
Cybereason Researchers Discover Hacking Operation

Oct 31, 2017

Cybereason today released new research that sheds light on an elaborate hacking campaign against Japanese companies. Dubbed “Night of the Devil,” the targeted attacks lasted from three to nine months and ended with the deployment of ONI ransomware, which is believed to have been used as a wiper to cover up the operation and destroy all traces of the attack.

During Cybereason’s investigation, researchers also discovered a new bootkit ransomware dubbed “MBR-ONI,” used by the same threat actor in conjunction with ONI. This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code is found in the recently discovered “BadRabbit” ransomware. In these attacks MBR-ONI was used only against a limited set of targets, including Active Directory servers and other critical assets, while ONI was used against the rest of the endpoints.

For several months Cybereason researchers followed the concerning rise of “ONI,” a family of ransomware involved in targeted attacks against Japanese companies from different industries. After examining the full life cycle of the attacks, the researchers suspect that ONI ransomware was being used as a destructive wiper to cover up an advanced hacking operation which lasted for months.

The ONI-based targeted attacks against Japanese companies all shared a very similar modus operandi:

Penetration vector: Spear-phishing emails carrying weaponized Office documents, which ultimately drop Ammyy Admin (Remote Administration Tool) 
Reconnaissance, credential harvesting and lateral movement 
Scorched earth policy: Robust log deletion and distribution of ONI via rogue GPO

“Until now the security community categorized ONI as ransomware. While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme,” said Assaf Dahan, director of advanced security services at Cybereason. “As someone who led red teams, I can tell you that taking over a network in order to mass-distribute ransomware can be achieved in a matter of a few hours or days. It doesn't make much sense to remain on the network for so long and risk exposure, unless they had other motives.”

The name ONI can mean “devil” in Japanese, and stems from the “.oni” file extension as well as the email address found in its ransom note. “Oninoy0ru” is the email’s username and it translates into “Night of the Devil” in Japanese.

“The use of ransomware and/or wipers in targeted attacks is not a very common practice, but it is on the rise. We believe ‘The Night of the Devil’ attack is part of a concerning global trend in which threat actors use ransomware/wipers in targeted attacks,” added Dahan.

Mamba is an example of ransomware that was used in targeted attacks and, similarly to MBR-ONI, is also partially based on the open-source code of the DiskCryptor utility. In addition, destructive wipers have been used by nation-state actors, as in the Shamoon, NotPetya and possibly even BadRabbit attacks, the last of which is suspected to have links to the threat actor behind NotPetya.

The full research that evaluates the entire life cycle is available here: Night of the Devil: Ransomware or wiper?

About Cybereason 
Cybereason, creators of the leading cybersecurity data analytics platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services, all powered by its proprietary data analytics platform. The Cybereason suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk. Cybereason is privately held, having raised $189 million from top-tier VCs, and is headquartered in Boston, with offices in London, Tel Aviv and Tokyo.

Media Contact: 
Bill Keeler 
Director, Public Relations 
Cybereason 
bill.keeler@cybereason.com 
(929) 259-3261