Content, Breach, Ransomware

ONI Attacks: How Should MSSPs Handle Wipers, Ransomware or both?


In late October, in the wake of the (very) Bad Rabbit ransomware outbreak that hit organizations in Russia and Ukraine, security researchers (Kaspersky, Comae) confirmed ties between it and this summer’s ExPetr/NotPetya attacks. Bad Rabbit was similarly a wiper/sabotage attack, they said. Master boot records (MBR) were overwritten forever, files couldn’t be decrypted, hence no ransom -- what’s done is done. Moreover, unraveling the malware would be challenging.

Prepare for impact: Now we have more linkage. Late last week, security researchers figured out that the ONI ransomware -- with similar characteristics to Bad Rabbit but containing a malevolent wrinkle -- had been hitting Japanese organizations in undetected targeted attacks for up to nine months. Not only did each attack conclude by attempts to simultaneously encrypt hundreds of computers, the invaders apparently also tried to cover their tracks, suggesting a more sinister inspiration.

“We suspect that the ONI ransomware was used as a wiper to cover up an elaborate hacking operation,” Cybereason researcher Assaf Dahan wrote in a blog post. Indeed, in its postmortem the security provider found MBR-ONI, which uses a legitimate disk encryption tool (also used by the Bad Rabbit folks) to alter system MBR and encrypt hard drives.

While Cybereason researchers didn’t outright dismiss the possibility the attackers meant ONI to extort money, they nevertheless figured the “nature of the attacks and the profile of the targeted companies” pointed to other motives. That's intriguing: Ransomware but not really.

“There’s enough evidence to suggest that ONI and MBR-ONI worked more like wiper attempting to cover up an ongoing hacking operation by destroying data instead of a ransomware attack that encrypted files,” Dahan wrote. The attackers cleared hundreds of Windows event logs to destroy evidence that they’d been there, he said, questioning why they’d spend up to “nine months in the environment without a sure plan to make money.”

That modus operandi makes ONI/MBR-ONI unusual. Using ransomware in targeted hacks is atypical compared to the growing incidence of ransomware alone but the number of reports about ransomware and wipers deployed in targeted attacks is growing, said Dahan. NotPetya and Bad Rabbit are obvious examples.

Ultimately, with hacks we always come around to the same questions: What about cyber defense and data protection? Where should MSSPs focus their attention to combat the threat? But in this instance there are important distinctions: What's the attackers' true motivation? In the assault's immediate aftermath, experts weighed in with some clues to the puzzle:

“Most attacks, including ONI ransomware, rely on users clicking on a malicious payload, which allows attackers to propagate through the network and compromise critical assets. To defend against these types of attacks, organizations must get ahead of the threat by using predictive technologies, rather than reacting to data breaches.” -- Manoj Asnani, Balbix VP product and design.

"In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. Defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls.” -- Stephan Chenette, Attack IQ founder and CEO.

“Put yourself in the shoes of a threat hunter. You often are looking at myriad systems and combing all the data together to look (hunt) for indications of compromise. However, if the systems supplying the data are cloaked, you cannot get a full picture of what is happening. Without data confidence, you just can’t be sure you have a compromised system.” -- Josh Mayfield, Firemon director (via Information Security Buzz).

In criminal law, uncovering the accused's motivation is central to making a substantive case for the prosecution. What ONI may have given us of value is a brighter investigative light on the next wave of cyber attacks.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.