Onyx ransomware destroys files instead of encrypting them

May 16, 2022

Like most of today's ransomware operations, Onyx threat actors steal data from a network before encrypting devices. The stolen data is then used in a double-extortion scheme: the gang threatens to publish it if the ransom is not paid. The operation has been reasonably successful so far, with six victims listed on its data leak page.

The technical functionality of the Onyx ransomware was not known until today, when MalwareHunterTeam found a sample of the encryptor. What was found is concerning: rather than encrypting many files, the ransomware overwrites them with random junk data. Onyx encrypts files smaller than 2MB in size. However, according to MalwareHunterTeam, Onyx overwrites any file larger than 2MB with junk data. Because this is randomly generated data and not ciphertext, there is no way to decrypt files larger than 2MB. Even if a victim pays, the decryptor can recover only the smaller, encrypted files. As the destructive behaviour of the encryption routine is intentional rather than a bug, it is strongly advised that victims do not pay the ransom.
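For incident responders, the practical consequence of the 2MB split is that recoverability can be triaged from file size alone before any decryptor is considered. The script below is an added example, not code from Cymulate or MalwareHunterTeam; it assumes only what the write-up states (files at or below 2MB are encrypted and potentially recoverable, files above 2MB are overwritten with junk and must come from backup). The Shannon-entropy check used to separate untouched plaintext from encrypted content, the 7.5 bits/byte cutoff, and the constructed sample files are illustrative assumptions, not confirmed indicators of this family.

```python
"""Recoverability triage for the destructive-overwrite behaviour described above.

Added example (not Cymulate's or MalwareHunterTeam's code). Assumptions:
  * the 2MB size boundary comes from the write-up;
  * the entropy cutoff of 7.5 bits/byte and the sample files are constructed
    for illustration only.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass

SIZE_THRESHOLD = 2 * 1024 * 1024   # 2MB boundary stated in the write-up
ENTROPY_CUTOFF = 7.5               # assumption: above this, content looks encrypted


@dataclass
class TriageResult:
    path: str
    size: int
    entropy: float
    verdict: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(size: int, entropy: float) -> str:
    """Map file size and content entropy to a triage verdict."""
    if size > SIZE_THRESHOLD:
        return "destroyed"   # overwritten with junk: restore from backup only
    if entropy > ENTROPY_CUTOFF:
        return "encrypted"   # small, high-entropy file: a decryptor could recover it
    return "intact"          # low entropy: probably untouched plaintext


def triage_file(path: str, sample_bytes: int = 65536) -> TriageResult:
    """Triage one file from its size and the entropy of its first 64KB."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    ent = shannon_entropy(head)
    return TriageResult(path, size, ent, classify(size, ent))


def triage_tree(root: str) -> list:
    """Walk a directory tree and triage every regular file in it."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            results.append(triage_file(os.path.join(dirpath, name)))
    return results


def summarize(results) -> Counter:
    """Count files per verdict so the responder sees the recoverable share."""
    return Counter(r.verdict for r in results)


def build_sample_tree(root: str) -> None:
    """Write three constructed files that mimic the three outcomes (illustrative)."""
    with open(os.path.join(root, "large.bin"), "wb") as fh:
        fh.write(os.urandom(SIZE_THRESHOLD + 1024))    # > 2MB: junk overwrite
    with open(os.path.join(root, "small.bin"), "wb") as fh:
        fh.write(os.urandom(64 * 1024))                # <= 2MB, high entropy
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly report draft\n" * 2000)   # plaintext, low entropy


def demo() -> dict:
    """Run the triage over the constructed sample tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return dict(summarize(triage_tree(tmp)))


if __name__ == "__main__":
    for verdict, count in sorted(demo().items()):
        print(f"{verdict:10s} {count}")
```

Run against a real affected share, `triage_tree()` gives a quick count of how many files are above the 2MB line and therefore unrecoverable regardless of payment, which is the figure that matters when deciding between backup restoration and negotiation.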