New form of ransomware used to hide previous hacking campaign
A new form of ransomware detected in Japan is allegedly being used to cover up a previous hacking campaign, in a new twist on what would otherwise be just another ransomware attack story.
Dubbed “ONI,” the ransomware is targeting Japanese companies for the specific purpose of acting as a “wiper,” a form of attack used to destroy evidence of a previous hacking operation. The ransomware code is said to be installed at the time of the initial intrusion, but it sits idle for months before being activated.
ONI employs a modified version of a legitimate open-source disk encryption utility called DiskCryptor as its code base, the same code used by the Bad Rabbit ransomware that made headlines last month.
“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation,” security researchers at Cybereason Inc. said in a blog post. “These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. Forensic artifacts found on the compromised machines show that the attackers made a significant attempt to cover their operation.”
Explaining the uniqueness of the ONI attack, Stephan Chenette, founder and chief executive officer at AttackIQ Inc., told SiliconANGLE that because the attackers waited months after compromising these machines to activate the ransomware, those running cybersecurity at the affected firms “had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact.”
Chenette emphasized that the case highlights the need for organizations to have secondary detection and response controls in place after their prevention controls, saying that they should also “continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence.”
In terms of prevention, Manoj Asnani, vice president of product and design at Balbix Inc., agreed with Chenette, saying that to defend against these types of attacks, organizations must get ahead of the threat by using predictive technologies, not just reacting to data breaches.
“Predictive technologies could prevent an attack scenario like ONI by highlighting where the attack might start (which users, which assets) and whether there is proper segmentation in place to stop the lateral movement, while also providing visibility into which critical assets the adversaries might prioritize targeting,” Asnani added.