

OhNo! is an encryption ransomware Trojan. Like other similar threats, OhNo! is designed to encrypt data on the victim's computer and then demand a ransom payment. OhNo! holds the victim's data hostage until the victim pays for the decryption key needed to recover the affected files.

Payload

OhNo! was first discovered on an online anti-virus scanning platform and appears to be unfinished. Con artists sometimes submit unfinished versions of their threats to these platforms to test whether they evade the latest anti-virus detection. OhNo! does not appear to have a working encryption routine yet, but one will likely be implemented in the finished version. OhNo!'s presence is easy to identify because it renames the files it processes by appending the extension '.ohno!' to the end of each affected file's name.

OhNo! targets a small range of file types when it infects a computer. However, these are widely used file types, so the victim can still lose valuable data. The file types OhNo! targets include:

.7z, .bmp, .csv, .dll, .doc, .docx, .exe, .gif, .gz, .jpeg, .jpg, .lnk, .midi, .mp3, 
.pdf, .png, .ppt, .pptx, .txt, .wav, .wpd, .xlsm, .xlsx, .zip.
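The '.ohno!' marker and the target list above are what an incident responder actually has to work with on a hit machine. The following triage helper is an added example, not code from this page or from the malware: it assumes the marker is the literal suffix '.ohno!' appended after the original extension (so 'report.docx' becomes 'report.docx.ohno!'), recovers the pre-rename name and extension, counts affected files per extension, and flags any marked file whose original extension is not on the page's list (a hint that the list is incomplete or that a different variant is involved). The sample file names are constructed for illustration.

```python
"""Triage helper for an OhNo!-style rename marker.

Added example, not code from the wiki page or from the malware itself.
Assumptions: the marker is the literal suffix ".ohno!" appended after the
original extension, and the target list is the one given on the page.
The sample names in SAMPLE_NAMES are constructed for illustration.
"""
import os
from collections import Counter
from pathlib import Path

MARKER = ".ohno!"

# Extensions the page lists as targeted (lower-case, with leading dot).
TARGETED = {
    ".7z", ".bmp", ".csv", ".dll", ".doc", ".docx", ".exe", ".gif", ".gz",
    ".jpeg", ".jpg", ".lnk", ".midi", ".mp3", ".pdf", ".png", ".ppt", ".pptx",
    ".txt", ".wav", ".wpd", ".xlsm", ".xlsx", ".zip",
}


def is_marked(name: str) -> bool:
    """True if the file name carries the OhNo! marker suffix (any case)."""
    return name.lower().endswith(MARKER)


def original_name(name: str) -> str:
    """Strip the marker to recover the pre-rename file name."""
    if not is_marked(name):
        raise ValueError(f"{name!r} does not carry the {MARKER} marker")
    return name[: -len(MARKER)]


def original_extension(name: str) -> str:
    """Extension the file had before it was renamed ('' if it had none)."""
    return Path(original_name(name)).suffix.lower()


def triage(paths):
    """Summarise a list of paths: which are marked and what they were.

    Returns the marked paths, a count per recovered extension, and the
    marked files whose original extension is NOT on the page's target list.
    """
    marked = [p for p in paths if is_marked(os.path.basename(p))]
    per_ext = Counter(original_extension(os.path.basename(p)) for p in marked)
    unexpected = [p for p in marked
                  if original_extension(os.path.basename(p)) not in TARGETED]
    return {"marked": marked, "per_extension": per_ext, "unexpected": unexpected}


def scan_tree(root):
    """Walk a directory tree on disk and triage every file under it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            found.append(os.path.join(dirpath, f))
    return triage(found)


# Constructed sample: names as they might look on an affected machine.
SAMPLE_NAMES = [
    "Documents/budget.xlsx.ohno!",
    "Documents/report.docx.ohno!",
    "Documents/notes.txt",            # untouched
    "Desktop/photo.JPG.OHNO!",        # case differs; still the marker
    "Downloads/archive.7z.ohno!",
    "Downloads/setup.msi.ohno!",      # .msi is not on the page's list
]


def demo():
    """Run the triage on the constructed sample and return the summary."""
    return triage(SAMPLE_NAMES)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['marked'])} marked files")
    for ext, n in sorted(result["per_extension"].items()):
        print(f"  {ext or '(no extension)'}: {n}")
    for p in result["unexpected"]:
        print(f"  original extension not on target list: {p}")
```

Because the page reports that this sample's encryption does not appear to work, the recovered name is also the name you would rename a file back to; before doing so, confirm the contents are intact (for example by checking the file's magic bytes against its recovered extension) rather than trusting the name alone.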

In its attack, OhNo! will attempt to encrypt the file types listed above, threatening the victim with the total loss of the affected data unless the victim agrees to pay a ransom. Most ransomware Trojans that use an attack similar to OhNo!'s combine AES and RSA encryption so that the victim's files cannot be recovered without the attacker's private key. Although encryption does not seem to be implemented in OhNo! yet, it will probably not be released to the public without the ability to encrypt victims' data. After processing the victim's files, OhNo! changes the desktop background to an image that closely resembles the Google Chrome default page. It then displays a ransom note in a dialog box demanding payment in Monero (XMR). While most ransomware Trojans demand payment in cryptocurrency, most of them use Bitcoin; threats like OhNo! that demand Monero are still relatively rare. Here is the full text of OhNo!'s ransom note:

You have been, infected with OhNo! ALL your Documents, Downloads, and Desktop have been Encrypted \
with a Unique Key to your System. Each Key is a TOTALLY Random Key specific to that Machine. Please Pay 
2. XMR to the specified address below and you will receive a Email with your Key. Monero (XMR) is a 
cryptocurrency based on 100% annoymous transactions. You can find how to purchase Monero by using 
Google. If you can't figure out how to Buy XMR, you probably shouldn't have a PC.
- Goodluck
XMR ADDRESS: [RANDOM CHARACTERS]

OhNo! demands a payment of 2 XMR, equivalent to approximately 290 USD at the time of writing.

Media

AppCheck Anti-Ransomware OhNo! Ransomware (.OhNo!) Block Video

Community content is available under CC-BY-SA unless otherwise noted.