ONI Ransomware

Posted: November 1, 2017
Threat Metric
Threat Level: 1/10
Infected PCs 756

ONI Ransomware Description

The ONI Ransomware is a Trojan that locks media-based file formats with the AES and RSA ciphers and may deliver text messages asking the victims to pay for an unlocking solution. Malware experts currently associate the ONI Ransomware's campaign particularly heavily with targeted attacks against Japanese industries and warn that the Trojan may be installing itself alongside other threats. Users dealing with infected systems should disable Internet access until they can remove the ONI Ransomware and all other threatening software with appropriate security tools.

A Demon Thirsting for Asian Files

Threat actors with a particular interest in Japanese companies are running a campaign that can both take data hostage and cause other ill effects, such as giving network control to a remote attacker. These attacks load through a variety of threats, including the ONI Ransomware, which is responsible for much (but not all) of the file-locking side of the operation. From the crooks' viewpoint, the ONI Ransomware's ability to extort money matters less than its ability to distract from other attacks.

Many campaigns of this sophistication employ custom-built Trojans, but malware researchers have determined that the ONI Ransomware is an updated version of the copycat Globe Imposter Ransomware. The ONI Ransomware (and an optional variant, the MBR-ONI Ransomware, which has minor configuration differences) uses DiskCryptor-based features for enciphering and blocking different data formats, including work media such as documents. However, a wide range of Windows software-related directories is left intact. All files that the ONI Ransomware locks have the '.oni' extension appended to their names, which is the most significant English-language characteristic of the ONI Ransomware's payload.

Once it finishes locking content, the ONI Ransomware creates a local Web page with a general encryption warning that demands the victim contact the threat actor over e-mail, quoting a client-generated ID, to buy a decryptor. Note that even though most aspects of the ONI Ransomware, including the contact address, use Japanese references, the Trojan's internal code strongly suggests that the campaign's threat actors are of Russian origin.

The Ritual to Dispel a Digital Age's Oni

The ONI Ransomware's admins deploy it through a multiple-threat strategy that leaves this file-locking program as the final stage of the attack, meaning that it may be covering up more serious attempts at collecting company data or creating security vulnerabilities. Malware experts particularly relate the ONI Ransomware attacks to RATs and targeted infection attempts that may compromise network logins or give threat actors asymptomatic control over various aspects of the PC's UI. Some sources also speculate that the ONI Ransomware acts as a 'disk wiper' that could erase any evidence of the above issues.

While the ONI Ransomware's overall family is reasonably well-analyzed, decrypting and recovering any files that the ONI Ransomware locks may be impossible. Victims should try to recover through backups, if possible, or contact anti-malware researchers experienced with encryption-based Trojans to review their chances of decoding the ONI Ransomware's ciphers. Deleting the ONI Ransomware with appropriate anti-malware products should always include system scans of sufficient depth to detect all related threats.
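An added incident-triage example (not from the original post, and not the Trojan's own code) that builds on the two facts given above: locked files carry an appended '.oni' suffix, and backups are the realistic recovery path. It inventories locked files, recovers each original name by stripping the suffix, and checks a backup tree for a clean copy; the assumption that the backup tree mirrors the victim tree's layout, and the sample file names, are constructed for the example.

```python
"""Restore-plan triage for an ONI Ransomware incident (added example)."""
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".oni"  # the page states this suffix is appended to every locked file


def locked_files(root):
    """Yield every file under root whose name ends in .oni."""
    for path in Path(root).rglob("*" + LOCKED_SUFFIX):
        if path.is_file():
            yield path


def original_name(locked):
    """'report.docx.oni' -> 'report.docx': only the appended suffix is removed."""
    return locked.with_name(locked.name[: -len(LOCKED_SUFFIX)])


def restore_plan(victim_root, backup_root):
    """Return (restorable, missing, hit_types): relative paths of locked files
    that have a backup copy, those that do not, and a Counter of the original
    extensions hit (shows which work-media formats the Trojan targeted).
    Assumes backup_root mirrors victim_root's directory layout."""
    victim_root, backup_root = Path(victim_root), Path(backup_root)
    restorable, missing, hit_types = [], [], Counter()
    for locked in locked_files(victim_root):
        rel = original_name(locked).relative_to(victim_root)
        hit_types[rel.suffix.lower() or "<none>"] += 1
        (restorable if (backup_root / rel).is_file() else missing).append(rel.as_posix())
    return sorted(restorable), sorted(missing), hit_types


def build_sample():
    """Constructed sample: three locked work files, one without a backup copy,
    plus an untouched file in a software directory (left intact per the page)."""
    base = Path(tempfile.mkdtemp())
    victim, backup = base / "victim", base / "backup"
    for rel in ["docs/report.docx.oni", "docs/q3.xlsx.oni", "media/demo.mp4.oni"]:
        (victim / rel).parent.mkdir(parents=True, exist_ok=True)
        (victim / rel).write_bytes(b"\x00ciphertext-placeholder")  # constructed bytes
    (victim / "Windows").mkdir(parents=True)
    (victim / "Windows/app.dll").write_bytes(b"untouched")
    for rel in ["docs/report.docx", "docs/q3.xlsx"]:
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(b"clean copy")
    return victim, backup


if __name__ == "__main__":
    ok, gone, types = restore_plan(*build_sample())
    print("restorable:", ok, "| no backup:", gone, "| formats hit:", dict(types))
```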

Attacks installing the ONI Ransomware most likely use spam e-mails or brute-force hacking techniques, which businesses can protect themselves against with appropriate security software and password maintenance protocols. However, malware experts still have much to determine about this Eastern Trojan, and whether the ONI Ransomware is just a convoluted extortion strategy or something even worse.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to ONI Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
