Inside the Onyx C2 Ransomware Business Model

Techstrong TV (DevOps.com), Jun 12, 2026

Why It Matters

Onyx C2 turns ransomware into a low‑cost subscription service, expanding the threat pool, while BlackFog’s ADX highlights the urgent need for data‑exfiltration monitoring to safeguard business continuity.

Key Takeaways

  • BlackFog’s ADX technology blocks data exfiltration rather than only detecting ransomware.
  • Onyx C2 offers ransomware‑as‑a‑service for $250/month, lowering entry barriers.
  • Subscription model provides ready‑made RAT, keylogger, and credential‑stealing tools.
  • Session cookies and MFA tokens let attackers persist despite system reimaging.
  • Monitoring outbound data flows is essential to detect back‑door exfiltration.

Summary

The Techstrong TV interview spotlights BlackFog’s evolution from a privacy‑focused startup to a leader in anti‑data‑exfiltration (ADX) technology, and introduces the newly identified Onyx C2 ransomware‑as‑a‑service model.

Darren Williams explains that traditional defenses target the “front door” of attacks, while ADX blocks the “back door” by preventing data from leaving the endpoint. Onyx C2 commoditizes ransomware operations: for $250 a month subscribers receive a ready‑made remote access trojan, keylogger, and credential‑stealing suite, dramatically lowering the skill barrier for cyber‑criminals.

Williams notes the service’s effectiveness—reporting 99.9% success in stopping conventional EDR tools—and cites real‑world deployment, with the FBI observing at least 254 active instances. He emphasizes that stolen session cookies and MFA tokens enable attackers to regain access even after victims reimage compromised machines.

The discussion underscores a shift toward resilience: organizations must monitor outbound traffic and protect data exfiltration pathways rather than relying solely on detection. Ignoring the back‑door vector leaves enterprises vulnerable to persistent, subscription‑based ransomware threats.

Original Description

For $250 a month, anyone with zero skill can now run a ransomware operation — keylogging, RATs, session cookie theft, and full attacker support included. Dr. Darren Williams, Founder and CEO of BlackFog, returns to TechStrong TV with Alan Shimel to unpack Onyx C2, the new ransomware-as-a-service model his team has tracked actively in the wild 254 times and counting. Drawing on his PhD in pharmacology and 25+ years of building category-defining tech, Darren explains why every cybersecurity strategy that focuses only on the front door is destined to fail — and why anti data exfiltration (ADX), pioneered by BlackFog, has become the resiliency layer modern enterprises can't ignore. He and Alan also dig into why reimaging a compromised endpoint no longer works when session cookies and MFA keys have already been stolen, and what a holistic, biology-inspired approach to security really looks like.
In this conversation, Dr. Williams and Alan cover:
• Onyx C2 — the $250/month ransomware-as-a-service kit with RAT, keylogging, and cookie theft
• Why every modern ransomware attack is really a data exfiltration attack
• ADX (anti data exfiltration) — the resiliency layer most stacks are missing
• Why reimaging a compromised endpoint no longer saves you when MFA keys are gone
• A pharmacology PhD's case for holistic, biology-inspired cybersecurity
• 10 years of building BlackFog and the lessons from prior exits to Quest and Absolute
Chapters:
00:00 Welcome back to TechStrong TV
00:30 The BlackFog origin story and ADX
02:00 From Funnel Web to LiveTime Software to BlackFog
04:30 Watching front doors vs watching back doors
06:30 Why every ransomware attack is about data, not hardware
09:00 The shift from prevention to resilience
10:30 A holistic, pharmacology-inspired view of cyber defense
12:00 Introducing Onyx C2 — ransomware as a business
14:00 Session cookies, MFA keys, and the end of reimaging
16:00 How to detect data leaving the building
17:00 Where to learn more about BlackFog
Guest: Dr. Darren Williams, Founder and CEO, BlackFog — https://www.blackfog.com
Host: Alan Shimel, TechStrong Group