Chris Swagler | May 5th, 2022

The prevailing logic for ransomware groups is that if they don’t keep their half of the bargain by decrypting files after payment, companies will refuse to pay ransoms moving forward. The new Onyx ransomware does not uphold its end of that bargain. According to researchers, Onyx cannot decrypt files over 2MB after an attack; files of that size are effectively destroyed rather than encrypted, so no key can restore them. The researchers have no answer as to why the group designed its software that way. The chief executive officer of a threat intelligence company with a ransomware negotiation practice notes that this disincentivizes victims from working with the group at all.

Ransomware operators are not only dishonest, they’re also self-serving, and that self-interest is what usually makes payment work. The vast majority of victims that pay for decryptors through a negotiator get their files restored. This is partly due to negotiators’ ability to screen out known bad threat actors. The amount of money a ransomware group receives is influenced by its reputation. One of the first statements to an actor with a bad reputation will be, “Well, you’ve done this amount of damage. You’ve done a certain amount of damage to the files that can’t be recovered, so they’re not worth any money to us anymore. But then, there’s also a cost to us to repair or restore or rebuild that we’re now going to incur that comes out of your total.”

Even though Onyx engages in double extortion, encrypting files and threatening to post stolen information to a leak site, the group’s record on file recovery undermines any trust a victim might place in its promise not to leak the stolen data. It’s unclear whether Onyx set out to create destructive ransomware. However, after numerous victims, Onyx is likely to know what its product is and isn’t doing. According to a ransomware expert, if the group is aware of the behavior and hasn’t changed it, then its intention is to dupe its victims.

Onyx is attempting to recruit affiliates who will use its ransomware in attacks in exchange for a commission. Currently, the only operators using the ransomware are the developers, and that is unlikely to change in the near future: according to a source monitoring criminal forum chatter, ransomware affiliates are sensitive to the reputations and track records of ransomware products. Even though the ransomware world has been led by two or three main brands, the ransomware economy is fragmenting into smaller groups, which further decentralizes risk. Smaller groups may take whatever tools they can get their hands on and use them to assemble a new product.

Onyx’s ransomware is built from the Chaos ransomware builder, whose latest version is still in development and carries the two-megabyte flaw. This matters for the wider landscape: cybercriminals make money from ransomware, so they end up providing victims with working decryption keys because it makes financial sense. With Onyx ransomware, that model breaks down, since part of the data is unrecoverable no matter what the victim pays.
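The practical consequence of the two-megabyte behavior described above (and in the opening paragraph) is that a victim can estimate, before any negotiation, how much of the impacted data no decryptor could ever return. The script below is an added triage example written for this page, not code from the original article or from any vendor or researcher. It assumes the cutoff is 2,097,152 bytes (the article only says "over 2MB"; the exact byte boundary used by the builder is not stated) and that the size of each impacted file before the attack is known, either from a pre-incident backup catalogue or, as a rougher fallback, from the size of the file as it now sits on disk. The sample inventory is constructed for illustration and is not real victim data.

```python
"""Post-incident triage for a ransomware family that destroys files above a size cutoff."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Tuple

# The article only says "over 2MB"; whether the builder means 2,000,000 or
# 2,097,152 bytes is not stated, so this binary value is an assumption.
SIZE_CUTOFF = 2 * 1024 * 1024


@dataclass
class Triage:
    # At or below the cutoff: a working decryptor (or a leaked key) could restore these.
    recoverable: List[str] = field(default_factory=list)
    # Above the cutoff: overwritten by the malware, so no key brings them back.
    destroyed: List[str] = field(default_factory=list)
    recoverable_bytes: int = 0
    destroyed_bytes: int = 0

    @property
    def destroyed_fraction(self) -> float:
        """Share of impacted files that are unrecoverable regardless of payment."""
        total = len(self.recoverable) + len(self.destroyed)
        return len(self.destroyed) / total if total else 0.0


def triage(inventory: Iterable[Tuple[str, int]], cutoff: int = SIZE_CUTOFF) -> Triage:
    """Split an inventory of (path, original_size_in_bytes) pairs at the cutoff.

    A file exactly at the cutoff is not "over" it, so it lands in the recoverable bucket.
    """
    result = Triage()
    for path, size in inventory:
        if size > cutoff:
            result.destroyed.append(path)
            result.destroyed_bytes += size
        else:
            result.recoverable.append(path)
            result.recoverable_bytes += size
    return result


def inventory_from_tree(root: str, suffix: str) -> List[Tuple[str, int]]:
    """Build an inventory from files on disk that carry the ransomware's appended suffix.

    Assumption: the post-attack file size approximates the original size. A pre-incident
    backup catalogue is the better source when one exists. The suffix is supplied by the
    caller; this example does not hard-code any family's extension.
    """
    return [(str(p), p.stat().st_size) for p in Path(root).rglob(f"*{suffix}") if p.is_file()]


def report(t: Triage, cutoff: int = SIZE_CUTOFF) -> str:
    """Human-readable summary for the negotiation or restore-planning call."""
    lines = [
        f"cutoff: {cutoff} bytes",
        f"recoverable with a working decryptor: {len(t.recoverable)} files, {t.recoverable_bytes} bytes",
        f"destroyed regardless of payment:      {len(t.destroyed)} files, {t.destroyed_bytes} bytes",
        f"fraction of impacted files destroyed: {t.destroyed_fraction:.1%}",
    ]
    lines.extend(f"  DESTROYED {p}" for p in t.destroyed)
    return "\n".join(lines)


# Constructed sample inventory (not real victim data); sizes straddle the cutoff.
SAMPLE_INVENTORY = [
    ("finance/ledger.xlsx", 1_200_000),
    ("finance/archive.zip", 48_000_000),
    ("hr/handbook.pdf", 2_097_152),    # exactly at the cutoff: not "over 2MB"
    ("hr/onboarding.mp4", 2_097_153),  # one byte over: overwritten, unrecoverable
    ("eng/design.docx", 300_000),
]


if __name__ == "__main__":
    print(report(triage(SAMPLE_INVENTORY)))
```

Run it against a real inventory by feeding `triage()` the output of `inventory_from_tree(root, suffix)` or, better, the (path, size) records from the last good backup catalogue. The destroyed bucket is the figure a negotiator leads with when telling an operator that damaged data is "not worth any money to us anymore", and it is also the list the restore team must source from backups no matter how the negotiation ends.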

With new ransomware groups emerging that play by their own rules when it comes to double-extortion tactics, it’s critical for companies to stay alert to the current threat landscape and to regularly back up their data, so that an attack like this one does not turn into a prolonged operational disruption. At SpearTip, our advisory services allow our certified engineers to engage with companies’ people, processes, and technology to truly measure the maturity of the technical environment. With extensive experience gained through responding to thousands of security incidents, SpearTip improves partners’ operational, procedural, and technical control gaps based on security standards.

The ShadowSpear Platform evaluates the effectiveness of current technical controls and allows SpearTip’s Security Operations Center (SOC) to hunt for and identify advanced ransomware. Our tabletop exercises are custom designed to strengthen the collaboration among business leaders and promote a common understanding of how leadership teams respond to an incident. The exercises are based on the most current tactics, techniques, and procedures employed by threat actors, as well as perceived gaps in your current IR plan.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.