Onyx is among the latest entrants into the ransomware landscape; it began making appearances in April 2022. It is believed to be a variant of Chaos ransomware, but some of its features are also similar to those of Conti ransomware. The Onyx ransomware group reportedly has a total of 13 victims from six different countries so far, with most victims being from the United States.

Double extortion strategy

Like most ransomware, Onyx operates on the double extortion strategy, where the attackers not only steal and encrypt the data but also threaten to publish it if the ransom is not paid. As if that wasn’t bad enough, the level of threat and destruction has been taken up a notch by the group. Onyx ransomware overwrites the data in files with random junk data instead of just encrypting it. This means that a major part of the victim’s data is essentially destroyed and cannot be retrieved or decrypted. It was initially reported that Onyx ransomware was overwriting all files larger than 200MB. This was believed to be a deliberate attempt to destroy large files. However, it was later found that Onyx in fact overwrites all files larger than just 2MB, and only encrypts the ones smaller than 2MB. This makes things much worse; with 2MB being a relatively small file size, many of the victims' files will be overwritten with trash data, and hence cannot be recovered.

Technical specifications

While there is still much to learn about Onyx, security researchers have been able to analyze samples of this ransomware and understand some of its functionality. The findings include:

  • Onyx malware is written in the .NET programming language.
  • Onyx ransomware uses AES and RSA encryption algorithms to encrypt victims' files.
  • The malware is known to target more than 250 different file extensions.
  • Once executed, the malware encrypts the target files with the “.ampkcz” extension.
  • The ransomware only encrypts files that are less than 2MB in size; anything bigger is overwritten with random junk data.
  • It behaves like crude, low-effort "skid-ware" that destroys part of the victim's files. Because of this destructive behavior, it is being viewed more as disk wiper malware than as classic ransomware.
  • The code also contains a function named “spreadIt,” which is designed to propagate the ransomware.
  • The ransomware deletes volume shadow copies and backup catalogs, thereby preventing any possible data recovery from local backups.
  • Once the encryption process is complete, the ransomware drops a ransom note titled “readme.txt” into every encrypted directory. This ransom note is reportedly a rip-off of the Conti ransom note.
  • While no specific attack vector is known, Onyx could be using tactics like social engineering, phishing, spam emails, or malicious attachments, much like any other ransomware.
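As an added illustration (not code from this write-up or from any vendor tool), the following Python script applies the indicators listed above, the ".ampkcz" extension, the "readme.txt" note and the 2MB rule, to a directory tree so responders can estimate how much data is beyond recovery before any ransom decision is made. It assumes that overwritten files also carry the .ampkcz extension, which the write-up does not state, and it builds a constructed sample tree in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the write-up above; the 2 MB threshold is applied to on-disk size.
ONYX_EXTENSION = ".ampkcz"
RANSOM_NOTE = "readme.txt"
OVERWRITE_THRESHOLD = 2 * 1024 * 1024  # files above this were overwritten with junk

def triage_onyx_impact(root):
    """Classify files under root by the 2 MB rule and locate ransom notes. Assumption
    (not stated in the write-up): overwritten files keep the .ampkcz extension."""
    report = {"encrypted_maybe_recoverable": 0, "overwritten_unrecoverable": 0,
              "bytes_unrecoverable": 0, "untouched": 0, "ransom_note_dirs": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lname = name.lower()
            if lname == RANSOM_NOTE:
                report["ransom_note_dirs"].append(os.path.relpath(dirpath, root))
            elif not lname.endswith(ONYX_EXTENSION):
                report["untouched"] += 1
            else:
                size = os.path.getsize(os.path.join(dirpath, name))
                if size > OVERWRITE_THRESHOLD:  # junk data: no decryptor can help
                    report["overwritten_unrecoverable"] += 1
                    report["bytes_unrecoverable"] += size
                else:  # encrypted only: recoverable at best with a working decryptor
                    report["encrypted_maybe_recoverable"] += 1
    report["ransom_note_dirs"].sort()
    return report

def recoverable_fraction(report):
    # Best-case share of affected files that a decryptor could restore.
    hit = report["encrypted_maybe_recoverable"] + report["overwritten_unrecoverable"]
    return report["encrypted_maybe_recoverable"] / hit if hit else 1.0

def build_sample_tree(root):
    """Constructed sample layout, not real victim data."""
    root = Path(root)
    (root / "finance").mkdir()
    (root / "finance" / ("budget.xlsx" + ONYX_EXTENSION)).write_bytes(b"\0" * 512)
    with open(root / "finance" / ("archive.zip" + ONYX_EXTENSION), "wb") as fh:
        fh.truncate(OVERWRITE_THRESHOLD + 1)  # sparse file: size > 2 MB without writing 2 MB
    (root / "finance" / "notes.md").write_text("untouched\n")
    (root / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    (root / "finance" / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_onyx_impact(tmp)
```

Point triage_onyx_impact at a mounted image or restored share rather than a live host, so the walk itself cannot disturb evidence.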

On the whole, the malcode seems unsophisticated in many ways and also has some apparent errors, so it is highly likely that the group is working towards upgrading the ransomware executable.

Payment of ransom

Ransomware groups usually rely on the victim’s desperation and demand a ransom in exchange for decryption. Victims end up paying in hopes of getting their data back. The underlying logic here is that the threat will work only if the victims have even the slightest hope of recovering their data. So, if these threat actors don’t keep their end of the bargain by decrypting files after payment, victims will see no point in paying the ransom amount. Onyx ransomware is designed in a way that it cannot possibly keep this promise because it effectively overwrites all files above 2MB, making the data impossible to recover. As more and more companies begin to realize this, they would see no merit in paying the ransom. Researchers are having a hard time understanding the Onyx group’s intention behind designing their malware in a manner that would make it less likely to get paid in the long run.

Even with other ransomware groups, only a handful of victims get back their data after paying the ransom. There also have been instances where ransomware groups, like Conti, have disclosed stolen data even after the victim paid the ransom. With Onyx, the situation is so much worse, because the victims end up losing most of their data in any case. Even if they pay the ransom and even if they get a decryptor, only the smaller encrypted files can be recovered. Analysts are thus advising victims not to pay the ransom because it won’t really solve the problem, and it is also likely that the extortion might continue even after payment.

Although it is considered to be in its initial stages and lacking sophistication, Onyx still poses a huge threat to organizations because of its highly destructive nature. An effective security solution that detects threats or any malicious activity quickly, investigates the root cause, and takes remedial actions is required to protect against the damage caused by ransomware such as Onyx. Our SIEM solution, ManageEngine Log360, helps prevent attacks by alerting if any unusual events or activities are detected, and initiating automatic remediation processes. To fully evaluate how Log360 can help your organization defend against Onyx ransomware and other cyberattacks, sign up for a free, personalized demo.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.