Nawadoln, Getty Images/iStockphoto
Ransomware is being used to hide an elaborate, targeted hacking campaign which went undetected for months before the attackers pulled the plug and encrypted hundreds of machines at once in an effort to remove stolen data while also covering their tracks.
The campaign targeted several Japanese organisations in attacks which lasted from three to nine before a ransomware attack used a wiper on compromised machines in an effort to hide the operation.
Forensic investigation of the infected machines by researchers at Cybereason has led them to the conclusion that the attacker made the attempt to wipe evidence of the operation and destroy any traces of attack.
The name of the ransomware comes from the .oni file extension of encrypted files as well as the email address in the ransom note, which translates to “Night of the Devil” – the name researchers have given to the operation. Researchers note that ONI shares much of its code with GlobeImposter ransomware.
Attacks using ONI ransomware have been carried out against Japanese targets for some time, but the investigation into the latest wave of attacks uncovered a new variant, MBR-ONI, a form of the ransomware which comes equipped with bootkit features.
The new bootkit ransomware is based on DiskCryptor, a legitimate disk encryption tool, the code of which has also been found in Bad Rabbit ransomware.
While MBR-ONI bootkit ransomware was used against a controlled set of targets, such as Active Directory server and other critical assets, ONI was used against the rest of the endpoints in an infected network.
The ONI-based attacks all begin in the same way, with spear-phishing emails distributing malicious Office documents which drops the Ammyy Admin remote access tool.
Once inside the system, attackers map the internal networks, harvesting credentials and moving laterally through the system – researchers suspect that the leaked NSA SMB exploit EternalBlue plays a role in enabling the attackers to spread through the network.
Ultimately compromise critical assets including the domain controller to gain full control of the network and the ability to exfiltrate any data deemed important.
Once the attackers are done with the infected network, ONI and MBR-ONI ransomware was run.
While ONI does provide a ransom note and the prospect of recovering encrypted data, researchers believe MBR-ONI is designed to never provide a decryption key, but rather as a wiper to cover the attackers’ footprints and conceal the true goals of the attack: espionage and removing data over a period of months.
During investigations of targeted organisations, it was found that some had been compromised since December 2016, indicating long-term planning and sophistication on behalf of the attackers.
While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme,” said Assaf Dahan, director of advanced security services at Cybereason
“The use of ransomware and/or wipers in targeted attacks is not a very common practice, but it is on the rise. We believe ‘The Night of the Devil’ attack is part of a concerning global trend in which threat actors use ransomware/wipers in targeted attacks,” he added.
Other known examples of campaigns using ransomware in destructive, targeted attacks include Mamba, Stonedrill, Shamoon – and most infamously, NotPetya, which wreaked global havoc earlier this year.
READ MORE ON CYBER CRIME