A new ransomware variant called Onyx is destroying files larger than 2MB instead of encrypting them, preventing those files from being decrypted even if a ransom is paid. On April 21, security researcher MalwareHunterTeam discovered that a new ransomware operation had launched called Onyx. Like most of today’s ransomware operations, Onyx threat actors steal data from a network before encrypting devices. This data is then used in double-extortion schemes where they threaten to publicly release the data if a ransom is not paid. The ransomware gang has been reasonably successful so far, with six victims listed on their data leak page.
However, the technical functionality of the ransomware was not known until April 28, when MalwareHunterTeam found a sample of the encryptor. What was found is concerning, as the ransomware overwrites large files with random junk data rather than encrypting them.
Onyx encrypts files smaller than 2MB in size. However, according to MalwareHunterteam, Onyx will overwrite any files larger than 2MB with random data. As this is just randomly created data and not encrypted, there is no way to decrypt files larger than 2MB in size. Even if a victim pays, the decryptor can recover only the smaller encrypted files. Based on the source code, the destructive nature of the encryption routine is intentional rather than a bug. Therefore, it’s advised that victims avoid paying the ransom.
As with any ransomware, it is always recommended to never pay the ransom. When a victim pays a ransom, it only emboldens the attackers to continue their campaign. With this campaign destroying the victim’s files even with payment, a solid data backup plan is recommended. The most preferred method is the 3-2-1 backup strategy is recommended. Three copies of the data, on two separate storage media, one of them being offsite. Early detection of malware is key to preventing destruction of data. Especially with new and evolving threats, it is important to have a solid strategy of endpoint behavioral monitoring and a 24/7 Security Operations Center to respond to incidents quickly.