Security researchers have found a peculiar ransomware in the wild that is disrupting the ransomware business. Identified as “Onyx”, the ransomware doesn’t encrypt large files but deletes them to prevent recovery. This irreversible data loss can be even more devastating for victims, even if they choose to pay the ransom.
Onyx Ransomware
Researchers from MalwareHunterTeam have discovered the Onyx ransomware in the wild. According to their analysis (shared via a series of tweets), Onyx isn’t technically ransomware. Instead, it is what the researchers called “skidware” with poor functionality.
As explained, they first spotted a ransom note mentioning Onyx, without an actual malware sample. That note replicated the infamous Conti ransomware note. Despite the apparent weakness, the threat actors behind Onyx still managed to target numerous companies, listing at least 6 different businesses on their victim list.
Even if they are using a .NET skidware ransomware, the ONYX gang looks successful in pwning companies, as their leak site already has 6 companies listed…
— MalwareHunterTeam (@malwrhunterteam) April 27, 2022
The researchers called it “skidware” because the malware fails to function as actual ransomware that encrypts data. The malware code shows that it fails to encrypt files larger than 2MB and instead overwrites them with junk data. In effect, the malware deletes the actual file during encryption. Thus, an Onyx attack means that the victims won’t be able to recover their data even if they choose to pay the ransom.
Nonetheless, that doesn’t mean that the victims can simply decide not to pay. The threat actors still steal data before encryption. Hence, this double extortion strategy combined with failed data recovery means a doubled loss for Onyx victims: both money and data.
Another researcher also confirmed the malware’s weakness, adding that it is actually based on the Chaos ransomware.
#ONYX Ransomware is based on #Chaos Ransomware Builder v4. No matter what option chosen in builder, there is bug which will always destroy all files larger than 2117152 bytes. (thx @vxunderground for sample and #chaos builder) Full analysis below: @malwrhunterteam @BleepinComputer https://t.co/WuRrFuAt0T
— Jiří Vinopal (@vinopaljiri) April 28, 2022
Bleeping Computer has also explained that the deletion of large files is intentional and not a bug in Onyx’s code. Therefore, Onyx victims should avoid paying the ransom, as it would do no good anyway.
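A recovery-triage sketch built on the 2117152-byte threshold quoted above, added here as an example and not taken from the researchers' analysis: given a pre-incident file inventory, it separates files that can only come back from backup from files that were encrypted, and shows how much of the data volume falls in the first group. The CSV layout, the sample rows and the function names are constructed assumptions.

```python
import csv
import io

# Threshold quoted in the analysis above: files larger than this are destroyed.
DESTROY_THRESHOLD_BYTES = 2117152

# Constructed sample: a pre-incident file inventory (e.g. exported from a backup catalog).
SAMPLE_INVENTORY = """path,size_bytes
finance/ledger.xlsx,184320
finance/erp.bak,5368709120
hr/contracts/offer.docx,48211
eng/build/image.iso,734003200
eng/notes.txt,2117152
eng/design.psd,2117153
shared/broken-row,not-a-number
"""

def triage(inventory_csv, threshold=DESTROY_THRESHOLD_BYTES):
    """Split a pre-incident inventory into files that were overwritten
    (restore from backup only) and files that were encrypted."""
    result = {"destroyed": [], "encrypted": [], "skipped": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            size = int(row["size_bytes"])
            if size < 0:
                raise ValueError
        except (TypeError, ValueError, KeyError):
            result["skipped"].append(row.get("path"))  # unusable row, review by hand
            continue
        # "Larger than" is strict: a file of exactly `threshold` bytes is encrypted.
        bucket = "destroyed" if size > threshold else "encrypted"
        result[bucket].append((row["path"], size))
    return result

def summarize(result):
    """Return (share of files destroyed, share of bytes destroyed)."""
    destroyed = result["destroyed"]
    everything = destroyed + result["encrypted"]
    total_bytes = sum(size for _, size in everything)
    if not everything or total_bytes == 0:
        return 0.0, 0.0
    return (len(destroyed) / len(everything),
            sum(size for _, size in destroyed) / total_bytes)

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    by_count, by_bytes = summarize(report)
    for path, size in sorted(report["destroyed"], key=lambda item: -item[1]):
        print(f"restore from backup: {path} ({size} bytes)")
    print(f"{by_count:.0%} of files, {by_bytes:.2%} of bytes cannot be recovered by decryption")
```

On the constructed inventory, half of the files exceed the threshold but they account for almost all of the bytes, which is why the large-file behaviour dominates the recovery effort.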