RANSOMWARE OPERATION | 💰 FINANCIAL

onyx

Intelligence Profile

Onyx is a ransomware group first observed in April 2022 and based on the Chaos ransomware builder. It is notably destructive: files larger than 2MB are overwritten with random data rather than encrypted, making recovery impossible even after ransom payment. The group has claimed approximately 13 victims across six countries.

Threat Analysis

onyx is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like onyx prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Ransomware Victims (28)

CTIWATCH tracks 28 organizations claimed as victims by onyx on its data leak site, with attack dates, sectors and countries.

Quick Facts

Type: Ransomware Operation
Motivation: 💰 financial

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.