
Japanese firms face 'Night of the Devil' after ransom wiper attacks

06 Nov 17

It has been the ‘Night of the Devil’ for some Japanese companies that have been targeted by hacks and a ransom wiper designed to destroy all traces of the attacks.

Cybersecurity data analytics firm Cybereason has been following the attacks, which took place over a period of three to nine months. The attacks targeted Japanese organisations in different industries.

The attacks used MBR-ONI, a bootkit variant of the ONI ransomware that overwrites the Master Boot Record; Cybereason suspects it was deployed as a wiper to destroy evidence of the intrusion rather than to extort the victims. MBR-ONI is built on DiskCryptor, a legitimate open-source disk encryption utility.

The attack generally begins with spear phishing emails that deliver weaponized Microsoft Office documents containing the Ammyy Admin RAT.

Attackers use the RAT to map the network, harvest credentials and ultimately gain full control of the domain. They then distribute ONI ransomware through a rogue Group Policy Object and clear the Windows event logs to hinder detection and forensics. The bootkit variant, MBR-ONI, is used on only a ‘handful’ of endpoints, including critical assets.

Cybereason’s director of advanced security services Assaf Dahan says previously ONI was categorized as ransomware.

“While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme,” Dahan continues.

The ONI-based attacks against the Japanese firms all share common characteristics:

  • Penetration vector: Spear-phishing emails carrying weaponized Office documents, which ultimately drop Ammyy Admin (Remote Administration Tool) 
  • Reconnaissance, credential harvesting and lateral movement 
  • Scorched earth policy: Robust log deletion and distribution of ONI via rogue GPO
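The last two stages above (distribution through a rogue GPO, followed by log deletion) leave a recognisable pattern in Windows audit logs: a Group Policy object created or modified by an account that does not normally edit policy, followed shortly afterwards by event-log clearing on many hosts. The script below is an added example written for this page, not Cybereason's tooling or anything from the ONI operators; it correlates that sequence over a small set of constructed event records. Host names, account names, timestamps and the GPO_EDITORS allowlist are made-up assumptions; the event IDs (5136/5137 for directory object modified/created, 4688 for process creation, 1102 and 104 for the Security and System logs being cleared) are standard Windows audit events.

```python
# Added example: correlating a rogue GPO change with subsequent mass log
# clearing. Illustrative code for this page, not Cybereason's or the
# attackers' code. All telemetry below is constructed, not real logs.
from datetime import datetime, timedelta

# Assumption: the only account expected to create or edit Group Policy objects.
GPO_EDITORS = {"CORP\\gpo-admin"}

# Standard Windows event IDs used by the detection.
GPO_CHANGE_IDS = {5136, 5137}   # directory service object modified / created
LOG_CLEAR_IDS = {1102, 104}     # Security log cleared / System log cleared
PROCESS_CREATE_ID = 4688        # process creation (command-line auditing on)

# Constructed sample telemetry (hosts, accounts and times are invented).
SAMPLE_EVENTS = [
    # legitimate GPO edit a week earlier: must not alert
    {"time": "2017-09-24T10:00:00", "host": "dc01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "actor": "CORP\\gpo-admin"},
    # rogue GPO created and edited by a non-editor account
    {"time": "2017-10-01T01:00:00", "host": "dc01", "event_id": 5137,
     "object_class": "groupPolicyContainer", "actor": "CORP\\svc_backup"},
    {"time": "2017-10-01T01:04:00", "host": "dc01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "actor": "CORP\\svc_backup"},
    # log clearing spreads across endpoints half an hour later
    {"time": "2017-10-01T01:31:00", "host": "ws01", "event_id": 4688,
     "actor": "NT AUTHORITY\\SYSTEM", "cmdline": "wevtutil.exe cl Security"},
    {"time": "2017-10-01T01:31:02", "host": "ws01", "event_id": 1102,
     "actor": "NT AUTHORITY\\SYSTEM"},
    {"time": "2017-10-01T01:31:05", "host": "ws02", "event_id": 1102,
     "actor": "NT AUTHORITY\\SYSTEM"},
    {"time": "2017-10-01T01:31:09", "host": "fs01", "event_id": 104,
     "actor": "NT AUTHORITY\\SYSTEM"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of an event record."""
    return datetime.fromisoformat(event["time"])


def rogue_gpo_changes(events):
    """GPO create/modify events performed by an account outside the allowlist."""
    return [e for e in events
            if e["event_id"] in GPO_CHANGE_IDS
            and e.get("object_class") == "groupPolicyContainer"
            and e["actor"] not in GPO_EDITORS]


def log_clears(events):
    """Log-clearing activity: the 1102/104 audit events themselves, plus any
    process creation whose command line runs `wevtutil cl` / `clear-log`."""
    hits = []
    for e in events:
        if e["event_id"] in LOG_CLEAR_IDS:
            hits.append(e)
        elif e["event_id"] == PROCESS_CREATE_ID:
            tokens = e.get("cmdline", "").lower().split()
            if tokens and "wevtutil" in tokens[0] and (
                    "cl" in tokens or "clear-log" in tokens):
                hits.append(e)
    return hits


def correlate(events, window=timedelta(hours=2), min_hosts=3):
    """One alert per actor whose first rogue GPO change is followed, within
    `window`, by log clearing on at least `min_hosts` distinct hosts."""
    first_change = {}
    for g in rogue_gpo_changes(events):
        actor = g["actor"]
        if actor not in first_change or _ts(g) < _ts(first_change[actor]):
            first_change[actor] = g

    clears = log_clears(events)
    alerts = []
    for actor, gpo in first_change.items():
        start = _ts(gpo)
        hosts = {c["host"] for c in clears
                 if start <= _ts(c) <= start + window}
        if len(hosts) >= min_hosts:
            alerts.append({"actor": actor, "gpo_time": gpo["time"],
                           "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['gpo_time']}: rogue GPO by {alert['actor']}, "
              f"logs cleared on {', '.join(alert['hosts'])}")
```

The correlation deliberately keys on the actor rather than on individual events, so one intrusion that touches a policy object several times produces a single alert. In production the same logic would run over a SIEM export of 5136/5137 from domain controllers and 1102/104/4688 from endpoints; the two-hour window and three-host threshold are tuning choices, not values from the report.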

According to Cybereason, the word ‘ONI’ can mean ‘devil’ in Japanese. In addition, the email address provided in the ransom note is Oninoy0ru, or ‘Night of the Devil’.

“As someone who led red teams, I can tell you that taking over a network in order to mass-distribute ransomware can be achieved in a matter of a few hours or days. It doesn't make much sense to remain on the network for so long and risk exposure, unless they had other motives,” Dahan continues.

Other motives such as financial gain may have been behind the attacks, Dahan speculates.

While these attacks specifically targeted Japanese firms, ransomware and wipers are becoming more common.

“The use of ransomware and/or wipers in targeted attacks is not a very common practice, but it is on the rise. We believe ‘The Night of the Devil’ attack is part of a concerning global trend in which threat actors use ransomware/wipers in targeted attacks,” Dahan concludes.
