Ransomware test subject – OnyxLocker
Lately, we’ve been writing about ransomware, which exploited weak systems and networks, so this time, we’re focusing on malware, which exploits the user and its awareness.
Today’s ransomware is called OnyxLocker, and it targets Russian speakers. It is actively distributed using malware campaigns, emails containing malicious attachments, accompanied by text which tries to trick the user into opening them.
The attached file contains a specially crafted office document, which, once opened, bypasses most of Word’s built-in protection, then downloads and executes the payload. It does so after displaying an error message, apparently legitimate. The purpose of this dialog is to force the user to click on the ‘OK’ button, which triggers the encryption process.
OnyxLocker ransomware – test findings
The ransomware itself is not very sophisticated, but nonetheless, dangerous, as it managed to encrypt most of our test files. While encrypting, it also reads some sensitive data stored by apps like browsers and file transfer tools. With this variant, the data read by the ransomware process is not pushed to any command and control servers, but this will likely change in future versions.
The encrypted files are renamed, the ‘.onx’ extension is added to each of them, and ransom notes are dropped on the desktop and other folders. Possibly because of some bugs in the code, the ransom notes were also encrypted during the attack, and we were unable to read them in the first part of our test (as you can see in the video). However, we were able to read them in the second part, where we executed the ransomware with Ranstop’s protection enabled. The note is in Russian and it is basic, containing some instructions on how to recover the files. The ransom demand is unusually low, only $100 worth of Bitcoins.
OnyxLocker ransomware vs Ranstop – test results
TEMASOFT Ranstop detects this version of OnyxLocker ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is stopped and quarantined. The affected files are automatically restored so that the user doesn’t lose any important document.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.