
ONI Ransomware

Posted: November 1, 2017

Threat Metric

Ranking: 7,458
Threat Level: 1/10
Infected PCs: 5,387
First Seen: November 1, 2017
Last Seen: September 23, 2023
OS(es) Affected: Windows

The ONI Ransomware is a Trojan that encrypts media and document files with a combination of the AES and RSA ciphers and may deliver a text message asking the victim to pay for an unlocking solution. Malware experts currently associate the ONI Ransomware's campaign heavily with targeted attacks against Japanese industry and warn that the Trojan may be installed alongside other threats. Users with infected systems should disconnect them from the Internet until they can remove the ONI Ransomware and all other threatening software with appropriate security tools.

A Demon Thirsting for Asian Files

Threat actors with a particular interest in Japanese companies are running a campaign that both takes data hostage and performs other harmful actions, such as handing network control to a remote attacker. These attacks load through a variety of threats, including the ONI Ransomware, which is responsible for much (but not all) of the operation's file-locking. From the criminals' point of view, the ONI Ransomware's ability to extort money appears less important than its ability to distract from the other attacks.

Many campaigns of this sophistication employ custom-built Trojans, but malware researchers have determined that the ONI Ransomware is an updated version of the copycat Globe Imposter Ransomware. The ONI Ransomware encrypts and blocks different data formats, including work media such as documents, while leaving a wide range of Windows software-related directories intact; an optional variant, MBR-ONI, differs in minor configuration details and uses DiskCryptor-based features for its enciphering. Every file that the ONI Ransomware locks has the '.oni' extension appended to its name, which is the most visible identifying characteristic of the ONI Ransomware's payload.

Once it has finished locking content, the ONI Ransomware creates a local Web page with a general encryption warning and a demand to contact the threat actor by e-mail, quoting the client-generated ID, to buy a decryptor. Note that even though most aspects of the ONI Ransomware, including the contact address, use Japanese references, the Trojan's internal code strongly suggests that the campaign's threat actors are of Russian origin.
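The two behaviours above, the '.oni' extension appended to locked files and the ransom note dropped as a local Web page, are what a responder can check for directly on a suspect machine. The following Python script is an added example, not code from the original page or from the ONI Ransomware's authors: it walks a directory tree, lists the renamed files with their pre-encryption names, flags small HTML files that read like a ransom note, and reports any locked file under the Windows directories the Trojan is reported to skip (which would contradict the described behaviour and point to a different family or variant). The ransom-note phrases and the note's file name (DECRYPT_INFO.html) are assumptions, and the sample tree it builds is constructed for the demonstration.

```python
"""Triage of a suspected ONI Ransomware infection.

Added example, not code from the original page or from the malware's
authors. It walks a directory tree, flags files renamed with the '.oni'
extension, recovers their pre-encryption names, and flags small HTML files
that read like the ransom note. The ransom-note phrases and the note's file
name are assumptions; the sample tree is constructed for the demonstration.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ONI_EXT = ".oni"
# Phrases a ransom note commonly contains (assumed, not quoted from ONI's note).
NOTE_MARKERS = re.compile(r"encrypt|decrypt|your files|\bID\b", re.IGNORECASE)
# Top-level directories the write-up says the Trojan leaves intact; a locked
# file under one of them contradicts the described behaviour and is flagged.
SKIPPED_DIRS = {"windows", "program files", "program files (x86)"}


def classify(path: Path):
    """Return ('locked', original_name) for a '.oni' file, ('note', None) for
    a small HTML/HTA file with ransom-note phrasing, or (None, None)."""
    if path.suffix.lower() == ONI_EXT:
        # 'report.docx.oni' -> 'report.docx'
        return "locked", path.with_suffix("").name
    if path.suffix.lower() in {".html", ".htm", ".hta"} and path.stat().st_size < 64 * 1024:
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            return None, None
        if NOTE_MARKERS.search(text):
            return "note", None
    return None, None


def triage(root):
    """Walk root and summarise locked files, ransom notes and any locked file
    sitting under a directory the Trojan is reported to skip."""
    root = Path(root)
    summary = {"locked": [], "notes": [], "locked_by_dir": Counter(),
               "skipped_dir_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            p = Path(dirpath) / name
            kind, original = classify(p)
            rel = p.relative_to(root).as_posix()
            if kind == "locked":
                summary["locked"].append((rel, original))
                summary["locked_by_dir"][rel_dir] += 1
                if rel_dir.split("/")[0].lower() in SKIPPED_DIRS:
                    summary["skipped_dir_hits"].append(rel)
            elif kind == "note":
                summary["notes"].append(rel)
    return summary


def build_sample_tree(base):
    """Constructed sample: locked documents under a user profile, an
    untouched Windows directory and a fake ransom note with a made-up name."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (base / "Windows" / "System32").mkdir(parents=True)
    (docs / "report.docx.oni").write_bytes(b"\x00" * 32)
    (docs / "photo.jpg.oni").write_bytes(b"\x00" * 32)
    (docs / "notes.txt").write_text("not touched")
    (base / "Windows" / "System32" / "kernel32.dll").write_bytes(b"MZ")
    (base / "Users" / "alice" / "DECRYPT_INFO.html").write_text(
        "<html><body>Your files are encrypted. ID: 0123ABCD. "
        "Write to the e-mail address to buy a decryptor.</body></html>")
    return base


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['locked'])} locked file(s), {len(result['notes'])} note(s)")
    for rel, original in result["locked"]:
        print(f"  {rel}  (was {original})")
    if result["skipped_dir_hits"]:
        print("  WARNING: locked files in directories ONI reportedly skips")
```

Point `triage()` at a mounted image or a user profile rather than the demo tree to use it on a real case; the per-directory counts show where the Trojan was working when it was stopped, and the recovered original names are what a backup restore needs.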

The Ritual to Dispel a Digital Age's Oni

The ONI Ransomware's administrators deploy it in a multi-threat strategy that leaves this file-locking program as the final stage of the attack, meaning that it may be covering up more serious attempts to collect company data or create security vulnerabilities. Malware experts relate the ONI Ransomware attacks particularly to RATs and targeted infection attempts that may compromise network logins or give threat actors asymptomatic control over various aspects of the PC's UI. Some sources also speculate that the ONI Ransomware acts as a 'disk wiper' that could erase any evidence of the above issues.

While the ONI Ransomware's overall family is reasonably well-analyzed, decrypting and recovering the files that the ONI Ransomware locks may be impossible. Victims should recover from backups where possible, or contact anti-malware researchers experienced with encryption-based Trojans to review their chances of decoding the ONI Ransomware's ciphers. Deleting the ONI Ransomware with appropriate anti-malware products should always include system scans deep enough to detect all related threats.

Attacks that install the ONI Ransomware most likely use spam e-mails or brute-force hacking techniques, which businesses can protect themselves against with appropriate security software and password maintenance protocols. However, malware experts still have much to determine about this Eastern Trojan, including whether the ONI Ransomware is just a convoluted extortion strategy or something even worse.
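Since brute-force logons are one of the likely entry points, a log check for them is a cheap control to add alongside the password policy. The following Python script is an added example, not code from the original page: it parses constructed, simplified Windows Security log lines (event 4625 for a failed logon, 4624 for a success, logon type 10 for a remote interactive, i.e. RDP, session) and alerts when one source address exceeds a failure threshold inside a sliding time window, with a second alert if a successful logon from that source follows the burst, which is the pattern of a guessed password. The log layout, addresses and user names are all made up for the demonstration.

```python
"""Spotting the brute-force logons that can precede an ONI-style intrusion.

Added example, not from the original page. It parses constructed,
simplified Windows Security log lines (EventID 4625 = failed logon,
4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP) and
raises an alert when one source address exceeds a failure threshold inside
a sliding time window, plus a second alert when a successful logon from
that source follows the burst. Log format, addresses and user names are
all made up for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+) LogonType=(?P<lt>\d+)$"
)

# Constructed sample: a password-guessing burst from 203.0.113.7 that ends in
# a successful RDP logon, two unrelated failures from 198.51.100.4 spread
# over 18 minutes, and an ordinary console logon from 192.0.2.10.
SAMPLE_LOG = """\
2017-11-01 02:10:01 EventID=4625 User=administrator Src=203.0.113.7 LogonType=10
2017-11-01 02:10:09 EventID=4625 User=administrator Src=203.0.113.7 LogonType=10
2017-11-01 02:10:17 EventID=4625 User=admin Src=203.0.113.7 LogonType=10
2017-11-01 02:10:25 EventID=4625 User=admin Src=203.0.113.7 LogonType=10
2017-11-01 02:10:33 EventID=4625 User=root Src=203.0.113.7 LogonType=10
2017-11-01 02:10:41 EventID=4625 User=backup Src=203.0.113.7 LogonType=10
2017-11-01 02:11:30 EventID=4624 User=backup Src=203.0.113.7 LogonType=10
2017-11-01 02:12:00 EventID=4625 User=alice Src=198.51.100.4 LogonType=10
2017-11-01 02:30:00 EventID=4625 User=alice Src=198.51.100.4 LogonType=10
2017-11-01 02:31:00 EventID=4624 User=alice Src=198.51.100.4 LogonType=10
2017-11-01 03:00:00 EventID=4624 User=bob Src=192.0.2.10 LogonType=2
"""


def parse(text):
    """Turn the simplified log lines into event dicts; unknown layouts are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrecognised line: ignore rather than guess at fields
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "eid": int(m["eid"]), "user": m["user"],
                       "src": m["src"], "lt": int(m["lt"])})
    return events


def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window failure counter per source address.

    Returns (kind, src, timestamp, users) tuples: 'brute_force' once a source
    reaches `threshold` failures inside `window`, and 'success_after_brute_force'
    when a 4624 from that source arrives while the burst is still in the window.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # expire failures that fell out of the window
        stamp = ev["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if ev["eid"] == 4625:
            q.append((ev["ts"], ev["user"]))
            if len(q) == threshold:  # fire once per burst, not on every extra failure
                users = sorted({u for _, u in q})  # several names = spraying, not one account
                alerts.append(("brute_force", ev["src"], stamp, users))
        elif ev["eid"] == 4624 and len(q) >= threshold:
            alerts.append(("success_after_brute_force", ev["src"], stamp, [ev["user"]]))
            q.clear()  # the burst has ended in a logon; start counting afresh
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, when, users in run_sample():
        print(f"{when} {kind:<26} src={src} users={','.join(users)}")
```

The threshold and window are the knobs to tune against a real domain's baseline; the second alert is the one worth paging on, because it means a password was actually guessed and the follow-on tooling the write-up describes may be about to land.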

Technical Details

Additional Information

The following URLs were detected:
https://feed.allconverterssearch.com/?q=
