
Onyx ransomware destroys files, and also the criminal circle of trust

Some ransomware authors seem to be whittling down their tenuous “circle of trust” style agreement with victims even further. Word has spread of an Onyx ransomware operation (a variant of Chaos ransomware) which is quite a bit more destructive than those impacted would be hoping for. However, all is not quite what it seems in terms of intent.

The ransomware in question overwrites files larger than just 2MB (originally reported as 200MB). Anything above that size is lost to the void forever; only files smaller than this will be recovered should the victims pay up.

The initial suspicion was that this overwriting of files bigger than 200MB was a deliberate attempt to trash the biggest files available. However, given the threshold is actually 2MB, it’s more likely the overwriting is a coding mistake rather than a design choice. All the same: whether by deliberate malice or accidental coding mishap, this isn’t great. Significantly more files will be overwritten and lost because of the lower size threshold, and there are going to be a lot of very angry people at affected organisations.
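As an added illustration of what the 2MB-versus-200MB difference means for recovery, the script below (example code written for this page, not Onyx’s own code or any vendor decryptor) triages a file inventory produced by `find` and splits it into files that were merely encrypted and files that were overwritten and therefore cannot come back, key or no key. The decimal-megabyte unit and the strict “larger than” comparison are assumptions taken from the wording above, and the inventory is constructed.

```python
"""Damage triage for an Onyx-style size-threshold ransomware.

Added example; not code from the original post, from Onyx, or from any
decryptor. It assumes the behaviour the post describes: files larger than a
size threshold are overwritten (gone for good, key or no key), files at or
below it are encrypted and in principle recoverable. The threshold unit is an
assumption here (decimal MB, 1 MB = 1,000,000 bytes); confirm against the
actual sample before relying on the cut-off.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MB = 1_000_000  # assumption: decimal megabytes


@dataclass
class Triage:
    threshold: int
    overwritten: list[str] = field(default_factory=list)  # unrecoverable
    encrypted: list[str] = field(default_factory=list)    # recoverable with key
    overwritten_bytes: int = 0
    encrypted_bytes: int = 0

    @property
    def destroyed_share(self) -> float:
        """Fraction of total bytes that no decryptor can bring back."""
        total = self.overwritten_bytes + self.encrypted_bytes
        return self.overwritten_bytes / total if total else 0.0


def parse_find_output(text: str) -> list[tuple[str, int]]:
    """Parse `find ROOT -type f -printf '%s %p\\n'` output: size, then path.

    The path is everything after the first space, so paths with spaces survive.
    """
    entries: list[tuple[str, int]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        size, _, path = line.partition(" ")
        entries.append((path, int(size)))
    return entries


def triage(entries: list[tuple[str, int]], threshold: int) -> Triage:
    """Split an inventory at `threshold` bytes. 'Larger than' is strict, so a
    file of exactly threshold bytes counts as encrypted, not overwritten."""
    result = Triage(threshold=threshold)
    for path, size in entries:
        if size > threshold:
            result.overwritten.append(path)
            result.overwritten_bytes += size
        else:
            result.encrypted.append(path)
            result.encrypted_bytes += size
    return result


def compare_thresholds(entries, thresholds_mb=(2, 200)) -> dict[int, Triage]:
    """Run the same inventory against the reported (200MB) and actual (2MB) cut-off."""
    return {mb: triage(entries, mb * MB) for mb in thresholds_mb}


# Constructed sample inventory (not real data); sizes chosen to straddle 2 MB.
SAMPLE_FIND_OUTPUT = """\
48213 finance/q1 report.docx
1950000 finance/ledger.xlsx
2000000 hr/photos/offsite.jpg
3500000 hr/payroll.accdb
210000000 backups/db-nightly.bak
150000000 shared/all hands.mp4
"""

if __name__ == "__main__":
    inventory = parse_find_output(SAMPLE_FIND_OUTPUT)
    for mb, t in compare_thresholds(inventory).items():
        print(f"threshold {mb} MB: {len(t.overwritten)} files / "
              f"{t.overwritten_bytes:,} bytes unrecoverable "
              f"({t.destroyed_share:.1%} of data); "
              f"{len(t.encrypted)} files encrypted")
```

In practice you would run `find /mnt/restore -type f -printf '%s %p\n' > inventory.txt` against an image of the affected volume and feed that file to `parse_find_output`. Whatever lands in `overwritten` has to come from backups, not from a decryptor, which is the point of the size difference: on this constructed inventory the 200MB reading writes off one file, the real 2MB threshold writes off three and almost all of the data by volume.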

Trending towards destruction

It used to be that ransomware authors tended to stick to somewhat peculiar honour-among-thieves style rules. If your ransomware operation gets a reputation for not decrypting files once payment has been made, people are less likely to pay up. Hand the files back, and word of mouth spreads that you do, in fact, play fair—in a manner of speaking.

As ransomware operations evolved, more aspects have been added to what were once fairly straightforward acts. Regular attacks became “double threats”. That is to say, data is stolen before encryption takes place. If the company under fire refuses to pay a ransom, the ransomware authors come back and threaten to leak the stolen files.

This is a threat heaped upon a threat, but you’ve still got that code of honour rumbling away in the background. Pay up and they give the files back, right?

2020: We paid up and they did not give the files back

Ransomware gangs were already wavering on that whole “We’re still mostly trustworthy” thing back in 2020. Maze, Sodinokibi, Conti and many more started publishing stolen data even if the ransom had been paid out. As the article notes, there is a “fraying of promises” from ransomware groups to delete data once payment takes place. Some folks used to argue that paying these groups was a last-ditch resort, but a resort nonetheless and better than losing all of your data. Around this time the evidence starts to strongly suggest that paying up offers little to no benefit, with no guarantees whatsoever.

2021: No guarantees whatsoever

It’s 2021, and we’ve already hit the “Only 8% of people who pay the ransom actually get their data back” part of this slide towards a realm where ransomware authors pretty much do what they feel like. The study explains that more organisations are deciding to pay up, despite the rate at which data is returned to victims being as good as flatlining. Whether you pay the original asking price, negotiate down, or even pay by the first deadline: it doesn’t seem to matter. The answer to “will my data be leaked anyway?” may as well come from a Magic 8 ball.

2022: Oh no, my circle of trust

In 2022, any pretence of expectations or trust from ransomware authors has sailed into the mist, never to return. Ransomware is now too big and too unwieldy to make any real sense of expected operation. What we can expect is for extortion to continue even after the ransom has been paid. As the article notes, a combination of RaaS (Ransomware as a Service) operations being fairly short-lived and affiliates mostly doing their own thing regardless of main group expectations means it’s pretty much a free-for-all.

One eye-opening statistic is that 83% of successful attacks were double or triple threat attempts. When ransomware groups threaten to lock files forever, but also threaten to leak files already exfiltrated, and also claim they’ll increase the ransom and tell all business affiliates if you don’t pay up: what do you do in that situation?

Trust me, they say, as your files are lost forever

It’s very hard to believe at that point that a criminal enterprise with so many fingers in so many pies is simply going to leave you alone if you pay up. There’s too much data up for grabs, and too many more ways for them to profit from it. It’s reaching the stage where it simply does not matter if you pay at all, which naturally enough raises the question: why pay?

You can’t plan your data recovery and incident negotiations around the toss of a coin, but that’s where we’re currently at. There’s no easy answer for this problem, but relying on ransomware authors to do the right thing continues to recede into the distance. Smash and grab tactics may well end up morphing into smash, with grabbing optional.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.