“Your data is ENCRYPTED!” Oni Virus – Remove + Restore .oni Files

This article aims to help you by showing you how to remove Oni Ransomware virus and restore .oni encrypted files as well as access to your drive.

The latest outbreak, hitting Japanese companies primarily, is called Oni ransomware and has appeared in the wild. The ransomware virus is very similar to the BAD RABBIT ransomware in that it uses a similar DiskCryptor-based approach to encrypt the MBR of a computer and lock it on boot, displaying the image above. The ransomware infection additionally encrypts the files on the victim’s computer or server, adding the .oni file extension, and leaves behind instructions for victims. These lead to a TOR-based website written in Japanese, which demands a hefty ransom fee from victims in order to restore the files that have been encrypted. If you or your organization has been hit by the “Your data is ENCRYPTED!” virus, we advise you to read the following article.

Threat Summary

Name: "Your data is ENCRYPTED!" Virus
Type: Ransomware, Cryptovirus
Short Description: Locks your hard drive and encrypts your files, asking you to pay a ransom to get them back.
Symptoms: Locks the computer on boot, displaying the “Your data is ENCRYPTED!” message. Files are encrypted with an added .oni file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by "Your data is ENCRYPTED!" Virus
User Experience: Join Our Forum to Discuss "Your data is ENCRYPTED!" Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

“Your data is ENCRYPTED!” Ransomware – Distribution

To spread this ransomware virus widely, the primary distribution technique is phishing spam. The messages carry .zip archives as e-mail attachments; the archives pretend to contain legitimate files but actually hold malicious Microsoft Word documents. The e-mails look like the following:

After the victim opens the malicious document, its content cannot be read and a message asks the user to click “Enable Content” so that the Word document’s macros can display it. The bad news is that once content is enabled, the malicious macro runs and the infection is triggered; the following activities then commence:

Once the hackers have infected one device in a larger network, they begin to use techniques that are not yet known to spread the “Your data is ENCRYPTED!” virus to other computers on the network as well, in order to infect as many devices as possible.

“Your data is ENCRYPTED!” Virus – Malicious Activity

Once the “Your data is ENCRYPTED!” ransomware has infected a given system, it triggers multiple malicious instructions that drop its payload files. They are reported to be those of a previously detected GlobeImposter ransomware variant.

Once this has been done, the ransomware also drops its ransom note file, called !!!README!!!.html. It leads victims to the following ransom note with instructions on how to pay the ransom in order to recover your files:

But this virus does not stop there. If the infected machine is a more central computer, the malware uses code and scripts from another ransomware, known as MBR-ONI (MBR being the Master Boot Record of the victim’s computer). Since that ransomware uses the same DiskCryptor program, employed in many other viruses such as the Mamba ransomware and the recently detected BAD RABBIT ransomware, it immediately attacks the MBR of the infected PC’s storage devices. This means that whether you have an SSD or a hard drive, the virus overwrites its MBR, making the drive no longer accessible. This has led many researchers in the field, like the experts at Cybereason, to believe that this threat may evolve into a wiper on some specific computers, like enterprise machines belonging to organizations. After the “Your data is ENCRYPTED!” ransomware overwrites the MBR of your computer, it halts the Windows boot process and immediately displays a message:

Oni Ransomware – Encryption

The encryption performed by this virus consists of two stages. The first stage attacks the files on your computer, leaving them encrypted with a uniquely generated key that is needed to recover them, and that key may be known only to the hackers behind this virus. The ransomware targets only specific kinds of files, such as:

  • Database files.
  • Important files to servers.
  • Images.
  • Different types of documents.

After the files are encrypted, the “Your data is ENCRYPTED!” virus adds the .oni file extension to the encrypted files. This makes them appear like the following:

The other stage of encryption overwrites the Master Boot Record of the computer. This eventually results in the ransomware virus locking the drive of your PC. Researchers, however, do believe that this could be reverted once a master decryption password is discovered, which can decrypt the drive when entered on boot.
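As an added defender-side example (not part of the original article), the script below walks a mounted or network volume for the two on-disk indicators the article names, files ending in .oni and the !!!README!!!.html note, and lists the directories to isolate first; the three-file threshold and the sample directory layout are constructed assumptions.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# Indicators named in the article: encrypted files get the .oni extension
# and the ransom note is dropped as !!!README!!!.html.
ONI_EXTENSION = ".oni"
RANSOM_NOTE = "!!!README!!!.html"


def scan_for_oni_indicators(root):
    """Walk `root`; return per-directory .oni counts, ransom-note paths
    and the total number of .oni files found."""
    oni_per_dir = defaultdict(int)
    notes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ONI_EXTENSION):
                oni_per_dir[dirpath] += 1
    return {"oni_per_dir": dict(oni_per_dir), "notes": sorted(notes),
            "total_oni": sum(oni_per_dir.values())}


def flagged_directories(result, min_files=3):
    """Directories to isolate first: any holding a ransom note or at least
    `min_files` .oni files (the threshold is our assumption)."""
    flagged = {os.path.dirname(p) for p in result["notes"]}
    flagged.update(d for d, n in result["oni_per_dir"].items() if n >= min_files)
    return sorted(flagged)


def demo():
    """Build a constructed sample tree (plain text, not real malware output),
    scan it, clean up, and return (total .oni files, note count, flagged dirs)."""
    root = tempfile.mkdtemp(prefix="oni-demo-")
    layout = {"shares/finance": ["q3.xlsx.oni", "budget.docx.oni",
                                 "notes.txt.oni", RANSOM_NOTE],
              "shares/hr": ["policy.pdf.oni"],
              "users/alice": ["photo.jpg", "todo.txt"]}
    for rel, files in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in files:
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write("constructed sample content\n")
    result = scan_for_oni_indicators(root)
    flagged = [os.path.relpath(d, root) for d in flagged_directories(result)]
    shutil.rmtree(root)
    return result["total_oni"], len(result["notes"]), flagged
```

Point `scan_for_oni_indicators` at the mount point of the drive from the recovery phase below to get a per-share view of what was encrypted before attempting file recovery.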

Remove “Your data is ENCRYPTED!” Ransomware and Get Your Files Back

Since the “Your data is ENCRYPTED!” ransomware is not like typical ransomware viruses, it is strongly advisable to focus on restoring your files via a different approach. Below, we have designed several instructions that may help you restore as many files as possible without directly having to risk damaging your drive. The methods may not be 100% effective, since they are purely theoretical, but may help in recovering most of your encrypted files. For them you will need:

  • A screwdriver, corresponding to your desktop/laptop.
  • A secure computer that is scanned for malware and cleaned and has a proper ransomware protection.
  • Patience.

First of all, the safe computer from which you scan your files should be a powerful Windows machine that is also properly secured. This is why we recommend following these steps to secure it:

1. Download a ransomware and malware protection program.
2. Download a relevant ransomware protection program.
3. Download a relevant cloud backup program that backs up copies of your files on a secure server, so that even if your computer is affected you will stay protected. For more information you can also check other methods to safely store your data here.

After securing the test PC, you should prepare it for the decryption process, which will most likely be lengthy. This is why we recommend changing the power settings so that your decryption computer does not automatically hibernate or sleep while left decrypting the drive.

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The Power Options menu will appear. In your power plan, click on Change Plan Settings.
Step 3: In your plan’s settings, make sure you set “Turn off the display” and “Put the computer to sleep” to “Never” in the drop-down minutes menu.
Step 4: Click on Save Changes and close the window.

Recovery Phase

For the recovery process, we have outlined several commonly encountered drive migration scenarios between different computers:

  • From Laptop to Laptop with no extra components.
  • From Desktop to Desktop with no extra components.
  • From Laptop to Desktop with a SATA cable converter.
  • From Desktop to Laptop with a SATA cable converter.

To simplify the process, we recommend choosing machines that do not require any extra cables or components for the drive to run on them. In case you do not have such a possibility, we recommend using an external SATA-to-USB adapter.

Step 1: Remove the battery and the power cable from your laptop. For desktop computers, unplug the power cable from the outlet.

Step 2: Using the screwdriver, unscrew the case which carries the hard drive. For laptops, you should follow these steps:

[Image: removing the screws from the laptop case]

Step 3: Remove the hard drive, again using the screwdriver. It will look similar to the one in the picture below:

[Image: the hard drive removed from the case]

Step 4: Plug the hard drive into a secure computer that has an internet connection and Windows installed, and screw it in firmly. If connected directly, the hard drive should be detected by the OS as a separate partition, similar to the picture below:

[Image: the connected hard drive detected as a separate partition]

Step 5: After you have connected the drive, you will likely not be able to open it, because its sectors are encrypted. However, because only some of the sectors are encrypted, just enough to render the drive no longer openable, you may have a chance if you use data recovery software to recover the files from the drive as if you were scanning a lost partition. Most data recovery programs support scanning broken partitions, but we recommend you try the following:

Stellar Phoenix Windows Data Recovery

Conclusion and Protection Tips Against Oni Ransomware Infections

We will continue to monitor the situation with Oni ransomware and update with every new variant coming out, as we did with previous ransomware variants. Follow this web page or our blog newsletter by e-mail for more information to come soon. In the meantime, we strongly advise you to update your Windows systems and secure them properly against malware. To learn more about securing your PC and data in the future, we recommend reading the following materials:

Related: Ransomware Protection Tips

Related: Safely Store Your Important Files and Protect Them from Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
