. The note tells the victim that all of their files have been encrypted and that a piece of special software must be bought to decrypt them. Several site addresses are provided in the text; visiting them leads to a page with further instructions on how to buy the decryption tool.
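The persistence described above is something you can check for directly rather than relying on a scanner's verdict. The following PowerShell script is an added example for this article, not code from the original page or from any vendor's tool. It assumes an elevated PowerShell 4 or later prompt (Windows 8/8.1/10; on Windows 7 and earlier, Get-ScheduledTask is not available and `schtasks /query /fo csv /v` must be parsed instead), and it treats any scheduled task whose action runs a binary out of %ProgramData% (CSIDL_COMMON_APPDATA), %APPDATA% or %LOCALAPPDATA% as suspect, then lists recently written executables in those same folders. The 14-day window is an assumption; widen it if the infection is older.

```powershell
#Requires -RunAsAdministrator
# Added example: hunt for the Onion/Androm persistence described in the article.
# The dropper copies itself to CSIDL_COMMON_APPDATA and adds a scheduled task;
# the Androm loader saves itself under AppData/LocalAppData.

$suspectRoots = @(
    $env:ProgramData,      # CSIDL_COMMON_APPDATA
    $env:APPDATA,          # CSIDL_APPDATA
    $env:LOCALAPPDATA      # CSIDL_LOCAL_APPDATA
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Task actions may be written as "%ProgramData%\x.exe"; expand before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $suspectRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Scheduled tasks whose action executes from a user-writable data folder.
#    Only Exec actions carry an Execute property; COM-handler actions return $null and are skipped.
$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (Test-SuspectPath $action.Execute) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $action.Execute
                Arguments = $action.Arguments
                State     = $task.State
                Author    = $task.Author
            }
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize } else { "No scheduled tasks launch from ProgramData/AppData." }

# 2. Recently written PE files in the same folders, with hashes for a lookup or a submission.
#    14 days is an assumed window; widen it if the first ransom note is older than that.
$since = (Get-Date).AddDays(-14)
Get-ChildItem -Path $suspectRoots -Recurse -Force -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, Length, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

A hit in the first list is not proof on its own (some legitimate updaters also run from ProgramData), so check the task's Author, its trigger and the hash of the target binary before deleting anything, and keep a copy of the sample for the decryptor vendors mentioned later in this article.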
File extensions targeted by the ransomware (grouped as on the original list; unlabeled groups first):
.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .BMP .DDS .GIF .JPG
.AI .EPS .PS .SVG .INDD .PCT .PDF
.XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .SDF
.APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .CRX .PLUGIN
.DEM .GAM .NES .ROM .SAV
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML
.DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS
.CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR .TAR.GZ .ZIP .ZIPX
.BIN .CUE .DMG .ISO .MDF .TOAST .VCD
.TAX2014 .TAX2015 .VCF .XML
.FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL
CAD files: .DWG .DXF
GIS files: .GPX .KML .KMZ
Encoded files: .HQX .MIM .UUE
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D files: .3DM .3DS .MAX .OBJ
Onion is not a newly created ransomware. It first appeared in 2014 and has now returned with several improvements. The new version lets victims decrypt five of their files as a "trial" without paying, a feature added to convince victims that the attackers really can decrypt their data. It also adds three new language versions, German, Italian and Dutch; by widening the set of target regions, the criminals behind this campaign expect to make more money. To conceal themselves, they connect to Tor in a variety of new ways, which makes it hard for security researchers to pinpoint the origin of the attacks.
Because of its stealth and the severity of its effects (losing important data for good, or worse, having it leaked publicly), Onion ransomware is considered a serious threat to PC users. Do not wait until it is too late: remove Onion ransomware from your PC right away.
Onion Ransomware Removal Guide
After receiving Bella's e-mail, we quickly contacted her and examined her PC by remote control. On the desktop we found the ransom note she had mentioned, and when we opened her drives we saw, unsurprisingly, that a great many files had been encrypted.
The names of the encrypted files consist of four parts: the original filename, an ID, a domain name, and the new extension.
Having verified that Bella's computer was really infected, we began cleaning up the Onion ransomware and any other malware that might have arrived with it. The steps are below.
Reboot the computer in Safe Mode with Networking.
Open the Start menu, go to Shut down and click Restart.
Tap the F8 key repeatedly before the Windows logo appears; F8 opens the Advanced Boot Options menu on Windows XP, Vista and 7. On Windows 8/8.1 and 10, F8 is disabled by default: instead hold Shift while clicking Restart, then choose Troubleshoot, Advanced options, Startup Settings, Restart, and press the number shown next to "Enable Safe Mode with Networking".
When the Advanced Boot Options screen appears, select Safe Mode with Networking using the up and down arrow keys and press Enter.
Download and install SpyHunter.
Once the computer has entered Safe Mode, download SpyHunter to the desktop.
Run the downloaded setup file by double-clicking it. When the security dialog shown below appears, click Run.
Select the language and click the OK button.
Click CONTINUE to proceed.
Click I accept the EULA and Policy and click the INSTALL button.
Wait for the installation of SpyHunter to be completed.
Click the EXIT button when SpyHunter is successfully installed.
Run SpyHunter to kill Onion ransomware and other existing threats.
Double-click the SpyHunter icon to run it. On its main screen, click Scan Computer Now to start a full system scan.
SpyHunter will now scan the entire system for existing threats.
When the scan finishes, SpyHunter lists everything it found: the ransomware (note that Onion may be reported under a Trojan name, for example Trojan-Ransom.Win32.Onion), browser hijackers and other potentially unwanted programs. Click Fix Threats and SpyHunter will remove all of the detected items.
Restart the computer and run a system scan once again.
Click the Start menu, go to Shut down and click Restart. Once Windows has logged in, run SpyHunter and perform a full system scan again. If any threats are still detected, remove them; if none are detected, proceed to the next step.
Note: when fixing Bella's problem we used the registered version of SpyHunter, since the free version only detects malware. If you also want to use SpyHunter to remove the ransomware, you will need to buy the registered version before fixing the detected threats. If you cannot remove the ransomware with this tool, contact tech support for further help.
Several Methods to Restore Files
If you do not want to pay the ransom, you can try the following methods to restore your files. In Bella's case we used Method 2. We all assumed the ransomware had deleted her shadow copies, but when we checked we were surprised to find that it had not. Bella was lucky.
Method 1: Use the Backups
This method only works if you made a backup of your files before the ransomware attack. If you did, you can restore your files from the backup with the steps below (these are the Windows Backup and Restore steps; the note in the Precautions section about keeping backups disconnected applies here, since a backup drive that was attached during the attack may have been encrypted too).
1. Click the Start menu, type backup into the search text box and click Backup and Restore from the resulting list.
2. In the popup window, find and click the Restore my files button.
3. Now you can browse for the file or folder you have recently backed up.
4. You can restore them to their original location or choose a different place. Click Restore and the system will start restoring your files.
Method 2: Use Shadow Volume Copies
Another option is to use Shadow Volume Copies (the snapshots behind the "Previous Versions" feature of Windows). If the ransomware did not have time to delete your shadow copies, and you noticed and removed it early, you may be able to restore your files this way. Be aware that many ransomware families deliberately wipe shadow copies before encrypting, so check whether any still exist before counting on this method. See the detailed guide here.
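The shadow-copy check and restore can be scripted, which avoids copying files one at a time through the Previous Versions dialog. The script below is an added example for this article, not code from the original page or from any vendor; it assumes an elevated PowerShell 3 or later prompt, that the encrypted data lives on C:, and that the folder and output paths shown are placeholders for the reader's own. It enumerates the snapshots for the volume, mounts the newest one as a directory junction, and copies everything except files that already carry the .onion extension to a separate location, so nothing on the damaged volume is overwritten.

```powershell
#Requires -RunAsAdministrator
# Added example: list Volume Shadow Copies for a drive and recover a folder from the newest one.
# All paths below are assumed placeholders; adjust them to the affected machine.

$driveLetter = 'C:'
$restoreRel  = 'Users\Bella\Documents'   # folder to recover, relative to the volume root (assumed)
$outDir      = 'D:\recovered\Documents'  # restore somewhere else, never over the encrypted originals (assumed)
$mount       = 'C:\shadow_restore'       # temporary junction; must not already exist

# 1. Find snapshots for this volume. Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID.
$vol     = Get-CimInstance Win32_Volume -Filter "DriveLetter='$driveLetter'"
$shadows = @(Get-CimInstance Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $vol.DeviceID } |
             Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    throw "No shadow copies exist for $driveLetter; the ransomware (or something else) has removed them."
}
"Snapshots for ${driveLetter}:"
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 2. A snapshot taken after the attack contains encrypted files too, so prefer one whose
#    InstallDate is older than the ransom note. Newest is used here as the default.
$chosen = $shadows[0]
"Using snapshot from $($chosen.InstallDate)"

# 3. Expose the snapshot as a junction. mklink needs the trailing backslash on the device path.
cmd /c mklink /d $mount "$($chosen.DeviceObject)\" | Out-Null

try {
    $src = Join-Path $mount $restoreRel
    if (-not (Test-Path -LiteralPath $src)) { throw "Folder $restoreRel not present in snapshot" }

    $copied = 0
    Get-ChildItem -LiteralPath $src -Recurse -File |
        Where-Object { $_.Name -notmatch '\.onion$' } |   # skip files already encrypted in the snapshot
        ForEach-Object {
            $rel  = $_.FullName.Substring($src.Length).TrimStart('\')
            $dest = Join-Path $outDir $rel
            New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest
            $copied++
        }
    "Recovered $copied file(s) to $outDir"
}
finally {
    # 4. Remove only the junction; rmdir on a junction does not touch the snapshot.
    cmd /c rmdir $mount | Out-Null
}
```

Do this only after the ransomware has been removed and with the machine otherwise idle, because the Volume Shadow Copy service keeps a limited amount of space and may discard old snapshots as new data is written; if the listing in step 1 shows only snapshots newer than the ransom note, open the ransom note's timestamp against the InstallDate column and pick an older snapshot by index instead of `$shadows[0]`.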
Method 3: Use a Decryption Tool
So far there is no tool specifically written to decrypt files encrypted by Onion ransomware, but you can still try Kaspersky's decryption tools and Trend Micro's Ransomware File Decryptor, which are updated as new families are broken.
If those tools fail, keep a copy of the encrypted files and the ransom note somewhere safe and wait for an effective decryptor to be developed; do not delete them.
Precautions Against Ransomware Attacks
Onion ransomware can be frightening: without the key, the files it encrypts are effectively lost. But if you have prepared your system properly, it is little more than a nuisance. Here are a few tips to keep ransomware from wrecking your day:
- Back up your data
Back up your data regularly to an external drive or a backup service. The greatest damage a ransomware attack can do is the loss of valuable data, and a regular backup spares you that loss. Keep the backup on an external drive or online storage that is disconnected from the computer between backups; that way, even if ransomware encrypts your computer (and any drive attached to it at the time), you can still restore your data.
- Do not open any attachment or click on suspicious links.
Ransomware is often distributed through e-mails that look legitimate but carry malicious attachments or links. These attachments and links typically look harmless or even attractive, but once you are tricked into opening them, a loader gets onto your PC and downloads the ransomware automatically. Do not open attachments or click links without verifying where they came from, and treat archive attachments containing an executable with a document icon as hostile.
- Patch or update your software.
This is general anti-malware advice that applies to ransomware as much as to any other threat. Malware authors rely on people running outdated software with known vulnerabilities, which they exploit to get onto a system silently. Updating your software promptly significantly reduces the chance of ransomware pain. Some vendors release security updates on a regular schedule (Microsoft and Adobe both use the second Tuesday of the month), but there are also "out-of-band" or unscheduled updates for emergencies. Enable automatic updates if you can, or go directly to the vendor's website, since malware authors like to disguise their creations as software update notifications too.
- Secure your PC with a reliable anti-malware program.
After a ransomware infection, some of your system settings may have been changed in ways that lower its security, leaving the computer vulnerable and easy to attack again. Protecting your PC with a reliable anti-malware program is therefore an important step.
Stop searching for unreliable ways to remove this ransomware. You can get rid of Onion ransomware and protect your computer right away using the tool below.