Research carried out by the cybersecurity firm Cybereason reveals that a new ransomware family, called ONI, is currently targeting companies operating in Japan. The research adds that the attack stands out from earlier ransomware variants: it not only keeps systems from functioning normally until the victim pays a ransom, but also wipes the data if the victim fails to pay the demanded sum within the specified time frame.
A source reporting to Cybersecurity Insiders shed light on some interesting aspects of the attack. She said that the attackers used two different versions of the ONI ransomware to launch the attack.
The first was a conventional one: files on the victim's PC were encrypted, and a file containing a ransom note and an email address to contact for payment instructions was left behind.
In the second attack, which hit a few computers at large companies operating in Japan, the hackers used another ransomware called MBR-ONI. This malware first encrypts the file system and then replaces the MBR, or Master Boot Record, with a password-protected lock screen that is displayed before Windows boots. It does so using a legitimate copy of the DiskCryptor program, the same tool that was used in the recent BadRabbit ransomware attack.
The source adds that MBR-ONI was deployed on Active Directory servers and other critical assets of some manufacturers, including companies involved in automobile and electronics manufacturing.
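Because MBR-ONI's bootloader-level lock screen lives in the first sector of the disk, one check a defender can run across a fleet is to compare the current MBR against a known-good copy captured at build time. The script below is an added example written for this article; it is not code from Cybereason or from the ONI report. It parses a classic 512-byte MBR (bootstrap code, disk signature, the four partition entries and the 0x55AA boot signature), then reports what changed between a baseline and the current sector. The two MBR images are constructed inline for the demo, so the bootstrap bytes and partition layout are assumptions rather than values taken from a real infected disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440           # classic MBR: bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into a bootstrap hash, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an empty slot
            partitions.append({
                "index": i,
                "bootable": bool(status & 0x80),
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a known-good MBR with the current one and return a list of findings.

    An empty list means nothing in the first sector changed. A replaced bootstrap
    with an intact partition table is exactly what a bootloader-level lock screen
    (or a legitimate disk-encryption bootloader such as DiskCryptor) looks like.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code replaced")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def _build_mbr(bootstrap: bytes, ptype: int = 0x07) -> bytes:
    """Construct a synthetic MBR for the demo (not captured from a real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)   # assumed disk signature
    # One bootable partition (type 0x07, NTFS/exFAT) at LBA 2048, 1 GiB of 512-byte sectors.
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF,
                     0x80, b"\x00\x00\x00", ptype, b"\x00\x00\x00", 2048, 2097152)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data: a baseline taken "at build time" and a sector whose
# bootstrap area has been overwritten while the partition table was left intact.
KNOWN_GOOD = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 50)
TAMPERED = _build_mbr(b"\xfa\x31\xc0" + b"LOCKED" + b"\x00" * 40)


if __name__ == "__main__":
    print("baseline vs itself :", check_mbr(KNOWN_GOOD, KNOWN_GOOD))
    print("baseline vs tampered:", check_mbr(KNOWN_GOOD, TAMPERED))
    print("partitions:", parse_mbr(KNOWN_GOOD)["partitions"])
```

On a live Windows host the current sector is read with `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt, and the baseline should come from a trusted image rather than from the same host. Note the caveat the article itself implies: DiskCryptor is a legitimate tool, so this check detects that the boot code changed, not why; a finding of "bootstrap code replaced" on a machine that was never enrolled in disk encryption is the signal worth escalating.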
Boston-based Cybereason's report on the incident says that the hackers spent three to nine months on a cyber attack campaign dubbed "Night of the Devil", and that ONI is believed to have served as a wiper to cover up the operation and destroy all traces of the earlier intrusion.
Security experts from Cybereason say that the attack began with a spear-phishing campaign that installed a RAT, or Remote Access Trojan, on the victim's computer. They believe the RAT campaign started back in December 2016 and remained active until September 2017.
In early October of this year, the same operators launched the ONI ransomware attack, which not only encrypted databases of some Japanese companies but also wiped out data two weeks after the attack was launched.
The report clarifies that the targets have so far been private entities and that no government organization was disrupted by the campaign.