Security Experts:

Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Earlier this year a new ransomware, dubbed ONI, was discovered in Japan. It is described as a sub-species of the GlobeImposter ransomware. Researchers blogged in July, "When it infects it, it encrypts the file, assigns the extension .oni to the filename, and asks for payment to decrypt it."

Cybereason now suggests that it is less ransomware, and more "a wiper to cover up an elaborate hacking operation." In a report published today, Cybereason researchers have tied the use of ONI to sophisticated attacks on Japanese industry. Unlike traditional ransomware attacks, these incursions lasted between three and nine months, and only culminated in the use of ransomware. The ransomware was, in effect, used to hide the purpose and effect of the hack.

In the same investigation, Cybereason discovered a new bootkit ransomware, MBR-ONI, which modifies the MBR and encrypts disk partitions. "We concluded that both ONI and MBR-ONI stem from the same threat actor since they were used in conjunction in the same targeted attacks and their ransom note contains the same email address," say the researchers.

The name ONI derives from the file extension of the encrypted files: '.oni'. It can mean 'devil' in Japanese. The term also appears in the contact email address used in the ransom notes: "Oninoy0ru", which can translate as Japanese for 'Night of the Devil'.

In the attack instances analyzed by Cybereason, a shared modus operandi was observed. This started with successful spear-phishing attacks leading to the introduction of the Ammyy Admin Rat. This was followed by a period of reconnaissance and credential theft, and lateral movement "ultimately compromising critical assets, including the domain controller (DC), to gain full control over the network."

The final stage of the attack is the use of log wipers and ONI distributed via a rogue group policy (GPO), in what Cybereason describes as a 'scorched earth policy'. The GPO would copy a batch script from the DC server, wiping clean the Windows' event logs to cover the attackers' tracks and avoid log-based detection. The batch file used the wevtutil command along with the "cl" flag, clearing events from more than 460 specified event logs. ONI would also be copied from the DC and executed, encrypting a large array of files.

The new MBR-ONI is used more sparingly against just a handful of the endpoints. These were the critical assets such as the AD server and file servers. Although both ONI and MBR-ONI could technically be decrypted (and can consequently be classified as ransomware rather than wipers), "We suspect," say the researchers, "that MBR-ONI was used as a wiper to conceal the operation's true motive."

The researchers also suspect that EternalBlue was used with other tools to spread through the networks. Although the log wiping and data corruption caused by the attacks makes this difficult to confirm with certainty, it was noted the EternalBlue patch had not been installed on the compromised machines, and the vulnerable SMBv1 was still enabled.

The ONI ransomware shares code with GlobeImposter, and shows Russian language traces. "While this type of evidence could have been left there on purpose by the attackers as decoy," say the researchers, "it can also suggest that the attacks were carried out by Russian speakers or, at the very least, that the ransomware was written by Russian speakers."

The MBR-ONI ransomware uses the same ransom message and ID for all infected machines (the ONI ransomware used a different ID for each encrypted system). A modified version of the open-source DiskCryptor tool was used for the encryption. Although this could be decrypted if the attackers supply the right key, "we suspect that the attackers never intended to provide recovery for the encrypted machines. Instead, the program was meant to be used as a wiper to cover the attackers' footprints and conceal the attack's motive."

The researchers believe it is highly unlikely that ransom extortion is the motive for these ONI attacks in Japan. Why would an attacker spend up to nine months -- at any point during which he could be detected and ejected -- before invoking the encryption?

"Until now the security community categorized ONI as ransomware. While ONI and the newly discovered MBR-ONI exhibit all the characteristics of ransomware, our analysis strongly suggests that they might have actually been used as wipers to cover an elaborate scheme," comments Assaf Dahan, director of advanced security services at Cybereason. "As someone who led red teams, I can tell you that taking over a network in order to mass-distribute ransomware can be achieved in a matter of a few hours or days. It doesn't make much sense to remain on the network for so long and risk exposure, unless they had other motives."

"We do not dismiss the possibility that financial gain was the motive behind these attacks," concludes Cybereason. "However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly."

And while the researchers note that ONI is specific to Japan, they also point out that there are increasing reports of ransomware being used as a wiper by both cybercriminals and nation states in other parts of the world: PetWrap, Mamba, SamSam, NotPetya, Shamoon and Bad Rabbit are all possible examples. Such scorched earth tactics help to tie up incident responders in attempts to decrypt files, while making attribution to specific nation-state actors very difficult.

This is a tactic predicted by Carbon Black in a report in September 2017: Ransomware will increasingly be adopted by sophisticated groups who will use it in a targeted manner, often to augment or disguise other purposes – or simply as an obfuscated nation-state cyber weapon. 

Cybereason raised $100 million in Series D funding from Tokyo-based SoftBank Corp in June 2017. 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.