DATA DESTRUCTION BY ONYX RANSOMWARE: IS IT BAD INTENTIONS OR A MALWARE BUG?


Onyx is an emerging ransomware gang making headlines recently because its ransomware destroys data rather than encrypting it. Security research suggests the Onyx operators are trying to recruit affiliates to deploy the ransomware in exchange for a commission fee. The problem for any cybercriminal who might want to use Onyx is that it destroys every file larger than 2 MB, and there is no way to decrypt or restore those large files even if the victim pays the ransom.

A key ingredient in the success of the billion-dollar ransomware industry so far is that ransomware operators, in most cases, hold up their end of the bargain and decrypt hijacked data once payment is made. Not because ransomware gangs are trustworthy, but because otherwise businesses and other victims would have no reason to keep paying huge sums when hit with ransomware attacks. So if turning a profit is the primary objective, what is the motive for destroying data instead of encrypting it?

According to source code analysis by MalwareHunterTeam, Onyx ransomware exhibits an unusual technical behavior that may be intentional or may be a malware bug. Built on the Chaos and Conti ransomware code, Onyx differs from its predecessors in one major way: it only encrypts small files, those under 2 MB in size. Any file larger than 2 MB is permanently overwritten with junk data. Of course, there is no honor among thieves, but destroying data with no option of restoring it undermines the whole ransomware extortion business model. Why would a victim pay if they know there is no way to get their data back? That question adds weight to the theory that this behavior is a bug, one that threatens the viability of ransomware as a business for other cybercriminal syndicates. However, if the destructive behavior of Onyx really is a bug, its developers have shown no intent to fix it since the strain was first discovered in the wild.
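The practical consequence of the behavior described above is that the share of recoverable data on an infected system depends almost entirely on file size. The triage script below is an added example, not code from this article or from MalwareHunterTeam's analysis. It walks a directory tree and sorts files into four buckets: large files that now hold high-entropy junk (treated as destroyed, per the 2 MB threshold the page describes), small high-entropy files (encrypted), and files in either size class that still look like ordinary data. The 2 MB threshold comes from the page; the 64 KiB sampling window, the 7.5 bits-per-byte entropy cutoff, the bucket names and the `demo()` helper that builds a constructed sample tree are assumptions made for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Size threshold taken from the page: files larger than this are overwritten
# with junk by Onyx rather than encrypted.
SIZE_THRESHOLD = 2 * 1024 * 1024

# Assumed entropy cutoff (bits per byte). Random junk and ciphertext sit near
# 8.0; plain text, documents and sparse images sit well below it.
ENTROPY_CUTOFF = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_bytes: int = 64 * 1024) -> str:
    """Bucket a file by size class and by the entropy of its leading bytes."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)
    high_entropy = shannon_entropy(head) >= ENTROPY_CUTOFF
    if size > SIZE_THRESHOLD:
        # Above the threshold Onyx overwrites rather than encrypts, so
        # high-entropy content here is junk with no decryption path.
        return "destroyed" if high_entropy else "large-intact"
    return "encrypted" if high_entropy else "intact"


def triage(root: Path) -> dict:
    """Count files under root in each bucket."""
    summary = {"destroyed": 0, "encrypted": 0, "intact": 0, "large-intact": 0}
    for path in root.rglob("*"):
        if path.is_file():
            summary[classify_file(path)] += 1
    return summary


def demo() -> dict:
    """Build a constructed sample tree in a temporary directory and triage it.

    The four files are synthetic stand-ins for what an analyst would see:
    a large file overwritten with junk, a small encrypted file, a small
    untouched file, and a large low-entropy file that was not overwritten.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(os.urandom(3 * 1024 * 1024))
        (root / "notes.txt").write_bytes(os.urandom(10 * 1024))
        (root / "readme.txt").write_bytes(b"Quarterly figures attached.\n" * 400)
        (root / "disk.img").write_bytes(b"\x00" * (3 * 1024 * 1024))
        return triage(root)


if __name__ == "__main__":
    for bucket, count in demo().items():
        print(f"{bucket:13s} {count}")
```

Run it against a mounted image of an affected volume (or, just as usefully, against a backup set to confirm the backup itself was not taken after infection) with `triage(Path("/mnt/evidence"))`. Two caveats a practitioner should keep in mind: entropy alone cannot distinguish ciphertext from legitimately compressed data, so archives, media files and already-encrypted containers will land in the "encrypted" or "destroyed" buckets and need a second look by file signature; and the counts say nothing about which specific large files mattered, only how much of the estate is beyond recovery regardless of payment.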

At this point, many security researchers and analysts investigating Onyx believe the malware is functioning as intended, and that the motive is therefore not financial gain but creating havoc and inflicting maximum damage on targeted businesses. This changes the threat landscape by introducing a ransomware variant designed to damage and terrorize targeted organizations and little else.

So whether this destructive behavior is by design or an unresolved bug, if your organization is infected with Onyx ransomware, do not pay the ransom: the majority of your data has already been irrevocably destroyed. The best defense against any type of ransomware attack is to protect your data with secure, offline, encrypted backups and to keep your network secure with a multilayered approach to cybersecurity.