Onion3Cry Ransomware Removal Guide

Category: Trojans

Onion3Cry Ransomware is a new ransomware-type infection similar to VideoBelle Ransomware, Balbaz Ransomware, and Matroska Ransomware, as it is based on the Hidden-Tear ransomware project. It was designed to encrypt your files and then offer to sell you a decryption tool/key to decrypt them. As with all ransomware, you have to be careful because the cybercriminals might not send you the decryptor or the key. Therefore, instead of complying with the cybercriminals’ demands, we strongly recommend that you remove it. In this article, we will discuss how this ransomware might be distributed, how it functions, and how you can delete it.

Unlike most of its counterparts, which are usually distributed via email, Onion3Cry Ransomware is known to be disseminated via a fake update. We have received information that it is a fake Windows update that claims your PC is being updated. So, the next time you start up your PC, it might have already been infected with this ransomware. Unfortunately, we do not know how the fake update itself is distributed. It might be promoted on shady websites that claim your PC is outdated; if you fall into this trap, your PC might become infected with this ransomware. This is just a theory, as we have no concrete information on how the fake update is distributed. Evidently, the fake update was designed to infect your PC secretly, so having an anti-malware program helps you avoid such applications.

When Onion3Cry Ransomware infects a computer, it drops its executable “goupdate.exe” at %APPDATA%\Local\Gogle\update\. Furthermore, it creates Point of Execution (PoE) at %ALLUSERSPROFILE%\Start Menu\Programs\Startup\goupdate.exe.lnk to launch this ransomware each time you start up your computer.

When this ransomware runs for the first time, it starts encrypting targeted file types immediately. Research has shown that this ransomware was set to target file types that include, but are not limited to, .index .zip .rar .css .xlsx .ppt .pptx .odt .jpg .bmp .png .csv .sql .mdb .sln .php .asp .aspx .xml and .psd. Testing has shown that Onion3Cry Ransomware uses the Advanced Encryption Standard (AES). The encrypted files are rendered unusable, and that is the whole point, because the cybercriminals then have leverage over you to demand money.

Once the encryption process is complete, this ransomware drops a ransom note named ### DECRYPT MY FILES ###.exe on the desktop and also a PoE at %ALLUSERSPROFILE%\Start Menu\Programs\Startup\### DECRYPT MY FILES ###.exe.lnk so that the note opens in full screen on system startup. The ransom note says you have to send an email to onion33544@india.com to get the full instructions on how to pay the ransom and how much you should pay.

That is all of the information we have on this particular ransomware. It is just another recycled version of the Hidden-Tear ransomware project, which was abandoned a long time ago. Still, some novice would-be cybercriminals use it to make some easy money. You can prevent this and similar applications from infecting your PC by getting an anti-malware program such as SpyHunter. If you want to remove Onion3Cry Ransomware, consult the guide provided below.

Removal Guide

  1. Simultaneously press Ctrl+Shift+Esc keys.
  2. Click the Processes tab.
  3. Find a process called “goupdate.exe” (the name can be random).
  4. Right-click it and click End process.
  5. Close the Task Manager.
  6. Simultaneously press Windows+E keys.
  7. Type %APPDATA%\Local\Gogle\update in the address box and hit Enter.
  8. Find goupdate.exe, right-click it and click Delete.
  9. Then type %ALLUSERSPROFILE%\Start Menu\Programs\Startup and hit Enter.
  10. Find goupdate.exe.lnk and delete it.
  11. Then go to %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
  12. Locate ### DECRYPT MY FILES ###.exe.lnk and delete it.
  13. Lastly, go to the desktop and delete ### DECRYPT MY FILES ###.exe.
  14. Empty the Recycle Bin.
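
The manual steps above can be checked in one pass. The following PowerShell script is an added example, not part of the original guide or of any vendor tool: it looks for the dropped file, the two Startup shortcuts and the desktop ransom note at the paths named in this article, compares the MD5 of any file found against the hashes listed below, and reports running processes with the same image names. The -Remove switch is my own addition; without it the script only reports.

```powershell
# Added example (not from the original guide): audit a host for the
# Onion3Cry artifacts named in this article. Paths and MD5 values come
# from the article; nothing is deleted unless -Remove is supplied.
param([switch]$Remove)

# MD5 hashes from the "Files Modified/Created" table, keyed by file name.
$hashes = @{
    'goupdate.exe'                 = 'A4046A44B24F172D662E01BD05AC046B'
    '### DECRYPT MY FILES ###.exe' = 'C1A0B66678BF454BD5F898CD8CBD61C0'
    'Onion3Cry Ransomware.exe'     = '92117DB6E028061B49507C9538A19A79'
}

# Locations the article says the ransomware writes to.
$startup = [Environment]::ExpandEnvironmentVariables('%ALLUSERSPROFILE%\Start Menu\Programs\Startup')
$candidates = @(
    [Environment]::ExpandEnvironmentVariables('%APPDATA%\Local\Gogle\update\goupdate.exe'),
    (Join-Path $startup 'goupdate.exe.lnk'),
    (Join-Path $startup '### DECRYPT MY FILES ###.exe.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) '### DECRYPT MY FILES ###.exe')
)

$findings = @()
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $name  = Split-Path -Leaf -LiteralPath $path
    $md5   = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    $known = $hashes[$name]          # $null for the .lnk shortcuts
    $findings += [pscustomobject]@{
        Path      = $path
        MD5       = $md5
        HashMatch = if ($known) { $md5 -eq $known } else { 'n/a (shortcut)' }
    }
}

# Running processes whose image name matches one of the dropped files
# (ProcessName has no extension, so append ".exe" before the lookup).
$procs = Get-Process | Where-Object { $hashes.ContainsKey("$($_.ProcessName).exe") }

if (-not $findings -and -not $procs) { Write-Output 'No Onion3Cry indicators found.'; return }
$findings | Format-Table -AutoSize
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

if ($Remove) {
    # Same order as the manual guide: stop the process first, then delete files.
    $procs | Stop-Process -Force
    $findings | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
}
```

A hash mismatch on a file that is present still deserves attention, since the guide notes the process name can vary and a rebuilt sample would carry a different MD5.
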
Onion3Cry Ransomware Screenshots: (two images of the ransom note, not reproduced here)

Onion3Cry Ransomware technical info for manual removal:

Files Modified/Created on the system:

  #  File Name                      File Size (Bytes)  File Hash
  1  goupdate.exe                   37376              MD5: a4046a44b24f172d662e01bd05ac046b
  2  ### DECRYPT MY FILES ###.exe   39424              MD5: C1A0B66678BF454BD5F898CD8CBD61C0
  3  Onion3Cry Ransomware.exe       404307             MD5: 92117db6e028061b49507c9538a19a79

Memory Processes Created:

  #  Process Name                   Process Filename               Main Module Size (Bytes)
  1  goupdate.exe                   goupdate.exe                   37376
  2  ### DECRYPT MY FILES ###.exe   ### DECRYPT MY FILES ###.exe   39424
  3  Onion3Cry Ransomware.exe       Onion3Cry Ransomware.exe       404307

