I wrote this article to help you remove Onyon Ransomware. This Onyon Ransomware removal guide works for all Windows versions.
This article is about the Onyon ransomware. The ransomware industry has proven itself quite lucrative and newer and newer pieces are being developed every single day. This particular infection is not actually new. Onyon is an updated version of the BTCWare ransomware. Regardless of its origin though, as a classic member of the dreaded ransomware family, Onyon is destructive and dangerous. It does what all ransomware pieces do – it invades your system, locks your files and then demands a ransom for their release. Your money is its main goal.
As soon as Onyon lands on board, it performs a quick but thorough scan of your machine in search of your private files. Unfortunately, it doesn’t take long before it finds them all: your pictures, videos, music, files, documents, presentations, etc. The pest locks everything with a strong encryption algorithm, thus denying you access to them. Needless to say, you probably have some very important files stored on your PC. Most people do. And now, everything is inaccessible.
Your machine is no longer able to read your data. All you are left with are just empty icons which you cannot use for anything. What is more, to solidify its hold over your private data, Onyon appends its pesky extension to each encrypted file. For example, if you had a file named “mysong.mp3”, after being locked it becomes “mysong.mp3.onyon”. Seeing all of your files renamed like that means that the encryption process is over. Nothing you do can change the fact that your data is being kept hostage, including trying to rename it or move it into another folder.
This is when Onyon makes its next move. The pest drops a note for you, aka the ransom note. This is a file named “!#_DECRYPT_#!.inf” which you can find in each folder containing encrypted data, as well as on your Desktop. With this message, the hackers explain your unpleasant situation AND offer you a solution. Ironic, isn’t it? The same people who took your data are now trying to help you. According to the note, you have to contact the crooks via the tk.btcw@protonmail.ch email address so they can give you more payment details. They claim that once you pay the ransom sum (in Bitcoins of course) they will send you a special decryption tool to free your files.
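Added example (not part of the original guide): a read-only Python script that uses the two indicators named above, the “.onyon” extension and the “!#_DECRYPT_#!.inf” note, to inventory what was encrypted under a folder. The function names, and the use of the oldest modification time as a rough marker for when encryption began, are assumptions of this example.

```python
import os
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".onyon"            # extension named in the article
RANSOM_NOTE = "!#_DECRYPT_#!.inf"   # ransom note file name named in the article


def original_name(name):
    """Strip the appended extension: 'mysong.mp3.onyon' -> 'mysong.mp3'."""
    return name[: -len(ENCRYPTED_EXT)]


def scan(root):
    """Walk root and summarise what the ransomware touched. Read-only."""
    report = {"encrypted": [], "notes": [], "by_type": Counter(), "earliest": None}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == RANSOM_NOTE.lower():
                report["notes"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                # Type of the file before it was renamed, e.g. '.mp3'
                ext = os.path.splitext(original_name(name))[1].lower() or "(none)"
                report["by_type"][ext] += 1
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable entry: already counted above
                if report["earliest"] is None or mtime < report["earliest"]:
                    report["earliest"] = mtime
    return report


def summary(report):
    """Format the scan result as plain text."""
    lines = [f"encrypted files: {len(report['encrypted'])}",
             f"ransom notes:    {len(report['notes'])}"]
    for ext, count in report["by_type"].most_common():
        lines.append(f"  {ext:8} {count}")
    if report["earliest"] is not None:
        when = datetime.fromtimestamp(report["earliest"], tz=timezone.utc)
        # Assumption: the oldest modification time approximates when encryption
        # began, so a restore point or shadow copy should predate it.
        lines.append(f"oldest encrypted file written: {when:%Y-%m-%d %H:%M} UTC")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(summary(scan(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with a folder path as the only argument; the per-type counts show which kinds of files to look for first in backups or shadow copies.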
Well, whatever you do, DO NOT pay. You have zero guarantees that these cybercriminals will keep their end of the bargain. For all you know, they may just take your money without sending you anything. But even if they do send you the decryptor, you still lose because this tool does not remove the ransomware itself from your machine. It only removes the encryption on your data, which is not enough considering it can be re-encrypted hours later. No matter how you look at it, paying is not an option. By complying with the crooks’ demands, you are only helping them expand and create more infections. With your money! Don’t become a sponsor of hackers. Instead, delete Onyon from your PC as soon as possible. To do so manually, please follow our removal guide at the end of this article.
How did Onyon infect you, though? Do you know how? It relied on tricks. One of the most popular methods for ransomware distribution is spam email messages. Crooks attach their product to an email message, which, in turn, is disguised to look like a legitimate one. Then, they send this message to your inbox and you do the rest by opening it without thinking twice about it. Be more careful with the email you receive as most of them are probably corrupted.
Also, stay away from shady pages and links because a single click is all it takes for you to invite some nasty pest on board. Be extra careful when installing updates/bundles as well. Do not rush and always read the Terms and Conditions to be aware of what you are giving permission to. Opt for the Custom settings in the Setup Wizard as they allow you to see if there are any additional and potentially unwanted programs attached. If you spot anything suspicious, you either deselect it or abort the installation immediately.
Onyon Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Onyon Ransomware deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete the shadow copies, so your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose a date at least a month ago from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next”
- Choose a restore point, at least a month ago
- Click “Next”
- Choose Disk C: (should be selected by default)
- Click “Next”. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above methods work, you should try to recover encrypted files by using file recovery software. Since Onyon Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free File Recovery Software programs: