
OXAR Ransomware

Posted: July 11, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 70
First Seen: July 11, 2017
OS(es) Affected: Windows

The OXAR Ransomware is a modified version of Hidden Tear, which encrypts your files and can drop messages asking for ransoms via text, images or pop-ups. While the OXAR Ransomware's data-locking feature is intact, malware researchers can recommend alternatives to paying an extortionist's fee for restoring any encoded content. When possible, you should block and delete the OXAR Ransomware with anti-malware products before it can initiate its encryption attack.

Expanding the Net of Data Attacks for Growing Ransoms

Hidden Tear is a prolific family of Trojans, but not the usual place to look for threats with creative features. Most Hidden Tear variants differ from one another in little more than their ransom notes, which are tailored to each threat actor's preferences. Now, however, malware researchers are finding another HT version, the OXAR Ransomware, which shows a significantly increased capacity for damaging media.

The OXAR Ransomware uses an AES-based encryption routine similar to that of other versions of its family, which encodes the user's media so that it stays locked until they buy a decryption key. Many versions of Hidden Tear target just over twenty file formats, but the OXAR Ransomware's author has expanded this function significantly. At the cost of a larger footprint and a longer-running payload, the OXAR Ransomware attacks seventy-two different file types, almost all of them general-purpose formats such as WAV, HTML, MP3, BAT and JPG.

Although this expansion of the targeted content is relatively original, the OXAR Ransomware's ransom instructions are mostly copied from resources used by other threat campaigns. This HTML-based pop-up asks for 100 USD in Bitcoins and includes links to relevant websites for further information. Like most cryptocurrency payments, a Bitcoin transaction cannot be refunded without the recipient's consent, which lets the threat actor take the money without giving the victim a code for the decryptor.

Getting out of a Lock-In that's Flimsier than Obvious

The OXAR Ransomware should be compatible with previous decryption solutions available for Hidden Tear-based Trojans, but malware researchers also discovered another flaw that helps users recover. Currently, the OXAR Ransomware uses the fixed password 'key' for its bundled decryption module. Entering that code into the window should unlock all of your encrypted files. If this Trojan is updated to correct the issue, its victims can still fall back on third-party decryption software or backups.

System infiltration by the OXAR Ransomware can occur through any of several infection vectors:

  • E-mail content may disguise itself as safe to trick a victim into opening it and enabling exploits that drop and run this threat automatically.
  • Con artists can gain access to your login credentials through methods such as brute-forcing and then install the OXAR Ransomware manually.
  • A website can host exploit kits that scan the PC for vulnerabilities and use them to initiate drive-by-download attacks with either no consent or misinformed consent from the user.

The OXAR Ransomware hasn't received any major updates to shield it from detection methods that work equally well against other Hidden Tear clones. Most anti-malware programs are detecting and removing the OXAR Ransomware at acceptable rates. If your anti-malware protection is active, it should isolate this Trojan before its data-locking encryption runs.

The OXAR Ransomware's copy-pasted ransom demands make much noise about warning you not to seek alternatives to paying its Bitcoin price. However, when a con artist tells you to do one thing, the best course of action, often, is to do the opposite, particularly when money is on the line.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 3.2 MB (3207168 bytes)
MD5: f7ebfe9a98a578dade2c4af0b1fe3b52
Detection count: 88
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 15, 2017

File name: file.exe
Size: 557.05 KB (557056 bytes)
MD5: b55a984de9379ebc24ca0a16a321c9cb
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 15, 2017

File name: file.exe
Size: 3.33 MB (3337216 bytes)
MD5: e7ac76cf349aa111f5a0f0ff0f905417
Detection count: 81
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 15, 2017
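The hashes and sizes in the file list above are the kind of indicator a defender would sweep a host or file share for after a suspected OXAR Ransomware infection. The script below is an added example, not code from this page or from any vendor: it walks a directory, hashes only files whose size matches one of the three listed samples, and reports any whose MD5 appears in the list. The MD5 values and byte sizes are taken from the table above; the scratch directory, its file contents and the one extra indicator used to show what a hit looks like are constructed for the demo.

```python
import hashlib
import os
import tempfile

# MD5 hashes and byte sizes of the three samples listed on this page, keyed by hash.
OXAR_IOCS = {
    "f7ebfe9a98a578dade2c4af0b1fe3b52": 3207168,
    "b55a984de9379ebc24ca0a16a321c9cb": 557056,
    "e7ac76cf349aa111f5a0f0ff0f905417": 3337216,
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 in chunks so large executables need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=OXAR_IOCS):
    """Walk `root` and return a list of hits: dicts with path, md5 and size.

    A file is only hashed when its size equals the size of a listed sample, so a
    scan over a large tree costs little more than a directory walk.
    """
    known_sizes = set(iocs.values())
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if size not in known_sizes:
                continue  # cheap prefilter: only hash files that could be a listed sample
            digest = md5_of_file(path)
            if digest in iocs and iocs[digest] == size:
                hits.append({"path": path, "md5": digest, "size": size})
    return hits


def demo():
    """Scan a constructed scratch directory and return the results as a dict.

    'page_hits' is the result against the page's indicators (expected empty, the
    scratch files are not the samples), 'constructed_hits' is the result against a
    constructed indicator built from the benign file, and 'empty_md5' is the hash of
    a zero-byte file, included as a known reference value.
    """
    with tempfile.TemporaryDirectory() as scratch:
        benign = os.path.join(scratch, "notes.txt")
        with open(benign, "wb") as handle:
            handle.write(b"constructed benign sample content\n")  # constructed content
        empty = os.path.join(scratch, "empty.bin")
        open(empty, "wb").close()

        # Constructed indicator: the benign file's own hash and size, to show a hit.
        constructed_iocs = {md5_of_file(benign): os.path.getsize(benign)}

        return {
            "page_hits": scan_directory(scratch),
            "constructed_hits": [hit["md5"] for hit in scan_directory(scratch, constructed_iocs)],
            "empty_md5": md5_of_file(empty),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hash matching only catches the exact builds listed here; a repacked or recompiled sample has a different hash and size, so this sweep complements, rather than replaces, the signature and behavioural detection that anti-malware products apply to Hidden Tear clones. MD5 is used because that is the hash the page publishes, which is adequate for matching a known sample even though it is unsuitable for collision-resistant purposes.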