{
	"id": "8548c467-186e-4d15-806b-b99704769678",
	"created_at": "2026-04-06T00:06:07.655176Z",
	"updated_at": "2026-04-10T03:24:29.404168Z",
	"deleted_at": null,
	"sha1_hash": "ac8dc6df3d39c246d7d661fcc0223f3f69c8a5a2",
	"title": "ONI Ransomware Used in Month-Long Attacks Against Japanese Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 797159,
	"plain_text": "ONI Ransomware Used in Month-Long Attacks Against Japanese Companies\r\nBy Lawrence Abrams\r\nPublished: 2017-10-31 · Archived: 2026-04-05 22:00:46 UTC\r\nAs more and more ransomware outbreaks are discovered, the line between malware used as a wiper and actual ransomware has become blurred. Such is the case with a new ransomware attack called ONI that has been used in targeted, month-long attacks against Japanese companies.\r\nONI goes phishing\r\nIt all started when security firm Cybereason analyzed some computers that were infected with a ransomware called ONI. This ransomware had been analyzed before, but it was not understood how the ONI victims were being infected. After analysis by Cybereason researchers, it was discovered that the infected computers had also previously been targeted by a spear phishing campaign that installs a RAT, or Remote Access Trojan, on the victim's computer.\r\nThese phishing emails pretend to be receipts and carry a zip attachment with a malicious Word document inside it. When a user opens the document and enables macros, a VBScript script is launched that downloads and installs a copy of the Ammyy Admin RAT onto the infected computer.\r\nSpear Phishing Email\r\nSource: Cybereason\r\nWhile Ammyy Admin is a legitimate remote administration tool, in this case it is being used by the attackers to gain full access to the system. 
According to Cybereason, they have found instances of this RAT being installed as far back as December 2016 and as recently as September 2017.\r\nhttps://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/\r\nPage 1 of 6\r\nCybereason has told BleepingComputer that all of the targets were medium to large companies and there have not been any reports of government-related incidents.\r\nCovering their tracks\r\nOnce the attackers were able to gain access to a network, they worked on gaining access to the domain administrator account and servers. Unfortunately, at this point it becomes a bit fuzzy as to what the attackers were doing during their three- to nine-month access to the hacked network.\r\nCybereason has told BleepingComputer that \"it's safe to assume that sensitive data was exfiltrated during those months of active hacking operation\".\r\nWhen the attackers were finished with their hacking operation, ONI Ransomware would come into play. Because the attackers had domain administrator access, they used Group Policy scripts to execute a batch file that cleared over 460 different event logs in order to cover their activities.\r\nClearing Event Logs\r\nSource: Cybereason\r\nThis same script would also deploy the ONI ransomware on computers in order to encrypt files and possibly to further obfuscate the activities of the attackers.\r\nONI Ransomware: A Ransomware or a Wiper?\r\nAn interesting aspect of this attack was that the attackers used two different versions of the ONI Ransomware. 
One version, which was mostly used to target non-critical computers, is a GlobeImposter variant that acts as a user-mode encryptor. When installed, ONI Ransomware encrypts the computer's files and appends the .oni extension to encrypted files, as shown below.\r\nEncrypted Folder\r\nWhen done, victims find a ransom note named !!!README!!!.html in the folders where files were encrypted. These ransom notes contain basic information on what happened to the victim's files and an email address that can be used to contact the attackers for payment instructions.\r\nONI Ransom Note\r\nThis is all standard procedure for GlobeImposter ransomware variants.\r\nIt gets more interesting, though, as Cybereason discovered that the attackers were also using another ransomware on certain computers. This ransomware is being called MBR-ONI because it encrypts the actual file system and then replaces the MBR, or Master Boot Record, with a password-protected lock screen that is displayed before Windows boots.\r\nIt does this by utilizing the legitimate DiskCryptor program, which was also recently used in the Bad Rabbit Ransomware attack, to encrypt the file system; a password is then required to make it accessible again.\r\nMBR-ONI Lock Screen\r\nSource: Cybereason\r\nAccording to Cybereason, MBR-ONI was only deployed on Active Directory servers or \"critical assets\".\r\nUnlike the NotPetya attack, which did not allow decryption of the file system, ONI and MBR-ONI are legitimate ransomware infections that can be decrypted if the victim acquires the decryption key.\r\n
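The MBR replacement described above, as an added example that is not code from the article or from Cybereason: a small Python baseline check for the first sector of a critical server's disk. The sector bytes, the partition table entry and the stand-in 'lock screen' bootstrap are constructed for the demo and do not reproduce DiskCryptor's real bootloader. The point it makes is that a swapped bootloader still ends in a valid 55AA boot signature and, in this example, leaves the partition table untouched, so only a comparison of the bootstrap area against a recorded baseline catches it.

```python
import hashlib

# Added example, not the article's or Cybereason's code. Layout of a classic MBR:
# 446 bytes of bootstrap code, a 64-byte partition table, then the 0x55 0xAA boot
# signature at offset 510.
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIG_OFFSET = 510
BOOT_SIG = bytes.fromhex('55aa')

# Constructed demo data (not captured from a real disk or from MBR-ONI):
# a few plausible first opcodes followed by a label, zero-padded to 446 bytes later.
CLEAN_BOOTSTRAP = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b'constructed clean Windows bootstrap'
LOCKSCREEN_BOOTSTRAP = bytes([0xFA, 0x31, 0xC0, 0x8E, 0xD8]) + b'constructed stand-in for a password prompt bootloader'
# One bootable NTFS-type entry (type 0x07) at LBA 2048 spanning 1048576 sectors, then three empty entries.
PARTITION_TABLE = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
                   + (2048).to_bytes(4, 'little') + (1048576).to_bytes(4, 'little')
                   + bytes(48))


def make_sector(bootstrap, partition_table, boot_sig=BOOT_SIG):
    '''Assemble a 512-byte sector from its three regions (demo helper).'''
    code = bootstrap[:PARTITION_TABLE_OFFSET]
    code = code + bytes(PARTITION_TABLE_OFFSET - len(code))   # zero-pad to 446 bytes
    assert len(partition_table) == BOOT_SIG_OFFSET - PARTITION_TABLE_OFFSET
    return code + partition_table + boot_sig


def split_sector(sector):
    return {
        'bootstrap': sector[:PARTITION_TABLE_OFFSET],
        'partition_table': sector[PARTITION_TABLE_OFFSET:BOOT_SIG_OFFSET],
        'boot_sig': sector[BOOT_SIG_OFFSET:],
    }


def baseline(sector):
    '''Record a SHA-256 per region so a later diff says which region changed.'''
    return {name: hashlib.sha256(data).hexdigest() for name, data in split_sector(sector).items()}


def compare_mbr(sector, base):
    '''Return findings for a freshly read sector; an empty list means it matches the baseline.'''
    if len(sector) != SECTOR_SIZE:
        return ['unexpected sector length %d' % len(sector)]
    parts = split_sector(sector)
    findings = []
    if parts['boot_sig'] != BOOT_SIG:
        findings.append('boot signature missing')
    for name in ('bootstrap', 'partition_table'):
        if hashlib.sha256(parts[name]).hexdigest() != base[name]:
            findings.append(name + ' differs from baseline')
    return findings


def demo():
    '''Baseline the clean sector, then check it and a sector whose bootstrap was swapped.'''
    clean = make_sector(CLEAN_BOOTSTRAP, PARTITION_TABLE)
    base = baseline(clean)
    swapped = make_sector(LOCKSCREEN_BOOTSTRAP, PARTITION_TABLE)
    return compare_mbr(clean, base), compare_mbr(swapped, base)


if __name__ == '__main__':
    unchanged, replaced = demo()
    print('clean sector:', unchanged or 'matches baseline')
    print('swapped bootstrap:', replaced)
```

On a real host the sector would come from reading the first 512 bytes of the physical drive with administrative rights, and the baseline digests would be stored off-box, since an attacker with domain administrator access can rewrite anything kept on the server itself.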
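Returning to the batch file from the 'Covering their tracks' section, which cleared more than 460 event logs: an added detection example in Python, not code from the article or from Cybereason. It runs over constructed process-creation records (Sysmon Event ID 1 style, field order timestamp|host|parent image|image|command line) and scores each host on how many distinct logs were cleared with wevtutil inside a ten-minute window, and on whether a script started by the Group Policy script runner (assumed here to appear as gpscript.exe, the parent of the batch) ran on the host in the same window. The article does not name the tool the batch file used; wevtutil cl is an assumption. The threshold, host names and log names are made up for the demo.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example; not code from the article or from Cybereason.
# Assumption: the batch file cleared logs with wevtutil (the article does not name the tool).
WEVTUTIL_CLEAR = re.compile('wevtutil(\\.exe)?\\s+(cl|clear-log)\\s+(?P<log>[^\\s]+)', re.IGNORECASE)
# Assumption: a Group Policy script shows up with gpscript.exe as the parent of its script host.
GPO_SCRIPT_RUNNERS = ('gpscript.exe',)


def parse_event(line):
    '''Field order: timestamp|host|parent image|image|command line (constructed format).'''
    ts, host, parent, image, cmdline = line.split('|', 4)
    return {
        'ts': datetime.fromisoformat(ts),
        'host': host,
        'parent': ntpath.basename(parent).lower(),
        'image': ntpath.basename(image).lower(),
        'cmdline': cmdline,
    }


def detect_log_clearing(lines, window=timedelta(minutes=10), burst_threshold=10):
    '''Score every host that ran wevtutil to clear a log.
    high:   a burst of distinct logs cleared while a GPO-started script ran on the host
    medium: a burst alone, or any clear in the same window as a GPO-started script
    low:    isolated clears (e.g. an admin tidying one log by hand)'''
    clears = defaultdict(list)       # host -> [(ts, log name)]
    gpo_runs = defaultdict(list)     # host -> [ts of scripts started by the GPO runner]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev['parent'] in GPO_SCRIPT_RUNNERS:
            gpo_runs[ev['host']].append(ev['ts'])
        m = WEVTUTIL_CLEAR.search(ev['cmdline'])
        if m and ev['image'] == 'wevtutil.exe':
            clears[ev['host']].append((ev['ts'], m.group('log')))
    findings = {}
    for host, events in clears.items():
        events.sort()
        # largest number of distinct logs cleared inside any window that starts at a clear
        burst = 0
        for i, (start, _) in enumerate(events):
            in_window = {log for ts, log in events[i:] if ts - start <= window}
            burst = max(burst, len(in_window))
        near_gpo = any(abs(ts - run) <= window for ts, _ in events for run in gpo_runs.get(host, []))
        if burst >= burst_threshold and near_gpo:
            severity = 'high'
        elif burst >= burst_threshold or near_gpo:
            severity = 'medium'
        else:
            severity = 'low'
        findings[host] = {'logs': {log for _, log in events}, 'burst': burst,
                          'gpo_script': near_gpo, 'severity': severity}
    return findings


def build_sample():
    '''Constructed telemetry, not real logs: a GPO-started batch on SRV-FILE01 clears 24 logs
    in under a minute, and an admin on WS-ADMIN07 clears one log by hand.'''
    base = datetime(2017, 9, 30, 2, 0, 0)
    lines = [base.isoformat() + '|SRV-FILE01|C:\\Windows\\System32\\gpscript.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Windows\\Temp\\cleanup.bat']
    channels = ['Application', 'Security', 'System', 'Setup'] + [
        'Microsoft-Windows-%s/Operational' % name for name in (
            'TaskScheduler', 'PowerShell', 'Sysmon', 'WMI-Activity', 'WinRM', 'GroupPolicy',
            'TerminalServices-LocalSessionManager', 'TerminalServices-RemoteConnectionManager',
            'RemoteDesktopServices-RdpCoreTS', 'SMBServer', 'SMBClient', 'Bits-Client',
            'DNS-Client', 'CodeIntegrity', 'DriverFrameworks-UserMode', 'NetworkProfile',
            'Kernel-PnP', 'Shell-Core', 'Winlogon', 'Diagnostics-Performance')]
    for i, channel in enumerate(channels):
        ts = base + timedelta(seconds=2 + 2 * i)
        lines.append(ts.isoformat() + '|SRV-FILE01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl ' + channel)
    lines.append('2017-09-30T02:00:05|SRV-FILE01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt')
    lines.append('2017-09-30T09:15:00|WS-ADMIN07|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wevtutil.exe|wevtutil clear-log Application')
    return lines


if __name__ == '__main__':
    for host, f in detect_log_clearing(build_sample()).items():
        print(host, f['severity'], 'distinct logs cleared:', f['burst'], 'gpo script:', f['gpo_script'])
```

Where per-log clear events are available instead of process telemetry (Security event 1102, System event 104 from the Eventlog provider), the same windowed distinct-count logic applies to those records; a single clear from an interactive admin session stays at low severity, which is what keeps the rule quiet on a normal day.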
While Cybereason has told BleepingComputer that there have been no reports of victims paying the ransom or even contacting the attackers, the way these ransomware families were used is uncommon.\r\nThe question remains as to whether the attackers were using ONI to earn some extra money after they finished their attack, to make computers and files inaccessible to cover their traces, or maybe even both. Only time will tell.\r\nIOCs\r\nHashes:\r\nSHA256: 9bba34947b9b2f9d52aeb45b342637ce93d6683bbf8e352da53dae053da37ae6 (GlobeImposter Variant)\r\nFiles associated with ONI:\r\n!!!README!!!.html\r\nONI Ransom Note (Japanese):\r\n重要な情報!\r\nすべてのファイルは、RSA-2048およびAES-256暗号で暗号化されています。\r\n心配しないで、すべてのファイルを元に戻すことができます。\r\nすべてのファイルを素早く安全に復元できることを保証します。\r\nファイルを回復する手順については、お問い合わせ。\r\n信頼性を証明するために、2ファイルを無料で解読できます。ファイルと個人IDを私たちにお送りください。\r\n(ファイルサイズ10MB未満、機密情報なし)\r\n連絡先\r\nhyakunoonigayoru@yahoo.co.jp\r\nONI Ransom Note (English Translation):\r\nImportant information!\r\nAll files are encrypted with RSA-2048 and AES-256 ciphers.\r\nDo not worry, you can restore all the files.\r\nWe guarantee that all files can be restored quickly and safely.\r\nFor instructions on recovering files, contact us.\r\nTo prove reliability, two files can be decrypted for free. Please send us the files and your personal ID.\r\n(File size less than 10 MB, no confidential information)\r\nContact information\r\nhyakunoonigayoru@yahoo.co.jp\r\nSource: https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/"
	],
	"report_names": [
		"oni-ransomware-used-in-month-long-attacks-against-japanese-companies"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac8dc6df3d39c246d7d661fcc0223f3f69c8a5a2.pdf",
		"text": "https://archive.orkl.eu/ac8dc6df3d39c246d7d661fcc0223f3f69c8a5a2.txt",
		"img": "https://archive.orkl.eu/ac8dc6df3d39c246d7d661fcc0223f3f69c8a5a2.jpg"
	}
}