Onion3Cry Ransomware
Posted: September 26, 2017
Threat Metric
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 92 |
| First Seen: | September 26, 2017 |
| OS(es) Affected: | Windows |
The Onion3Cry Ransomware is a new version of Hidden Tear. In addition to blocking access to files by encrypting them, the Onion3Cry Ransomware also may disguise itself and its payload with fake update-themed symptoms such as pop-ups. Malware experts recommend uninstalling the Onion3Cry Ransomware with an appropriate anti-malware tool to stop any ongoing file damage and using any of a variety of free solutions for restoring the encrypted media.
The Recycling that Births New Flavors of Trojans
Threat actors often build on the hard work of others, both for source code and for a brand name that brings publicity. Many Trojans with file-locking functions, like the new Onion3Cry Ransomware, use names that imply one lineage while their code originates from elsewhere. One consequence is that victims risk trying unlocking solutions that are not relevant to their situation.
Despite the name, the Onion3Cry Ransomware isn't an update of the much older Onion Ransomware. Malware analysts can trace most of its code back to the semi-open-source Hidden Tear, which provides this program with its encryption function. Some of the additions that the threat actor has made independently include a ransom note-based pop-up and a disguise for the encryption attack: a fake update screen.
While it scans your computer for documents and other media to lock, the Onion3Cry Ransomware launches a full-screen window that pretends to be a software update notification. Its Portuguese text is the closest imitation of standard Windows phrasing, but the author hasn't copied the Windows background or loading icon, which he may be saving for a future version. Once it has encrypted and locked your files, the Onion3Cry Ransomware replaces this screen with its second window, which asks the user to pay in Bitcoins for the con artist's decryptor.
Dicing Up an Onion's Extorted Earnings
The Onion3Cry Ransomware isn't likely to be the last Trojan that malware experts see using fake updates to hide its attacks, which need time to encrypt the contents of the compromised system. The multilingual HACKED Ransomware and the Kryptonite Ransomware provide similar examples of how Trojans can carry out data-locking functions while distracting the user with minimal effort. In the Onion3Cry Ransomware's case, just knowing what a genuine Windows update looks like and avoiding potential sources of fake ones, such as browser-based pop-ups, should give most users some forewarning of its attacks.
Hidden Tear's variants often use encryption methods that are compatible with free decryptors hosted by various actors in the security industry. If you have no other means of recovering your blocked files, malware experts suggest making copies of them before testing whether Hidden Tear-based decryptors can unlock them. Secure backups give any victim an even better recovery strategy, and many anti-malware programs may block, quarantine or delete the Onion3Cry Ransomware before its file-locking feature runs to completion.
Users in Portuguese-speaking regions are at particularly high risk from the Onion3Cry Ransomware's incoming campaign. However, Hidden Tear, encryption without consent, and fake software updates are problems for the rest of the world and raise the value of backups accordingly.
Technical Details
File System Modifications
The following files were created in the system:

File name: file.exe
Size: 404.3 KB (404307 bytes)
MD5: 92117db6e028061b49507c9538a19a79
Detection count: 22
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 26, 2017

File name: file.exe
Size: 37.37 KB (37376 bytes)
MD5: a4046a44b24f172d662e01bd05ac046b
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 26, 2017
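A hash-based sweep for the two file indicators listed above, added here as a defender-side example and not SpyHunter's own code; the directory layout and file contents in demo() are constructed, and the real samples are not included.

```python
import hashlib
import os
import tempfile

# The two indicators from the "File System Modifications" section above:
# (md5, exact size in bytes, label). Size is a cheap pre-filter before hashing.
ONION3CRY_IOCS = (
    ("92117db6e028061b49507c9538a19a79", 404307, "Onion3Cry file.exe (404307 bytes)"),
    ("a4046a44b24f172d662e01bd05ac046b", 37376, "Onion3Cry file.exe (37376 bytes)"),
)

def md5_of(path, chunk=1 << 20):
    """Stream the file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_tree(root, iocs=ONION3CRY_IOCS):
    """Walk root; return [(path, label)] for files matching an IoC by size and MD5."""
    by_size = {}
    for md5, size, label in iocs:
        by_size.setdefault(size, []).append((md5, label))
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                candidates = by_size.get(os.path.getsize(path))
            except OSError:
                continue  # unreadable or vanished file; skip it
            if not candidates:
                continue  # size matches no IoC, so no need to hash this file
            digest = md5_of(path)
            hits.extend((path, label) for md5, label in candidates if md5 == digest)
    return hits

def demo():
    """Self-check on constructed files (not the real samples): plant a file with a
    known MD5 beside a same-size decoy and confirm only the match is reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Temp"))
        with open(os.path.join(root, "Temp", "file.exe"), "wb") as fh:
            fh.write(b"hello")  # md5 5d41402abc4b2a76b9719d911017c592, 5 bytes
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"world")  # same size, different hash: must not be reported
        iocs = ONION3CRY_IOCS + (("5d41402abc4b2a76b9719d911017c592", 5, "constructed sample"),)
        return [label for _, label in scan_tree(root, iocs)]
```

Point scan_tree at a user profile or the Temp folder to check for the listed droppers; a hit means the file should be quarantined and the system scanned with an anti-malware tool, not opened.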