Black-Rabbit Ransomware Strikes Japan
Imagine attackers using a wiper to cover up their operations after they have worked through a victim's network. That is exactly what has happened with a new kind of ransomware called ONI, found in Japan. Japanese companies are at the mercy of this latest member of the ransomware family.
In Japanese the word ONI means devil, and the malware lives up to that name; it is quite visible in the email address given in the ransom note. Security researchers say they have seen the malware encrypt hundreds of systems at once, and it can go further, encrypting files on external media and drives. Living up to its name, ONI is here to wreak havoc and destroy data.
The ONI ransomware arrives as part of a phishing email. The email carries an Office document which, when opened, drops the Ammyy Admin remote-access tool and other hacking tools. The attacker uses this foothold to move around the network environment, learn the internal network, harvest credentials and gather other critical information, including the location of the domain controller, until he has complete control of the network. The wiper then conceals the hacker's true intention.
Assaf Dahan, a security researcher with Cybereason, in an analysis said: “During our investigation, Cybereason discovered a new boot kit ransomware dubbed MBR-ONI used by the same threat actor in conjunction with ONI.” He further said, “This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code was found in the recently discovered Bad Rabbit ransomware.”
“It is very unlikely that an attacker would not be interested in distinguishing between infected machines,” Dahan said. “That also supports our suspicion that there was never an intention to recover the encrypted disk partitions.”
Also, why spend three to nine months in the environment without a sure monetization plan?
“From a cost-effectiveness perspective, there is no guarantee the attacker will be rewarded with a ransom payment at the end of this long operation, despite sustaining an active operation and risking detection,” said Dahan. “We do not dismiss the possibility that financial gain was the motive behind these attacks. However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly.”
While the ONI attacks are specific to Japan, Cybereason also believes they point to a concerning global trend.
“Using ransomware in targeted hacking operations is still quite uncommon compared to the popularity of ransomware in the overall cyber threat landscape,” said Dahan. “In recent years, though, there have been increased reports about ransomware and wipers used in targeted attacks carried out by cyber-criminals and nation-states [including Bad Rabbit].”
The three- to nine-month infection window points to the need for secondary defenses, according to Stephan Chenette, founder and CEO of AttackIQ.
“In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. The defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls. They should continually test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics, and procedures. Anything else is pure negligence.”