Ox4444 Ransomware

Ox4444 Ransomware looks similar to GlobeImposter Ransomware, which is why our researchers believe the applications could be related. The new variant seems to be capable of encrypting not only personal data, like photos or documents but also executable files. Therefore, after the malware performs the encryption process the victim might notice that his games and applications are crashing. Another thing that ought to hint the system was infected with this malicious application is the .Ox4444 extension that should be on all affected files, e.g., document.docx.Ox4444. To learn more about this threat, we invite you to read the rest of our report. Also, there are instructions showing how to remove Ox4444 Ransomware just a bit below the article. They might be helpful if you decide you want to get rid of the malicious application manually.

According to our researchers, Ox4444 Ransomware could be spread through various malicious websites, Spam emails, untrustworthy advertising content, etc. In other words, the victim ought to infect his system unknowingly by launching some suspicious data downloaded from the Internet. If you often start files without checking them first, we highly recommend scanning data, especially the one received from unreliable sources, with a reliable antimalware tool of your choice. The scan should be performed before the data in question is launched. In case, it carries a threat it could infect the system quickly without you being able to do anything to stop it. Thus, taking extra precautions like scanning files first is one of the best things you can do to keep the system safe. The other one is to avoid visiting questionable websites or interacting with doubtful files altogether.

Furthermore, once the malware’s installer starts running, it should create a copy of itself in the %LOCALAPPDATA% folder. Also, it should place a value name that’s value data ought to point to the installer’s copy in the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce location. Together, these files should make the infected device load Ox4444 Ransomware at every restart. Meaning, if you do not erase the threat, the system might relaunch it every time you restart the computer. While it may not make any difference to already encrypted files, keep in mind, it could affect data you might create later on. As said earlier, all encrypted files should have a second extension. Also, it is likely the only files left unaffected should be data that belongs to Windows. Thus, encountering this malware could ruin a lot of files.

Soon after making user’s data unusable, the malicious application is supposed to open a particular text document carrying a message from Ox4444 Ransomware’s creators. It ought to say the user cannot restore his files without decryption tools that the malware’s developers claim to have. Not only it is possible they may not have the needed tools as decryptions keys are often available only for some time, but there is also a possibility you may not need decryption tools at all if you have a backup. To be more precise, if you have your files backed somewhere safe, you could replace encrypted data with them.

However, even if you have no backup, we would still recommend against agreeing to the hacker's demands. As you see, they ought to offer their decryption tools in exchange for a ransom, which could be huge. Plus, there are no guarantees the money will not be lost in vain as hackers cannot be trusted. If you think paying the ransom might be too risky too and you do not want to take any risks, you could erase Ox4444 Ransomware manually or with a reliable antimalware tool of your choice. Users who feel up to the task could follow the instructions located below as they explain the removal process bit by bit. For those who choose to employ an antimalware tool, we recommend performing a full system scan. Once it is over it should be possible to eliminate all data associated with Ox4444 Ransomware and other possible threats by pressing the provided deletion button.

Eliminate Ox4444 Ransomware

1. Click Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Find a process belonging to the threat.
4. Mark it and click End Task.
5. Exit Task Manager.
6. Click Win+E.
7. Find these paths:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
8. Locate the malicious application’s launcher.
9. Right-click it and select Delete.
10. Then check %LOCALAPPDATA% and look for the malicious launcher’s copy.
11. Right-click the copy and press Delete.
12. Locate text documents with ransom notes, right-click them and select Delete.
13. Exit File Explorer.
14. Press Win+R.
15. Insert Regedit and click Enter.
16. Find the given directory: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
17. Look for a value name dropped by the threat; its name could be BrowserUpdateCheck.
18. Right-click this value name and press Delete.
19. Exit Registry Editor.
20. Empty your Recycle Bin.
21. Restart the computer.