Severity scale:  

Oxar ransomware virus. How to remove? (Uninstall guide)

removal by Lucia Danes - - | Type: Ransomware

Developers of Oxar keeps creating new versions of the ransomware

Ransom note by Oxar

Oxar is a file-encrypting virus that corrupts various files with AES cryptography and .OXR file extension. However, the ransomware has been updated several times and currently appends four unique file extensions that prevent users from opening their documents, audio, video, and other data: .PEDO, .ULOZ and .FDP.

Following data encryption, crypto-malware triggers a pop-up window where it provides data recovery instructions. It seems that cyber criminals want to make users believe that they are dealing with the Locked-In ransomware virus. However, we can assure you that these viruses are entirely different.

Oxar malware is executed on the computer from Data Locker.exe file which spreads via infected email messages, bogus software, fake updates, etc. On the affected device, malware makes important changes in order to run with Windows startup. It might install malicious files and infect system process.

What is more, Oxar gives each of the victims a unique ID number that is provided in the ransom note. Once the preparatory work is over and malware strengthens its presence, it starts scanning the system looking for targeted files. Just like plenty other ransomware, this one also aims at 72 file extensions:

  • Microsoft Office;
  • OpenOffice;
  • pictures;
  • audio;
  • video;
  • documents;
  • text files;
  • databases;
  • archives;
  • etc.

Following data encryption process, Oxar ransomware delivers a ransom note in the program window. The message informs about encrypted data and assures that victims can only recover the files using particular decryption software.

According to the ransom note, victims have “not so enough time” to get Bitcoins and transfer them to the provided address. People are asked to pay $100 in order to use decryption software. However, doing that is not recommended. No one can guarantee that criminals are willing to keep their promise and have working decryptor.

Crooks want to stop victims from scanning the system with antivirus. Undoubtedly, security software such as Reimage can easily remove Oxar from the device. Unfortunately, malware removal tools are not designed to recover encrypted data. Thus, in this case, crooks do not lie. It’s nearly impossible to restore data without specific decryptor.

Currently, the only effective way to recover your files is to use backups.[1] If you do not have them, please check our suggested alternative recovery options. Keep in mind that you need that you need to complete Oxar removal first. Only then you can safely look up for the best recovery solution.

Variants and imposters of Oxar ransomware

.ULOZ file extension virus. This variant of Oxar acts similarly to its predecessor: it uses AES encryption algorithm and demands to pay the ransom in the pop-up window. The only significant difference is an appended file extension. It adds .ULOZ suffix to the targeted data.

.PEDO file extension virus. Though the former impersonates Ableton Live Suite software as it functions via Ableton-live-Suite-v95-WiN-x86-x64.exe, the latter contains more intriguing features. .PEDO file extension malware transmits certain details of a victim's PC system to a remote File Transfer Protocol (FTP) server.

It also shares a similar feature as the former version of Cerber: it drops an audio message to the affected users. Guidelines how to recover the files are delivered in Instructions.txt and 1 What Happens with my files.txt. If you tend to check system processes in the Task Manager, you may cease further activity of the ransomware by shutting the task under Cryptear.exe file.

.FDP file extension virus. On August 8th, cyber security researchers spot a new virus' version that uses .FDP file extension for the encrypted records. The name of the ransom note wasn't changed in this Oxar variant – it still remains 1 What happens with my files.txt.

So far, malware analysts could not find a way to decrypt any version of encrypted files. At the moment, the virus remains undecryptable (using third-party tools). If you are wondering whether it is worth paying the ransom, we can answer this question for you – it is not.

Kappa ransomware virus. On August 21, researchers discovered a new test version of Oxar that runs on the computers from Kappa Ransomware.exe. Just like the original version, it also appends .OXR file extension to the targeted data. The malware works on the computer only if user’s operating system is installed on Drive C. Therefore, if your OS is installed on drive D, you should not worry about this ransomware attack.

Once all the files are encrypted, ransomware opens a black ransom-demanding window that answers three major questions. Developers explain about data encryption and claim that the only way to decrypt files is to pay the ransom in Bitcoins.

Users are supposed to send their Client ID number as soon as the payment is made. Crooks claim to send the decryption key in return. However, you should never pay the ransom for cyber criminals because it most of the time ends up with money loss.

Fake Oxar ransomware virus. On August 21, malware analysts have noticed a fake version of the Oxar ransomware. It spreads as ransomware.exe and appends .OXR file extension. However, the research has shown that these two viruses have nothing in common. The recent discovery is just an imposter.

Following data encryption, it installs instructions.exe file and delivers “File Decryptor | OXAR” window that includes an identical information from the original Oxar’s ransom note. However, this piece of malware demands to pay $20 and after the payment send an email to

Nevertheless, the ransom is small; you should not waste your money and motivate some hacker-wannabes. You’d better remove the virus with reputable antivirus.

DIstribution and infiltration methods of the ransomware virus

Malware mostly aims at English-speaking computer users. Thus, British,[2] Australian and American users should read this part of the article carefully. In order to drop malicious executable on the system, developers apply several strategies:

  • infected email attachments;
  • malicious links;
  • illegal downloads;
  • fake updates;
  • malware-laden ads;
  • exploit kits.

One of the main distribution methods is misleading emails[3] that include malicious attachment, link or button. Such letters usually urge to open infected content due to some serious issue. Typically, crooks pretend to be from financial institutions, banks, and other reputable companies. Before opening such content, you need to inspect the email carefully.[4]

Furthermore, in order to avoid Oxar, you should also stay away from suspicious file-sharing sites, P2P networks and other online sources that offer to download free content. We also recommend staying away from gaming, gambling, and adult-themed sites and keeping away from suspicious ads.

Keeping software and operating system up-to-date also minimize the risk of encounter file-encrypting virus. This cyber threat might use security vulnerabilities in order to sneak into a device.[5]

Elimination of the Oxar ransomware

The correct way to remove Oxar virus from the system is to use reputable security software. Crypto-malware is a complicated infection that might affect various system processes, download dangerous files and cause other serious problems.

To avoid bigger damage, you need to scan the device with Reimage, Malwarebytes Anti Malware or another malware removal program. These tools can locate all malicious components and uninstall them gently from the PC.

If you cannot install or run your chosen security tool, please scroll down below. At the end of the article, you will find the detailed explanation how to run automatic Oxar removal.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Oxar ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Oxar ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Oxar virus Removal Guide:

Remove Oxar using Safe Mode with Networking

If you cannot run or install security software, you need to disable the virus first by rebooting the PC to Safe Mode with Networking. Then try again.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Oxar

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Oxar removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Oxar using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Oxar. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Oxar removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Oxar from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Files having .OXR extension can only be recovered if you have backups. Some of the third-party software may help to restore some of the files. Thus, you should try it. It's better to get back some of your files than loose the money to cyber criminals.

If your files are encrypted by Oxar, you can use several methods to restore them:

Data Recovery Pro – automatic way to restore files

This professional tool has helped numerous people to recover lost, deleted, corrupted and encrypted files. Thus, you should try this tool as well.

Travel back in computer's time using Windows Previous Versions feature

If System Restore has been enabled before ransomware attack, you should try this method and copy the most important individual files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might help to recover files encrypted by Oxar ransomware

This tool helps to recover files from Shadow Volume Copies. Thus, if malware hasn't corrupted or deleted them, we suggest using this tool as well.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Oxar Decryptor is not available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Oxar and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions