Test subject – ONI ransomware
In October last year, many Japanese companies were under attack for as long as a few months, during which cybercriminals were exfiltrating, encrypting data and destroying mission-critical devices. One of the ransomware used in these attacks was ONI.
Almost a year later, last month, a new ONI ransomware was released. It is not yet determined if the two are related, but there are several indicators that they might be. The Russian (first) version attacked user files on non-critical computers but replaced the MBR on servers and other essential devices.
ONI ransomware test facts
Our new version attacks only files, regardless of the target device. Once executed, it will erase Windows backups, shadow copies, limiting recovery options. This process requires administrative privileges as ONI will not try to bypass UAC, but regardless of the user’s choice, the attack will not stop, encryption will shortly follow. ONI is relatively slow, as it took more than 15 minutes to encrypt all our “valuable” test files. It also altered the Windows registry, gaining access to some system resources. Slowly, but effectively, all our files were encrypted and renamed, also getting the new “oni” extension, making them completely unrecognizable. The slow encryption process had a positive effect on the resources, as it did not slow down the system, an indication that something is wrong. Might not raise any suspicions in many users, until it’s too late.
Once done, ONI will drop the same test file in all attacked folders, containing basic instructions on how to recover the lost files. As there is no specific amount mentioned in the note, the ransom might be negotiated, although we will never recommend paying.
ONI ransomware test results
TEMASOFT Ranstop detects ONI ransomware easily once it starts encrypting files. Upon detection, the user is alerted, and the ransomware process is blocked and quarantined. The affected files are automatically restored so that the user doesn’t lose her important documents.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.