{"id":21804,"date":"2022-05-02T19:25:05","date_gmt":"2022-05-02T19:25:05","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21804"},"modified":"2022-05-02T21:28:23","modified_gmt":"2022-05-02T21:28:23","slug":"onyx-ransomware-destroys-files","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/onyx-ransomware-destroys-files\/","title":{"rendered":"Onyx Ransomware Destroys Large Files Instead of Locking Them"},"content":{"rendered":"

Ransomware<\/a> just keeps getting worse, it seems. Cybersecurity researchers last week revealed that a new ransomware gang called Onyx is simply destroying larger files rather than encrypting them.<\/p>\n

As the MalwareHunterTeam noted in a Twitter thread<\/a>, “as the ransomware they are using is a trash skidware, it’s destroying a part of the victims’ files.”<\/p>\n

The team would recommend that “no company should pay to these idiots … but they are stealing files too.”<\/p>\n

Most threat actors have been focused on locking data, sometimes with innovative techniques to evade detection tools<\/a>. The idea is to force the victims to pay the ransom in return for the stolen data.<\/p>\n

The Onyx ransomware group doesn’t bother with encryption. Any file larger than 2MB, which is pretty common in enterprises, is simply destroyed. Unlike with other ransomware strains, you can\u2019t recover documents with a decryption key.<\/p>\n

Such a low size limit will include most files on the victims’ computers. Besides, if the motive is money, as you would expect from a ransomware group, then the approach seems questionable. Why would companies pay a ransom if they know they won\u2019t be able to recover most files?<\/p>\n

Coming the same week that the REvil ransomware group apparently returned<\/a>, these are tough times for cybersecurity pros.<\/p>\n

Also read: Best Backup Solutions for Ransomware Protection<\/a><\/p>\n

Analyst: Don’t Pay Onyx Ransom<\/strong><\/h2>\n

MalwareHunterTeam posted a code sample on Twitter:<\/p>\n

\"Onyx<\/p>\n

The hackers use the above .NET code to overwrite any file bigger than 2MB with junk data. Only small files lower than 2MB are encrypted. The rest of the files are overwritten with random trashed data, so there\u2019s no way to decrypt them after.<\/p>\n

It was a bit unclear whether this behavior was the initial plan or the result of a bug in the implementation, but Ji\u0159\u00ed Vinopal, Forensic and Malware Analyst, Reverse Engineer at CERT, tweeted<\/a> that the Onyx ransomware is likely based on the Chaos ransomware builder that systematically overwrites big files:<\/p>\n

“One note added by @malwrhunterteam and already confirmed that it works like this:<\/p>\n

1 – for small files.<\/p>\n

2 – for big files.<\/p>\n

3 – for between the two. In encrypt mode, small files encrypted, others overwritten. In overwrite mode, small files not touched-skipped, others overwritten.”<\/p>\n

Therefore, it\u2019s safe to assume it was intentional and the victims should not pay the ransom, as it won\u2019t solve the problem and the extortion might even continue after payment.<\/p>\n

Also read: Best Ransomware Removal Tools<\/a><\/p>\n

Similar to Conti Ransom Note<\/strong><\/h2>\n

Two years ago, the Conti ransomware group disclosed stolen data even if the victims paid the ransom.<\/p>\n

MalwareHunterTeam noticed the instructions left by Onyx for their victims are \u201cmostly a copy-paste of Conti’s note,\u201d sharing the following example:<\/p>\n

\"onyx<\/p>\n

The hackers offer to decrypt \u201ctwo random files completely free of charge\u201d to prove they \u201creally can get the data back.\u201d But unless you\u2019re doing some hunting and know what you\u2019re doing, don\u2019t visit their website with Tor and don\u2019t connect with the credentials they provide in the note. Otherwise, you might wind up with additional problems.<\/p>\n

The hackers describe their new strain as a \u201cmilitary-grade algorithm\u201d to impress their victims, but that\u2019s clearly not the case.<\/p>\n

\"\"<\/p>\n

However, MalwareHunterTeam found six other organizations pwned by Onyx on their onion website (section \u201cOnyx news\u201d), so despite the impossibility of data recovery, you should take the threat seriously.<\/p>\n

So far, the Onyx strategy remains unclear, and it’s possible that this destructive program is the only weapon the ransomware group has for now.<\/p>\n

The MalwareHunterTeam found that the hackers not only encrypt and destroy files, but they also steal data to threaten their victims with potential public disclosure. This tactic is not really surprising, as such \u201cdouble threats\u201d are now pretty common in ransomware attacks.<\/p>\n

Indeed, in case the ransomware fails to encrypt and lock data (or, in this case, destroy it) the attackers nonetheless can still threaten their target to get paid. The victims should expect some data leaks.<\/p>\n

Also read: How to Recover From a Ransomware Attack<\/a><\/p>\n

How to Protect Against Destructive Ransomware<\/strong><\/h2>\n

While it\u2019s pretty hard to determine all of the group\u2019s motives, their destructive approach could disrupt the threat landscape in 2022.<\/p>\n

While most victims of ransomware attacks never recover their data even when there\u2019s a so-called \u201cdecryptor\u201d in exchange for money, this attack could be the beginning of a new paradigm where using decryption keys as leverage does not make sense anymore for threat actors.<\/p>\n

Ransomware removals and security tools make ransomware attacks ever more difficult to achieve, which might explain, at least partly, why they prefer destroying files. Besides, it can be used to threaten companies with further attacks, so if they don\u2019t pay the ransom, they\u2019ll certainly lose more data – and have it publicly exposed.<\/p>\n

The only way to mitigate such devastating attacks is to prepare for post-exploitation techniques and lateral movements. This would require classic security hygiene and awareness<\/a>, endpoint monitoring<\/a>, network segmentation<\/a>, patch management<\/a> and regular backups, but only as a start.<\/p>\n

Companies should prepare for ransomware attacks with efficient backup routines<\/a> that will protect the data from ransomware attacks.<\/p>\n

Backups can be corrupted or deleted by the hackers, so you need penetration tests to emulate real attacks and fix any flawed procedure. Versioning and rollbacks are also strongly recommended.<\/p>\n

In addition, you might use specific software to distribute backups or use separate cloud accounts for each desktop to contain the destructive malware.<\/p>\n

Remember that ransomware is not just for big companies. Many small businesses have filed for bankruptcy after a ransomware attack. Even if the hacker knew the victims could neither pay the ransom nor lose the data, they still attacked without mercy.<\/p>\n

CISA has a website<\/a> devoted to fighting ransomware attacks. That’s a good place to start to assess your situation and prepare your organization for ransomware events.<\/p>\n

Read next: Best Ransomware Removal and Recovery Services<\/a><\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n