Beware of Shiny Objects: New Onyx Ransomware Makes Large Files Unrecoverable
Onyx, an unsophisticated ransomware strain, poses a threat to under-prepared organizations.
Onyx ransomware overwrites files larger than 2MB rather than encrypting them. Victim organizations without complete backup coverage could potentially lose a significant amount of data. Most victims aren’t aware that even if they pay the ransom, many of their files will not be recovered.
A publicly available sample of Onyx ransomware was tested against BluVector’s patented Machine Learning Engine (MLE) and was detected. Regression testing of this sample shows that BluVector would have detected it 97 months prior to its release.
What Is Onyx Ransomware?
Recently, security researcher @MalwareHunterTeam on Twitter described a new ransomware strain named Onyx. Aspects of Onyx’s functionality suggest it may have been designed with the primary objective of executing quickly, giving victims no time to respond once infected. However, one of these aspects will cause additional angst for victims, particularly those without comprehensive backups. Onyx ransomware will only encrypt files which are up to just over 2MB in size; any files larger than this are overwritten with random data. The implication is obvious: even if a victim pays the ransom, only the files under about 2MB will be able to be decrypted.
In addition, the ransom note makes it clear the Onyx attackers will publish data stolen from the victim on their dark web site, following the double extortion approach popular with many ransomware operators. The ransom note also advises victims that if they contact the FBI or a third-party negotiator, their data will be released immediately due to the “hostile intent” of those actions. Login credentials and a dark web URL are also included in the ransom note so that victims can obtain additional instructions from members of Onyx’s “team.” Finally, the ransom note states they will only speak to a senior, authorized individual from the victim organization and urges all other employees not to contact them. The following screenshots show the login screen of the so-called “Recovery” system, and what is displayed after successfully logging on.
Figure 1: Onyx Recovery Login Page
Figure 2: Onyx Recovery Conversations Page
From a technical perspective, the Onyx ransomware sample analyzed for this Threat Report is an unencrypted, complicated .NET executable. The sample contains configuration settings stored in the code, as well as a hardcoded list of 266 file extensions it will encrypt.
Figure 3: Hardcoded file extensions to encrypt
The choice to have Onyx only encrypt files under 2MB and overwrite larger files may be a deliberate decision to destroy those larger files, or it may have been for performance reasons. Similarly, the list of which directories are encrypted appears to have been limited so that the encryption process completes as quickly as possible, leaving victims no time to adequately respond.
The Onyx sample also contains a function named “spreadIt”, which, as the name suggests, is designed to propagate the sample. A configuration option determines if this function is activated, which it is in the sample analyzed here. However, this function is ineffectual. Firstly, it simply copies itself to the root directory of all attached drives as amp.exe, which will result in it executing only if a curious user double-clicks on it. Secondly, it only does this after the encryption process has run and encrypted all attached drives. The authors of this Onyx sample also made another error. They attempt to obtain persistence on an infected system by creating a shortcut to the sample in the user’s startup directory. However, that shortcut is then encrypted when the encryption process runs. These errors indicate that Onyx ransomware is under active development, and future variants will likely have these errors corrected, in addition to extended functionality.
It is worth keeping in mind that, despite the errors and relative lack of sophistication of this Onyx ransomware sample, it still has the potential to pose a threat to under-prepared organizations. By overwriting, rather than encrypting, files larger than 2MB, victim organizations without complete backup coverage could potentially lose a significant amount of data. This is especially true as most victims wouldn’t be aware that, even if they pay the ransom, many of their files will not be recovered.
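To put a number on the point above, the following added example (not BluVector’s or Onyx’s code) walks a file tree and splits targeted files at the size threshold into those a decryptor could restore and those that would have been overwritten outright; the 2MB cut-off, the extension subset and the sample file names are assumptions for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed threshold ("just over 2MB" per the report) and a constructed subset of
# the 266 hardcoded extensions, which are not reproduced here.
SIZE_LIMIT = 2 * 1024 * 1024
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; encrypted or random content approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(root: str, size_limit: int = SIZE_LIMIT, exts=TARGET_EXTS) -> dict:
    """Split targeted files under `root` by the size threshold: 'decryptable'
    (<= limit, a decryptor could restore) versus 'overwritten' (> limit, lost).
    Use on a live share to size exposure, or on an impacted tree during IR."""
    report = {"decryptable_files": 0, "decryptable_bytes": 0,
              "overwritten_files": 0, "overwritten_bytes": 0,
              "high_entropy_files": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file() or (exts and path.suffix.lower() not in exts):
            continue
        size = path.stat().st_size
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if shannon_entropy(head) > 7.5:   # post-incident: header looks encrypted/random
            report["high_entropy_files"] += 1
        bucket = "overwritten" if size > size_limit else "decryptable"
        report[f"{bucket}_files"] += 1
        report[f"{bucket}_bytes"] += size
    return report


def build_sample_tree() -> str:
    """Constructed fixture: one small file, one large random file, one untargeted."""
    root = tempfile.mkdtemp(prefix="onyx_triage_")
    Path(root, "a.docx").write_bytes(b"\x00" * 1000)              # decryptable
    Path(root, "b.pdf").write_bytes(os.urandom(3 * 1024 * 1024))  # overwritten
    Path(root, "c.txt").write_bytes(b"x" * 10)                    # skipped
    return root
```

Running `triage` against a backup set before an incident shows how many bytes sit above the threshold and would never come back from a decryptor, which is a direct measure of how much the backup coverage matters.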
How Does It Propagate?
The Onyx ransomware sample analyzed for this Threat Report contains an ineffectual propagation routine in its code. No specific attack vector is currently known; however, the most common attack vector for most ransomware is social engineering, either as malicious attachments or as downloads performed by malicious documents.
When/How Did BluVector Detect It?
A publicly available sample of Onyx ransomware was tested against BluVector’s patented Machine Learning Engine (MLE) and was detected. Regression testing of this sample shows that BluVector would have detected it 97 months prior to its release.