Onyx Ransomware Overwrites Files Larger than 2MB Instead of Encrypting Them

As early as mid-April of 2022 was the first time researchers discovered the Onyx ransomware. The ransomware group uses the double extortion method of encrypting and exfiltrating data from a victim in order to extort money. 

There is a possibility that the threat actor will leak the victim’s data on their leak site if the victim cannot pay the ransom. So far, there have been 13 victims from six different countries that have been affected by this group. 


The cybersecurity analysts at Cyble affirmed that a large percentage of the victims of this attack comes from the United States, which accounts for over 60% of the entire victim’s list.

There is a connection between Onyx ransomware and Chaos ransomware since it’s based on Chaos. It is possible to recover files smaller than 2 MB but will not be able to recover files larger than 2 MB due to Onyx encryption.

Current Actions

Approximately seven victims had been disclosed on the leak site of the Onyx ransomware group by the end of April 2022. It took the Onyx group nearly two months following the announcement of seven victims in April before they published their leaked website after going silent. 

Towards the end of July, the Onyx group was once again active and ready for action. Here ‘ONYX NEWS’, the leak site for ONYX ransomware, has been renamed to ‘VSOP NEWS’, which replaces the onyx news.

There is not a new website that has been launched by the group but the existing website has been renamed with new information.

Also Read: Radically Simplifying Cybersecurity with Zero Trust Networking

Ransom Note

The Onyx ransomware was created using the .NET architecture. After being executed successfully, this ransomware encrypts the files, and drops a ransom note titled “readme.txt”, containing the instructions for decrypting them.

In this note, the threat actors describe the instructions to retrieve all the encrypted files as well as also mention the communication media used to communicate with them.

Targeted Directories

As part of the encryption process, the ransomware encrypts the following directories:-

  • Desktop
  • Links
  • Contacts
  • Documents
  • Downloads
  • Pictures
  • Music
  • OneDrive
  • Saved Games
  • Favorites
  • Searches
  • Videos

As of now, there has been no recent report of Onyx ransomware in the wild. The above assumptions, however, may also indicate that threat actors are likely to upgrade the executable of the ransomware as well.


Here below we have mentioned all the security measures recommended by the security analysts:-

  • An incident response program should be developed by victims’ organizations.
  • Ensure that you deploy the right combination of anti-virus software and internet security software.
  • The process of creating a backup should be defined and implemented.
  • You should keep your backup copies offline or on a separate network so that they are secure.
  • The password policy should be enforced so that passwords are changed regularly. 
  • Ensure that all remote access points on the network are protected by multi-factor authentication.
  • The Internet should not be accessed through any sensitive ports on the server.
  • Make sure that employees are aware of the importance of cybersecurity.
  • Create a process for managing vulnerabilities based on a risk-based approach.
  • It is important to inform users to avoid opening links or attachments from emails they do not trust.
  • It is recommended that you enable the features for automatic updates of your software.

Also, Download a Free Checklist for Securing Your Enterprise Network Here.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.