Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2018

How to remove ONI ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

ONI ransomware – dangerous virus using several versions in attacks against Japanese companies

Oni ransomware virus

ONI ransomware is a malicious file-encoding virus that is mainly used in cyber attacks against Japanese companies. It shares similarities with the infamous Globe Imposter virus. Once installed, the malware also infects the system with a Remote Access Trojan (RAT) that is used to take full control of the victim’s computer system. Researchers suggest that the malware has been developed by the same threat actors who created MBR-ONI bootkit ransomware. Once there, the virus encrypts files and appends .ONI file extension. The ransom note used by ONI cryptovirus is RESTORE_ONI_FILES.txt.

Name Oni ransomware
Category Cryptovirus
Danger level High. Mostly attacks Japanese company networks and ordinary PC users
The file extension used .ONI
Ransom note RESTORE_ONI_FILES.txt; !!!README!!!.html
The email address used to contact victims hyakunoonigayoru@yahoo.co.jp
Encryption algorithms RSA-2048 and AES-256 ciphers
Removal  To delete ONI ransomware, use FortectIntego 

As soon as cybercriminals get remote access to the target computer network, they start trying to hack domain administrator’s account and servers. Firstly, hackers steal valuable data, and then they upload the ransomware on the target computers. The initial ransomware variant encrypts files and adds .oni extensions to them[1].

It appears that there are two variants of the described ransomware – ONI ransomware and MBR-ONI ransomware. As the name of the second virus suggests, it meddles with compromised computer’s Master Boot Record (a technique used by NotPetya and Bad Rabbit ransomware viruses).

Once installed, ONI virus drops its malicious payload, restarts the computer and then displays the following message on the victim’s computer screen:

Your data is ENCRYPTED!
You will not decrypt it without our help! Your ID:
Contact us:
Password:

The ONI ransomware displays a slightly different ransom note called !!!README!!!.html. It addresses the victim in the Japanese language. The ransomware also asks to write to hyakunoonigayoru@yahoo.co.jp to get details regarding data recovery. It also claims that data was corrupted using RSA-2048 and AES-256 ciphers. Besides, this malware variant adds .oni file extensions to encrypted files.

Researchers from Cybereason say[2] that hackers used MBR-ONI virus as a wiper to hide their hacking operation. The hacking attacks lasted from three to nine months and ended with attempts to encode data on hundreds of compromised computers (fraudsters wanted to lock data on all machines at the same time).

No matter which version affected your computer, an immediate ONI ransomware removal is required, says Dieviren.de team[3]. We strongly recommend using instructions added at the end of this article and anti-malware software like FortectIntego to kill the ransomware as soon as possible.

Users who attempt to remove ONI virus manually often encounter problems and cause even more damage to the system, so we do not recommend making the same mistake. 

Two versions of ONI ransomware

In-detail description of targeted attacks using ransomware

  • Research by Cybereason suggests that fraudsters distributed Ammyy Admit RATs using forged Office documents. These documents are distributed via spear-phishing emails.
  • Next, fraudsters employed the RAT to map out internal systems of the compromised computer networks and steal valuable credentials. Later on, they gained 100% control of the network.
  • Researchers suggest that in the next attack stage the attackers create fake GPO (group policy) and push it through the entire organization. With the help of an autorun persistence, the fake GPO finds a batch script from DC server.
  • Finally, Windows event logs get deleted to hide cybercriminals’ activities. Finally, ONI ransomware binary gets executed and encrypts data on the compromised computers.
  • Also, it seems that fraudsters employed MBR-ONI version only on specific computers, while ONI was executed on almost all of them. Malware analysts guess that the MBR malware was used as a wiper to hide real motives of the operation.
  • It must be said that virus’ version that replaces Master Boot Record also used DiskCryptor program (employed in Bad Rabbit and Petya cyber attacks).

Remove ONI today and secure your system

If your files were encrypted by the described ransomware variant, please do not think about manual ONI ransomware removal. The malware has to be wiped from your computer professionally, so we strongly suggest using anti-malware software recommended by our team.

You can find some suggestions in the article bellow. However, you will need to follow certain instructions to perform clean boot so that you could remove ONI ransomware from the system.

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.