OnyxLocker ransomware (Virus Removal Instructions) - Quick Decryption Solution

What is OnyxLocker ransomware?

OnyxLocker ransomware is a file locker that encrypts data with XXTEA cipher, and targets mainly Russian users

OnyxLocker ransomware is a file locking virus that focus on money extortion - locks up personal files and presents users with ransom demands

OnyxLocker is malware that belongs to the ransomware group – it focuses on file encryption. This consequently prevents victims from opening pictures, music, videos, documents, and other personal data located on the local drive or any connected devices. The goal of ransomware authors is to blackmail users into paying ransom demands – they are asking for $100 in Bitcoin.

In order to be able to extort money, the OnyxLocker virus is programmed to search for the most relevant file types on the machine and encrypted them by using XXTEA block cipher.^[1] Each file modified by ransomware acquires a .onx marker at the end, and victims can no longer access the data. Instead of dropping a predetermined text file, this ransomware opts to inserting 10 ransom notes on the system (Прочти меня! 0 .txt, Прочти меня! 1 .txt, Прочти меня! 2 .txt, etc.).

The note is written in Russian, which immediately brings to the conclusion that OnyxLocker ransomware authors are aiming to infect Russian users. Nevertheless, it does not mean that the infection can not occur anywhere else in the world, so users from other countries should keep an eve on spam email messages that hold attachments like goload_1008_1569853988.doc, as malspam^[2] is the most likely cause of OnyxLocker ransomware infection.

OnyxLocker is a new ransomware strain, and it was first spotted by security specialist Alex Svirid on October 7, 2019. It does not seem like it is connected to any other ransomware families, so it might be that crooks behind this malware are new to the cybercriminal world. This also implies that there is a chance that OnyxLocker ransomware has some bugs^[3] that might be exploited by security experts to create a free decryptor.

Talking about bugs, OnyxLocker ransomware does not encrypt all files located on the host system. Therefore, those lucky ones might still find some of the data usable, even after the infection occurs. Unfortunately, other files that do get encrypted, are impossible to return without a unique key that is held on a remote Command & Control server – it is, unfortunately, only accessible to the attackers behind OnyxLocker ransomware.

Infection and file encryption of OnyxLocker

Once the infection vector is triggered, OnyxLocker ransomware creates a new folder inside the %TEMP% directory and places OnyxLocker.exe or a randomly-generated name for the dropper – an executable that starts the infection process. This file is then automatically opened, and multiple changes are performed to the Windows OS. Some of them include:

• Shadow Volume Copies deleted with “vssadmin Delete Shadows / all / quiet” command;
• Multiple malicious files dropped on in various places on the OS;
• Various processes (such as WMI Provider Host^[4] – this could complicate OnyxLocker ransomware removal) terminated and new ones created;
• Shell commands executed;
• Windows registry keys deleted, created and modified, etc.

After the required preparation, the OnyxLocker virus starts to process personal files with the encryption cipher. As a result, the victim would see a particular file with .onx extension, and no regular icon visible. For example, a picture.jpg would be turned into picture.jpg.onx, and would no longer be accessible.

OnyxLocker is a ransomware-type virus that uses XXTEA encryption algorithm to lock up all data on the infected device

In each of the affected file folders, users can see ten identical ransom notes which all claims the same:

Моя почта для связи: crypt@ctemplar.com
|||
Меня зовут David. Я зашифровал все ваши драгоценные файлы, включая изображения, видео, песни, текстовые файлы, текстовые файлы и многое другое! Короче говоря, вы облажались … но вам повезло. Почему это??
|||
Я вымогатель, который оставляет вам только 12 часов, чтобы собрать деньги и заплатить мне, затем ваши файлы будет невозможно расшифровать!)
|||
Любые вопросы относительно разблокировки файлов, вы можете задавать написав на почту: crypt@ctemplar.com
|||
ЧАСТО ЗАДАВАЕМЫЕ ВОПРОСЫ:
|||
1. Могу ли я вернуть свои драгоценные файлы?
|||
Ответ: Конечно, вы можете. Есть только незначительная деталь. Вы должны заплатить, чтобы вернуть их.
|||
2. Нет другого способа вернуть мои файлы?
|||
Ответ: Нет
|||
3. Хорошо, что мне тогда делать?
Ответ: Просто вам придется заплатить 100 $ на этот биткойн-адрес: 3LV85h9s2y5c5DLi3YiACDKaR3tytmp3Lq
|||
4. Что за хрень биткойн?
|||
Ответ: Биткойн – это криптовалюта и цифровая платежная система. Вы можете увидеть больше информации здесь: hxxps://en.wikipedia.org/wiki/Bitcoin.
|||
5. Здесь вы можете оплатить, выбрав самый выгодный курс.
|||
Вставьте эту ссылку в адресную строку вашего браузера: hxxps://www.bestchange.ru/visa-mastercard-rur-to-bitcoin.html

In the note, OnyxLocker ransomware authors claim that users need to pay $100 ransom within 12 hour period, or otherwise, they will delete the key, which can regain access to the locked data. However, malware developers can not be trusted, as they can say whatever they want to make victims pay the ransom.

While ransom is not high, you should think twice before paying: crooks might not even have a working OnyxLocker decryptor – you may end up losing your money as well. Besides, it would only prove to criminals that their efforts to infect people are not in vain and some are willing to pay, which would only fuel their will to infect more victims.

Instead, remove OnyxLocker ransomware with anti-malware software and fully clean the machine with optimizing and system repair tools like FortectIntego. You need to get an anti-malware program or another reputable security tool for the initial termination, and then use alternative solutions for file decryption if you did not have backups prepared.

OnyxLocker ransomware appends all the files with .onx extension and drops 10 ransom notes which have identical content inside

Spam emails – primary infection vector for multiple malware strains

Email spam, or so-called malspam, is an old trick that has been used by cybercriminals for decades now. Most computer users have a dedicated or work email, so spreading computer infections via the service makes sense. Crooks compile email lists and use bots to send out these malicious messages to as many people as possible. Nevertheless, in some cases, such a process can also be performed manually if targeted attacks are what cybercriminals are doing.

The phishing email often contains some form of social engineering tricks – users are intimidated by allegedly unpaid taxes, credit card intrusion claims, etc. Additionally, malicious actors often use email addresses that resemble well-established companies, such as UPS, Amazon, etc. Note that email spoofing^[5] is another technique that may confuse many and make them believe that the message is legitimate.

Thus, never open .doc, .html, .txt, .pdf or other attachments inside these emails. A definite no-no is allowing macros to be run on these documents – that is what usually starts the infection process. To be safe, scan such documents with tools like Virus Total if in doubt.

Additionally, you should always protect your machine with anti-malware software, patch Windows with the latest security updates, never download software cracks/keygens, use ad-blocker, avoid high-risk sites, and always backup your important data on drives that are not connected to your PC.

Get rid of OnyxLocker before you proceed with data recovery process

Most of the ransomware viruses delete themselves after the encryption process is finished, although some may keep the file encryption module running. Therefore, it is vital to make sure that all of the malware's elements are deleted, and a full OnyxLocker ransomware removal is performed.

To remove OnyxLocker ransomware successfully, you may have to enter Safe Mode with Networking, as some malware is known to be tampering with security software in order to prevent its termination. If that is the case, we provide detailed instructions on how to access the mode below. Once eliminated, you should try alternative file recovery methods for the OnyxLocker virus – you can find them in the recovery section below.

There are some users that might want not to risk it and pay the criminals to recover .onx locked files. While it is one of the options available to you, it is also highly discouraged by the infosec community and security advisers.^[6] As we already mentioned, you may not only lose your files but also money. However, if none of the decryption methods helped you, you might try this as your last resort (perform it at your own risk!).