It’s being reported this morning that a new ransomware attack called ONI has targeted Japanese companies in a month-long campaign. It is increasingly unclear whether the attack is an attempt to wipe data or a traditional ransom operation. IT security experts commented below.
Christopher Littlejohns, EMEA Manager at Synopsys:
“The apparent use of ONI ransomware to destroy logs in order to cover tracks is quite fascinating as it poses questions on the psychology and motivations of the hacker. In this case the ransomware was introduced after an apparent 3-9 months of system access by the hackers. We may be reading too much into this, but why would they want to do this after so much time and without apparent monetisation of the infiltration? One theory is that this may be a professional hacker team that is testing and honing some techniques in preparation for a wider and more lucrative attack in the future. Therefore, the desire to destroy any evidence that may be used to understand and counter their techniques is quite likely to be high. It could also be just a smoke screen to make the company think they have been the victim of an ordinary ransomware attack with no further worries once they get their machines operational again. Corporate IT departments should make all reasonable efforts to secure their logs for forensic analysis to uncover root causes and potential impacts. This can be achieved by ensuring logs can only be modified and deleted by specific system accounts, and also by securing their logs off the systems to a centralised log indexing and management capability. From an application and system perspective all reasonable efforts should be put in place to reduce the risk of privilege escalation that may allow access to system resources that should be protected.”
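The recommendation above (keep logs where the host cannot rewrite them and ship them to a central collector) can be made checkable: if the collector keeps a keyed hash chain over the lines it receives, any later edit, deletion or truncation of the host-side copy becomes detectable. The following is an added illustration, not code from the article or from any vendor quoted in it; the log lines, host names, the collector key and all function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample log lines (not taken from the article). They stand in for
# the kind of host events an intruder would want to erase before deploying
# ransomware; the event IDs are ordinary Windows security/system events.
SAMPLE_LOG = [
    "2017-10-30T08:01:12Z host=FS01 event=4624 user=svc_backup logon_type=3",
    "2017-10-30T08:03:40Z host=FS01 event=4672 user=svc_backup privileges=assigned",
    "2017-10-30T08:05:09Z host=FS01 event=7045 service=diskcryptor_svc",
    "2017-10-30T08:05:11Z host=FS01 event=1102 msg=audit-log-cleared",
]

GENESIS = "0" * 64  # digest used as "previous" for the first record


def seal(prev_digest: str, line: str, key: bytes) -> str:
    """HMAC-SHA256 over (previous digest || line).

    The key is held only by the central collector (the "specific system
    account" in the quote), so a host-level intruder cannot re-seal a
    doctored chain even with full control of the local log files.
    """
    msg = (prev_digest + "\n" + line).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(lines, key: bytes):
    """Collector side: turn raw lines into chained records."""
    records = []
    prev = GENESIS
    for line in lines:
        digest = seal(prev, line, key)
        records.append({"line": line, "prev": prev, "digest": digest})
        prev = digest
    return records


def verify_chain(records, key: bytes):
    """Walk the chain; return (ok, index_of_first_bad_record_or_len).

    Catches edited lines, deleted middle records and inserted records,
    because each digest commits to every earlier line.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or seal(prev, rec["line"], key) != rec["digest"]:
            return False, i
        prev = rec["digest"]
    return True, len(records)


def verify_head(records, key: bytes, expected_head: str) -> bool:
    """Compare against the head digest the collector stored off-host.

    A chain that has merely been truncated at the end still verifies
    internally, so the stored head is what detects trailing deletions.
    """
    ok, _ = verify_chain(records, key)
    if not ok or not records:
        return False
    return hmac.compare_digest(records[-1]["digest"], expected_head)


if __name__ == "__main__":
    key = b"collector-only-key"  # constructed; in practice generated and kept off-host
    chain = build_chain(SAMPLE_LOG, key)
    head = chain[-1]["digest"]
    print("intact:", verify_chain(chain, key), verify_head(chain, key, head))
    # Simulate the host-side copy losing its last line (the audit-clear event).
    truncated = chain[:-1]
    print("truncated:", verify_chain(truncated, key), verify_head(truncated, key, head))
```

The design point is that verification needs two things an on-host intruder does not control: the HMAC key and the last-known head digest, both of which live on the collector. Without the key a modified line cannot be re-sealed; without the head a chain cut short still looks consistent, which is why `verify_head` is the check that matters for the "destroy the logs" scenario the quote describes.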
Javvad Malik, Security Advocate at AlienVault:
“Given the rise in popularity of ransomware and high visibility cases, it is not surprising to see criminals using ransomware to hide true intentions. If a company suspects that it has been compromised with ransomware, it may not conduct any further investigation into what else may be occurring. It’s a similar distraction tactic that we’ve seen in the past whereby DDoS attacks have been launched against a company in order to exfiltrate data elsewhere.”
Chris Doman, Security Researcher at AlienVault:
“Ransomware, and more generally tools to destroy hard disks, have been used to make forensics harder in a number of sophisticated attacks. In particular, there are examples from attackers located out of Iran, Russia and North Korea.
In this case Cybereason don’t provide any evidence for their suggestion that the ransomware was used to cover the tracks of other activity. The fact the attackers appear to have been on the network for some time may indicate that – but it’s not unknown for ransomware attackers to do that either.
The usage of DiskCryptor to perform the actual hard-disk encryption is quite amateur – the attackers may not even be able to recover your files due to the way it operates in some circumstances.”