This ransomware right here is really dangerous and a little bit different from other ransomware infections we have discovered lately. While targeted mostly against companies and institutions in Japan, Oni can be used either as a ransomware or a wiper. Even though wipers are not really common nowadays, we have recorded a second wiper in two weeks, as two weeks ago we informed our users about Ordinypt ransomware which also can operate as a wiper.
Infection Process of Oni ransomware
Infection process of Oni ransomware is rather complicated. Usually viruses like this are spread with mal spam campaigns, but this time this are a bit different. First of all, computers are targeted with remote access trojan. If the infiltration of this trojan is successful, it automatically downloads and installs Oni ransomware on the system.
We have already mentioned that Oni ransomware is mostly targeted to Japanese market, thus obviously all phishing letters and ransomware text itself is written in Japanese. RAT (remote access trojan) is distributed as an attachment to the email letter, that is supposed to be a receipt inside the Word document, which should be accessed after opening attached zip file. If you fall for this trick an open the attachment – it’s game over, the trojan will automatically enter your computer.
We can provide you with such in-depth information due to the research performed by cyber security experts from Cybereason:
Once the attackers gained foothold in the victim’s environment, their next step was to compromise critical assets including file servers, application servers and the DC. The attackers managed to move laterally within the internal network through shared network drives and other techniques.
That means Oni ransomware can infect other computers on the same network and this feature only makes it more threatful. it is really confusing whether to call it ransomware or a wiper, because as for know, only cases of removing files from systems have been recorded, but it’s known that Oni can easily lock files by encrytping it. So basically there are two different versions of Oni – one is dedicated to removing files and destroying entire systems, while the other one targets sole users and makes money by encrypting files and demanding for a ransom. All processes of Oni ransomware are really similar to the ones we have seen with GlobeImposter virus. Once files are encrypted, this ransomware will add extension .oni to the end of each encrypted file and create file named “!!!README!!!.html” on every single folder that features encrypted files. Text in the given file is written in Japanese, but keep in mind that Oni ransowmare can attack users absed in other countries too, thus we provide you with the translated version as well:
All files are encrypted with RSA – 2048 and AES – 256 ciphers.
Do not worry, you can restore all the files.
We guarantee that all files can be safely restored quickly and safely.
For instructions on recovering files, contact us.
To prove reliability, you can decipher two files for free. Please send us the file and personal ID.
(File size less than 10 MB, no confidential information)
Original text in Japanese:
As usually, cyber criminals are trying to build confidence by suggesting to send them encrypted file so they could decrypt it and prove that they have the technology to perform it. You are also informed that your files are encrypted with strong RSA – 2048 and AES – 256 cryptographies and encouraged to contact them by email “[email protected]”.
We do not recommend to either contact cyber criminals or try to pay the ransom, because you simply can’t trust cyber criminals – this can easily result in losing your money and not receiving decryption key. Unfortunately, there is no way to decrypt those files encrypted by Oni at the moment, thus the only option to retrieve your files is to perform a system restore.
Finally, if you are looking to remove malicious files of Oni ransomware from your computer and protect your system from malware like this in the future, we recommend to scan it with trustworthy anti-malware application. You can use Spyhunter for this task – both of these applications should deal perfectly with infection like this. Please note that neither of those programs will be able to unlock your files, it’s not a decryptor.
Oni Ransomware quicklinks
Automatic Malware removal tools
How to recover Oni ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
for Windows 8 / 10
2.Restore System files and settings.
Step 2. Complete removal of Oni ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Oni ransomware. You can check other tools here.
Step 3. Restore Oni ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Oni ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Oni ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this: