Back to Back Issues Page
Watch For Scams Newsletter. Onyx Ransomware
May 15, 2022

Onyx Ransomware

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below:

Subscribe Here

Onyx Ransomware

Onyx ransomware destroys files, and also the criminal circle of trust.

Word has spread of an Onyx ransomware operation (a variant of Chaos ransomware) which is quite a bit more destructive than those impacted would be hoping for.

The ransomware in question overwrites files larger than just 2MB (originally reported as 200MB.) Anything important is lost to the void forever, and only files smaller than this will be recovered should the victims pay up.

It used to be that ransomware authors tended to stick to a somewhat peculiar honour among thieves style rules. If your ransomware operation gets a reputation for not decrypting files once payment has been made, people are less likely to pay up. Hand the files back, and you’ll get word of mouth spreading that you do, in fact, play fair—in a manner of speaking.

As ransomware operations evolved, more aspects have been added to what were once fairly straightforward acts. Regular attacks became “double threats”. That is to say, data is stolen before encryption takes place. If the company under fire refuses to pay a ransom, the ransomware authors come back and threaten to leak the stolen files.

This is a threat heaped upon a threat, but you’ve still got that code of honour rumbling away in the background. Pay up and they give the files back, right?

2020: A lot of companies paid up and they did not give the files back. Ransomware gangs started publishing stolen data even if the ransom had been paid out. There was a “fraying of promises” from ransomware groups to delete data once the payment took place. Evidence strongly starts to suggest that paying up offers little to no benefit, with no guarantees whatsoever.

2021: No guarantees whatsoever. It’s 2021, and only 8% of people who paid the ransom actually got their data back as ransomware authors pretty much do what they feel like. Whether you pay the original asking price, or negotiate down, or even pay by the first deadline date, it doesn’t seem to matter. The answer to “will my data be leaked anyway” may as well be viewed in a Magic 8 ball.

2022: In 2022, any pretence of expectations or trust from ransomware authors has sailed into the mist, never to return. Ransomware is now too big and too unwieldy, to make any real sense of expected operation.

What we can expect is for extortion to continue even after the ransom has been paid as it’s pretty much a free for all.

One eye-opening statistic is that 83% of successful attacks were double or triple threat attempts. When ransomware groups threaten to lock files forever, but also threaten to leak files already exfiltrated, and also claim they’ll increase the ransom and tell all business affiliates if you don’t pay up: What do you do in that situation?

It’s very hard to believe at that point that a criminal enterprise with so many fingers in so many pies is simply going to leave you alone if you pay up. There’s too much data up for grabs, and too many more ways for them to profit from it. It’s reaching the stage where it simply does not matter if you pay at all, which naturally enough begs the question: Why pay?

You can’t plan your data recovery and incident negotiations around the toss of a coin, but that’s where we’re currently at. There’s no easy answer for this problem, but relying on ransomware authors to do the right thing continues to recede into the distance.

Smash and grab tactics may well end up morphing into smash, with grabbing optional.

If you believe you have been a victim of this type of scam you should promptly report it to the IC3's website at The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Remember - always watch for scams!


Back to Back Issues Page