MBR-ONI is a new ransomware that is being used for targeted attacks in Japan
MBR-ONI is a new ransomware that is being used for targeted attacks in Japan, it is a bootkit ransomware that uses a modified version of the legitimate open-source disk encryption utility DiskCryptor to encrypt the file.
DiskCryptor is the same utility that was used by the recently discovered Bad Rabbit ransomware that targeted systems worldwide, mostly in Russia and Ukraine.
MBR-ONI malware has been used as wipers delete any track of targeted attacks against Japanese organisations.
The MBR-ONI was used by attackers in conjunction with ONI, that appears to be an earlier strain of ransomware developed by the same threat actors.
While ONI was used against most of the computers on targeted networks, MBR-ONI was used on only a limited number of endpoints. These endpoints were critical assets (Active Directory server, file servers, etc).
In the recent years, other wipers were used in targeted attacks including NotPetya, Mamba, SamSam, Shamoon and Bad Rabbit.
In the string of attacks against Japanese organisations, attackers leveraged on spear-phishing emails carrying weaponised Office documents that were used to deliver the Ammyy Admin RAT.
All the attacks that involved the ONI ransomware against Japanese companies across different industries shared the same pattern.
“The penetration vector used in the observed attacks consisted of spear-phishing emails that carried password-protected zip files containing weaponised Office documents.” continues the analysis.
“Once the victims extracted the zip file and opened the document, they were lured into enabling a macro. That launched a VBScript that downloaded and executed the Ammyy Admin RAT.”
Experts observed Ammyy Admin RAT installs on the compromised environment dated from December 2016 to September 2017, a circumstance that suggests that the attacks were carried over a period at least nine months.
Once the attackers penetrated the target’s environment, they will try to spread compromising critical assets such file servers, application servers and the domain controller (DC).
Researchers suspect that the threat actor used the NSA-leaked exploit EternalBlue, in conjunction with other tools to spread throughout the network.
ONI appears to share code with GlobeImposter ransomware, some routines are identical, while MBR-ONI shares a large portion of its code from DiskCryptor.