Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2018

How to remove .onion file extension virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Linas Kiguolis · Expert in social media

.onion file extension virus wreaks havoc on compromised computers

Onion file virus

.onion file virus is a malicious computer program that can be associated with a couple of ransomware families – Dharma, Amnesia, and Cry128 (CryptON). The ransomware was dubbed as Onion file virus due to the extension it adds to encrypted data. The extension might also contain criminals' email address or victim's ID. The aim of the virus is to encrypt files on the target system to make them inaccessible and then demand a ransom.

This ransomware[1] family has been spotted in November 2016 and has been updated several times since then. Malware researchers have recently spotted this cyber infection and found connections to several ransomware families. Below, you can see the list of viruses that use the .onion extension as a file marker.

  • Cry128 ransomware virus. It is a version of CryptON virus that marks files with id-_[qg6m5wo7h3id55ym.onion.to].[random characters] file extensions. The virus may use .onion or .onion.to_ extension to add at the end of the encrypted file name. Usually, this virus calls its ransom notes as _DECRYPT_MY_FILES.txt or -DECRYPT-MY-FILES.txt.
  • Amnesia ransomware virus. The malware completely distorts the file names and marks them with onion extension as well. To provide a ransom-demanding statement, the ransomware creates HOW TO RECOVER ENCRYPTED FILES.TXT document.
  • CrySiS/Dharma ransomware virus. The virus appends id-[victim's ID].volantem_diem@aol.com.onion, .id-[id].[Gladius_Adeptus@aol.com].onion file extension to encrypted files. The ransom note is usually hidden in Info.hta file.

This Dharma ransomware family seems to be the most prevalent one, so we are going to discuss it in this article. The virus is known for corrupting various types of files; however, not all attempts to take data to hostage were successful. Some versions of the Dharma is decryptable,[2] and users can free their files without paying the ransom.

This new parasite is known for adding .onion file extension to the corrupted files. It’s still unknown whether victims can restore encoded data or not. New versions of the ransomware often are improved. Thus, authors may have fixed some flaws and developed a stronger virus.

However, if you ever encounter this pest, you should not focus on data recovery first.[3] The most important task is to remove .onion from the computer in order to protect your device and personal data. For this task we recommend FortectIntego.

The purpose of all file-encrypting viruses is the same – to swindle the money from computer users. Thus, .onion malware is also used as a blackmailing tool to continue the illegal work of the predecessors. Crooks are willing to get your money for the possibility to use a decryption software and recover your files.

Lesvirus.fr team[4] states that no matter how much Bitcoins you are ready to pay, this deal may not end up as you planned. They may take your money and leave you without promised decryptor because they may not have it or they may not have any intentions to keep their word[5].

Thus, after the attack, we recommend .onion removal and looking for alternative data recovery ways. Bear in mind that previous versions of Dharma are decryptable, so, chances to get back your files for free are high.

The image of .onion file extension virus

Ways to avoid ransomware attack

The new variant of Dharma is suspected of spreading similarly as its predecessors – via malicious email attachments. Crooks might pretend to be representatives from various institutions, organizations or companies and find numerous reasons to convince people to open the attached document. It might be hard to recognize a hoax at first glance because criminals might falsify credentials or signature.

However, if you suddenly receive an email that asks to check details in the statement or other provided document and send it back immediately, you should suspect that something is not right here. Look for grammar mistakes, check sender’s email address, [6] and be critical – do you expect to get this kind of email? If not, delete it from your inbox immediately.

Clicking on the attached document might cause .onion file virus or other malware attacks. This ransomware distribution technique is popular and widely used among hackers. Thus, if you want to protect your data, you should not take harsh actions in your inbox and backup your files regularly.

Remove .onion file virus and try available data recovery options

Getting infected with ransomware requires acting fast. Do not consider taking a shady deal to obtain a decryption software from cyber criminals for few Bitcoins. It may not end up good, and you might become just another sponsor for the cyber crimes.

Thus, without thinking too much, you need to remove .onion file virus using a reputable software. File-encrypting viruses are dangerous and complicated; thus, you need to rely on professional security tools. We suggest using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. These programs are capable of detecting malicious entries and deleting them from the system.

However, .onion removal may not be easy and smooth. These cyber infections are often designed to block antivirus or anti-malware programs. However, you can disable the virus by rebooting PC to the Safe Mode with Networking and then access necessary software.

3 comments

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.