
ONI ransomware used to cover tracks in long-term attacks against Japanese firms

In an analysis carried out by IT security company Cybereason, the firm discovered a new bootkit ransomware dubbed “MBR-ONI” used by the same threat actor in conjunction with ONI. This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code was found in the recently discovered Bad Rabbit ransomware. 

“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation. These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. Forensic artefacts found on the compromised machines show that the attackers made a significant attempt to cover their operation,” said researchers in a blog post.

Researchers concluded that both ONI and MBR-ONI stem from the same threat actor since they were used in conjunction in the same targeted attacks and their ransom note contains the same email address.

According to the analysis, the attacks on Japanese companies across different industries share a very similar modus operandi, the firm said. Victims receive phishing emails containing a zip attachment with a malicious Word document inside it.

When the document is opened and macros enabled, a VBScript script is launched that downloads and installs a copy of the Ammyy Admin RAT onto the infected computer. Hackers use this legitimate tool to gain access to the system.

The attackers then carry out a “scorched earth” policy, according to researchers: logs are deleted and ONI is distributed via rogue Windows group policy, pushed out across the organisation.

“Using autorun persistence, the group policy would fetch a batch script from the DC server, which would wipe Windows' event logs clean in an attempt to cover the attackers' tracks and avoid log-based detection. In addition, the ONI binary file was also copied from the DC and executed, encrypting a large array of files,” said researchers.

While ONI was used against most of the endpoints, MBR-ONI was used on only a handful of endpoints. “These endpoints were critical assets such as an AD server and file servers. We suspect that MBR-ONI was used as a wiper to conceal the operation's true motive,” researchers said.

The attacks on Japanese firms lasted at least nine months between December 2016 (or possibly earlier) and September 2017.

“While both ONI and MBR-ONI clearly exhibit all the characteristics of ransomware, we provided arguments that support our suspicion that the attackers might have intended to use them as wipers rather than ransomware. We do not dismiss the possibility that financial gain was the motive behind these attacks. However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly,” said researchers.

Chris Doman, security researcher at AlienVault, told SC Media UK that ransomware, and more generally tools to destroy hard disks, have been used to make forensics harder in a number of sophisticated attacks. In particular, there are examples from attackers operating out of Iran, Russia and North Korea.

“In this case Cybereason don't provide any evidence for their suggestion that the ransomware was used to cover the tracks of other activity. The fact the attackers appear to have been on the network for some time may indicate that - but it's not unknown for ransomware attackers to do that either,” he said.

“The usage of DiskCryptor to perform the actual hard-disk encryption is quite amateur - the attackers may not even be able to recover your files due to the way it operates in some circumstances.”

Christopher Littlejohns, EMEA manager at Synopsys, told SC Media UK that corporate IT departments should make all reasonable efforts to secure their logs for forensic analysis to uncover root causes and potential impacts.

“This can be achieved by ensuring logs can only be modified and deleted by specific system accounts, but also to secure their logs off the systems to a centralised log indexing and management capability. From an application and system perspective all reasonable efforts should be put in place to reduce the risk of privilege escalation that may allow access to system resources that should be protected,” he said.
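The log wiping described above is pushed to many machines at once, which makes it visible from a central log store even after the local logs are gone. The following is an added example, not code from Cybereason or from the article: a detection sketch over forwarded Windows events that flags a burst of log-cleared events across several hosts. The record layout, host names, timestamps and thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared:
# 1102 = Security audit log cleared, 104 = another log (e.g. System) cleared.
LOG_CLEARED_IDS = {1102, 104}

def find_mass_log_clearing(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (first_seen, last_seen, hosts) for each burst in which at least
    min_hosts distinct hosts cleared an event log within `window`."""
    cleared = sorted(
        (datetime.fromisoformat(e["time"]), e["host"])
        for e in events
        if e["event_id"] in LOG_CLEARED_IDS
    )
    bursts, i = [], 0
    while i < len(cleared):
        start, j, hosts = cleared[i][0], i, set()
        # Collect every clearing event that falls inside the window.
        while j < len(cleared) and cleared[j][0] - start <= window:
            hosts.add(cleared[j][1])
            j += 1
        if len(hosts) >= min_hosts:
            bursts.append((start, cleared[j - 1][0], sorted(hosts)))
            i = j          # continue after this burst
        else:
            i += 1         # isolated clearing, e.g. routine admin work
    return bursts

# Constructed sample: events as they might arrive at a central collector.
# Forwarding matters because the local copy of each record is what gets wiped.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:00:05", "host": "WS-014", "event_id": 4624},
    {"time": "2024-01-15T02:14:10", "host": "WS-014", "event_id": 1102},
    {"time": "2024-01-15T02:14:12", "host": "WS-014", "event_id": 104},
    {"time": "2024-01-15T02:14:40", "host": "WS-027", "event_id": 1102},
    {"time": "2024-01-15T02:15:03", "host": "FS-01", "event_id": 1102},
    {"time": "2024-01-15T02:16:30", "host": "WS-033", "event_id": 104},
    {"time": "2024-01-17T09:30:00", "host": "WS-090", "event_id": 1102},
]

if __name__ == "__main__":
    for first, last, hosts in find_mass_log_clearing(SAMPLE_EVENTS):
        print(f"ALERT: {len(hosts)} hosts cleared logs between {first} and {last}: {hosts}")
```

A single host clearing its log is often routine administration, so the signal here is the number of distinct hosts inside the window rather than any one event.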
