NotPetya has shown the way for attackers who want use ransomware as a cover for a deeper incursion.
The latest example is a wave of wiper attacks hitting organizations in Japan for possibly as long as the last nine months. Researchers at Cybereason this week said they had detected targeted attacks against Japanese enterprises leaving behind ONI ransomware which was used as part of an operation to encrypt hundreds of machines inside these organizations.
“Forensic artifacts found on the compromised machines show that the attackers made a significant attempt to cover their operation,” Cybereason said in its report.
A new bootkit was also found during these attacks called MBR-ONI used by the same attackers. The bootkit borrowed a page from the recent Bad Rabbit attacks and built its ransomware around the DiskCryptor disk encryption utility. The researchers believe MBR-ONI comes from the same attackers behind ONI given the two pieces of malware were used in the same attacks and the ransomware note contains the same email address.
The attackers are gaining a foothold via spear-phishing emails spreading malicious Office documents that drop a remote access Trojan called Ammyy Admin. The RAT enables the attackers to steal credentials and gain lateral movement on a target’s network.
“Using the Ammyy Admin RAT and other hacking tools, the attackers mapped out the internal networks, harvested credentials and moved laterally, ultimately compromising critical assets, including the domain controller (DC), to gain full control over the network,” Cybereason said.
The final stage of these attacks involves the distribution of ONI via an inserted Group Policy Object, as well as the widespread deletion of logs.
“Using autorun persistence, the group policy would fetch a batch script from the [domain controller] server, which would wipe Windows’ event logs clean in attempt to cover the attackers’ tracks and avoid log-based detection,” Cybereason said. “In addition, the ONI binary file was also copied from the DC and executed, encrypting a large array of files.”
The attackers were sparse in their use of the master boot record bootkit, saving it for Active Directory and file servers.
“We suspect that MBR-ONI was used as a wiper to conceal the operation’s true motive,” Cybereason said.
ONI translates to “devil” in Japanese and is the file extension appended to encrypted files. It’s also in the email address found in the ransomware note. The ONI string is found in other ransom notes and email addresses throughout these campaigns.
Making these attacks were desperate is the attackers’ apparent use of the leaked NSA exploit EternalBlue for lateral movement. The exploit was made public by the ShadowBrokers earlier this year and used by WannaCry to spread to machines worldwide.
“Due to the data corruption and robust log wiping, it cannot be confirmed with absolute certainty, however, it was found that the MS17-010 security update (released in March 2017) was not installed on the compromised machines at the time that attacks took place (July-September 2017),” Cybereason said, adding that the compromised environments had SMBv1 enabled globally.
NotPetya, which hit organizations in the Ukraine primarily starting in June, was a similar attack which spread wiper malware under the guise of ransomware. Cybereason said the MBR-ONI malware makes it impossible to recover an encrypted disk, unlike NotPetya.
“We suspect that the attackers never intended to provide recovery for the encrypted machines. Instead, the program was meant to be used as a wiper to cover the attackers’ footprints and conceal the attack’s motive,” Cybereason said.