Onyx (status: Active)
Ransomware group first observed in 2016. Uses Certify for deployment.
Total Victims: 0
First Seen: 2016-12-01
Last Seen: 2026-01-27
Known TTPs: 10
Avg Delay: 11.8d
Negotiations: 0
ONION URLS
mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion
TOOLS
Certify
TDSSKiller
WinSCP
FILE EXTENSIONS
.locked
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| No victims recorded | - | - | - | - |
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1003.001 | LSASS Memory | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1552.001 | Credentials In Files | Credential Access |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1070.004 | File Deletion | Defense Evasion |
| T1218.011 | Rundll32 | Defense Evasion |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1486 | Data Encrypted for Impact | Impact |
| T1133 | External Remote Services | Initial Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
No YARA rules
No IoCs
No ransom notes