Onyx ransomware destroys files, and also the criminal circle of trust

Some ransomware authors seem to be further whittling down their tenuous circle of trust style agreement with victims even further. Word has spread of a new Onyx ransomware operation which is quite a bit more destructive than those impacted would be hoping for.

The ransomware in question overwrites files larger than 200MB. Anything important is lost to the void forever, and only files smaller than this will be recovered should the victims pay up. This is not only very bad, but could also inspire other groups to do much the same thing. The message is loud and clear: ransomware authors simply don’t care about playing “fair” anymore.

Trending towards destruction

It used to be that ransomware authors tended to stick to somewhat peculiar honour among thieves style rules. If your ransomware operation gets a reputation for not decrypting files once payment has been made, people are less likely to pay up. Hand the files back, and you’ll get word of mouth spreading that you do, in fact, play fair – in a manner of speaking.

As ransomware operations evolved, more aspects have been added to what were once fairly straightforward acts. Regular attacks became “double threats”. That is to say, data is stolen before encryption takes place. If the company under fire refuses to pay a ransom, the ransomware authors come back and threaten to leak the stolen files.

This is a threat heaped upon a threat, but you’ve still got that code of honour rumbling away in the background. Pay up and they give the files back, right?

2020: We paid up and they did not give the files back

Ransomware gangs were already wavering on that whole “We’re still mostly trustworthy” thing back in 2020. Maze, Sodinokibi, Conti and many more started publishing stolen data even if the ransom had been paid out. As the article notes, there is a “fraying of promises” from ransomware groups to delete data once the payment takes place. Some folks used to argue that paying these groups was a last ditch resort, but a resort nonetheless and better than losing all of your data. Evidence strongly starts to suggest around this time that paying up offers little to no benefit, with no guarantees whatsoever.

2021: No guarantees whatsoever

It’s 2021, and we’ve already hit the “Only 8% of people who pay the ransom actually get their data back” part of this slide towards a realm where ransomware authors pretty much do what they feel like. The study explains that more organisations are deciding to pay up – despite data being returned to victims as good as flatlining. Whether you pay the original asking price, or negotiate down, or even pay by the first deadline date: it doesn’t seem to matter. The answer to “will my data be leaked anyway” may as well be viewed in a Magic 8 ball.

2022: Oh no, my circle of trust

In 2022, any pretence of expectations or trust from ransomware authors has sailed into the mist, never to return. Ransomware is now too big and too unwieldy, to make any real sense of expected operation. What we can expect is for extortion to continue even after the ransom has been paid. As the article notes, a combination of RaaS (Ransomware as a Service) being fairly short lived and affiliates mostly doing their own thing regardless of main group expectations means it’s pretty much a free for all.

One eye-opening statistic is that 83% of successful attacks were double or triple threat attempts. When ransomware groups threaten to lock files forever, but also threaten to leak files already exfiltrated, and also claim they’ll increase the ransom and tell all business affiliates if you don’t pay up: what do you do in that situation?

Trust me, they say, as they disintegrate your files

It’s very hard to believe at that point that a criminal enterprise with so many fingers in so many pies is simply going to leave you alone if you pay up. There’s too much data up for grabs, and too many more ways for them to profit from it. It’s reaching the stage where it simply does not matter if you pay at all, which naturally enough begs the question: Why do it?

You can’t plan your data recovery and incident negotiations around the toss of a coin, but that’s where we’re currently at. There’s no easy answer for this problem, but relying on ransomware authors to do the right thing continues to recede into the distance. Smash and grab tactics may well end up morphing into smash, with grabbing optional.

The post Onyx ransomware destroys files, and also the criminal circle of trust appeared first on Malwarebytes Labs.

Article Link: Onyx ransomware destroys files, and also the criminal circle of trust | Malwarebytes Labs