A malware researcher from G Data has discovered the Onyx ransomware cryptovirus. The virus encrypts your files and displays a ransom note with instructions written in the Georgian language. To see how to remove the ransomware and how you can try to restore your files, read the article to the end.
|  |  |
|---|---|
| Short Description | The ransomware will encrypt your files and then display a ransom note with instructions for payment. |
| Symptoms | The ransom note is written in the Georgian language and has a picture that is also a screen locker. |
| Distribution Method | Spam emails, email attachments |
| Detection Tool | See If Your System Has Been Affected by Onyx (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss Onyx. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Onyx Ransomware – Infection
The Onyx ransomware could infiltrate your computer system in multiple ways. The payload file might be spread via spam e-mails. This spam technique is designed to make you think that the email is important and that the attached file is just as important. If you believe what such an email claims and you are in a rush, you just might open the attachment. Opening the file releases the payload, and from that point you can consider your computer infected.
Onyx ransomware could also infect your machine through other methods. For instance, the malware creators might distribute the malware file through social media and file-sharing networks. The file could be hosted on any of those platforms with the purpose of reaching more unsuspecting people. Refrain from simply opening files from dubious sources such as e-mails or links. Instead, scan them with a security tool and check their size and signature beforehand. You should also read the ransomware prevention tips in the thread in our forum.
Onyx Ransomware – More About It
A ransomware cryptovirus named Onyx has recently been found in the wild by malware researcher Karsten Hahn from G Data.
Your files will get encrypted, and the .wnx extension will then be appended to each of them. The ransom instructions are written in a text file in the Georgian language. That note will also be displayed as a ransom message on your desktop screen once the encryption process finishes.
When the Onyx ransomware launches its payload, it can create entries in the Windows Registry. These entries give the ransomware a higher level of persistence: they make the virus start automatically every time the Windows operating system loads. Your data will then become encrypted, and after that the ransom note will show up on your desktop screen.
The ransom note reads something along the lines of the following:
თქვენი ყველა ფაილი დაშიფრულია,
მაგრამ არ ინერვიულოთ, ისინი არ მოიხსნა. (ახლა)
თქვენ 24 საათის განმავლობაში უნდა გადაიხადოს $ 100.
ფულის ნაბიჯი მითითებულ ვიკიპედია ანგარიშზე.
წინააღმდეგ შემთხვევაში, ყველა ფაილი იქნება განადგურებული.
არ გამორთეთ კომპიუტერი და / ან არ ცდილობენ გამორთოთ ჩემთვის.
დაუმორჩილებლობა წაიშლება 100 ფაილი.
Here is how the original text looks in the ransom lock-screen:
A rough English translation looks like this:
All your files are encrypted,
but do not worry, they have not been removed. (for now)
You have 24 hours to pay $100.
Money move to the specified Bitcoin-account.
Otherwise, all files will be destroyed.
Do not turn off the computer and/or do not attempt to disable me.
When disobedience will be deleted 100 files.
You are given a deadline of just one day to pay the sum of 100 US dollars to a specified Bitcoin address. If you disobey, the ransomware threatens to delete 100 of your files. You should NOT even be thinking of contacting the cybercriminals or funding their criminal activity. No one can guarantee that all of your files will become accessible again. What's more, the criminals will probably just put the money into a new ransomware project.
The Onyx ransomware encrypts files and appends the .wnx extension to them. A list of the file extensions the ransomware searches for and encrypts is not available yet, but the targeted file types are documents, photos, database files and others along those lines.
The Onyx cryptovirus is highly likely to erase the Shadow Volume Copies from the Windows operating system by using the following command:
vssadmin.exe delete shadows /all /Quiet
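As an added defender-side example (not code from the article or from G Data), the following Python snippet checks a set of simplified endpoint events for the two observable indicators the article gives: the exact vssadmin shadow-deletion command and a burst of newly created .wnx files. The event format, the process name onyx.exe, and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the article: the .wnx extension appended to encrypted
# files and the shadow-copy deletion command it cites.
ENCRYPTED_EXT = ".wnx"
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Number of .wnx file creations by one process that triggers an alert (assumed tuning value).
BURST_THRESHOLD = 5

# Constructed sample events in a simplified "kind|process|detail" form
# (not a real Sysmon export): process events carry the command line,
# file events carry the path of the created file. "onyx.exe" is a placeholder name.
SAMPLE_EVENTS = [
    "process|explorer.exe|C:\\Windows\\explorer.exe",
    "file|onyx.exe|C:\\Users\\alice\\Documents\\report.docx.wnx",
    "file|onyx.exe|C:\\Users\\alice\\Documents\\budget.xlsx.wnx",
    "file|onyx.exe|C:\\Users\\alice\\Pictures\\photo1.jpg.wnx",
    "file|onyx.exe|C:\\Users\\alice\\Pictures\\photo2.jpg.wnx",
    "file|onyx.exe|C:\\Users\\alice\\Pictures\\photo3.jpg.wnx",
    "process|onyx.exe|vssadmin.exe delete shadows /all /Quiet",
    "file|winword.exe|C:\\Users\\alice\\Documents\\notes.docx",
    "process|cmd.exe|vssadmin.exe list shadows",   # benign: listing, not deleting
]

def analyze_events(events):
    """Return (alert_type, process, detail) tuples for events matching the
    Onyx indicators: shadow-copy deletion and a burst of .wnx file creations."""
    alerts = []
    wnx_counts = defaultdict(int)
    for line in events:
        kind, process, detail = line.split("|", 2)
        if kind == "process" and SHADOW_DELETE_RE.search(detail):
            alerts.append(("shadow_copy_deletion", process, detail))
        elif kind == "file" and detail.lower().endswith(ENCRYPTED_EXT):
            wnx_counts[process] += 1
            # Alert once, when the process crosses the burst threshold.
            if wnx_counts[process] == BURST_THRESHOLD:
                alerts.append(("wnx_burst", process, f"{BURST_THRESHOLD} files"))
    return alerts

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```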
Read more to see what types of methods you can try to restore parts of your data.
Remove Onyx Virus and Restore Your Files
If your computer got infected with the Onyx ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see ways in which you can try to recover your data, see the step titled 2. Restore files encrypted by Onyx.