A new family of ransomware, dubbed ONI, has been discovered being used as a wiper to cover up an elaborate hacking operation in targeted attacks against Japanese companies.
The name ONI can mean “devil” in Japanese, and it also appears in the email address found in the ransom note. The attacks observed by Cybereason suggest that the malware lives up to its name: those seen to date have generally lasted between three and nine months, and all ended with an attempt to encrypt hundreds of machines at once. Aside from encrypting files on infected machines, ONI can encrypt files on removable media and network drives, and there is evidence that the true purpose of the attacks is to exfiltrate and destroy data.
Cybereason said that the attacks started with spear-phishing emails carrying weaponized Office documents, which ultimately dropped the Ammyy Admin RAT. Using Ammyy Admin and other hacking tools, the attackers then mapped out the internal networks, harvested credentials and moved laterally, ultimately compromising critical assets, including the domain controller (DC), to gain full control over the network. From there, the ONI ransomware was deployed to encrypt a large array of files, while the MBR-ONI bootkit was used on critical assets such as the AD server and file servers, likely as a wiper to conceal the operation’s true motive.
The MBR-ONI bootkit has technological ties to the recently discovered Bad Rabbit ransomware.
“During our investigation, Cybereason discovered a new bootkit ransomware dubbed MBR-ONI used by the same threat actor in conjunction with ONI,” said Assaf Dahan, a security researcher with Cybereason, in an analysis. “This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code was found in the recently discovered Bad Rabbit ransomware.”
But classifying ONI and MBR-ONI merely as ransomware leaves some open questions regarding the observed attacks.
“It is very unlikely that an attacker would not be interested in distinguishing between infected machines,” Dahan said. “That also supports our suspicion that there was never an intention to recover the encrypted disk partitions.”
Also, why spend three to nine months in the environment without a sure monetization plan?
“From a cost-effectiveness perspective, there is no guarantee the attacker will be rewarded with a ransom payment at the end of this long operation, despite sustaining an active operation and risking detection,” said Dahan. “We do not dismiss the possibility that financial gain was the motive behind these attacks. However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly.”
While the ONI attacks are specific to Japan, Cybereason also believes they point to a concerning global trend.
“Using ransomware in targeted hacking operations is still quite uncommon compared to the popularity of ransomware in the overall cyber threat landscape,” said Dahan. “In recent years, though, there have been increased reports about ransomware and wipers used in targeted attacks carried out by cyber-criminals and nation-states [including Bad Rabbit].”
The three- to nine-month infection window points to the need for secondary defenses, according to Stephan Chenette, founder and CEO of AttackIQ.
“In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. Defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls. They should continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence.”
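The two-stage pattern described above (a remote-admin tool dropped early, then a mass-encryption burst across many hosts months later) is exactly what a secondary detection control can catch during the dwell time. The following is an added example written for this article, not Cybereason's or AttackIQ's tooling: it runs two simple detections over constructed endpoint telemetry and reports the gap between the first sighting of the remote-admin tool and the burst. The event format, field names, the `AA_v3.exe` process-name marker, the thresholds and every event below are assumptions made for the example.

```python
"""Toy secondary detections for the ONI pattern: RAT sighting, then mass-encryption burst.

Added example. Log format, field names, process markers, thresholds and all
events are assumptions constructed for illustration, not real investigation data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumed bucket size for burst detection
REMOTE_ADMIN_MARKERS = ("aa_v3.exe", "ammyy")   # assumed Ammyy Admin process markers


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def burst(hosts, start, writes_per_host):
    """Constructed telemetry: each host rewrites `writes_per_host` files within a minute."""
    t0 = parse(start)
    return [(h, (t0 + timedelta(seconds=i)).isoformat(), "file_write", f"C:\\share\\doc{i}.docx")
            for h in hosts for i in range(writes_per_host)]


HOSTS = [f"ws-{i:02d}" for i in range(1, 61)]

# Constructed events: (host, timestamp, kind, detail). Early RAT drops, a little
# benign activity, then 60 hosts encrypting at once eight months later.
EVENTS = [
    ("ws-01", "2017-03-02T09:14:00", "process_start", "AA_v3.exe"),
    ("ws-01", "2017-03-02T09:15:10", "file_write", "C:\\Users\\a\\report.docx"),
    ("fs-01", "2017-03-09T18:40:00", "process_start", "AA_v3.exe"),
    ("ws-07", "2017-06-20T11:00:00", "file_write", "C:\\Users\\b\\budget.xlsx"),
] + burst(HOSTS, "2017-11-05T02:00:00", 40)


def find_remote_admin_tools(events, markers=REMOTE_ADMIN_MARKERS):
    """Detection 1: any process start whose image name matches a remote-admin marker."""
    return [(host, ts, detail) for host, ts, kind, detail in events
            if kind == "process_start" and any(m in detail.lower() for m in markers)]


def find_mass_encryption(events, window=WINDOW, per_host=20, min_hosts=10):
    """Detection 2: many hosts each writing many files inside the same time bucket.

    A single busy host is normal; dozens of hosts bursting together is the
    'hundreds of machines at once' signature. Returns [(bucket_iso, [hosts])].
    """
    per_bucket = defaultdict(Counter)
    for host, ts, kind, _ in events:
        if kind != "file_write":
            continue
        t = parse(ts)
        bucket = t - ((t - datetime.min) % window)   # floor to fixed window boundary
        per_bucket[bucket][host] += 1

    alerts = []
    for bucket in sorted(per_bucket):
        hot = sorted(h for h, n in per_bucket[bucket].items() if n >= per_host)
        if len(hot) >= min_hosts:
            alerts.append((bucket.isoformat(), hot))
    return alerts


def dwell_days(rat_hits, alerts):
    """Days between the first remote-admin sighting and the first mass-encryption alert."""
    if not rat_hits or not alerts:
        return None
    first_rat = min(parse(ts) for _, ts, _ in rat_hits)
    first_alert = min(parse(b) for b, _ in alerts)
    return (first_alert - first_rat).days


if __name__ == "__main__":
    rat = find_remote_admin_tools(EVENTS)
    enc = find_mass_encryption(EVENTS)
    for host, ts, detail in rat:
        print(f"remote-admin tool on {host} at {ts}: {detail}")
    for bucket, hosts in enc:
        print(f"mass encryption in window {bucket}: {len(hosts)} hosts")
    print(f"detection opportunity before impact: {dwell_days(rat, enc)} days")
```

The first detection fires in March and is the one that matters: the second fires only once the damage has started. Both thresholds are deliberately crude; patch rollouts, backups and indexing jobs will also make many hosts write many files at once, so in practice the burst rule is scoped to user-document paths and tuned against a baseline rather than run with fixed numbers like these.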