Instead of encrypting files larger than 2MB, a new Onyx ransomware operation is destroying them, preventing them from being decrypted even if a ransom is paid. MalwareHunterTeam, a security research firm, found Onyx, a new ransomware operation, last week.
Onyx threat actors, like the majority of today’s ransomware attacks, steal data from a network before encrypting devices. This information is then used in double-extortion scams, in which they threaten to release the information unless a ransom is paid. So far, the ransomware gang has had some success, as evidenced by the six victims posted on their data leak page. The majority of data is destroyed by the Onyx ransomware.
The Onyx ransomware’s technological capabilities were unknown until today, when MalwareHunterTeam discovered a sample of the encryptor. What was discovered is alarming, as the ransomware overwrites numerous files with random junk data instead of encrypting them. Onyx encrypts files smaller than 2MB, as you can see from the source code below. Onyx, however, will overwrite any files larger than 2MB with garbage data, according to MalwareHunterteam.
There is no way to decode files larger than 2MB in size because this is just randomly generated data that isn’t encrypted. Even if a victim pays, the decryptor can only recover the encrypted files that are smaller. This ransomware is based on Chaos ransomware, which features the same harmful encryption process, according to Vinopal, a forensic expert at the Czech Republic CERT. It is strongly urged that victims do not pay the ransom because the encryption routine’s damaging nature is intended rather than a flaw.
