ONI ransomware virus

September 13, 2018

What is ONI ransomware

ONI ransomware is a dangerous cryptovirus that has been actively attacking Japanese networks.

ONI ransomware is a malicious file-encrypting virus that is mainly used in cyber attacks against Japanese companies. It shares similarities with the infamous Globe Imposter virus. Once installed, the malware also infects the system with a Remote Access Trojan (RAT) that is used to take full control of the victim’s computer. Researchers suggest that the malware was developed by the same threat actors who created the MBR-ONI bootkit ransomware. Once there, the virus encrypts files and appends the .ONI file extension. The ransom note used by the ONI cryptovirus is RESTORE_ONI_FILES.txt.


As soon as the cybercriminals gain remote access to the target network, they start trying to compromise the domain administrator’s account and the servers. First the attackers steal valuable data, and only then do they deploy the ransomware to the target computers. The initial ransomware variant encrypts files and adds the .oni extension to them.


It appears that there are two variants of the described ransomware: ONI ransomware and MBR-ONI ransomware. As the name of the second one suggests, it tampers with the compromised computer’s Master Boot Record (a technique also used by the NotPetya and Bad Rabbit ransomware viruses).

Once installed, the ONI virus drops its malicious payload, restarts the computer and then displays the following message on the victim’s screen:

The ONI ransomware variant displays a slightly different ransom note called !!!README!!!.html, which addresses the victim in Japanese. It asks the victim to write to hyakunoonigayoru@yahoo.co.jp for details regarding data recovery and claims that the data was encrypted with the RSA-2048 and AES-256 ciphers. This variant also adds the .oni extension to encrypted files.

Researchers from Cybereason say that the attackers used the MBR-ONI virus as a wiper to cover their tracks. The intrusions lasted from three to nine months and ended with attempts to encrypt data on hundreds of compromised computers, timed so that data on all machines would be locked at the same time.

No matter which version affected your computer, immediate ONI ransomware removal is required. We strongly recommend following the instructions at the end of this article and using anti-malware software to remove the ransomware as soon as possible.

Users who attempt to remove the ONI virus manually often run into problems and cause even more damage to the system, so we do not recommend making the same mistake.

How does ONI ransomware work

Research by Cybereason suggests that the attackers distributed the Ammyy Admin remote access tool, used here as a RAT, via forged Office documents attached to spear-phishing emails. They then used the RAT to map out the internal systems of the compromised networks and steal valuable credentials, eventually gaining full control of the domain. In the next stage of the attack, the researchers suggest, the attackers created a rogue GPO (Group Policy Object) and pushed it across the entire organization; through an autorun persistence mechanism, the GPO fetched a batch script from the domain controller. Windows event logs were then deleted to hide the attackers’ activity, and finally the ONI ransomware binary was executed to encrypt data on the compromised computers.

It also appears that the MBR-ONI variant was deployed only on specific computers, while ONI was executed on almost all of them. Malware analysts believe the MBR variant was used as a wiper to hide the real motives of the operation. The version that replaces the Master Boot Record also used the DiskCryptor program, which was employed in the Bad Rabbit and Petya attacks.
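As an added illustration (not code from the article or from Cybereason’s research), the following Python sketch triages constructed Windows event records for three behaviours the attack chain above describes: a new Group Policy object created on the domain controller, event logs being cleared, and a burst of files gaining the .oni extension next to a ransom note. Event IDs 5137, 1102, 104 and 4663 are real Windows event IDs; the simplified record layout, host names, rename threshold and all sample records are assumptions made for the example.

```python
"""Triage constructed Windows event records for the ONI-style intrusion pattern.

Added example; not from the article or from Cybereason's report.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Real Windows event IDs (the records below are constructed for this example).
GPO_CREATED = 5137           # directory service object created; a new GPO is a groupPolicyContainer
SECURITY_LOG_CLEARED = 1102  # "The audit log was cleared" (Security log)
SYSTEM_LOG_CLEARED = 104     # a System or Application log was cleared
FILE_ACCESS = 4663           # an attempt was made to access an object (file)

RANSOM_EXT = ".oni"                                        # extension the article reports
RANSOM_NOTES = ("!!!README!!!.html", "RESTORE_ONI_FILES.txt")  # note names the article reports
RENAME_THRESHOLD = 5   # assumed tuning value: flag a host once this many .oni files appear


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def triage(events):
    """Return one Finding per suspicious behaviour seen in the event records."""
    findings = []
    oni_files = Counter()
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == GPO_CREATED and ev.get("object_class") == "groupPolicyContainer":
            findings.append(Finding(host, "gpo_created",
                                    f"{ev.get('subject')} created GPO {ev.get('object_name')}"))
        elif eid in (SECURITY_LOG_CLEARED, SYSTEM_LOG_CLEARED):
            findings.append(Finding(host, "event_log_cleared",
                                    f"{ev.get('subject')} cleared the {ev.get('channel', '?')} log"))
        elif eid == FILE_ACCESS:
            name = ev.get("object_name", "")
            base = name.rsplit("\\", 1)[-1]
            if name.lower().endswith(RANSOM_EXT):
                oni_files[host] += 1          # count per host, decide after the loop
            elif base in RANSOM_NOTES:
                findings.append(Finding(host, "ransom_note_dropped", name))
    for host, n in sorted(oni_files.items()):
        if n >= RENAME_THRESHOLD:
            findings.append(Finding(host, "mass_oni_rename",
                                    f"{n} files written with the {RANSOM_EXT} extension"))
    return findings


def hosts_matching_chain(findings):
    """Hosts on which at least two distinct stages of the described chain were seen."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return sorted(h for h, r in rules.items() if len(r) >= 2)


# Constructed sample records (not real telemetry); field names are simplified.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 5137, "object_class": "groupPolicyContainer",
     "object_name": "{CONSTRUCTED-GPO-GUID}", "subject": "CORP\\admin"},
    {"host": "WS07", "event_id": 1102, "channel": "Security", "subject": "CORP\\admin"},
    {"host": "WS07", "event_id": 104, "channel": "System", "subject": "CORP\\admin"},
] + [
    {"host": "WS07", "event_id": 4663,
     "object_name": f"C:\\Users\\u\\Documents\\report{i}.xlsx.oni"} for i in range(6)
] + [
    {"host": "WS07", "event_id": 4663, "object_name": "C:\\Users\\u\\Documents\\!!!README!!!.html"},
    {"host": "WS12", "event_id": 4663, "object_name": "C:\\Temp\\notes.txt.oni"},  # below threshold
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.rule:20} {f.detail}")
    print("hosts matching the chain:", hosts_matching_chain(found))
```

The per-host threshold keeps a single stray .oni file (WS12 in the sample) from raising an alert, while the chain summary only names hosts where more than one stage of the intrusion was observed, which is the combination worth escalating.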

How to delete ONI ransomware

If your files were encrypted by the described ransomware variant, please do not attempt manual ONI ransomware removal. The malware has to be wiped from your computer properly, so we strongly suggest using anti-malware software recommended by our team.

You can find some suggestions in the article below. However, you will need to follow certain instructions to perform a clean boot so that you can remove ONI ransomware from the system.

Stage 1: Delete Browser Extension

First of all, we recommend that you check your browser extensions and remove any that are linked to ONI ransomware. A lot of adware and other unwanted programs use browser extensions to hijack internet applications.

Remove ONI ransomware Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for ONI ransomware or anything related to it, and once you find it, press ‘Remove’.

Uninstall ONI ransomware Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for ONI ransomware or anything related to it, and once you find it, press ‘Remove’.

Delete ONI ransomware Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for ONI ransomware or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If ONI ransomware.safariextz appears on the list, select it and press ‘Clear’.

Remove ONI ransomware Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for ONI ransomware or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer.

In the unlikely scenario that ONI ransomware is still on your browser, follow the additional instructions below.

  5. Press Windows Key + R, type appwiz.cpl and press Enter.
  6. The Program and Features window will open where you should be able to find the ONI ransomware program.
  7. Select ONI ransomware or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from ONI ransomware

There may be cases when adware or PUPs cannot be removed by simply deleting extensions. In those situations, it is necessary to reset the browser to its default configuration. If you notice that the infection is still present even after getting rid of suspicious extensions, follow the instructions below.

Use Chrome Clean Up Tool to Delete ONI ransomware

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is designed to clear the computer of harmful software. If it does not detect ONI ransomware, go back to Clean up computer and reset the settings.

Reset Mozilla Firefox to Default

If you still find ONI ransomware in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox.
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

