Security researchers have warned about an unpleasant feature of the Onyx ransomware (although what kind of malware has nice features?): instead of encrypting large files (anything over 2 MB), the ransomware destroys them.
Such files cannot be recovered by decryption, even if the victim pays the ransom.
Let me remind you that we also wrote that Quantum ransomware operators carried out an attack in less than 4 hours.
The Onyx extortion campaign was discovered last week by a researcher from MalwareHunterTeam, who says the new group already has six victims (that is how many are listed on its "leak site").
Like most other ransomware operators, the Onyx group steals data from victims' networks before encrypting files and then uses it for so-called "double extortion": they threaten to publish or sell the information if the affected company does not pay.
Bleeping Computer writes that until recently nothing was known about the technical capabilities of this malware, but MalwareHunterTeam has now obtained and analyzed a sample of the ransomware. The analysis showed that the ransomware overwrites many files with random junk data rather than encrypting them at all.
In the analyzed sample, Onyx encrypts files smaller than 2 MB as expected, but overwrites any file larger than that with random data. In practice this means the malware destroys that information irrevocably: no key, and therefore no decryptor, can bring back a file whose contents were replaced with random bytes. For incident responders, recovery of anything over 2 MB depends entirely on offline backups or other copies, not on paying for a decryptor.
According to security researcher Jiří Vinopal of the Czech CERT, this ransomware is based on the code of another malware family, Chaos, which exhibited the same destructive behavior during "encryption". Since the destructiveness is not a bug but deliberate, experts strongly advise victims against paying the ransom.