.ONI Files Virus (Oni Ransomware) – How to Remove and Restore Data


This article has been created to explain what the .ONI files virus is and how to remove it from your computer effectively.

A new ransomware virus, going by the name of ONI ransomware, has been detected by security researchers. It is similar to a virus that we detected in late October 2017, called ONI Locker, which originated from what appears to be Russia. Unlike that earlier version, which encrypted the whole drive of the computers it infected, this version of ONI ransomware encrypts only the files, appending the .ONI suffix after their original extension. If your computer has been infected by this variant of ONI ransomware, we strongly suggest that you read this article: it aims to help you remove the virus and shows several methods you can use to try to restore your encrypted files.

Threat Summary

Name: .ONI Ransomware
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer and then asks victims to pay a ransom to get them back.
Symptoms: The files have the .ONI file extension added and are completely renamed to random 0-9 A-Z names. A ransom note called RESTORE_ONI_FILES.txt appears.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.ONI Files Virus – Update January 2019

Update! A decryption tool is now available for .ONI Ransomware! The tool was created by the malware researcher Michael Gillespie and can be downloaded from the following link, wrapped inside a .zip archive: AuroraDecrypter.zip. The tool is designed to decrypt the following variants of the cryptovirus: .ONI, .desu, .Aurora, .aurora, .Nano and .Animus.

.ONI Files Virus – How Does It Infect

The primary method by which the .ONI file ransomware infects computers is malicious e-mail attachments. These attachments are delivered in spam e-mails, often packed inside archives, and they pretend to be seemingly legitimate documents, for example:

  • Invoices.
  • Receipts.
  • Banking documents.
  • Warranty of a product.

The e-mails themselves are also cleverly composed and may carry many different kinds of messages that stress the importance of the attached files, for example:

Besides e-mail, the .ONI virus may land on your computer via other methods as well. One of them is believed to be uploading the virus files to download sites disguised as legitimate types of files, such as:

  • Setups of programs.
  • License activators.
  • Portable programs.
  • Cracks.
  • Patches.
  • Keygens.

.ONI Files Virus – Activity Report

Once .ONI ransomware has infected your computer, the virus may begin its infection activity. The first chain of actions it performs is to drop its malicious payload on your computer. The payload may consist of more than one file, and the spawned files may reside in the following locations:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%

In addition to this, the ransomware virus also drops its ransom note file, called RESTORE_ONI_FILES.txt. The ransom note has the following contents:

Oops! Your files have been encrypted.

Your files are no longer accessible.
You might have been looking for any way to recover your files.
Don’t waste your time, you can’t recovery PC without our decryption service.

Our email: [email protected]
Your ID (send it to my mail):
-Only [email protected] can decrypt your files
-Trist no one [email protected]
-Do not attempt to uninstall the program or run anti-virus tools
Attempts to self-encrypt files will result in loss of your data.
-Decoders of other users are not compatible with your data because each user has a unique encryption key.

Furthermore, ONI ransomware also heavily modifies the Windows Registry. For starters, the .ONI ransomware virus interacts through the registry with the following Windows file (rsaenh.dll is the Microsoft Enhanced Cryptographic Provider, the CryptoAPI library that Windows programs use for RSA and symmetric encryption):

→ “C:\Windows\SysWOW64\rsaenh.dll”

ONI ransomware may then perform other activities on the infected machine, such as deleting the Volume Shadow Copies, which Windows uses for System Restore and previous file versions, and disabling Windows recovery at boot. To do this, ONI ransomware may run the following Windows shell commands:

→ /c cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP & wbadmin.exe wbadmin DELETE SYSTEMSTATEBACKUP & cmd.exe /c wmic SHADOWCOPY DELETE & WMIC.exe wmic SHADOWCOPY DELETE & cmd.exe /c vssadmin Delete Shadows /All /Quiet & vssadmin.exe vssadmin Delete Shadows /All /Quiet & cmd.exe /c bcdedit /set {default} recoveryenabled No & bcdedit.exe bcdedit /set {default} recoveryenabled No & cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures

Once this is done, the .ONI files virus may immediately start encrypting your files. Because this command chain runs before encryption starts, it is also the earliest point at which the infection can be detected by monitoring process creation.
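As an added example that is not part of the original article, the following Python detection logic scores process-creation command lines against the recovery-inhibition chain quoted above and alerts only when several distinct actions appear in one chain, so a lone administrative vssadmin call does not fire. The sample events are constructed for the demonstration.

```python
import re
from typing import Dict, List

# One rule per recovery-inhibition action from the command chain quoted above.
# Patterns are applied to the lower-cased sub-command, so casing tricks do not matter.
RULES = [
    ("wbadmin_delete_systemstatebackup", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+systemstatebackup\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("bcdedit_recoveryenabled_no", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignoreallfailures", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]

def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe chain on '&' / '&&' so every sub-command is inspected on its own."""
    return [p.strip() for p in re.split(r"\s*&&?\s*", cmdline) if p.strip()]

def match_rules(cmdline: str) -> List[str]:
    """Return the distinct rule names matched anywhere in the command chain."""
    hits: List[str] = []
    for part in split_chain(cmdline):
        low = part.lower()
        for name, rx in RULES:
            if name not in hits and rx.search(low):
                hits.append(name)
    return hits

def score_event(cmdline: str) -> Dict[str, object]:
    """Alert when two or more distinct recovery-inhibition actions occur in one chain.
    A single vssadmin call can be routine maintenance; the combination is the precursor."""
    hits = match_rules(cmdline)
    return {"hits": hits, "alert": len(hits) >= 2}

# Constructed sample events in the shape of Sysmon Event ID 1 (image + command line).
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "/c cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP & cmd.exe /c wmic SHADOWCOPY DELETE "
                "& cmd.exe /c vssadmin Delete Shadows /All /Quiet "
                "& cmd.exe /c bcdedit /set {default} recoveryenabled No "
                "& cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin Delete Shadows /For=C: /Oldest"},
]

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score every event and return only those that raise an alert."""
    scored = [dict(e, **score_event(e["cmdline"])) for e in events]
    return [s for s in scored if s["alert"]]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["image"], "->", ", ".join(alert["hits"]))
```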

.ONI Files Virus – Encryption Process

In order to encrypt the files on your computer, the .ONI files virus may first scan for the types of files it wants to encrypt. The files this virus looks for are commonly used file types, such as:

  • Documents.
  • Images.
  • Videos.
  • Archives.
  • Virtual Drives.

Once the .ONI ransomware virus has encrypted the files on your PC, the malware may add the .ONI file extension to them. After this, the files may appear like the following:

Remove ONI Ransomware and Restore .ONI Encrypted Files

If you want to remove .ONI ransomware from your PC, it is recommended that you be very careful. For removal, you can use the manual and automatic removal instructions below. If manual removal does not seem to help, or you are not confident that you will be able to delete this virus in full, we strongly suggest that you remove it automatically. For maximum effectiveness, security experts strongly advise using advanced anti-malware software for the removal process. Such software's primary goal is to fully scan for and delete all files related to .ONI ransomware from your computer and, at the same time, ensure that it stays protected against infections that might occur in the future.

If you want to restore .ONI encrypted files, you can try the file recovery instructions in step "2. Restore files, encrypted by .ONI Ransomware". They have been created to help you recover as many files as possible, but they are no guarantee that you will be able to restore all of them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
