UPDATED 23:35 EDT / NOVEMBER 01 2017

INFRA

New form of ransomware used to hide previous hacking campaign

A new form of ransomware detected in Japan is allegedly being used to cover up a previous hacking campaign, in a new twist on what would otherwise be just another ransomware attack story.

Dubbed “ONI,” the ransomware is targeting Japanese companies for the specific purpose of acting as a “wiper,” a form of attack used to destroy evidence of previous hacking. The ransomware code is said to be installed at the time of the initial compromise but sits idle for months before being activated.

ONI employs a modified version of a legitimate open-source disk encryption utility called DiskCryptor as its code base, the same code used by the Bad Rabbit ransomware that made headlines last month.

“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation,” security researchers at Cybereason Inc. said in a blog post. “These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. Forensic artifacts found on the compromised machines show that the attackers made a significant attempt to cover their operation.”

Explaining what makes the ONI attack unusual, Stephan Chenette, founder and chief executive officer at AttackIQ Inc., told SiliconANGLE that because the attackers waited months after compromising these machines to activate the ransomware, those running cybersecurity at the affected firms “had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact.”

Chenette emphasized that the case highlights the need for organizations to have secondary detection and response controls in place after their prevention controls, saying that they should also “continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence.”

In terms of prevention, Manoj Asnani, vice president of product and design at Balbix Inc., agreed with Chenette, saying that to defend against these types of attacks, organizations must get ahead of the threat by using predictive technologies, not just reacting to data breaches.

“Predictive technologies could prevent an attack scenario like ONI by highlighting where the attack might start (which users, which assets) and whether there is proper segmentation in place to stop the lateral movement, while also providing visibility into which critical assets the adversaries might prioritize targeting,” Asnani added.

Photo: Duncan Riley
