
ONI Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 6,280
Threat Level: 10 % (Normal)
Infected Computers: 2,219
First Seen: November 1, 2017
Last Seen: February 12, 2023
OS(es) Affected: Windows

The ONI Ransomware is a Trojan that is used to attack computer users, often in association with threats designed to collect online banking credentials for Japanese banks. The ONI Ransomware carries out a highly effective encryption ransomware attack that wipes the Master Boot Record (MBR) on the victim's computer. The ONI Ransomware and several related threats have been active since late spring of 2017, with the ONI Ransomware itself appearing in early November 2017. The ONI Ransomware is used to take the victim's files hostage in exchange for a ransom payment. The ONI Ransomware also can be used to wipe the victim's hard drives, causing catastrophic data loss.

This Time the Cybercrooks Used a Japanese Demon to Name Their Ransomware

The ONI Ransomware is being distributed through a corrupted email campaign that uses targeted phishing emails to deliver compromised ZIP files to victims. These ZIP files contain damaged Microsoft Word documents that include corrupted macro scripts, which download and install the ONI Ransomware and other threats onto the victim's computer. The ONI Ransomware has been associated with a RAT that is designed to install keyloggers and other threats on the victim's computer. The people associated with the ONI Ransomware have been using this RAT to delete all traces of their attack from the victims' computers, to prevent law enforcement and PC security researchers from keeping track of the ONI Ransomware attack and of the people behind this infection.
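The delivery chain described above (a ZIP attachment carrying a macro-enabled Word document) is something a mail gateway or incident responder can check for directly. The following is an added example, not code from the original page or from any vendor: it opens a ZIP attachment in memory, and for each Word document inside it looks for the `word/vbaProject.bin` part that OOXML files use to store VBA macros. Legacy binary `.doc` files are only flagged by extension, since parsing the OLE container would need an extra library. The sample attachment is constructed inline so the check runs offline; the file names in it are made up.

```python
import io
import os
import zipfile

# Word container types: OOXML documents are ZIP archives, legacy ones are OLE binaries.
WORD_OOXML = {".docx", ".docm", ".dotx", ".dotm"}
WORD_LEGACY = {".doc", ".dot"}


def _ooxml_has_vba(doc_bytes: bytes) -> bool:
    """Return True when an OOXML Word file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(name.lower() == "word/vbaproject.bin" for name in doc.namelist())
    except zipfile.BadZipFile:
        # Not a real OOXML package; treat as no detectable VBA part.
        return False


def inspect_zip_attachment(zip_bytes: bytes) -> dict:
    """Classify the Word documents found inside a ZIP attachment.

    Returns a dict with three lists of member names:
      "macro"  - OOXML documents that carry a VBA project (block or quarantine)
      "legacy" - binary .doc/.dot files that may carry macros (manual review)
      "clean"  - OOXML documents with no VBA part
    """
    result = {"macro": [], "legacy": [], "clean": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in WORD_LEGACY:
                result["legacy"].append(info.filename)
            elif ext in WORD_OOXML:
                # Decide on content, not on the extension alone: a .docx with a
                # vbaProject.bin part is still flagged.
                bucket = "macro" if _ooxml_has_vba(outer.read(info)) else "clean"
                result[bucket].append(info.filename)
    return result


def _make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed ZIP attachment: one macro document, one clean, one legacy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docm", _make_ooxml(with_vba=True))
        z.writestr("notes.docx", _make_ooxml(with_vba=False))
        z.writestr("old_report.doc", b"\xd0\xcf\x11\xe0 constructed OLE stub")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))
```

A gateway rule built on this would quarantine anything in the "macro" bucket and route the "legacy" bucket to a sandbox or analyst, because the extension of a binary `.doc` says nothing about whether it contains a macro.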

The ONI Ransomware will encrypt victims' files using a competent encryption algorithm, appending the file extension '.oni' to the end of each affected file's name. The ONI Ransomware uses a combination of RSA-2048 and AES-256 encryption to make the victim's files inaccessible permanently. Once the files have been encrypted, the ONI Ransomware delivers a ransom note named '!!!README!!!.html,' which is dropped on the infected computer's desktop. The full text of the ONI Ransomware's ransom note, in Japanese, reads as follows:


The translation into English of the above message reads:

'Important information!
All files are encrypted using RSA-2048 and AES-256 encryption.
Do not worry, you can restore all the files.
We guarantee that all files can be safely restored quickly and safely.
For instructions on how to recover files, please contact us.
To prove reliability, you can decrypt two files for free. Send us a file and a personal identifier.
(File size is less than 10 MB, without confidential information)
Contact address'
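The two host-based indicators the page gives, the appended '.oni' extension and the '!!!README!!!.html' note on the desktop, are enough for a quick triage sweep of a suspect machine or a file share. The following is an added example, not code from the original page or from any vendor: it walks a directory tree, collects both indicators, and measures the byte entropy of each '.oni' file as a corroborating signal, since properly encrypted data is close to 8 bits per byte while a merely renamed file is not. The 7.5-bit threshold and the verdict labels are my assumptions; the sample tree it scans is constructed in a temporary directory so the sweep runs offline.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ONI_EXTENSION = ".oni"               # extension the page reports being appended
ONI_NOTE_NAME = "!!!README!!!.html"  # ransom note name the page reports
HIGH_ENTROPY = 7.5                   # assumed threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_oni_indicators(root: str) -> dict:
    """Walk `root` and collect ONI-style indicators.

    Returns the paths of '.oni' files, the paths of ransom notes, and how many
    '.oni' files also have near-random content (entropy above HIGH_ENTROPY).
    """
    found = {"oni_files": [], "ransom_notes": [], "high_entropy_oni": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == ONI_NOTE_NAME:
            found["ransom_notes"].append(str(path))
        elif path.suffix.lower() == ONI_EXTENSION:
            found["oni_files"].append(str(path))
            if shannon_entropy(path.read_bytes()) > HIGH_ENTROPY:
                found["high_entropy_oni"] += 1
    return found


def verdict(found: dict) -> str:
    """Combine the indicators into a triage label (labels are assumed, not vendor terms)."""
    if found["ransom_notes"] and found["oni_files"]:
        return "likely ONI infection"
    if found["oni_files"] or found["ransom_notes"]:
        return "suspicious: partial indicators"
    return "no ONI indicators"


def build_sample_tree() -> str:
    """Constructed sample directory: two fake encrypted files, a note, and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="oni_demo_"))
    rng = random.Random(1234)  # deterministic stand-in for ciphertext
    desktop = root / "Desktop"
    desktop.mkdir()
    (desktop / ONI_NOTE_NAME).write_text("<html>constructed ransom note</html>")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.oni").write_bytes(rng.randbytes(4096))
    (docs / "photo.jpg.oni").write_bytes(rng.randbytes(4096))
    (docs / "untouched.txt").write_text("plain text, not encrypted")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    summary = scan_for_oni_indicators(sample)
    print(summary)
    print(verdict(summary))
```

On a real host the scan would be pointed at user profiles and mapped shares; the entropy count matters because it separates files that were actually encrypted from ones that were only renamed, which changes the recovery conversation.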

The Novelty Included by the ONI Ransomware in Its Infection

This threat also carries out a more sophisticated attack that encrypts the victim's full drive (as mentioned before, there are several variants of this ransomware Trojan). When this happens, the victim's operating system will refuse to load, and the following message will appear in the BIOS:

'Your data is ENCRYPTED!
You will not decrypt it without our help? Your id: ***
Contact us: oninoy0ru@***'
