Onyx Ransomware Report – CYFIRMA

Onyx is a ransomware observed in April 2022 that encrypts files, appends the .ampkcz extension, and leaves a readme.txt ransom note. It uses several evasion, persistence, and exfiltration techniques, including process checks, startup-folder modifications, and onion-based data leakage to pressure victims.
Tags: #OnyxRansomware #ChaosRansomware #ContiRansomware #OnionSite

Keypoints

  • The Onyx ransomware activity was first observed in the second half of April 2022, with seven victims listed on its data leak page.
  • It encrypts files and then renames them by appending the .ampkcz extension, and drops a ransom note named readme.txt in every encrypted directory.
  • The malware is a 32-bit Windows PE sample written in .NET, with MD5, SHA1, and SHA256 hashes provided and a compilation time of Apr 20, 2022.
  • It enumerates running processes via GetProcess API and performs self-checks to avoid multiple concurrent instances.
  • Before encryption, it checks specific paths (such as AppData\Roaming) and can copy itself there, masquerading as svchost.exe, to persist or evade detection.
  • If file sizes exceed 2 MB, it destroys files by creating junk data; if under 2 MB, it encrypts with AES+RSA and base64-encodes the content.
  • Onyx employs double-extortion tactics by threatening to publish stolen data on a leak site, and may leverage a Chaos ransomware builder for its encryption logic.

MITRE Techniques

  • [T1566] Phishing – The report suggests Onyx could be distributed by social engineering, phishing, spam email, or malicious attachments. ‘Onyx ransomware could be distributed by using tactics like social engineering, phishing, spam email, malicious attachment, etc.’
  • [T1106] Native API – The malware enumerates the processes running on the host through the GetProcess API. ‘a method, which enumerates the list of processes running on the host by Getprocess API.’
  • [T1129] Shared Modules – The malware uses shared modules. ‘Shared Modules’.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – It modifies registry entries and the startup folder (creating a shortcut) for persistence. ‘persistence techniques by modifying the registry entry and startup folder [creating shortcut].’
  • [T1027] Obfuscated Files or Information – The malware hardcodes lists and paths, including a hardcoded file path and file name usage. ‘hardcoded a specific list of the file location in their code’ (and related hardcoded artifacts).
  • [T1552.001] Unsecured Credentials: Credentials In Files – The analysis references credential-related techniques in the context of the sample’s behavior. ‘Credentials In Files’.
  • [T1057] Process Discovery – The malware enumerates processes to determine state before continuing. ‘Getprocess API’ based process list enumeration.
  • [T1082] System Information Discovery – The sample performs checks that reveal system information as part of its execution logic. ‘System Information Discovery’.
  • [T1083] File and Directory Discovery – It lists directory names/paths to locate files to encrypt. ‘lists several directory names and paths where it will look for files’
  • [T1486] Data Encrypted for Impact – It encrypts files with AES+RSA when under 2 MB. ‘encrypts the file using AES+RSA algorithms.’
  • [T1485] Data Destruction – If files exceed 2 MB, it destroys files by creating junk data. ‘destroying files (by randomly creating junk data) instead of encrypting them.’
  • [T1041] Exfiltration Over C2 Channel – Stolen data is held over the victim for double extortion, with a leak site hosted on an onion address. ‘they threaten to publish the stolen data on their leak site.’
  • [T1562.001] Impair Defenses – It deletes volume shadow copies and backup catalogs and disables recovery, hindering recovery efforts. ‘delete volume shadow copies and backup catalogs then disable recovery.’

Indicators of Compromise

  • [MD5] context – CF6FF9E0403B8D89E42AE54701026C1F
  • [File location] context – C:\Users\username\AppData\Roaming\svchost.exe
  • [URL] context – hxxp://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad[.]onion
  • [File name] context – amp.exe
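The following is an added example, not code from CYFIRMA or the report, showing how a defender could turn the indicators above into a small correlation check over endpoint telemetry. The event schema (`Event`) and the sample events are constructed for illustration; the hash, onion address, extension, ransom-note name and the AppData\Roaming\svchost.exe path come from the summary. The ransom-note name alone is a weak indicator, so it is only reported when an .ampkcz file appears in the same directory, and a svchost.exe under a user profile is flagged while the legitimate System32 copy is not.

```python
import re
from dataclasses import dataclass

# Indicators from the report summary. The onion address is kept defanged in source
# and refanged only for comparison.
ONYX_MD5 = "cf6ff9e0403b8d89e42ae54701026c1f"
ONYX_ONION_DEFANGED = "ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad[.]onion"
ONYX_ONION = ONYX_ONION_DEFANGED.replace("[.]", ".")
ENCRYPTED_EXT = ".ampkcz"
RANSOM_NOTE = "readme.txt"

# svchost.exe dropped under a user's AppData\Roaming is the masquerade the report
# describes; the legitimate binary lives under %SystemRoot%\System32.
MASQUERADE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\svchost\.exe$", re.IGNORECASE
)


@dataclass
class Event:
    """Constructed telemetry record (hypothetical schema): file, process or network event."""
    kind: str
    path: str = ""
    md5: str = ""
    url: str = ""


def _norm(path):
    """Normalise a Windows path: forward slashes to backslashes, lower-cased."""
    return path.replace("/", "\\").lower()


def _dirname(path):
    return _norm(path).rsplit("\\", 1)[0]


def match_event(ev):
    """Return the indicator names matched by a single event (empty list if none)."""
    hits = []
    if ev.md5 and ev.md5.lower() == ONYX_MD5:
        hits.append("md5:onyx-sample")
    if ev.path:
        p = _norm(ev.path)
        if MASQUERADE_RE.match(p):
            hits.append("path:svchost-masquerade")
        if p.endswith(ENCRYPTED_EXT):
            hits.append("ext:ampkcz")
        if p.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            hits.append("note:readme.txt")
    if ev.url and ONYX_ONION in ev.url.lower().replace("[.]", "."):
        hits.append("url:onyx-onion")
    return hits


def scan(events):
    """Correlate events into findings: indicator name -> list of evidence strings.

    readme.txt is reported only when an .ampkcz file was seen in the same directory,
    because the note name by itself is common and noisy.
    """
    findings = {}
    dirs_with_encrypted_files = set()
    notes = {}  # directory -> original path of the readme.txt seen there
    for ev in events:
        for hit in match_event(ev):
            if hit == "note:readme.txt":
                notes[_dirname(ev.path)] = ev.path
                continue
            if hit == "ext:ampkcz":
                dirs_with_encrypted_files.add(_dirname(ev.path))
            findings.setdefault(hit, []).append(ev.path or ev.md5 or ev.url)
    for directory, note_path in notes.items():
        if directory in dirs_with_encrypted_files:
            findings.setdefault("note:readme.txt", []).append(note_path)
    return findings


# Constructed sample telemetry: one benign svchost.exe, one dropped copy matching the
# reported hash, an encrypted document with its note, a stray readme.txt, and a
# connection to the leak site.
SAMPLE_EVENTS = [
    Event("process", path=r"C:\Windows\System32\svchost.exe"),
    Event("file", path=r"C:\Users\alice\AppData\Roaming\svchost.exe", md5=ONYX_MD5),
    Event("file", path=r"C:\Users\alice\Documents\report.docx.ampkcz"),
    Event("file", path=r"C:\Users\alice\Documents\readme.txt"),
    Event("file", path=r"C:\Users\alice\Desktop\readme.txt"),
    Event("network", url="hxxp://" + ONYX_ONION_DEFANGED + "/"),
]

if __name__ == "__main__":
    for name, evidence in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {evidence}")
```

Running the block prints one line per matched indicator; the System32 svchost.exe and the Desktop readme.txt (no encrypted siblings) produce no findings. In a real deployment the hash and path checks would be fed from a feed rather than hard-coded, and the `.ampkcz` count per host over a short window is a useful additional trigger.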

Read more: https://www.cyfirma.com/outofband/onyx-ransomware-report/