What is Oxar ransomware? And how does it execute its attack?
Oxar ransomware is a typical ransomware threat that is currently targeting English-speaking users. This crypto-malware seeks to encrypt targeted files in a system extort money from users. It uses the AES encryption algorithm in encrypting files and appends the “.FUCK” extension in marking the encrypted files. During its attack, it scans the entire drive of the computer looking for files to encrypt. Just like a typical ransomware, it targets user-generated file types such as images, documents, videos, audio files, databases, archives, etc. Once it’s done with the encryption, Oxar ransomware drops its ransom note with a lengthy message in a file named “1 What happens with my files.txt” that states:
“What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
But if you want to decrypt all your files, you need to pay.
How Do I Pay?
Payment is accepted in Bitcoin only.
Please check the current price of Bitcoin and buy some bitcoins.
And send the correct amount to the address specified in this window.
We strongly recommend you do not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!
Once the payment is sent, send us an e-mail to the specified address specifying your “Client ID”, you will be sent your decryption key in return. How to buy Bitcoins?
Step 1 : Create a portfolio on the Blockchain website at the address : https://blockchain.info/fr/wallet/#/signup
Step 2 : Sign in to your account you just created and purchase the amount shown : https://blockchain.info/wallet/#/buy-sell
Step 3 : Send the amount to the indicated Bitcoin address, once this is done send us an email with your “Client ID” you can retrieve this in the file “instruction.txt” or “Whats Appens With My File.s.txt” in order to ask us the key of decryption of your data.
Contact us at :
Send 20$ to Bitcoin at 1MFA4PEuDoe2UCKgabrwm8P4KztASKtiuv if you want to decrypt your files!
Your Client ID is : [id]”
No matter how threatening its ransom note may seem, don’t panic and give in to the crooks’ demands. The best thing you can do is to remove the ransomware threat as soon as you can and then look for alternative ways to recover your encrypted files.
How does Oxar ransomware disseminate its malicious payload?
Oxar ransomware uses the most common distribution method for ransomware infections – malicious spam email campaigns. Developers of Oxar attach a corrupted file in emails containing some commands used to launch the ransomware threat into the targeted system. The corrupted file may be a document, a PDF file, an executable file or a link to a malicious website.
Make sure you follow the removal instructions set below to successfully eliminate Oxar ransomware from your system.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to Processes and look for the malicious process of Oxar ransomware and then right click on each one of them and select End Process or End Task to kill their processes.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for dubious programs that might be related to Oxar ransomware and then Uninstall it/them.
Step 5: Tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the following directories below and look for the malicious components of Oxar ransomware such as a text file named 1 What happens with my files.txt and its malicious components like [random].exe then remove them all.
Step 7: Close the File Explorer.
Make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry before you proceed to the next steps below. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by Oxar ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 10: Delete the registry keys and sub-keys created by Oxar ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty the contents of Recycle Bin.
Complete the removal process using [product-name] right after you followed the removal guide above.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.