ONI Outbrake: Ransomware or a Wiper?

Delaware, USA – November 1, 2017 – Cybereason shared the results of their current investigation, which reports on the next use of the Ransomware as a Wiper. Unknown threat actors performed attacks on medium and large Japanese organizations since December 2016. Using macros in malicious documents, they installed Ammy Admin RAT and got full access to victim’s systems. Further, attackers stole admin credentials and gained access to servers with sensitive data. Researchers have not yet established what data was stolen. After the operation was completed, attackers spread ONI Ransomware on the networks to hide their activities. ONI is based on Globeimposter Ransomware code and can encrypt files not only on the infected assets but also on shared network drives or removable drives. To encrypt whole file systems on the most critical servers, Adversaries used another version of Ransomware, the so-called MBR-ONI, which used the modified version of DiskCryptor tool.

Over the past two months, this is the third episode of the use of Ransomware to cover their tracks after the operation was completed. More and more often hackers use this tactic, and security researchers warn that soon such a practice can gain a foothold in the arsenal of sophisticated threat actors. Ransomware Hunter Advanced is developed for ArcSight, QRadar and Splunk, and it allows SIEM to determine the most vulnerable assets based on the analysis of all gathered security events and to warn about a possible Ransomware attack.