Orion Hackers ransomware is a malicious program based on the LockBit 3.0 (LockBit Black) ransomware. It encrypts data on infected systems and demands a ransom for decryption. Victims also face threats of data leaks and repeated cyberattacks if they refuse to comply. The ransomware appends an extension made of a random character string to the names of encrypted files and drops a ransom note named “[random_string].README.txt”.
Threat Summary
Attribute | Details |
---|---|
Name | Orion Hackers virus |
Threat Type | Ransomware, Crypto Virus, File Locker |
Encrypted Files Extension | Files are appended with an extension comprising a random character string (e.g., 1.jpg.3OYkmrLQx) |
Ransom Note Name | [random_string].README.txt |
Free Decryptor Available? | No |
Cyber Criminal Contact | Tox chat |
Detection Names | Avast (Win32:RansomX-gen [Ransom]), Combo Cleaner (Trojan.GenericKDZ.107474), ESET-NOD32 (A Variant Of Win32/Filecoder.BlackMatte), Kaspersky (UDS:Trojan-Ransom.Win32.Generic), Microsoft (Ransom:Win32/Lockbit.HA!MTB) |
Symptoms | Files are encrypted, their extensions changed, and a ransom note appears on the desktop. Affected files cannot be accessed. |
Distribution Methods | Infected email attachments, torrent websites, malicious ads, backdoor trojans, drive-by downloads, fake software updates, and social engineering tactics. |
Damage | Encrypts files, making them inaccessible; threatens data leaks and repeated cyberattacks. May install additional malware. |
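The naming scheme in the summary can be used to measure how far encryption spread on a disk or share. The following is an added example, not part of the original article: it assumes the random string in the ransom note's name is the same string appended to encrypted files, and the function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# <random_string>.README.txt, the note name given in the Threat Summary
NOTE_RE = re.compile(r"^([A-Za-z0-9]+)\.README\.txt$")

def scope_encryption(root):
    """Map each candidate extension to its notes and the files carrying it."""
    notes, by_ext = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = NOTE_RE.match(name)
            if m:
                notes.setdefault(m.group(1), []).append(path)
            else:
                ext = os.path.splitext(name)[1].lstrip(".")
                if ext:
                    by_ext.setdefault(ext, []).append(path)
    report = {}
    for ext, note_paths in notes.items():
        hits = sorted(by_ext.get(ext, []))
        report[ext] = {
            "notes": sorted(note_paths),
            "encrypted": hits,
            # Name before the extension was appended, for matching against backups
            "originals": [os.path.basename(p)[: -(len(ext) + 1)] for p in hits],
            # A README with no files carrying its prefix is probably benign
            "confirmed": bool(hits),
        }
    return report

def make_sample_tree(root):
    """Constructed sample: two encrypted files, one note, two untouched files."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("1.jpg.3OYkmrLQx", "docs/report.docx.3OYkmrLQx",
                "docs/3OYkmrLQx.README.txt", "notes.txt", "project.README.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("x")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for ext, info in scope_encryption(tmp).items():
            print(ext, info["confirmed"], len(info["encrypted"]), info["originals"])
```

Run it read-only against a mounted image or an isolated copy of the affected volume; the "originals" list gives the file names to look for in backups.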
Remove Orion Hackers Ransomware With SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
Ransom Note Overview
Your System Hacked By Orion Hackers!
Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper.
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore, our reputation is very important. We attack companies worldwide and there is no dissatisfied victim after payment.
You need to contact us and decrypt one file for free on these tox id = 32C12B278912E26E5EAC57AEBB3F4FF16F0E31603C7B9D46AC02E9D993EE14351CEC3AB5945C with your personal DECRYPTION ID
Download and install TOR Browser hxxps://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies.
Links for Tor Browser:
hxxps://utox.org/
hxxps://utox.org/uTox_win64.exe
If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox.
Tox ID : 6F902E0A889E60D47FB305E2EE4B72926A4A68297F2364285E2CB005DE53B377F76934FF16AB
Your personal DECRYPTION ID: –
Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
Warning! If you do not pay the ransom, we will attack your company repeatedly again!
How Does Orion Hackers Ransomware Infect Systems?
Cybercriminals use various tactics to spread Orion Hackers ransomware:
- Email Attachments & Links – Malware is delivered via malicious email attachments (Microsoft Office, OneNote, PDF, ZIP, RAR files) or phishing links.
- Backdoor Trojans – Hackers use trojans to infiltrate systems and execute ransomware.
- Malvertising & Fake Software Updates – Users clicking on deceptive ads or fake update prompts risk ransomware infections.
- Illegal Software & Torrents – Downloading pirated software, cracked programs, or games from untrusted sources can expose users to malware.
How to Remove Orion Hackers Ransomware
Step 1: Disconnect from the Internet
To prevent further encryption, immediately disconnect your computer from the internet.
Step 2: Boot into Safe Mode with Networking
- Restart your PC and press F8 (or Shift + Restart for Windows 10/11) before Windows loads.
- Select Safe Mode with Networking.
Step 3: Terminate Malicious Processes
- Press Ctrl + Shift + Esc to open Task Manager.
- Look for suspicious processes (e.g., random character names) and end them.
Step 4: Delete Orion Hackers Ransomware Files
- Open File Explorer (Win + E).
- Navigate to:
  - %AppData%
  - %LocalAppData%
  - %ProgramData%
  - %Temp%
- Delete recently modified suspicious files.
Step 5: Remove Registry Entries
- Press Win + R, type regedit, and press Enter.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
- Look for suspicious keys and delete them.
Step 6: Use Anti-Malware Software
Run a scan with SpyHunter or another reputable anti-malware tool to remove residual threats.
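Steps 4 and 5 can be turned into a review list before anything is deleted. The following is an added example, not part of the original article: it lists recently modified files in the four Step 4 folders and the values under the Step 5 Run key without changing either. The 72-hour window and the function names are assumptions.

```python
import os
import time

STEP4_VARS = ("APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "TEMP")  # Step 4
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"       # Step 5


def step4_roots(env=os.environ):
    """Resolve the Step 4 folders that exist on this machine."""
    return [env[v] for v in STEP4_VARS if env.get(v) and os.path.isdir(env[v])]


def recent_files(roots, max_age_hours=72, now=None):
    """Files under roots modified within the window, newest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # vanished or locked; keep going
                if mtime >= cutoff:
                    found.append((mtime, path))
    return [path for _mtime, path in sorted(found, reverse=True)]


def run_key_entries():
    """(name, command) values under the HKLM Run key; [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, command, _type = winreg.EnumValue(key, i)
            entries.append((name, command))
    return entries


if __name__ == "__main__":
    for path in recent_files(step4_roots()):
        print("recent:", path)
    for name, command in run_key_entries():
        print("autorun:", name, "->", command)
```

Save the output with the incident record before deleting anything, since modification times show when files were last written and help establish when the infection began.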
How to Prevent Future Ransomware Attacks
- Backup Your Data – Store backups on external drives and cloud storage.
- Enable Automatic Updates – Keep your OS, software, and antivirus updated.
- Avoid Phishing Emails – Do not open suspicious emails or attachments.
- Use Strong Passwords – Enable 2FA for critical accounts.
- Install Security Software – Use real-time protection against malware.
- Disable Macros in Documents – Never enable macros in documents from unknown sources.
Conclusion
Orion Hackers ransomware is a severe threat that encrypts data and demands ransom payments while threatening victims with repeated cyberattacks. Removing the malware is crucial, but decryption without the attackers' involvement is nearly impossible. Preventative cybersecurity measures can significantly reduce the risk of infection.