As if ransomware (opens in new tab) wasn’t dangerous enough, a new strain has been discovered that’s even more spiteful than usual.
Cybersecurity researchers from MalwareHunterTeam recently identified Onyx, a ransomware strain that doesn’t bother to encrypt large files, it just ruins them.
As reported by BleepingComputer, Onyx was discovered overwriting files larger than 200MB with gibberish. Files that are smaller in size get encrypted and theoretically could be salvaged with the decryption key.
A feature, not a bug
Usually, ransomware operators sneak into the target network via a malware-compromised endpoint, map out the network, exfiltrate sensitive data, and then encrypt everything.
Then, they typically demand payment in exchange for the decryption key and a promise not to leak the stolen data on the web.
However, the decryption process never really works flawlessly. Cybersecurity researchers have often warned that data recovery is unreliable, with certain databases being only partially saved.
In this case, however, the destruction of some files is a feature of the malicious software, not a bug.
> The number of ransomware attacks continues to skyrocket - but that's not even the worst part (opens in new tab)
> Ransomware attacks saw a huge rise in 2021 (opens in new tab)
> FBI sounds the alarm over virulent new ransomware strain (opens in new tab)
MalwareHunterTeam managed to obtain a sample of the encryptor and found that destroying large files was always the plan. Therefore, paying the ransom to Onyx’s operators is no guarantee the data will be restored.
Before obtaining the sample, the team found the group’s ransom note, which it says is “mostly a copy-paste of Conti's note”.
Conti is a Russian-based ransomware operator that has been compromised itself, with internal chats and source code leaking all over the web.
The Onyx group has managed to successfully attack six victims so far, the security researchers found.
- No digital environment is safe without the best antivirus solutions around (opens in new tab)
Via BleepingComputer (opens in new tab)