Remove MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt, Trojan-Ransom.NSIS.ONION.air - How to, Technology and PC Security Forum |

Remove MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt, Trojan-Ransom.NSIS.ONION.air

TypeTrojan, Ransomware
Short DescriptionA file-encrypting threat, that encrypts the user’s files and ask for payment to decrypt them via unique key.
SymptomsFiles are encrypted and a ransom message is displayed.
Distribution MethodVia Exploit Kits, network vulnerabilities, spam emails, etc.
Detection toolDownload SpyHunter, to See If Your System Has Been Affected By Trojan-Ransom.NSIS.ONION.air
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Ransomware doesn’t sleep and we have a new file encrypting threat on the malware horizon to prove it. Actually, the Trojan ransomware that has just been detected is considered a new variant of the Onion Ransomware (Trojan-Ransom.Win32.Onion) also known as CTB-Locker or Citroni. Ransomware pieces are being redesigned as we speak and there are many cases of CryptoWall and CryptoLocker copycats. Sophisticated and not-so-crafted ransom malware is being sold on the black market. Why? Ransomware and online money theft have proven to be effective methods for quick and easy gain.p10_0000

The message displayed by the new version of the Onion Ransomware (a.k.a. Trojan-Ransom.NSIS.ONION.air) is:


The ransom message within .txt file contains the following information:

→Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately “lost” all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: [edited] To obtain the program for this computer, which will decrypt all files, you need to pay
3 bitcoins on our bitcoin address [edited] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here –[edited] After payment send us your number on our mail [email protected] and we will send you decryption tool (you need only run it and all files will be decrypted during 1…3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it – it’s your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need – it’s some money.
Don’t panic if we don’t answer you during 24 hours. It means that we didn’t received your letter (for example if you use or
it can block letter, SO DON’T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.

Trojan-Ransom.NSIS.ONION.air Technical Resume

As already mentioned, the MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt message is distributed via a new variant of the Onion Ransomware – Trojan-Ransom.NSIS.ONION.air. The malicious piece is encrypting files via the RSA-1024 encryption key. Once the encryption process has finished, the cyber criminals will ask for a payment of 3 bitcoins to decrypt the files with the unique decryption key. As of the time the ransom message was created, 1 bitcoin was about $260.

Interestingly enough, according to users’ posts on BleepingComputer, a decryption key was provided after 1 bitcoin was paid. It won’t be the first time crooks deliver the deciphering tool without the whole ransom amount being transferred.

Onion Ransomware Technical Details

Onion Ransomware is also dubbed CTB-Locker and Citroni. Since CTB-Locker has been quite active in 2015, a lot of information has been gathered about its ways. For instance, it is known that Critoni Ransomware has the same features as other ransom Trojans. CTB-Locker makes randomly selected files unreadable. In most cases, a .TXT file contains the instructions for the Bitcoin-based payment required for the decryption of the user’s files. Such malware often exploits network vulnerabilities and can be spread with the help of Exploit Kits. Spam-email messages are one of the common ways to infect a system.

The latest version of the Onion ransom is most likely not that different, compared to its malicious predecessors. However, Trojans are famous for acting as backdoors on affected system which means that more malicious software can enter any time. A scan report indicates that Trojan-Ransom.NSIS.ONION.air may be accompanied by other Trojans and exploiting tools:

  • Not-a-virus:NetTool.Win32.Wasppace.I
  • Trojan.Win32.Fsysna/.ccym
  • Backdoor.Win32.Hlux.dca
  • HEUR:Trojan.Win32.Generic


Image Source: BleepingComputer

Keep in mind that the ‘infection’ described above may be true for one particular system only.

Trojan-Ransom.NSIS.ONION.air Removal Instructions

Trojan-Ransom.NSIS.ONION.air may be residing in any of the following directories:

  • %Temp%
  • C:\\.exe
  • %AppData%
  • %LocalAppData%
  • %ProgramData%
  • %WinDir%

The listed locations are often used by malicious executables related to aggressive rasomware attacks.

An anti-malware solution will detect and delete the threat. However, file decryption can happen only when the decryption key is obtained. On the grounds of Kaspersky Lab vast research on the Onion family , files can be decrypted only with the master-private key.

What is even worse is that there have been cases when not only the files located on the system were encrypted but the backup copies as well.

Additionaly, what we can suggest to you, our readers, is educate yourselves about how ransomware works. To do that, feel free to refer to the following articles:

Restore Files Encrypted by Ransomware Manually

CryptoLocker’s Copycats

CryptoWall .aaa Files

To remove Trojan-Ransom.NSIS.ONION.air, scan the system. To preserve your files, you may want to use an external storage device, since newly-crafted ransomware may be capable of affecting back-up copies as well.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share