.Oled Files Ransomware Virus (Decrypt Files) - How to, Technology and PC Security Forum | SensorsTechForum.com


This article aims to help you remove the Oled ransomware virus completely from your computer and restore files encrypted with .oled file extension added.

A ransomware virus, believed to be part of the BTCWare ransomware family, has been reported to encrypt important files on the computers it infects using the AES encryption algorithm. The Oled ransomware’s primary purpose is to convince victims to pay a hefty ransom fee, which is why the virus drops a ransom note named DECRYPTION.txt. In this note, the cyber-criminals even offer to decrypt 3 files free of charge as a guarantee. If your computer has been infected by Oled ransomware, we recommend reading this article thoroughly.

Threat Summary

Name: Oled Ransomware
Type: Ransomware, Cryptovirus
Short Description: A variant of BTCWare. Uses the AES encryption algorithm on the infected computer and then demands a Bitcoin payment as ransom.
Symptoms: Files encrypted with the .oled file extension added to them. Dropped ransom note, named DECRYPTION.txt.
Distribution Method: Spam e-mails, e-mail attachments, executable files.

Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.oled File Virus – Distribution

For its distribution, Oled ransomware may use spam e-mails that aim to spread its malicious executable, which drops the ransomware payload once opened. These malicious executable files may be loaders or droppers and may be either uploaded to websites or sent out via spam.

One of the spam methods that may be associated with Oled ransomware infections is e-mail. The cyber-criminals send out messages portraying the infection file as a legitimate document, for example a letter of complaint or an invoice. Most such e-mails aim to resemble correspondence from legitimate companies such as PayPal or other entities.

.oled Ransomware – Analysis

Oled ransomware virus is a part of the BTCWare ransomware family, meaning it may exhibit similar behavior to other viruses from the family, like the .onyon ransomware.

After infection has taken place, the ransomware virus may begin to exhibit different types of activities, the first of which is to drop the malicious files related to the virus in various Windows folders, such as:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

After the malicious files of the Oled ransomware are dropped on the infected computer, the malware may modify the registry, more specifically targeting the Run and RunOnce registry keys (which launch programs at logon). After doing so, the virus may also delete the shadow volume copies on the infected computer. These shadow copies are one option for recovering files, and Oled ransomware may execute vssadmin and other commands in order to delete them:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
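The behaviour described above (payload staged in profile folders such as %AppData% and %Temp%, Run/RunOnce persistence, and shadow copy deletion through vssadmin and bcdedit) can be turned into simple detection logic. The following Python script is an added example written for this article, not code from the article or from any BTCWare analysis. It runs over constructed sample data: a hypothetical user profile, made-up autorun entries, and made-up process command lines of the kind an endpoint sensor would record. A real collector would read the live Run/RunOnce keys and process-creation events instead.

```python
import re
from pathlib import PureWindowsPath

# Constructed environment for the example: how %AppData%, %Temp% etc. would resolve
# on a hypothetical host (a real collector would read the user's actual environment).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# The drop locations the article lists; LocalLow has no standard variable, so it is spelled out.
STAGING_DIRS = [
    ENV["APPDATA"],
    ENV["LOCALAPPDATA"],
    ENV["TEMP"],
    r"C:\Users\alice\AppData\LocalLow",
]

# Command-line patterns matching the shadow copy / recovery tampering shown above.
SHADOW_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "vssadmin shadow copy deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
     "bcdedit: Windows recovery disabled"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
     "bcdedit: boot failure handling suppressed"),
    (re.compile(r"wmic(\.exe)?\s+process\s+call\s+create", re.I),
     "wmic process call create (command launched via WMI)"),
]


def expand_env(value):
    """Expand %VAR% references using the constructed ENV table (os.path.expandvars would use the real one)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), value)


def extract_image_path(command):
    """Return the executable part of an autorun value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_under(path, parent):
    """True if path lies inside parent (component-wise, case-insensitive)."""
    try:
        PureWindowsPath(path.lower()).relative_to(PureWindowsPath(parent.lower()))
        return True
    except ValueError:
        return False


def flag_autorun_entries(entries):
    """entries: (key, value_name, data) triples as exported from Run/RunOnce.
    Returns (key, value_name, resolved image path) for every entry whose image lives in a staging folder."""
    flagged = []
    for key, name, data in entries:
        image = expand_env(extract_image_path(data))
        if any(is_under(image, d) for d in STAGING_DIRS):
            flagged.append((key, name, image))
    return flagged


def flag_shadow_copy_tampering(command_lines):
    """Return (label, command line) for every line matching a tampering pattern."""
    return [(label, line) for line in command_lines
            for pattern, label in SHADOW_TAMPER_PATTERNS if pattern.search(line)]


# Constructed sample data (not from a real incident).
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorAgent",
     r'"C:\Program Files\Vendor\agent.exe" /silent'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"%AppData%\updater.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "setup",
     r"%Temp%\setup.exe -run"),
]
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet"',
    r"bcdedit.exe /set {default} recoveryenabled no",
    r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for key, name, image in flag_autorun_entries(SAMPLE_AUTORUNS):
        print(f"[autorun] {key}\\{name} -> {image}")
    for label, line in flag_shadow_copy_tampering(SAMPLE_COMMAND_LINES):
        print(f"[tamper] {label}: {line}")
```

The autorun check is a triage signal, not a verdict: legitimate per-user installers and updaters also run from %LocalAppData%, so an allowlist of known images belongs in front of it. The tampering patterns are deliberately narrow (a plain "vssadmin list shadows" is not matched) so that backup and imaging tools do not fire them, while the wmic pattern catches the proxy launch shown above even when the inner command is rewritten.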

After this has happened, the Oled ransomware infection may also drop its ransom note, which has the following message to victims:

The ransom note is almost identical to the ransom note set by OnyonLock ransomware:

Oled Ransomware – Encryption Process

Being a suspected variant of the BTCWare ransomware family, the .oled file virus is believed to use the same AES encryption algorithm to render the files on the compromised PC unopenable. Oled ransomware looks for specific types of files to encrypt:

  • Microsoft Office documents.
  • Adobe documents.
  • Text files.
  • Pictures.
  • Music.
  • Videos.
  • Archives.
  • Other often used file types.

After encrypting the files, the .oled file virus appends its distinctive file extension, which includes the e-mail address black.mirror@qq.com. The encrypted files look like the following:
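Because the appended extension carries the attacker's contact address, a file listing alone tells a responder how many files were hit, which original file types were affected and where the DECRYPTION.txt note was dropped. The Python script below is an added example for this article, not the article's or any vendor's code. It assumes the name layout original-name.[contact-address].oled; the article states only that the extension includes black.mirror@qq.com, so the square-bracket placement is this example's assumption. The listing it runs over is constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed name layout: <original name>.[<contact e-mail>].oled
# The article only says the appended extension includes black.mirror@qq.com;
# the square-bracket placement is this example's assumption.
OLED_NAME = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]\.oled$", re.I)
RANSOM_NOTE = "decryption.txt"   # name of the dropped note per the article


def parse_encrypted_name(filename):
    """Split an .oled file name into the original name and the embedded contact address, or None."""
    m = OLED_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "email": m.group("email")}


def triage_listing(paths):
    """Summarise a file listing: which files carry the .oled marker, which addresses they
    embed, which original types were hit, and where ransom notes were dropped."""
    encrypted, notes = [], []
    for p in paths:
        name = PureWindowsPath(p).name
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted.append({"path": p, **parsed})
        elif name.lower() == RANSOM_NOTE:
            notes.append(p)
    return {
        "encrypted_count": len(encrypted),
        "contact_emails": Counter(e["email"] for e in encrypted),
        "original_extensions": Counter(PureWindowsPath(e["original"]).suffix.lower()
                                       for e in encrypted),
        "ransom_notes": notes,
        "encrypted": encrypted,
    }


# Constructed listing for the example (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.[black.mirror@qq.com].oled",
    r"C:\Users\alice\Documents\report.docx.[black.mirror@qq.com].oled",
    r"C:\Users\alice\Pictures\holiday.jpg.[black.mirror@qq.com].oled",
    r"C:\Users\alice\Documents\DECRYPTION.txt",
    r"C:\Users\alice\Documents\notes.txt",          # untouched file
    r"C:\Users\alice\Desktop\oled_notes.txt",       # contains "oled" but is not encrypted
]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{summary['encrypted_count']} encrypted files, notes at {summary['ransom_notes']}")
    print("contact addresses:", dict(summary["contact_emails"]))
    print("original types hit:", dict(summary["original_extensions"]))
```

In practice the listing comes from walking the affected volumes. The per-extension counts show which of the file types listed above were actually touched, the note locations show which folders the ransomware traversed, and the parsed "original" name is what each file should be renamed back to if a decryptor for this family becomes available.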

Remove Oled Ransomware and Restore .oled Encrypted Files

For the removal of Oled ransomware, it is advisable to follow the removal instructions below. They are specifically designed to help you remove the malicious files either manually or automatically with the aid of an anti-malware tool. Security experts always advise using the automatic approach, since it is swift, effective and will also protect your computer system in the future.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

