OmniSphere ransomware (Decryption Steps Included) - Free Guide

OmniSphere virus Removal Guide

What is OmniSphere ransomware?

OmniSphere ransomware is the new virus that encrypts files and demands 0,03BTC in the ransom note where developers named the threat

OmniSphere ransomwareOmniSphere ransomware is the virus that changes the original code of the file and makes it unopenable. OmniSphere ransomware is the cryptovirus that employs a proper AES encryption[1] algorithm for file-locking, so there is a reason to blackmail victims. This encoding is the main process that malware runs on the machine, once your important documents, photos, and archives get locked, a lengthy message from virus developers appears on the screen as a text file named ! DECRYPT_MY_FILES_OS.txt. This note includes instructions on how to get Bitcoins and information about the whole encryption process. Another file that malware adds on the system consists of your unique victims' ID that is needed for the alleged decryption. However, we don't recommend going that route since criminals are not the people that should be worthy of your trust.

The initial infiltration and malicious processes of OmniSphere ransomware virus are hardly noticed on the machine because hackers inject the code on a file and sometimes use brute force to open particular ports. When your data get marked with .omnisphere extension and virus creates those particular files, you can be sure that ransomware might already be gone from the system. It is common that the virus deletes itself, but leaves other files that control changes and system alterations, so cryptovirus is one of the more persistent cyber threats.

Name OmniSphere ransomware
Symptoms Malware runs on the machine and encrypts files in common formats, so once people can't open their files they are more eager to pay up when the ransom is demanded
File marker .omnisphere
Ransom note ! DECRYPT_MY_FILES_OS.txt is the ransom note that shows on the screen with information about encryption and possible actions after the attack
File with victims' ID unique_decrypt.key
Ransom amount Starts at 0.0318 Bitcoin but criminals can double the price after 5 days or ask larger amounts from the beginning when something valuable is found on those files or your system
Distribution Criminals can load the malicious script with the help of an infected file or other malware and brute force through unprotected RDP or rely on security flaws.[2] Since this is a new threat there are not many unique details known
Elimination Remove OmniSphere ransomware with the anti-malware tool and clean the machine fully from virus damage using ReimageIntego

OmniSphere ransomware is set to target users on a global scale, but there is no information available about the group of hackers behind this threat or any features regarding the infection. It may come to light later once researchers get more malware samples or user reports.

Until then, the only tip from experts[3] is to stay away from contacting criminals related to this malware and remove OmniSphere ransomware traces from the machine. Depending on specific goals and conditions, hackers may develop the threat to run processes on the system and change particular settings of the device besides the encryption.

However, file locking starts immediately after the OmniSphere ransomware infiltration, and once those photos, documents, video files, archives, and other data gets marked with .omnisphere appendix, the virus can run other processes in the background and demand the payment.

OmniSphere ransomware ransom note delivers the following text:

## OmniSphere ransomware ##
—-
Y0UR PERS0NAL FILES, PHOTOS, DATABASES ARE ENCRYPTED!
If you want return all files, read this instruction
—-
The only way to decrypt your files is to receive the private key and decryption program
Private decryption key is stored on a secret server and nobody can decrypt your files
until you pay and obtain the private key
—-
To obtain the private key for this computer find special file (unique_decrypt.key)
(You can find this file in any encrypted folder)
If you found this file please, follow instruction below for DECRYPT ALL YOUR FILES:
—-
1. Download Tor Browser https://www.torproject.org/download/ and install.
2. Open Tor Browser
3. In Tor Browser open personal page here:
http://uu6issmbncd3wjkm.onion/46HFJZEAPF3JKNLU
4. When personal page open, click on browse button and upload unique_decrypt.key file
5. Follow instruction on personal page
Note! This page is available via Tor Browser only!

OmniSphere ransomware virusOmniSphere ransomware is the threat that is new in the wild since there is no accurate relation with other already known ransomware threats.

OmniSphere ransomware is developed by hackers and cybercriminals that can affect backups, archives, databases, multimedia files or documents. But the virus also targets system folders, Windows Registry and general settings of the machine to affect the speed, performance and file recovery options, or sometimes even damage the computer on purpose.

On the message delivered in the ransom note, OmniSphere ransomware developers claim that you have no other options besides paying the ransom and once you go to the Tor website the personal page opens up with particular payment instructions and the offer to decrypt one file for free.

This free test decryption is a common offering from cryptovirus developers because they try to fake the trust between them and the victim. Unfortunately for victims, one file recovery doesn't guarantee that criminals will restore your encrypted data. You should focus on OmniSphere ransomware removal first and then try to restore files with your backups or third-party data recovery software.

You can eliminate OmniSphere ransomware with the anti-malware tool, and once all traces of this virus get cleaned using ReimageIntego or a different program, you can focus on file recovery. Since the official decryption tool was not developed yet, the best solution is replacing encoded data with file backups stored on cloud storage or external device. If you need more alternatives or tips for malware termination – go to the end of the article.

OmniSphere cryptovirusOmniSphere virus is the ransomware-type threat that plants malicious files on the machine that you need to find and store on the external device before you clean the machine. It is needed for later decryption possibilities.

Payload carriers of ransomware include malicious files and pirated software

Since the malware is not yet analyzed in-depth and is not a version of any other family, we cannot be sure which method is employed for the delivery of this cryptovirus. However, there are not many possible scenarios since criminals behind such type of malware mainly focus on silent techniques and widely spreading campaigns. In most cases, creators focus on malicious files and distribute them via:

  • Phishing email campaigns when the email gets attachments in common types of files with malicious script planted on the document or executable. This technique involves malicious macros and payload droppers that launches encryption immediately.
  • Cracked software and other illegal distribution of programs, serial numbers, game cheats. Once you download such packages of laced files, you may get infected file that launches malicious script and infiltrates the machine with ransomware.

Thorough OmniSphere ransomware elimination involves proper anti-malware tools and additional data recovery software

This OmniSphere ransomware virus is set to affect your files and the performance of the system significantly. But developers also want to make sure that data remain locked and cannot be simply recovered, so you pay the sum. For this reason, the malware deletes Shadow Volume Copies and disables other system functions.

To remove OmniSphere ransomware completely, you need to address all those issues and alter changes made behind your back. The virus will reboot itself with each system start due to registry entry alterations, so you need a thorough system scan to fix all the issues. If you attempt to do all the changes manually, you can damage the machine further.

Automatic OmniSphere ransomware removal is the best option for malware termination, and staying away from paying the ransom keeps you from losing data and money permanently. Focus on anti-malware tools like ReimageIntego, SpyHunter 5Combo Cleaner, Malwarebytes and then rely on data recovery software that restores your encrypted files.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of OmniSphere virus. Follow these steps

Manual removal using Safe Mode

You may need to reboot the machine in a Safe Mode with Networking and then scan the system with antivirus tool to remove OmniSphere ransomware

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove OmniSphere using System Restore

System Restore feature is the one that can help with your device by recovering the system in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of OmniSphere. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that OmniSphere removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove OmniSphere from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by OmniSphere, you can use several methods to restore them:

Data Recovery Pro is the third-party program that helps with file restoring

You should use Data Recovery Pro for your encrypted files when data backups are not up to date

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by OmniSphere ransomware;
  • Restore them.

Windows Previous Versions is the feature that makes a difference with your encrypted files

When you enable System Restore, files can be recovered using Windows Previous Versions feature one by one

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is yet another method that can help with your files

Data encrypted by OmniSphere ransomware can be restored with this feature when Shadow Volume Copies are left untouched

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption is not possible for OmniSphere ransomware

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from OmniSphere and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References