2017-11-03 15:20

Early November in Japan was marked by the appearance of a new file encryptor, named ONI after the extension it gives to the files it encrypts.

Credit is due to the malware authors' sense of humour: oni (鬼) is the Japanese word for a demon or ogre, and the name proved apt.

Company networks protected only by traditional, signature-based AV products were unable to stop this "new" threat, and the computers of the affected companies were encrypted.

What is interesting here is that the attackers first carried out reconnaissance of the internal network and harvested data from the infected computers, most likely either to sell commercial information or to later blackmail the companies with whatever compromising material they had found. Only after that was the resulting botnet ordered to encrypt files. This is clearly the work of a well-trained team, not of individual hackers who banded together for a one-off payday.

As for our product, ROMAD EDR: it detected this botnet and blocked it from encrypting files, because we had already described the behaviour of the GlobeImposter family, to which ONI belongs, back in 2016.

The analysed samples of the ONI encryptor are listed below: