ONIX ransomware (Removal Guide) - Tutorial

ONIX virus Removal Guide

What is ONIX ransomware?

ONIX ransomware – a malware form that comes from Major ransomware and adds the .ONIX appendix next to each filename after the encryption process

ONIX ransomwareONIX ransomware - a virtual threat that replaces the default computer wallpaper with the ransom note and also provides the ransom-demanding message in an HTML format

ONIX ransomware is a virtual parasite that has been discovered to come from Major ransomware family. The first to announce about this ransomware infection on Twitter was a computer security researcher named Amigo-A.[1] The dangerous malware enters Windows computer systems unknowingly and aims to lock up all the documents and files that are placed on the device by marking all of them with the .ONIX appendix. For the encryption, ONIX ransomware employs ciphers such as AES, RSA, or SHA which hold specific codes that differ for each infected computer.

Right after that, the ransomware virus provides ransom demands via TRY_TO_READ.html message and also changes the desktop's background to the ransom note. The messages warn users not to try to unlock files by themselves as this can relate in permanent data loss. However, the main goal of ONIX ransomware is to encourage users to write via Ad_finem@tutanota.com, adfinem001@cock.li, and Ad_finem001@protonmail.com email addresses and discuss all the ransom price matters with the cybercriminals.

Name ONIX ransomware
Type Ransomware virus/malware
Appendix Once all of the files are locked, the ransomware virus appends the .ONIX extension to each filename of encrypted data
Ransom note The virtual parasite provides the ransom note in the TRY_TO_READ.html message format and also replaces the default computer background as the ransom message
Cipher Developers employ encryption ciphers such as AES, RSA, or SHA for locking up files. Each of this code differs for every computer
Spreading Most of the time, ransomware viruses are delivered through email spam, malicious attachments, infectious advertisements, software cracks, and hacked RDP
Founder Amigo-A
Family This dangerous virus belongs to the Major ransomware family
Removal If you have been dealing with the malware lately, you should not postpone its removal process. Try to get rid of the parasite with the help of reliable antimalware software
Fix software If you have discovered any damage on your Windows computer system, you might have a chance of repairing corrupted areas by downloading and employing FortectIntego

ONIX ransomware is a dangerous malware string that has been detected as a virus by 58 antivirus engines out of the total 71. According to VirusTotal information,[2] some of the detection names include ML.Attribute.HighConfidence, Win32:Trojan-gen, Gen:Heur.Ransom.Imps.1 (B), A Variant Of Win32/Filecoder.NSN, Ransom:Win32/Crowti.P!MSR, and others.

ONIX virus uses stealth distribution techniques for appearing on the targeted computer system. This malware infects Windows operating systems only and looks for people who are using the English language. This is also the language in which the TRY_TO_READ.html ransom message is written in:

I am truly sorry to inform you that all your important files are crypted.
If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder
Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever
Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers
Contact me on this email address Ad_finem@tutanota.com adfinem001@cock.li Ad_finem001@protonmail.com ”
Here is you personal id, send it to us

ONIX ransomware manipulates locations such as the Windows Registry and Task Manager in order to fill these areas with malicious processes and keys. All of these tasks are planted to help the malware to operate smoother and reach its goals.

For example, ONIX ransomware might disable your antivirus protection to avoid getting detected and to stay in your computer system for a longer period of time. This way the program could prevent some particular software from deleting the malware itself and all the malicious components that it has brought to the computer system.

Furthermore, ONIX ransomware includes some type of an executable to the Windows computer that scans the entire device for encryptable files and documents. This happens in certain periods of time, for example, half an hour, an hour, and so on in order to make sure that all components were properly locked by the malware.

When ONIX ransomware applies the .ONIX encryption appendix to all of the files and documents found, the content gets locked and cannot be opened properly anymore. The only way to reverse the data back to its previous position is to get the decryption tool that would work. However, we suggest denying the option of buying the tool from the cybercriminals as these people might ask for inadequate amounts of money.

ONIX virusONIX virus is a damaging virus that can be distributed through email spam messages and their infectious attachments, software cracks, malvertising, etc.

ONIX ransomware developers do not provide any particular information about the ransom demands, however, all of the conditions are likely to be discussed via email. We recommend avoiding any type of communication with the criminals. You might not even notice how they will scam you and run off with your money.

Most of the time, malicious actors are likely to urge large amounts of money starting anywhere from $100 and ending up with $2500 or even more. Always be careful with demands that come from malware such as ONIX ransomware and overthink everything twice before deciding whether the price is worth to pay or not.

Keep in mind that you are likely to be asked for cryptocurrency transfers by ONIX ransomware such as Bitcoin. These types of payments allow the cybercriminals to stay untrackable and anonymous so no one could discover the transactions.

ONIX ransomware might try to harden the data recovery process for the victims by running the vssadmin.exe delete shadows /all /Quiet command via PowerShell. This way the malware will erase the Shadow Copies of all of the encrypted data and the users will not be able to employ software that could restore at least some of the locked files with the help of the deleted Shadow Copies.[3]

To add, ONIX ransomware might target the Windows hosts file and aim to totally wreck them for their own purposes. This way the virus seeks to prevent the victim from accessing security-related networks, websites, and forums, where he/she could get reliable information on the malware removal process and data recovery task.

ONIX ransomware virusONIX ransomware is a dangerous parasite that comes from the Major ransomware family and applies the .ONIX appendix next to each filename after the encryption process

Furthermore, ONIX ransomware acts as a backdoor for other malware forms. The ransom-demanding threat makes the Windows computer vulnerable to other infections and increases the risk of getting attacked by dangerous virtual parasites such as Trojan viruses, spyware, worms, and others.

ONIX ransomware removal is the first step you should take the same minute you find the ransomware virus operating on your computer system. Keep in mind that you should not try to eliminate the cyber threat on your own as you can make damaging mistakes and hurt your computer system even more.

When you remove ONIX ransomware and all the bogus products that the malware has brought with the help of antimalware software, you should start looking for possible damage that might have been performed on your Windows computer. If you discover any affected areas, try repairing them with the help of software such as FortectIntego.

Note that you need to uninstall ONIX ransomware before you start taking any data recovery steps, otherwise, all of your files will be encrypted again. If you have terminated the cyber threat properly, you can start opting for file restoring solutions some of which we have provided at the end of this article.

Different techniques used for ransomware distribution

Cybersecurity experts from NoVirus.uk[4] state that ransomware-related payload gets onto Windows computer systems through email spam and the malicious attachments that come clipped to the suspicious messages. Crooks pretend to be from reliable healthcare, shipping, or banking companies.

You should not open any attached component without scanning it with antimalware software. Also, if the email message has a hyperlink included, you should not enter it if the content of the email and the sender looks suspicious to you. Things to search for:

  • A bogus sender email address such as repaircomputer@cock.li.
  • The content is filled with grammar mistakes.
  • You have received an email from a non-existing company.

Furthermore, ransomware infections can be pushed through malicious adverts that are also known as malvertising. The same can happen with hyperlinks that have a tendency to appear on third-party networks. The main thing to do here is to avoid entering suspicious-looking websites and closing all bogus pages that appear.

To add, ransomware viruses can get distributed through software cracks that are placed in peer-to-peer networks such as The Pirate Bay. Regarding this fact, use only reliable downloading sources for getting your wanted products and services.

Also, malicious actors search for vulnerable RDP configuration (one that includes weak passwords or none at all) and hack the port or brute force the password into the system and connect to the computer remotely. So, make sure that you always think of strong and reliable passwords that include some symbols, letters, and numbers.

Know about ONIX ransomware removal possibilities

If you are looking for ways to remove ONIX ransomware from your Windows machine, you have come to the right place. Our security experts claim that you should not try to eliminate the malware on your own as you might skip some malicious components and accidentally leave them on the computer system.

ONIX ransomware removal should be completed with the help of reliable antimalware software that is capable of detecting and eliminating the ransomware virus from your device. Afterward, scan the entire system for possible damage with SpyHunter 5Combo Cleaner or Malwarebytes. If these tools find any compromised areas, you can try repairing them with FortectIntego.

When you uninstall ONIX ransomware properly, it is time to start thinking about data recovery possibilities. Rather than taking risks to get scammed and paying the cybercriminals, you should try some other file restoring alternatives like the ones that we have provided at the end of this article.

Keep in mind that if ONIX ransomware has damaged your Windows hosts files, these components need to be eliminated too, otherwise, access to cybersecurity websites might still remain blocked even if the ransomware virus is no longer active.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of ONIX virus. Follow these steps

Manual removal using Safe Mode

To deactivate malicious settings on your Windows computer system and reverse the device back to how it was before the ransomware attack, you should follow the below-provided steps and boot your machine in Safe Mode with Networking.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove ONIX using System Restore

To disable the malware on your device and get rid of all malicious processes that were brought by the ransomware virus, use the following instructions and activate the System Restore feature.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of ONIX. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that ONIX removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove ONIX from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you have discovered files with the .ONIX appendix, do not rush to pay the crooks the price that they demand as all of this can be just a scam and will bring profit for the cybercriminals only. Rather than taking such as risk, you should try other data recovery alternatives like the ones that are provided below.

If your files are encrypted by ONIX, you can use several methods to restore them:

Using Data Recovery Pro might help you with file restoring purposes.

If you have been looking for a tool that would help you to recover the files and documents that were encrypted by the ransomware virus, you can try employing this piece of software.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by ONIX ransomware;
  • Restore them.

Windows Previous Versions feature might be helpful software for file restore.

If you have enabled the System Restore function on your Windows computer, you can give this tool a try.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer might be able to recover some data.

You can try using this piece of software for restoring at least some of your files. However, keep in mind that this tool might not work if the ransomware virus has eliminated or permanently damaged the Shadow Volume Copies of your locked data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Cybersecurity experts are currently working on the .ONIX files decryption tool.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ONIX and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions