Hentai Oniichan belongs to the Chimera ransomware family. It renames every encrypted file by appending the “.hor” extension. Like most ransomware, it presents victims with a ransom message: it drops the text file “HELP_ME_RECOVER_MY_FILES.txt” in every folder that contains encrypted data.

The ransom message “HELP_ME_RECOVER_MY_FILES.txt” states that victims can get their files back for 30 Bitcoins. They are urged to pay using the provided BTC wallet and to send an email to hentai.onichan.key@protonmail.ch with proof of payment and their unique identification key. They must then wait for a decryption tool and a key. Ransomware encrypts files with strong encryption algorithms, and it is usually impossible to decrypt them without specific tools that only the cybercriminals who designed the ransomware possess.

Bear in mind that there is no guarantee your files will be returned; do not trust that the criminals will restore them. By paying, you only increase their income and help them improve their threats.

Cybercriminals typically spread ransomware (and other malware) through Trojans, spam campaigns, fake updates, unofficial activation tools (“cracks”), and rogue software download channels. Trojans are malicious programs that often cause chain infections: once installed on the operating system, they install additional malicious programs. Spam campaigns deliver emails carrying malicious attachments.

Initially, the ransomware enumerates running processes and attempts to terminate any that match its internal list. Once the enumeration is complete, it tries to stop the services responsible for backups, monitoring, or anything else that might prevent it from encrypting files. Hentai Oniichan runs multiple PowerShell commands during its execution. To make this possible, it adjusts certain system settings and preferences, and then changes Windows Defender preferences, such as disabling real-time monitoring and behavior monitoring.

The ransomware transmits the victim's username, computer name and encryption key to an external server by email. It builds the message with PowerShell and sends it through Gmail’s SMTP server, so the script itself contains the login credentials.

Hentai Oniichan makes recovery difficult by deleting backup files. Ransomware usually targets the recovery features built into Microsoft Windows: it disables recovery mode and deletes snapshots and the backup catalog. While most ransomware stops at this point, Hentai Oniichan goes the extra mile and also tries to remove potential backup and disk image files.
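The defensive counterpart to the behaviour described in the two preceding paragraphs is to correlate these preparation steps in process-creation telemetry. The following is an added detection example written for this article, not code from the ransomware or from any vendor; the sample records, the host names and the "sample.exe" parent image are constructed placeholders, and the command-line patterns are the common Windows tooling for Defender tampering, shadow-copy deletion, backup-catalog deletion and recovery disablement that the write-up describes in prose.

```python
import re
from datetime import datetime, timedelta

# Behaviours the write-up attributes to this family, as case-insensitive
# command-line patterns; each match is tagged with its category name.
TAMPER_PATTERNS = {
    "defender_tamper": re.compile(
        r"set-mppreference.*-disable(realtime|behavior)monitoring\s+\$?true", re.I),
    "shadow_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disable": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

def classify(cmdline):
    """Return the set of indicator categories one process command line matches."""
    return {name for name, rx in TAMPER_PATTERNS.items() if rx.search(cmdline)}

def correlate(events, window=timedelta(minutes=10), min_categories=2):
    """events: (timestamp, host, parent_image, cmdline) tuples. Alert once per host
    when >= min_categories distinct categories occur inside `window`; a lone admin
    command (e.g. listing shadow copies) never reaches the threshold."""
    alerts, by_host = [], {}
    for ev in sorted(events):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        for i, (t0, _, parent, _) in enumerate(evs):
            cats = set()
            for ts, _, _, cmd in evs[i:]:
                if ts - t0 > window:
                    break
                cats |= classify(cmd)
            if len(cats) >= min_categories:
                alerts.append((host, parent, frozenset(cats)))
                break
    return alerts

# Constructed sample telemetry (not real logs); "sample.exe" is a placeholder
# for the ransomware image, which the write-up does not name.
T = datetime(2021, 1, 1, 10, 0, 0)
SAMPLE = [
    (T, "WS01", "sample.exe",
     'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    (T + timedelta(seconds=5), "WS01", "sample.exe",
     'powershell.exe -c "Set-MpPreference -DisableBehaviorMonitoring $true"'),
    (T + timedelta(seconds=9), "WS01", "sample.exe", "vssadmin.exe delete shadows /all /quiet"),
    (T + timedelta(seconds=12), "WS01", "sample.exe", "wbadmin.exe delete catalog -quiet"),
    (T + timedelta(seconds=15), "WS01", "sample.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    (T - timedelta(hours=1), "WS02", "explorer.exe", "vssadmin.exe list shadows"),
]
```

Running `correlate(SAMPLE)` yields a single alert for WS01 carrying all four categories, while the benign listing command on WS02 produces nothing.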
