Onyx
Onyx is a ransomware operation first identified in mid-April 2022.
Profile source: Mallory opens in a new tabOnyx
Family profile
Onyx is a ransomware operation first identified in mid-April 2022. Reporting in the provided content describes it as a double-extortion group that exfiltrates victim data and then encrypts files, threatening to leak stolen data on its leak site if victims do not pay. Cyble reported that Onyx had 13 victims across six countries at the time of analysis, with more than 60% of listed victims in the United States. The group renamed its leak site from "ONYX NEWS" to "VSOP NEWS" after a period of inactivity.
Technically, the provided content describes Onyx ransomware as a .NET-based ransomware assessed to be based on Chaos ransomware. It uses AES and RSA, appends the ".ampkcz" extension to encrypted files, and drops a ransom note named "readme.txt." It targets common user directories and a broad set of file types, deletes volume shadow copies and backup catalogs to hinder recovery, modifies the Windows RunOnce registry key and creates a shortcut for persistence, and attempts to spread via mounted drives. A notable behavior reported in the content is that files smaller than 2 MB are encrypted, while files larger than 2 MB are overwritten with random data, rendering them unrecoverable and potentially reducing the attackers’ ability to provide working decryption.
The content also notes overlap between at least one victim listed by Onyx and one listed on the Conti leak site, which researchers said could indicate either repeated victimization or involvement by Conti affiliates or members as Conti was expected to shut down; this is presented only as researcher assessment, not confirmed attribution.
Separately, the provided content includes a Microsoft reference to "Onyx Sleet," which is a distinct North Korean government-linked actor naming convention and not the same entity as the Onyx ransomware operation described above.
Ransomware.live