The OBLIVION virus is a newly discovered threat that uses the built-in ransomware engine to rename target sensitive files with the .OBLIVION extension. Our in-depth removal guide shows how victims can recover the data and remove the threat from their computers.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .OBLIVION extension and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Oblivion |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Oblivion.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
OBLIVION Virus – Distribution Ways
The Oblivion virus was discovered in a very limited attack campaign. At the moment it cannot be told which is the primary delivery method however we assume that the hacker or group behind it will use the most popular tactics.
One of the common methods is the use of email spam messages. They use social engineering tactics in order to coerce the targets into interacting with the dangerous element. The hackers typically take text and graphics from well known Internet sites and web services. Links to the malware strains can be embedded in the body contents, in other cases it can also be delivered directly as file attachments. The messages can also be used to deliver payloads. There are two popular types:
- Software Installers — The hackers can embed the Oblivion virus code into application installers. The typical method is to take the legitimate installers from the official site and modifying them with the Oblivion malware. Usually the criminals choose popular targets such as system utilities, creativity suites or games.
- Documents — One of the most common tactics is to include the dangerous code into files of various types: text documents, spreadsheets and presentations. Once the users open them up they will be greeted with a message asking them to enable the built-in macros (scripts). When this is done the malware will be downloaded from a remote server and executed on the local computer.
The threat can also be delivered using web scripts of various types such as scripts, banners, pop-ups and redirects. They can also affecte legitimate sites through affiliate and ad networks.
Another delivery method that may be used by the Oblivion virus criminals is the use of browser hijackers. They represent malware plugins made for the most popular applications: Mozilla Firefox, Microsoft Edge, Opera, Safari and Google Chrome. In most cases the main goal seems to be the redirection to a hacker-controlled site. This is done by changing settings such as the home page, search engine and new tabs page. The next step is to load the virus engine.
OBLIVION Virus – In-Depth Analysis
The Oblivion virus seems to be a new strain based on Scarab. The initial code analysis shows that the encountered samples may be testing versions as they do not contain much of the advanced code that is expected in such releases.
Future versions of the threat are expected to launch a data harvesting component. It is programmed to extract strings that can be classified into these two types:
- Anonymous Metrics — They are used by the criminals to judge how effective the attack campaign is. The data is composed mainly of information about the available hardware components and certain operating system values.
- Personal Data — It can be used to directly expose the identity of the users. Example information includes a person’s name, addresss, telephone number, interests, location, passwords and account credentials.
Using the gathered data the hackers can launch a stealth protection feature. It is used to protect the Oblivion virus from being interrupted by software applications and security services. This includes the likes of anti-virus software, sandbox environments and virtual machine hosts. If the virus engine is not able to bypass them then it may remove itself to avoid detection.
The next step is to launch different system changes. Modifications to the Windows Registry can render certain applications unusable. This can also apply to system services if such entries are impacted. Advanced strains can lead to severe performance issues and a persistent state of execution. If this is done the virus will be automatically launched every time the computer is started.
Further modifications can result in the inability to enter into the recovery menu, a consequence of boot options manipulation. The hackers are also expected to delete the Shadow volume copies of personal user files. This makes recovery harder without the use of a quality product. Refer to our instructions for more information.
The criminals can also choose to use the virus in a Trojan like manner by instituting a network connection with a malware server. it is used to spy on the victims in real time, as well as overtake their machines on request. Additional malware can be loaded through it.
OBLIVION Virus – Encryption Process
The ransomware module is started once all prerequisite components have completed execution. It uses a powerful cipher in order to encrypt sensitive files found on the infected machines. This is done by using a built-in list of target file types. An example list includes the following data:
The affected files are renamed with the .OBLIVION extension. A ransomware note is created in a OBLIVION DECRYPTION INFORMATION.TXT file which contains the following message:
,o888888o. 8 888888888o 8 8888 8 8888 `8.`888b ,8′ 8 8888 ,o888888o. b. 8
. 8888 `88. 8 8888 `88. 8 8888 8 8888 `8.`888b ,8′ 8 8888 . 8888 `88. 888o. 8
,8 8888 `8b 8 8888 `88 8 8888 8 8888 `8.`888b ,8′ 8 8888 ,8 8888 `8b Y88888o. 8
88 8888 `8b 8 8888 ,88 8 8888 8 8888 `8.`888b ,8′ 8 8888 88 8888 `8b .`Y888888o. 8
88 8888 88 8 8888. ,88′ 8 8888 8 8888 `8.`888b ,8′ 8 8888 88 8888 88 8o. `Y888888o. 8
88 8888 88 8 8888888888 8 8888 8 8888 `8.`888b ,8′ 8 8888 88 8888 88 8`Y8o. `Y88888o8
88 8888 ,8P 8 8888 `88. 8 8888 8 8888 `8.`888b8′ 8 8888 88 8888 ,8P 8 `Y8o. `Y8888
`8 8888 ,8P 8 8888 88 8 8888 8 8888 `8.`888′ 8 8888 `8 8888 ,8P 8 `Y8o. `Y8
` 8888 ,88′ 8 8888 ,88′ 8 8888 8 8888 `8.`8′ 8 8888 ` 8888 ,88′ 8 `Y8o.`
`8888888P’ 8 888888888P 8 888888888888 8 8888 `8.` 8 8888 `8888888P’ 8 `Yo
YOUR FILES ARE ENCRYPTED!
Your personal ID
[redacted 324 hex]
Your documents, photos, databases, save games and other important data was encrypted.
Data recovery the necessary decryption tool. To get the decryption tool, should send an email to:
Or telegram us:
Letter must include Your personal ID (see the beginning of this document).
In the proof we have decryption tool, you can send us 1 file for test decryption.
Next, you need to pay for the decryption tool.
In response letter You will receive the address of Bitcoin wallet which you need to perform the transfer of funds.
If you have no bitcoins
* Create Bitcoin purse: https://blockchain.info
* Buy Bitcoin in the convenient way
https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)
– It doesn’t make sense to complain of us and to arrange a hysterics.
– Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.
– Just contact with us, we will stipulate conditions of interpretation of files and available payment,
in a friendly situation
– When money transfer is confirmed, You will receive the decrypter file for Your computer.
* Do not attempt to remove a program or run the anti-virus tools
* Attempts to decrypt the files will lead to loss of Your data
* Decoders other users is incompatible with Your data, as each user unique encryption key
Remove OBLIVION Virus and Restore .Oblivion Files
If your computer system got infected with the OBLIVION ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.