OXAR Ransomware Removal - Restore .OXR Files

OXAR Ransomware Removal – Restore .OXR Files

This article will help you remove OXAR ransomware absolutely. Follow the ransomware removal instructions at the end of the article.

OXAR is the name given to a ransomware cryptovirus. The ransomware is a variant of HiddenTear and places the extension .OXR to all files which get locked after the encryption process is done. The OXAR virus will demand a ransom to be paid in Bitcoins. Keep reading below to see how you could try to potentially restore some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension .OXR to them after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by OXAR


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss OXAR.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

OXAR Ransomware – Infection

OXAR ransomware could spread its infection with various methods. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your PC will become infected. You can see the detections of such a file on the VirusTotal service right here:

OXAR ransomware might also distribute its payload file on social media and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware found in our forums.

OXAR Ransomware – In-Depth Look

OXAR is a virus that could encrypt your files and extort you to pay a ransom to get them back to normal. Malware researchers have discovered that it is a variant of the HiddenTear open-source project and also developed with Visual Studio 2017.

OXAR ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

You can see the ransom note that is placed in your computer system after the encryption process is completed:

That ransom note reads the following:

Files successfully encrypted !
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
But if you want to decrypt all your files, you need to pay.
How Do I Pay?
Payment is accepted in Bitcoin only.
Please check the current price of Bitcoin and buy some bitcoins.
And send the correct amount to the address specified in this window.
And specify your client ID and your e-mail adress in the description when you send the payment via https://blockchain.info/fr/wallet/#/
We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!
Do not modify the “.OXR” extension of your encrypted files, it will become unrecoverable

Step one:
Create a portfolio at https://blockchain.info/fr/wallet/#/
Step two:
Buy 100$ USD https://blockchain.info/fr/wallet/#/buy-sell
Step three:
Send 100$ USD in Bitcoin at 16Vs1Z2yrYBM49GpipN3yz1WaMSYS8xm16

Your working documents, holiday photos, children, videos, and all your valuable documents have been encrypted with a powerful encryption algorithm, follow the instructions given to retrieve the encryption key

The note of the OXAR ransomware states that your files are encrypted. The ransom sum of 100 US dollars is demanded to be paid in Bitcoins for potentially unlocking your files. However, you should NOT under any circumstances pay that ransom. Your files may not get restored, and nobody could give you a guarantee for that. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware viruses or get involved in more serious criminal acts.

OXAR Ransomware – Encryption

The OXAR ransomware is a HiddenTear variant but it encrypts files with the following extensions:

→.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg,.part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip

Every single file that gets encrypted will receive the same extension appended to it, which is .OXR. The encryption algorithm which is implemented is undoubtedly AES since it is a HiddenTear variant, but that doesn’t completely exclude the possibility of involving another encrypting algorithm in the mix in the near future.

The OXAR cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

If the above-stated command is indeed inputted into your computer, it will delete the Windows copies made for the Recovery feature deeming it unfit to work or recover your files back to the way they were before the infection. If your personal computer was infected with this ransomware and your files are now locked, read on through to find out how you could potentially restore your files.

Remove OXAR Ransomware and Restore .OXR Files

If your computer got infected with the OXAR ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share