A new ransomware attack may really be intended to cover other, targeted attacks against Japanese companies, the cybersecurity firm Cybereason says in a new report.

Ransomware ostensibly prevents systems from operating properly until a victim pays a ransom, but it has been used in the past to divert attention from the real purpose of an attack.

In a Tuesday write up about the ONI ransomware and a new variant of ONI known as MBR-ONI, Cybereason notes that the attackers spent between three and nine months within systems before triggering the ransomware — a process that should not take that long.

The issue is important because there is at least anecdotal evidence that ransomware is being used more frequently as cover for other attacks by attackers of all stripes.

Earlier this year, many security experts believed Russia used NotPetya — malfunctioning ransomware only useful to render a hard drive useless — in an attack meant to target Ukraine. There is no evidence that ONI is lead by any government.

ADVERTISEMENT

Most ransomware encrypts files or critical systems data and charges for the decryption key. Cybereason notes that the new MBR variant does not provide an individual identifier for each machine, making it impossible for attackers to know which victims have paid. This makes it appear as though there is no intent to actually unlock the system.

While the generic ONI ransomware only encrypted files, MBR encrypts data needed to launch systems. MBR appears to have only been installed on systems that could be used to follow whatever else hackers might be doing. MBR may be intended, therefore, to help cover a hackers tracks.

Both generic ONI and MBR-ONI are installed on the same network’s systems through the course of an attack.

ONI seems to be a targeted attack that begins with a personalized phishing attack containing malware-laced Microsoft Office files.

Targets appear to be confined to Japan.