
ONI Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 5,972
Threat Level: 10 % (Normal)
Infected Computers: 2,299
First Seen: November 1, 2017
Last Seen: September 16, 2023
OS(es) Affected: Windows

The ONI Ransomware is a Trojan used to attack computer users, often alongside threats designed to collect online banking credentials for Japanese banks. The ONI Ransomware carries out a highly effective encryption ransomware attack that also wipes the Master Boot Record (MBR) on the victim's computer. The ONI Ransomware and several related threats have been active since late spring of 2017, with the ONI Ransomware itself appearing in early November 2017. The ONI Ransomware is used to take the victim's files hostage in exchange for a ransom payment, and it can also be used to wipe the victim's hard drives, causing catastrophic data loss.

This Time the Cybercrooks Used a Japanese Demon to Name Their Ransomware

The ONI Ransomware is distributed through a malicious email campaign that uses targeted phishing emails to deliver ZIP attachments to victims. These ZIP files contain Microsoft Word documents carrying malicious macro scripts, which download and install the ONI Ransomware and other threats onto the victim's computer. The ONI Ransomware has been associated with a RAT designed to install keyloggers and other threats on victims' computers. The people behind the ONI Ransomware have used this RAT to delete all traces of their attack from the victims' computers, to prevent law enforcement and PC security researchers from tracking the ONI Ransomware attack and the people behind it.

The ONI Ransomware encrypts the victim's files using a strong encryption algorithm, adding the file extension '.oni' to the end of each affected file's name. The ONI Ransomware uses a combination of RSA-2048 and AES-256 encryption to make the victim's files permanently inaccessible. Once the files have been encrypted, the ONI Ransomware delivers a ransom note named '!!!README!!!.html,' which is dropped on the infected computer's desktop. The full text of the ONI Ransomware's ransom note, in Japanese, reads as follows:

'重要な情報!
すべてのファイルは、RSA-2048およびAES-256暗号で暗号化されています。
心配しないで、すべてのファイルを元に戻すことができます。
すべてのファイルを素早く安全に復元できることを保証します。
ファイルを回復する手順については、お問い合わせ。
信頼性を証明するために、2ファイルを無料で解読できます。ファイルと個人IDを私たちにお送りください。
(ファイルサイズ10MB未満、機密情報なし)
連絡先
hyakunoonigayoru@yahoo.co.jp'

The translation into English of the above message reads:

'Important information!
All files are encrypted using RSA-2048 and AES-256 encryption.
Do not worry, you can restore all the files.
We guarantee that all files can be restored quickly and safely.
For instructions on how to recover files, please contact us.
To prove reliability, you can decrypt two files for free. Send us a file and a personal identifier.
(File size is less than 10 MB, without confidential information)
Contact address
hyakunoonigayoru@yahoo.co.jp'
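The two on-disk markers described above, the appended '.oni' extension and the '!!!README!!!.html' note, are what a responder checks for first. The following Python script is an added triage example, not code from this page or from any vendor tool; it runs over a constructed Windows file listing and note body, and the threshold of five renamed files is an assumed value.

```python
"""Added triage helper for the ONI markers described above (not vendor code)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

ONI_EXT = ".oni"                      # extension appended to each encrypted file
RANSOM_NOTE = "!!!README!!!.html"     # note dropped on the desktop
KNOWN_CONTACT = "hyakunoonigayoru@yahoo.co.jp"  # address quoted in the note
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def classify_paths(paths):
    """Split a file listing into renamed '.oni' files (per directory) and ransom notes."""
    oni_files, notes, per_dir = [], [], Counter()
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower().endswith(ONI_EXT):   # 'report.docx.oni' yes, 'onion.dll' no
            oni_files.append(p)
            per_dir[str(wp.parent).lower()] += 1
        elif wp.name == RANSOM_NOTE:
            notes.append(p)
    return {"oni_files": oni_files, "notes": notes, "per_dir": dict(per_dir)}

def extract_contacts(note_html):
    """Pull e-mail addresses out of a note body and flag the one this write-up quotes."""
    found = sorted(set(EMAIL_RE.findall(note_html)))
    return {"contacts": found, "matches_known": KNOWN_CONTACT in found}

def assess(paths, note_html="", threshold=5):
    """'infected' = note plus >= threshold renamed files; 'suspicious' = one marker only."""
    c = classify_paths(paths)
    n = len(c["oni_files"])
    verdict = ("infected" if c["notes"] and n >= threshold
               else "suspicious" if c["notes"] or n else "clean")
    return {"verdict": verdict, "oni_count": n, "per_dir": c["per_dir"],
            "notes": c["notes"], **extract_contacts(note_html)}

# Constructed sample listing and note body; not artifacts from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.oni",
    r"C:\Users\alice\Documents\budget.xlsx.oni",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\trip.jpg.oni",
    r"C:\Users\alice\Pictures\family.png.ONI",
    r"C:\Users\alice\Desktop\!!!README!!!.html",
    r"C:\Users\alice\Desktop\todo.docx.oni",
    r"C:\Windows\System32\onion.dll",
]
SAMPLE_NOTE = "<html><body><p>Contact: hyakunoonigayoru@yahoo.co.jp</p></body></html>"
```

Calling `assess(SAMPLE_PATHS, SAMPLE_NOTE)` on the constructed listing returns the verdict 'infected' with five renamed files, one note on the desktop and the quoted contact address recognised; feeding it a real directory walk (for example the output of `os.walk`) is the intended use.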

The Novelty Included by the ONI Ransomware in Its Infection

This threat also carries out a more sophisticated attack that encrypts the victim's full drive (as mentioned before, there are several variants of this ransomware Trojan). When this happens, the victim's operating system will refuse to load, and the following message will appear at boot, before Windows starts:

'Your data is ENCRYPTED!
You will not decrypt it without our help? Your id: ***
Contact us: oninoy0ru@***
PASSWORD: _'

URLs

ONI Ransomware may call the following URLs:

https://feed.allconverterssearch.com/?q=
