Onyx Malware Destroys Large Files Instead of Encrypting Them

Security researchers have warned about an unpleasant feature of the Onyx ransomware (although what malware has pleasant features?): instead of encrypting large files (those over 2 MB), it destroys them.

Unfortunately, that data cannot be recovered, even if the victim pays the ransom.

We previously reported that Quantum ransomware operators carried out an attack in less than 4 hours.

The Onyx extortion campaign was discovered last week by a researcher from MalwareHunterTeam, who says the new group already has six victims (that is how many are listed on its leak site).

“And there’s a big problem: as the ransomware they are using is trash skidware, it’s destroying part of the victims’ files. I would say no company should pay these idiots, as smaller files are decryptable but big ones they can’t decrypt, but they are stealing files too, so…” a MalwareHunterTeam representative wrote on Twitter.

Like most other ransomware gangs, the Onyx operators steal data from victims’ networks before encrypting files and then use it for so-called “double extortion”: they threaten to publish or sell the information if the affected company does not pay.

Onyx destroys large files

Bleeping Computer writes that until recently nothing was known about the technical capabilities of this malware, but MalwareHunterTeam has now obtained and analyzed a sample. The analysis showed that the ransomware overwrites many files with random junk data and does not encrypt them at all.

The sample analysis showed that Onyx encrypts files smaller than 2 MB as a normal ransomware would, but simply overwrites any file larger than that. In practice this means the malware damages that data irrevocably: there is no ciphertext to decrypt, so no key, purchased or leaked, can bring it back.


According to security researcher Jiří Vinopal of the Czech CERT, this ransomware is based on the code of another malware family, Chaos, which exhibited the same destructive behavior during encryption. Since the destructive behavior is not a bug but a deliberate infliction of harm, experts strongly advise victims against paying the ransom.
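Because AES ciphertext and random junk are both high-entropy, a victim cannot tell from a file's contents which files Onyx encrypted and which it overwrote; the only usable indicator the article gives is the size threshold. The triage script below is an added example written for this page, not code from the article, from MalwareHunterTeam, or from any malware sample. It takes one fact from the article (files over 2 MB are overwritten, smaller files are encrypted) and assumes the rest: that "2 MB" means 2 * 1024 * 1024 bytes with a strict greater-than check, and, since the article does not name Onyx's encrypted-file extension, it takes the extension as a parameter. The sample files it builds are constructed test data filled with random bytes.

```python
"""Size-based triage of files hit by a Chaos-style encryptor such as Onyx.

Added example for this article, not the malware's code or any vendor tool.
Fact from the article: files larger than 2 MB are overwritten with junk,
smaller files are genuinely encrypted. Assumptions (not in the article):
the threshold is 2 * 1024 * 1024 bytes and the comparison is strict ">";
the encrypted-file extension is unknown, so it is a parameter.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: 2 MB == 2 MiB; the sample's exact comparison is not published.
OVERWRITE_THRESHOLD = 2 * 1024 * 1024


@dataclass
class TriageResult:
    recoverable: list = field(default_factory=list)  # encrypted: decryptable with the key
    destroyed: list = field(default_factory=list)    # overwritten: no ciphertext exists
    bytes_destroyed: int = 0


def classify(size: int, threshold: int = OVERWRITE_THRESHOLD) -> str:
    """Map a file size to the fate a Chaos-style encryptor gives it."""
    return "destroyed" if size > threshold else "recoverable"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`. Intact documents sit well below 8;
    ciphertext and random junk both sit close to 8. Use it to confirm a
    file was touched at all, not to tell encrypted from overwritten."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root, extension=None, threshold=OVERWRITE_THRESHOLD) -> TriageResult:
    """Walk `root` and sort every file (optionally only those with the
    given suffix) into recoverable vs destroyed by the size rule."""
    result = TriageResult()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if extension and path.suffix != extension:
            continue
        size = path.stat().st_size
        if classify(size, threshold) == "destroyed":
            result.destroyed.append(path)
            result.bytes_destroyed += size
        else:
            result.recoverable.append(path)
    return result


def demo() -> TriageResult:
    """Constructed sample: three random-filled files straddling the
    threshold, named with a hypothetical ".enc" suffix."""
    tmp = Path(tempfile.mkdtemp(prefix="onyx-triage-"))
    sizes = {
        "small.docx.enc": 4096,
        "exact.xlsx.enc": OVERWRITE_THRESHOLD,      # boundary: still "recoverable"
        "big.mp4.enc": OVERWRITE_THRESHOLD + 1,     # one byte over: destroyed
    }
    for name, size in sizes.items():
        (tmp / name).write_bytes(os.urandom(size))
    return triage(tmp, extension=".enc")


if __name__ == "__main__":
    r = demo()
    print("recoverable:", [p.name for p in r.recoverable])
    print("destroyed:  ", [p.name for p in r.destroyed], f"({r.bytes_destroyed} bytes)")
    for p in r.recoverable + r.destroyed:
        # Both classes report ~8 bits/byte: entropy cannot separate them.
        print(f"{p.name}: entropy {shannon_entropy(p.read_bytes()):.3f} bits/byte")
```

Run it against the real affected tree with the observed extension (`triage("/mnt/victim", extension=".whatever-onyx-appends")`) and the `bytes_destroyed` figure is the amount of data that no decryptor can bring back; the recoverable list is the only set a key would help with, which is the point MalwareHunterTeam makes about paying.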


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.