Jump to content
  • Beware: Onyx ransomware destroys files instead of encrypting them


    • 2 minutes

    • 2 minutes

    A new Onyx ransomware operation is destroying files larger than 2MB instead of encrypting them, preventing those files from being decrypted even if a ransom is paid.


    Last week, security researcher MalwareHunterTeam discovered that a new ransomware operation had launched called Onyx.


    Like most of today's ransomware operations, Onyx threat actors steal data from a network before encrypting devices. This data is then used in double-extortion schemes where they threaten to publicly release the data if a ransom is not paid.



    Onyx ransomware data leak site


    The ransomware gang has been reasonably successful so far, with six victims listed on their data leak page.

    Onyx ransomware destroys most data

    The technical functionality of the Onyx ransomware was not known until today, when MalwareHunterTeam found a sample of the encryptor.


    What was found is concerning, as the ransomware will overwrite many files with random junk data rather than encrypting them.


    As you can see from the source code below, Onyx encrypts files smaller than 2MB in size. However, according to MalwareHunterteam, Onyx will overwrite any files larger than 2MB with junk data.



    Onyx ransomware source code


    As this is just randomly created data and not encrypted, there is no way to decrypt files larger than 2MB in size.


    Even if a victim pays, the decryptor can recover only the smaller encrypted files.


    According to Jiří Vinopal, a forensic analyst at the Czech Republic CERT, this ransomware is the based on Chaos ransomware, which includes the same damaging encryption routine.


    As the destructive nature of the encryption routine is intentional rather than a bug, it is strongly advised that victims do not pay the ransom.


    4/28/22: Corrected that it's files greater than 2MB that are destroyed and that this is a variant of the Chaos ransomware.



    Beware: Onyx ransomware destroys files instead of encrypting them

    User Feedback

    Recommended Comments

    There are no comments to display.

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...