Onion3Cry Ransomware is a new ransomware-type infection similar to VideoBelle Ransomware, Balbaz Ransomware, and Matroska Ransomware, as all of them are based on the Hidden-Tear ransomware project. It was designed to encrypt your files and then offer to sell you a decryption tool/key to decrypt them. As with all ransomware, you have to be careful because the cybercriminals might not send you the decryptor or the key. Therefore, instead of complying with the cybercriminals’ demands, we strongly recommend that you remove it. In this article, we will discuss how this ransomware might be distributed, how it functions, and how you can delete it.
Unlike most of its counterparts, which are usually distributed via email, Onion3Cry Ransomware is known to be disseminated via a fake update. We have received information that it is a fake Windows update that claims your PC is being updated. So, the next time you start up your PC, it might already be infected with this ransomware. Unfortunately, we do not know how the fake update itself is distributed. The fake update might be promoted on shady websites that claim your PC is outdated. If you fall into this trap, then your PC might become infected with this ransomware. This is just a theory, as we have no concrete information on how the fake update is distributed. The fake update was clearly designed to infect your PC covertly, so having an anti-malware program helps you avoid such applications.
When Onion3Cry Ransomware infects a computer, it drops its executable “goupdate.exe” at %APPDATA%\Local\Gogle\update\. Furthermore, it creates a Point of Execution (PoE) at %ALLUSERSPROFILE%\Start Menu\Programs\Startup\goupdate.exe.lnk to launch this ransomware each time you start up your computer.
When this ransomware runs for the first time, it starts encrypting targeted file types immediately. Research has shown that this ransomware was set to target file types that include, but are not limited to, .index .zip .rar .css .xlsx .ppt .pptx .odt .jpg .bmp .png .csv .sql .mdb .sln .php .asp .aspx .xml and .psd. Testing has shown that Onion3Cry Ransomware uses the Advanced Encryption Standard (AES). The encrypted files are rendered unusable, and that is the whole point, because the cybercriminals then have leverage over you to demand money.
Once the encryption process is complete, this ransomware drops a ransom note named ### DECRYPT MY FILES ###.exe on the desktop and also a PoE at %ALLUSERSPROFILE%\Start Menu\Programs\Startup\### DECRYPT MY FILES ###.exe.lnk so that the note opens in full screen on system startup. The ransom note says you have to send an email to onion33544@india.com to get the full instructions on how to pay the ransom and how much you should pay.
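As an added, read-only triage example (not code from the original article), the PowerShell script below checks the two persistence locations described above: it resolves every .lnk shortcut in the all-users Startup folder, MD5-hashes each target and compares it with the hashes in the file table further down, then lists whatever sits in the drop directory. The paths and hashes are the article's; the helper name New-Finding and the report layout are assumptions of this example.

```powershell
# Added example, not from the original article: read-only triage of the
# Startup-folder PoE and the drop directory named in the text. Nothing is
# deleted; the script only reports what it finds so an analyst can decide.

$KnownMd5 = @{   # hashes from the article's file table (hashtable keys are case-insensitive)
    '92117db6e028061b49507c9538a19a79' = 'Onion3Cry Ransomware.exe'
    'C1A0B66678BF454BD5F898CD8CBD61C0' = '### DECRYPT MY FILES ###.exe'
    'a4046a44b24f172d662e01bd05ac046b' = 'goupdate.exe'
}
$StartupDir = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'
$DropDir    = Join-Path $env:APPDATA 'Local\Gogle\update'   # drop path as given in the article

# Hypothetical helper: hash a file (if it exists) and flag it when the hash or
# the name matches the indicators from the article.
function New-Finding([string]$Source, [string]$Target) {
    $md5 = $null
    if ($Target -and (Test-Path -LiteralPath $Target)) {
        $md5 = (Get-FileHash -LiteralPath $Target -Algorithm MD5).Hash
    }
    $known = ''
    if ($md5 -and $KnownMd5.ContainsKey($md5)) { $known = $KnownMd5[$md5] }
    [pscustomobject]@{
        Source     = $Source
        Target     = $Target
        MD5        = $md5
        KnownAs    = $known
        Suspicious = [bool]$known -or ($Target -match 'goupdate\.exe$|DECRYPT MY FILES')
    }
}

$Shell    = New-Object -ComObject WScript.Shell   # resolves .lnk targets
$Findings = @()

# Every shortcut in the all-users Startup folder is a Point of Execution.
foreach ($lnk in Get-ChildItem -LiteralPath $StartupDir -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $Findings += New-Finding -Source $lnk.Name -Target $Shell.CreateShortcut($lnk.FullName).TargetPath
}

# Anything in the drop directory from the article is worth a look, hash match or not.
if (Test-Path -LiteralPath $DropDir) {
    foreach ($file in Get-ChildItem -LiteralPath $DropDir -File) {
        $Findings += New-Finding -Source 'drop directory' -Target $file.FullName
    }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the all-users Startup folder and the target binaries are readable; a row with KnownAs filled in is a hash match against the table, while Suspicious alone means only the name matched.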
That is all of the information we have on this particular ransomware. It is just another recycled version of the Hidden-Tear ransomware project, which was abandoned a long time ago. Still, some novice would-be cybercriminals use it to make some easy money. You can prevent this and similar applications from infecting your PC by getting an anti-malware program such as SpyHunter. If you want to remove Onion3Cry Ransomware, consult the guide provided below.
| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | Onion3Cry Ransomware.exe | 404307 | MD5: 92117db6e028061b49507c9538a19a79 |
| 2 | ### DECRYPT MY FILES ###.exe | 39424 | MD5: C1A0B66678BF454BD5F898CD8CBD61C0 |
| 3 | goupdate.exe | 37376 | MD5: a4046a44b24f172d662e01bd05ac046b |

| # | Process Name | Process Filename | Main Module Size (Bytes) |
|---|---|---|---|
| 1 | Onion3Cry Ransomware.exe | Onion3Cry Ransomware.exe | 404307 |
| 2 | ### DECRYPT MY FILES ###.exe | ### DECRYPT MY FILES ###.exe | 39424 |
| 3 | goupdate.exe | goupdate.exe | 37376 |