New Onyx Ransomware Skips Encrypting Large Files; Instead, Deletes Them

Security researchers have found peculiar ransomware in the wild disrupting the ransomware business. Identified as “Onyx”, the ransomware doesn’t encrypt large files but deletes them to prevent recovery. This irreversible data loss can be even more devastating for the victims even if they choose to pay the ransom.

Onyx Ransomware

Researchers from the MalwareHunterTeam have discovered the Onyx ransomware in the wild. As revealed through their analysis (shared via a series of tweets), Onyx isn’t ransomware technically. Instead, it is, what the researchers called, a “skidware” with poor functionalities.

As explained, they first spotted a ransom note mentioning Onyx, without an actual malware sample. That note replicated the infamous Conti ransomware note. Nonetheless, despite the apparent weakness, the threat actors behind Onyx still managed to target numerous companies, listing at least 6 different businesses on their victim list.

The reason why the researchers called it a “skidware” is the malware’s failure to function as actual ransomware that encrypts data. Instead, the malware code shows that it fails to encrypt files larger than 2MB, and so, it instead overwrites them with junk data. It means the malware deletes the actual file during encryption. Thus, an Onyx attack means that the victims won’t be able to recover their data even if they choose to pay the ransom.

Nonetheless, that doesn’t mean that the victims can decide to not pay at all. That’s because the threat actors do not fail to steal data before encryption. Hence, this double extortion strategy with failed data recovery means a doubled loss for Onyx victims – money and data both.

Another researcher, also confirmed the malware’s weakness, further describing that it is actually based on the Chaos ransomware.

Bleeping Computer has also explained that the deletion of large files is intentional, and not a bug in Onyx codes. Therefore, Onyx victims should avoid paying the ransom as it would be of no good anyway.

Let us know your thoughts in the comments.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil