Tricky Ransomware Encrypts Small Data But Overwrites Large Data

The MalwareHunterTeam recently discovered a new ransomware operation that is particularly nasty.  Called Onyx, outwardly, the operation does what most ransomware campaigns do.  It gets inside a corporate network, exfiltrates the data that it wants, then seems to encrypt the rest, and then threatens to release the files to the broader public unless their demands for payment are met.

An additional fee is demanded to unlock the encrypted files, but there’s a catch in this instance.

Any file larger than 2MB in size is deleted and then overwritten before encryption to make it appear that the file is still intact.  Unfortunately, when victims pay the fee to have their files decrypted, they discover that the file is garbage and the actual file they wanted has been deleted.

This is not a flaw in the malicious code but rather an intentional design decision. It is implemented to inflict maximal pain on companies that fall victim to their attack.

The discovery was only recently made. So it’s quite likely that at least some companies have paid the demanded ransom in hopes of getting their files back, only to have those hopes dashed.

Given this fact, if you are hit with an Onyx attack, don’t pay the ransom.  It won’t do you any good, except where your smaller files are concerned.  Your only hope is to restore those files from backup, and you certainly don’t need to pay the ransom to do that.

Malware attacks in general and particularly ransomware attacks are an unfortunate part of corporate life these days.  Whether due to poor planning, faulty backups, or something else, some companies feel the need to pay the ransom and get on with the business of their business. However, in this case, the Onyx campaign proves that there is no honor among thieves.  Be careful out there.