UPDATED 23:35 EDT / NOVEMBER 01 2017

New form of ransomware used to hide previous hacking campaign

A new form of ransomware detected in Japan is allegedly being used to cover up a previous hacking campaign, in a new twist on what would otherwise be just another ransomware attack story.

Dubbed “ONI,” the ransomware is targeting Japanese companies for the specific purpose of acting as a “wiper,” a form of attack used to cover up previous hacking. The ransomware code is said to be installed when the initial intrusion occurs but then sits idle for months before being activated.

ONI employs a modified version of a legitimate open-source disk encryption utility called DiskCryptor as its code base, the same code used by the Bad Rabbit ransomware that made headlines last month.

“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation,” security researchers at Cybereason Inc. said in a blog post. “These targeted attacks lasted between three to nine months and all ended with an attempt to encrypt hundreds of machines at once. Forensic artifacts found on the compromised machines show that the attackers made a significant attempt to cover their operation.”

Explaining the uniqueness of the ONI attack, Stephan Chenette, founder and chief executive officer at AttackIQ Inc., told SiliconANGLE that, because the attackers waited months after compromising these machines before activating the ransomware, those running cybersecurity at the affected firms “had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact.”

Chenette emphasized that the case highlights the need for organizations to have secondary detection and response controls in place after their prevention controls, saying that they should also “continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence.”

In terms of prevention, Manoj Asnani, vice president of product and design at Balbix Inc., agreed with Chenette, saying that to defend against these types of attacks, organizations must get ahead of the threat by using predictive technologies, not just reacting to data breaches.

“Predictive technologies could prevent an attack scenario like ONI by highlighting where the attack might start (which users, which assets) and whether there is proper segmentation in place to stop the lateral movement, while also providing visibility into which critical assets the adversaries might prioritize targeting,” Asnani added.

Photo: Duncan Riley
