GLOBAL IMPOSTOR

GLOBAL IMPOSTOR #1
2017-11-03 15:20

Early November was marked in Japan by the appearance of a new encryptor, which, based on the name of the encrypted files, was called ONI.

We must give credit to the malware creators' sense of humor: ONI in Japanese means "the devil's night", and the name lived up to itself.

The networks of companies that protected themselves with traditional AV solutions were unable to counter this "new" threat, and the computers of the affected companies were encrypted.

In this case, it is interesting to note that the attackers first conducted internal network reconnaissance and gathered data from the infected computers, most likely in order to sell commercial information or to subsequently blackmail the companies with the compromising material they found. Only afterwards was the botnet they had formed commanded to encrypt the files. This was clearly the work of a well-trained team rather than of separate hackers grouped together for a one-time payout.

As for our product, ROMAD EDR: we detected this botnet and blocked it from encrypting files, because we had already described the family of so-called GlobeImposter back in 2016.

Here are the analysed samples of the ONI encryptor:

SHA1

b7d33751d118fab6aedabfdf6a4ddf627e6cab02

4a850136af93b9918fb4290a2bf665c4f28201d1