Ransomware is being used to hide an elaborate, targeted hacking campaign which went undetected for months before the attackers pulled the plug and encrypted hundreds of machines at once in an effort to remove stolen data while also covering their tracks.
The campaign targeted several Japanese organisations in attacks which lasted from three to nine before a ransomware attack used a wiper on compromised machines in an effort to hide the operation.
Forensic investigation of the infected machines by researchers at Cybereason has led them to the conclusion that the attacker made the attempt to wipe evidence of the operation and destroy any traces of attack.
The name of the ransomware comes from the .oni file extension of encrypted files as well as the email address in the ransom note, which translates to “Night of the Devil” – the name researchers have given to the operation. Researchers note that ONI shares much of its code with GlobeImposter ransomware.
Attacks using ONI ransomware have been carried out against Japanese targets for some time, but the investigation into the latest wave of attacks uncovered a new variant, MBR-ONI, a form of the ransomware which comes equipped with bootkit features.
The new bootkit ransomware is based on DiskCryptor, a legitimate disk encryption tool, the code of which has also been found in Bad Rabbit ransomware.
While MBR-ONI bootkit ransomware was used against a controlled set of targets, such as Active Directory server and other critical assets, ONI was used against the rest of the endpoints in an infected network.
The ONI-based attacks all begin in the same way, with spear-phishing emails distributing malicious Office documents which drops the Ammyy Admin remote access tool.
Once inside the system, attackers map the internal networks, harvesting credentials and moving laterally through the system – researchers suspect that the leaked NSA SMB exploit EternalBlue plays a role in enabling the attackers to spread through the network.
Ultimately compromise critical assets including the domain controller to gain full control of the network and the ability to exfiltrate any data deemed important.
Once the attackers are done with the infected network, ONI and MBR-ONI ransomware was run.
While ONI does provide a ransom note and the prospect of recovering encrypted data, researchers believe MBR-ONI is designed to never provide a decryption key, but rather as a wiper to cover the attackers’ footprints and conceal the true goals of the attack: espionage and removing data over a period of months.
During investigations of targeted organisations, it was found that some had been compromised since December 2016, indicating long-term planning and sophistication on behalf of the attackers.
While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme,” said Assaf Dahan, director of advanced security services at Cybereason
“The use of ransomware and/or wipers in targeted attacks is not a very common practice, but it is on the rise. We believe ‘The Night of the Devil’ attack is part of a concerning global trend in which threat actors use ransomware/wipers in targeted attacks,” he added.
Researchers haven’t been able to comprehensively conclude who is behind the campaign and Russian language in the code could provide a clue or a diversion in equal measure.
“The question of attribution is a tricky one. The Russian language traces found in the binary files could suggest that there is a Russian threat actor behind the attack. That being said, this kinda of data can also be easily manipulated by the attackers to throw researchers off track,” Dahan told ZDNet.