The prevailing logic for ransomware has been that if criminals do not hold up their end of the bargain by decrypting files after payment, enterprises will stop paying ransom. The new Onyx ransomware group does not hold up its end of the bargain. What happens now?
Research from Jiří Vinopal and MalwareHunterTeam earlier this week document that after a ransomware attack, Onyx is incapable of decrypting files over two megabytes. The ransomware effectively deletes files of that size.
"The honest answer is I have no idea why they would do that. Because it seems like it would disincentive the victim to work with them," said Kurtis Minder, chief executive officer of GroupSense, a threat intelligence firm with a ransomware negotiation practice.
How to define trust with ransomware gangs
Ransomware operators are not honest, but they are self-serving. The overwhelming majority of victims with negotiators who pay for ransomware decryptors get their files back. In part, that is due to negotiators being able to weed out known bad-faith actors. The reputation of a group impacts the amount of money they can receive.
"One of our first statements [to an actor with a bad reputation] will be 'Well, you've done this amount of damage," said Minder. "You've done a certain amount of damage to the files that can't be recovered, so they're not worth any money to us anymore. But, then, there's also a cost to us to repair or restore or rebuild that we're now going to incur that comes out of your total."
While the group engages in double extortion, both encrypting files and threatening to post stolen documents to a leak site, Onyx's reputation for recovering files may ultimately affect victim's trust in the group not leaking files.
It is currently unclear whether Onyx set out to design faulty ransomware. But after several victims, there are good odds Onyx knows what its product is and is not doing.
"If they were aware of it, and they haven't changed it yet, then this is obviously their intention is to screw people over," said Allan Liska, a ransomware expert with Recorded Future.
A future for faulty ransomware?
Onyx is trying to recruit affiliates to use its ransomware in attacks for a commission. As of now, said Liska, the only people using the ransomware appear to be its developers.
That might not change anytime soon. Liska noted that in criminal forum chatter, ransomware affiliates are sensitive to the reputations and effectiveness of ransomware products.
Recorded future is tracking 16 new ransomware variants in the last six months. While the ransomware world has traditionally been led by a two or three major brands, Liska believes that the ransomware economy may see more fragmentation into small groups, further decentralizing risks.
Those smaller groups may grab whatever tools they can wrap their hands around to base new a new product around. Vinopal wrote that Onyx based its wares on Chaos ransomware builder, whose latest version is under construction and has the two-megabyte glitch.
"It changes the landscape somewhat radically. Ransomware has been a financially driven business for cybercriminals, and they wind up giving you the decryption keys because it made financial sense," said Nasser Fattah, North America steering committee chair for the threat sharing group Shared Assessments. "That model was kind of thrown out the window."