Onyx is a ransomware operation first identified in mid-April 2022. Reporting in the provided content describes it as a double-extortion group that exfiltrates victim data and then encrypts files, threatening to leak stolen data on its leak site if victims do not pay. Cyble reported that Onyx had 13 victims across six countries at the time of analysis, with more than 60% of listed victims in the United States. The group renamed its leak site from "ONYX NEWS" to "VSOP NEWS" after a period of inactivity. Technically, the provided content describes Onyx ransomware as a .NET-based ransomware assessed to be based on Chaos ransomware. It uses AES and RSA, appends the ".ampkcz" extension to encrypted files, and drops a ransom note named "readme.txt." It targets common user directories and a broad set of file types, deletes volume shadow copies and backup catalogs to hinder recovery, modifies the Windows RunOnce registry key and creates a shortcut for persistence, and attempts to spread via mounted drives. A notable behavior reported in the content is that files smaller than 2 MB are encrypted, while files larger than 2 MB are overwritten with random data, rendering them unrecoverable and potentially reducing the attackers’ ability to provide working decryption. The content also notes overlap between at least one victim listed by Onyx and one listed on the Conti leak site, which researchers said could indicate either repeated victimization or involvement by Conti affiliates or members as Conti was expected to shut down; this is presented only as researcher assessment, not confirmed attribution. Separately, the provided content includes a Microsoft reference to "Onyx Sleet," which is a distinct North Korean government-linked actor naming convention and not the same entity as the Onyx ransomware operation described above.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
North Korea-linked activity leveraging TeamCity RCE (CVE-2023-42793) consistent with software/supply-chain targeting.
Ransomware operations using double extortion, including data exfiltration, file encryption, leak-site operations, and later rebranding its leak site from 'ONYX NEWS' to 'VSOP NEWS'. The content also notes Onyx is based on Chaos ransomware and that it may have resumed activity after a period of inactivity.
Named ransomware operation noted for overwriting large files, preventing recovery even if a decryptor were obtained.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.