Cyble Research Labs analyzes Onyx ransomware, a .NET-based threat that uses double extortion, exfiltrating data before encryption and renaming its leak site to VSOP NEWS after a period of inactivity. The analysis highlights its encryption methods (.ampkcz extension), the 2MB file-size rule, possible ties to Conti affiliates, and practical defender recommendations. #OnyxRansomware #VSOPNews
Keypoints
- Onyx ransomware operates using a double extortion model: it exfiltrates data and then encrypts it, leaking the stolen data if the victim does not pay.
- It is described as a .NET-based ransomware that encrypts files and drops a ransom note named “readme.txt.”
- The malware encrypts files and appends the “.ampkcz” extension; files larger than 2MB are overwritten with random data rather than encrypted, so they are unrecoverable even with a decryptor.
- Onyx targets a wide set of user directories (Desktop, Documents, Downloads, Pictures, etc.) and an extensive list of file extensions.
- Hardcoded strings include the ransom note name and the encrypted-file extension; the malware also overwrites files and deletes backups, while attempting persistence via RunOnce registry keys and shortcuts.
- Recent activity links Onyx to Conti-related operations, with leak-site renaming from ONYX NEWS to VSOP NEWS and a restart of activity after a lull.
- Defensive recommendations emphasize incident response, strong backups, MFA, limiting exposed ports, user awareness, vulnerability management, and keeping software up to date.
MITRE Techniques
- [T1106] Native API – Onyx is described as a .NET-based ransomware used to perform encryption and related actions. “Onyx is a .NET-based ransomware.”
- [T1547.001] Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder – The ransomware modifies the registry’s RunOnce key and creates a shortcut file to establish persistence. “modifies the registry’s RunOnce key and creates a shortcut file to establish persistence.”
- [T1082] System Information Discovery – The ransomware targets the following directories for encryption: Desktop, Links, Contacts, Documents, Downloads, Pictures, etc. “The ransomware targets the following directories for encryption:”
- [T1083] File and Directory Discovery – The ransomware targets and enumerates user directories for encryption, aligning with discovery of file locations. “The ransomware targets the following directories for encryption:”
- [T1486] Data Encrypted for Impact – It encrypts files with the “.ampkcz” extension and, if certain conditions apply, overwrites them with random data to render them inaccessible. “encrypts the files with the “.ampkcz” extension” and “If the size of files … is larger than 2MB, the ransomware destroys the files by overwriting them with random data.”
Indicators of Compromise
- [MD5] Ransomware payload – cf6ff9e0403b8d89e42ae54701026c1f
- [SHA-1] Ransomware payload – a4f5cb11b9340f80a89022131fb525b888aa8bc6
- [SHA-256] Ransomware payload – a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b
Read more: https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/