OnyonLock Ransomware
Posted: May 16, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 211 |
| First Seen: | May 16, 2017 |
| Last Seen: | January 2, 2022 |
| OS(es) Affected: | Windows |
The OnyonLock Ransomware is an updated release of the BTCWare Trojan, which can lock your files through non-consensual encryption. This threat's authors currently demand variable Bitcoin ransoms through text messages to their victims, although paying may not necessarily decrypt the content they are holding hostage. Most users should protect their files with backups, and the rest of their PCs with anti-malware programs for removing the OnyonLock Ransomware when detected.
Bitcoin Trojans with New Names by the Month
The OnyonLock Ransomware belongs to a lesser-known family of file-encryptor Trojans whose other releases are referred to as the Cryptobyte Ransomware and the Crptxxx Ransomware; the main differences between them are changes to the ransom addresses of the threat actors. For the victims, the symptoms are still the same: their files blocked, their backups wiped, and the appearance of extortion-themed messages.
The OnyonLock Ransomware scans the compromised PC for files including documents, spreadsheets, and other formats associated with work or other media. While doing so, it carries out the following attacks:
- Targeted data go through an encryption routine using an AES-based cipher, which makes the affected files unreadable.
- Their filenames also receive a separate edit: the insertion of the '.onyon' extension, which is specific to the OnyonLock Ransomware branch of BTCWare.
- The Trojan generates a custom ID string for the infected PC, which it uses later in the ransoming process (see below).
- Lastly, the OnyonLock Ransomware creates an INF format text file containing its threat actor's demands for unlocking your data: Bitcoin payments made to an unspecified wallet, with the amount depending on how quickly the victim responds. Malware analysts see two variants of this message, although the only significant difference lies in which e-mail address they provide for negotiating.
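As an added triage example that is not part of the original page or SpyHunter's own tooling, the script below walks a directory tree and flags files carrying the '.onyon' extension along with INF text files that read like the ransom note described above; the note's filename, the marker words and the sample tree are constructed assumptions, since the page gives neither the note's name nor its full text.

```python
import os
import tempfile
from collections import Counter

ONYON_EXT = ".onyon"   # extension the Trojan appends (from the page)
NOTE_EXT = ".inf"      # the page says the note is an INF text file; its name is not given
NOTE_MARKERS = ("bitcoin", "decrypt", "@")  # assumed crude markers of an extortion note

def is_encrypted_name(name: str) -> bool:
    """True when a filename carries the '.onyon' suffix appended by the Trojan."""
    return name.lower().endswith(ONYON_EXT)

def original_name(name: str) -> str:
    """Recover the pre-encryption filename by stripping the appended suffix."""
    return name[:-len(ONYON_EXT)] if is_encrypted_name(name) else name

def looks_like_note(path: str) -> bool:
    """INF text file whose first 4 KiB mention all of the assumed extortion markers."""
    if not path.lower().endswith(NOTE_EXT):
        return False
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read(4096).lower()
    except OSError:
        return False
    return all(marker in text for marker in NOTE_MARKERS)

def triage(root: str) -> dict:
    """Walk a tree; list encrypted files, ransom notes, and encrypted-file counts per directory."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_encrypted_name(name):
                encrypted.append(full)
                per_dir[dirpath] += 1
            elif looks_like_note(full):
                notes.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": dict(per_dir)}

def build_sample_tree() -> str:
    """Constructed sample: two encrypted documents, one untouched file, one ransom note."""
    docs = os.path.join(tempfile.mkdtemp(), "Documents")
    os.makedirs(docs)
    for name in ("report.docx.onyon", "budget.xlsx.onyon", "readme.txt"):
        open(os.path.join(docs, name), "w").close()
    with open(os.path.join(docs, "decrypt_note.inf"), "w") as fh:
        fh.write("Your files are encrypted. Send Bitcoin to decrypt them. Contact: x@example.com")
    return os.path.dirname(docs)
```

Running `triage()` against a real share lists the directories hit and the original filenames, which is what you need before deciding between a free BTCWare decryptor and restoring from offline backups.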
Drying Your Tears over the 'Onyon' Files
Although the above features are the most obvious parts of the OnyonLock Ransomware's payload, the Trojan also performs actions with less visible side effects. Local backups, especially SVC data, are subject to deletion, and malware experts sometimes see the OnyonLock Ransomware disabling the Windows Startup Repair feature. Besides being problematic for your PC's security, these functions can also obstruct the recovery of any content that the OnyonLock Ransomware locks.
Non-local backups kept on USB drives, DVDs, or cloud storage servers are at significantly less risk of attack by threats like the OnyonLock Ransomware. Although malware experts can't yet confirm all distribution methods in use in the OnyonLock Ransomware's campaign, file-encrypting Trojans often circulate via corrupted website exploits and e-mail spam attachments. Free decryptors are sometimes available for the BTCWare family of threats, and malware experts recommend using them for any additional data recovery before or after removing the OnyonLock Ransomware with a suitable anti-malware program.
You needn't pay to retrieve files from the encryption-based blockades of most threats like the OnyonLock Ransomware. However, in these attacks, the con artists often rely on pressuring you with time limits into paying before you realize that free alternatives exist on the Web.