Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Onion3Cry Ransomware

Onion3Cry Ransomware is one of the latest threats to join the Hidden-Tear family. All threats within this family were created using one source-code. Others include FlatChestWare Ransomware, Explorer Ransomware, and Oxar Ransomware. All of these infections are created by malicious cyber criminals who are using them to extort money. At this point, only owners of Windows operating systems need to be worried about this malware, and it is believed that spam emails are used for the distribution in most cases. According to our research team, this new infection might also be spread using a fictitious update. If the user interacts with it, the malicious launcher is executed, and the encryption of files begins. The encryption process is discussed in this report at length, and so if you want to learn more about it, you need to continue reading. You also should read this report if you want to learn how to remove Onion3Cry Ransomware from your operating system. Make sure you start a conversation in the comments section if any questions arise while reading.

According to our research team, the malicious Onion3Cry Ransomware uses the AES encryption algorithm to encrypt files. The file encryptor works from the %APPDATA%\Local\Gogle\update\ folder, and its name is “goupdate.exe”. Needless to say, the name of this file could be different in your case. The file has a point of execution in the Startup folder under %ALLUSERSPROFILE%\Start Menu\Programs\Startup\, called “goupdate.exe.lnk”. If this file is not deleted, the malicious ransomware will continue encrypting files every time you restart the computer. When the files are encrypted, their names are not changed, but an additional extension, “.onion3cry-open-DECRYPTMYFILES”, is appended. It can help you identify the files that are corrupted more quickly. After analyzing the malicious launcher, it appears that Onion3Cry Ransomware is targeted at files with these extensions: .asp, .aspx, .avi, .bat, .bmp, .bk, .cns, .css, .csv, .dat, .dbx, .DEC, .divx, .doc, .docx, .docxx, .gbk, .ico, .index, .jpg, .mdb, .mdw, .mp3, .mp4, .mkv, .mpeg, .mov, .msi, .odt, .ogg, .png, .ppt, .pptx, .pst.xls, .pst, .pdf, .php, .psd, .rar, .REC, .RE, .sql, .sln, .tmp, .txt., .wav, .wma, .wmv, .xlsx, .xlxx, .xls, .xml, and .zip. Unfortunately, you cannot recover these files by deleting the appended extension, or even by removing the ransomware itself.

The ransom note by Onion3Cry Ransomware is represented using a file named “### DECRYPT MY FILES ###.exe”. It was found that this file also has a point of execution, and so it will be launched whenever you restart the PC. According to the message, you need to purchase “special software” to get your files back. To be able to purchase it, you need to email your ID number. Obviously, the goal that cyber criminals have is to make you pay a ransom, but you should not do that. First and foremost, you do not want to support cyber criminals and their activity. Second, you do not want to waste your money, which is likely what would happen if you paid the ransom. Instead, we recommend investing in a security tool that could guard you against Onion3Cry Ransomware and similar infections in the future. First, of course, you need to delete the malware that is already active on your operating system.

If you install a legitimate anti-malware tool, you will have Onion3Cry Ransomware deleted from your PC automatically. This is a terrific option, especially if other infections require removal as well, and if you want to use a tool that could keep malware away in the future. If you are not interested in this option, you will need to get rid of the ransomware manually, and, luckily, that is not tremendously difficult. Of course, if you cannot find the launcher file, you will not be able to successfully eliminate this malware. If you find and delete the launcher, the rest of the steps will be easy. Needless to say, if you need our help or advice, you can add a question in the comments section. One more thing we have to mention for those who choose manual removal is that you need to take good care of your virtual security. If you do not invest in anti-malware software, you will need to be cautious yourself. Make sure you do not open files sent to you via spam email and do not interact with suspicious updates.

Onion3Cry Ransomware Removal

  1. Launch Task Manager by tapping Ctrl+Shift+Esc and then click the Processes tab.
  2. Find the {random name} process representing the ransomware, right-click it, and select Open File Location.
  3. In the Task Manager, select the malicious process, and click End process.
  4. In the {unknown name}.exe location, right-click the file, and choose Delete.
  5. Next, launch Explorer by tapping Win+E keys.
  6. Enter %APPDATA%\Local\Gogle\update\ into the bar at the top.
  7. Right-click and Delete the file named goupdate.exe.
  8. Enter %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ into the bar at the top.
  9. Right-click and Delete the files named goupdate.exe.lnk and ### DECRYPT MY FILES ###.exe.lnk.
  10. Move to Desktop and Delete the ransom note file, ### DECRYPT MY FILES ###.exe (if copies exist, you should delete all of them as well).
  11. Empty Recycle Bin and then immediately perform a full system scan.
Download Spyware Removal Tool to Remove* Onion3Cry Ransomware
  • Quick & tested solution for Onion3Cry Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.