| Threat | Trojan-Ransom.NSIS.ONION.air |
|---|---|
| Short Description | A file-encrypting threat that encrypts the user's files and asks for payment to decrypt them via a unique key. |
| Symptoms | Files are encrypted and a ransom message is displayed. |
| Distribution Method | Via exploit kits, network vulnerabilities, spam emails, etc. |
| Detection tool | Download SpyHunter to see if your system has been affected by Trojan-Ransom.NSIS.ONION.air |
Ransomware doesn't sleep, and a newly detected file-encrypting threat proves it. The Trojan ransomware that has just been detected is considered a new variant of the Onion Ransomware (Trojan-Ransom.Win32.Onion), also known as CTB-Locker or Citroni. Ransomware families are being redesigned as we speak, and there are many CryptoWall and CryptoLocker copycats. Both sophisticated and crudely built ransom malware is being sold on the black market. Why? Ransomware and online money theft have proven to be effective methods for quick and easy gain.
The message displayed by the new version of the Onion Ransomware (a.k.a. Trojan-Ransom.NSIS.ONION.air) is:
→MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt
The ransom message within .txt file contains the following information:
→Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately “lost” all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: [edited] To obtain the program for this computer, which will decrypt all files, you need to pay
3 bitcoins on our bitcoin address [edited] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here – https://www.blockchain.info/address/[edited] After payment send us your number on our mail email@example.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1…3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it – it’s your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need – it’s some money.
Don’t panic if we don’t answer you during 24 hours. It means that we didn’t received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON’T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.
Trojan-Ransom.NSIS.ONION.air Technical Summary
As already mentioned, the MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt message is dropped by a new variant of the Onion Ransomware, Trojan-Ransom.NSIS.ONION.air. The malware encrypts files using an RSA-1024 public key generated for the infected computer; the matching private key, which is the only way to decrypt, stays with the attackers. Once the encryption process has finished, the cyber criminals ask for a payment of 3 bitcoins in exchange for the unique decryption key. At the time the ransom message was written, 1 bitcoin was about $260.
Interestingly enough, according to users’ posts on BleepingComputer, a decryption key was provided after 1 bitcoin was paid. It won’t be the first time crooks deliver the deciphering tool without the whole ransom amount being transferred.
Onion Ransomware Technical Details
Onion Ransomware is also dubbed CTB-Locker and Citroni. Since CTB-Locker has been quite active in 2015, a lot of information has been gathered about its behaviour. For instance, it is known that Citroni Ransomware has the same features as other ransom Trojans. CTB-Locker makes randomly selected files unreadable. In most cases, a .TXT file contains the instructions for the Bitcoin-based payment required for the decryption of the user's files. Such malware often exploits network vulnerabilities and can be spread with the help of exploit kits. Spam-email messages are one of the most common ways to infect a system.
The latest version of the Onion ransomware is most likely not that different from its malicious predecessors. However, Trojans are known for acting as backdoors on affected systems, which means that more malicious software can enter at any time. A scan report indicates that Trojan-Ransom.NSIS.ONION.air may be accompanied by other Trojans and exploitation tools:
Image Source: BleepingComputer
Keep in mind that the ‘infection’ described above may be true for one particular system only.
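As an added example (not code from the article or from any vendor tool), here is a small Python triage script that walks a directory tree and flags the indicators the article and the ransom note describe: the two ransom note file names and the MW_/KK_ marker. A byte-entropy check separates a marked file that really looks encrypted from a file that merely matches by name. The marker being in the file name or the leading bytes, and the 7.0 bits/byte threshold, are assumptions; the sample tree is constructed inline.

```python
import math
import random
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators taken from the article: ransom note names and the MW_/KK_ marker.
RANSOM_NOTE_NAMES = {"MW_ IN FILES.txt", "KK_ IN YOUR DOCUMENTS.txt"}
MARKERS = (b"MW_", b"KK_")        # assumption: marker in file name or leading bytes
ENTROPY_THRESHOLD = 7.0           # assumption: bits/byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; plain text is typically well below 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Label one file: ransom_note, encrypted_file, marker_only or None."""
    if path.name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    head = path.read_bytes()[:sample_size]
    name_bytes = path.name.encode("utf-8", "replace")
    marker_hit = any(m in name_bytes or head.startswith(m) for m in MARKERS)
    if marker_hit and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted_file"
    return "marker_only" if marker_hit else None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk the tree and group findings by label (paths relative to root)."""
    findings: Dict[str, List[str]] = {"ransom_note": [], "encrypted_file": [], "marker_only": []}
    for p in root.rglob("*"):
        if p.is_file():
            label = classify(p)
            if label:
                findings[label].append(p.relative_to(root).as_posix())
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample: one note, one marked high-entropy blob, one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "KK_ IN YOUR DOCUMENTS.txt").write_text("Good day. Your computer has been locked by ransomware")
        (docs / "report.docx").write_bytes(b"MW_" + random.Random(1234).randbytes(4096))
        (docs / "notes.txt").write_text("quarterly numbers " * 50)
        return scan_tree(Path(tmp))
```

Run `demo()` to see the grouping on the constructed tree; point `scan_tree` at a user profile to triage a real system.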
Trojan-Ransom.NSIS.ONION.air Removal Instructions
Trojan-Ransom.NSIS.ONION.air may be residing in any of the following directories:
The listed locations are often used by malicious executables related to aggressive ransomware attacks.
An anti-malware solution will detect and delete the threat. However, the files can be decrypted only once the decryption key is obtained. According to Kaspersky Lab's extensive research on the Onion family, files can be decrypted only with the master private key.
What is even worse is that there have been cases when not only the files located on the system were encrypted but the backup copies as well.
Additionally, what we can suggest to you, our readers, is to educate yourselves about how ransomware works. To do that, feel free to refer to the following articles:
To remove Trojan-Ransom.NSIS.ONION.air, scan the system. To preserve your files, keep backups on an external storage device that is disconnected when not in use, since newly crafted ransomware may be capable of encrypting backup copies as well.