This spiteful new ransomware strain is even more dangerous than usual

By Sead Fadilpašić
published

File larger than 200MB? You won't be needing those...

Lock on Laptop Screen
(Image credit: Future)

As if ransomware (opens in new tab) wasn’t dangerous enough, a new strain has been discovered that’s even more spiteful than usual.

Cybersecurity researchers from MalwareHunterTeam recently identified Onyx, a ransomware strain that doesn’t bother to encrypt large files, it just ruins them.

As reported by BleepingComputer, Onyx was discovered overwriting files larger than 200MB with gibberish. Files that are smaller in size get encrypted and theoretically could be salvaged with the decryption key.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

A feature, not a bug

Usually, ransomware operators sneak into the target network via a malware-compromised endpoint, map out the network, exfiltrate sensitive data, and then encrypt everything.

Then, they typically demand payment in exchange for the decryption key and a promise not to leak the stolen data on the web.

However, the decryption process never really works flawlessly. Cybersecurity researchers have often warned that data recovery is unreliable, with certain databases being only partially saved. 

In this case, however, the destruction of some files is a feature of the malicious software, not a bug.

Read more

> The number of ransomware attacks continues to skyrocket - but that's not even the worst part (opens in new tab)

> Ransomware attacks saw a huge rise in 2021 (opens in new tab)

> FBI sounds the alarm over virulent new ransomware strain (opens in new tab)

MalwareHunterTeam managed to obtain a sample of the encryptor and found that destroying large files was always the plan. Therefore, paying the ransom to Onyx’s operators is no guarantee the data will be restored.

Before obtaining the sample, the team found the group’s ransom note, which it says is “mostly a copy-paste of Conti's note”.

Conti is a Russian-based ransomware operator that has been compromised itself, with internal chats and source code leaking all over the web.

The Onyx group has managed to successfully attack six victims so far, the security researchers found.

Via BleepingComputer (opens in new tab)

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news