This spiteful new ransomware strain is even more dangerous than usual

Lock on Laptop Screen
(Image credit: Future)

As if ransomware wasn’t dangerous enough, a new strain has been discovered that’s even more spiteful than usual.

Cybersecurity researchers from MalwareHunterTeam recently identified Onyx, a ransomware strain that doesn’t bother to encrypt large files, it just ruins them.

As reported by BleepingComputer, Onyx was discovered overwriting files larger than 200MB with gibberish. Files that are smaller in size get encrypted and theoretically could be salvaged with the decryption key.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

A feature, not a bug

Usually, ransomware operators sneak into the target network via a malware-compromised endpoint, map out the network, exfiltrate sensitive data, and then encrypt everything.

Then, they typically demand payment in exchange for the decryption key and a promise not to leak the stolen data on the web.

However, the decryption process never really works flawlessly. Cybersecurity researchers have often warned that data recovery is unreliable, with certain databases being only partially saved. 

In this case, however, the destruction of some files is a feature of the malicious software, not a bug.

MalwareHunterTeam managed to obtain a sample of the encryptor and found that destroying large files was always the plan. Therefore, paying the ransom to Onyx’s operators is no guarantee the data will be restored.

Before obtaining the sample, the team found the group’s ransom note, which it says is “mostly a copy-paste of Conti's note”.

Conti is a Russian-based ransomware operator that has been compromised itself, with internal chats and source code leaking all over the web.

The Onyx group has managed to successfully attack six victims so far, the security researchers found.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.