Back up your files: .onyon file virus continues spreading

Security experts noticed increased activity of the .onyon file virus

Spotted in May 2017, .onyon ransomware is not going to fade away from the Internet. Cyber security researchers warn that this file-encrypting virus continues spreading and attacking computers all over the world.

This cyber threat belongs to the dangerous BTCWare ransomware family that appeared in May 2017. However, in May the master keys were released,[1] and the malware became decryptable. Thus, it’s no surprise that new variants of the malware emerged.

Also known as OnyonLock and ONYON ransomware,[2] the .onyon file virus spreads via malicious spam emails and a fake “Rogers Hi-Speed Internet” program that can be downloaded from insecure file-sharing websites.

Hoax emails help to hack computers

Cybercriminals use social engineering techniques to trick people into opening obfuscated files attached to spoof emails.[3]

Crooks pretend to be from governmental organizations, financial institutions, and other companies and inform recipients about serious issues. Users are asked to open a fake invoice, statement or other serious document.

Once people believe in this hoax and open an obfuscated document, malware enters the system and starts encrypting targeted files with a combination of AES and RSA ciphers.

After data encryption, all files have the .onyon extension, which prevents users from opening them. However, hackers do not leave victims alone. They leave a ransom-demanding message in the !#_DECRYPT_#!.inf file.

Here victims are asked to contact the authors of the .onyon file virus via the provided email address. They will respond with the size of the ransom and further data recovery instructions.
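To scope the damage, the two indicators named above (the .onyon extension and the !#_DECRYPT_#!.inf note) can be inventoried with a read-only scan. This is an added example, not part of the original article; the function names are hypothetical, and it assumes file modification times reflect when each file was encrypted.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".onyon"        # extension the article says is appended
RANSOM_NOTE = "!#_decrypt_#!.inf"  # ransom note name from the article, lowercased


def scan_tree(root):
    """Read-only walk of root: list encrypted files and ransom notes."""
    encrypted, notes, mtimes = [], [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                per_dir[dirpath] += 1
                try:
                    mtimes.append(os.stat(path).st_mtime)
                except OSError:
                    pass  # unreadable entry: still counted, no timestamp
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "per_dir": dict(per_dir),
        # Assumption: modification times bracket when encryption ran.
        "first_seen": min(mtimes) if mtimes else None,
        "last_seen": max(mtimes) if mtimes else None,
    }


def format_report(result):
    """Render a short text summary for an incident ticket."""
    def ts(value):
        if value is None:
            return "n/a"
        return datetime.fromtimestamp(value, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    lines = [f"encrypted files: {len(result['encrypted'])}",
             f"ransom notes: {len(result['notes'])}",
             f"encryption window (UTC): {ts(result['first_seen'])} .. {ts(result['last_seen'])}"]
    for directory, count in sorted(result["per_dir"].items()):
        lines.append(f"  {count:5d}  {directory}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

The per-directory counts show which folders to restore from backup first, and the time window helps match the encryption run against mail and download logs.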

Steps to take after a ransomware attack

First and most important, do not pay the ransom to the cybercriminals. There are numerous cases when victims did not receive the decryption key even if they paid the ransom.[4]

Data recovery should not be your priority after a ransomware attack. It’s crucial to remove the .onyon malware as soon as it locks your files.

A ransomware virus not only encrypts data but also makes modifications to the system. Thus, it might create or alter Windows Registry entries, delete some files or install malicious components on the system.

As a result, the system becomes vulnerable. Other cyber threats might take advantage of the situation and launch another attack.

In order to prevent further damage, you should employ a professional security program and run a full system scan. Once your PC is virus-free, you can think about data recovery options. Currently, there are two effective solutions.

You can restore your files from backups. However, if you are one of those computer users who do not back up, you can decrypt your files for free using the BTCWare decrypter created by Avast.[5]