I spoke too soon…Zenis Ransomware Strikes

Yesterday I posted about ransomware cutting a rather low key figure so far in 2018, and then today Zenis strikes! Perfect timing as always! The attack surface is not known yet, researchers came across this and its not clear how it is being distributed to targets.

This is a new strain of ransomware discovered this week and at present there is no way to decrypt Zenis, but it does standout from other ransomware in that it also is deleting backups, not uncommon for sophisticated ransomware such as Cryptowall4 and Cerber 6 for example. It of course is deleting shadow copies but actively hunting for a range of backup files locally and on the network (see below). It is at present thought to be distributed via remote desktop services but research and investigation is still on going.

This is what we know so far:

When executed, the current Zenis Ransomware variant will perform two checks to see if it should begin encrypting the computer. The first check is to see if the file that executed is named iis_agent32.exe, with this check being case insensitive. The other check is to see if a registry value exists called HKEY_CURRENT_USER\SOFTWARE\ZenisService “Active”.

If the registry value exists or the file is not named iis_agent32.exe, it will terminate the process and not encrypt the computer.

If it passes the checks, it will then begin to get the ransom note ready by filling in some information, such as emails and encrypted data.

After that is completed it will execute the following commands to delete the shadow volume copies, disable startup repair, and clear event logs.

cmd.exe /C vssadmin.exe delete shadows /all /Quiet
cmd.exe /C WMIC.exe shadowcopy delete 
cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no 
cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 
cmd.exe /C wevtutil.exe cl Application 
cmd.exe /C wevtutil.exe cl Security 
cmd.exe /C wevtutil.exe cl System"

Zenis will then search for various processes and terminate them. The processes terminated are:

sql
taskmgr
regedit
backup

Now that it has prepared the system to its liking, it will begin encrypting the files on the computer. It does this by scanning the drives on the computer for files with certain extensions. If it finds a file that matches one of the following extensions, it will encrypt it using a different AES key for each file.

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

When encrypting a file it will change the file name to the following format. Zenis-[2 random chars].[12 random chars]. For example, test.jpg would be encrypted and renamed to something like Zenis-4Q.4QDV9txVRGh4.  The original file name and the AES key use to encrypt the file will be encrypted and saved to end of the file.

When looking for files to encrypt, if it finds files associated with backup files, it will overwrite them three times and then delete them. This is to make it more difficult for the victim to restore files from a backup.

The list of extensions targeted for deletion are:

.win, .wbb, .w01, .v2i, .trn, .tibkp, .sqb, .rbk, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm

While encrypting, it will also create ransom notes named Zenis-Instructions.html in every file that it traverses. This ransom note contains instructions on how to contact the ransomware developer in order to get their files back. The current email addresses included in the ransom notes are TheZenis@Tutanota.com, TheZenis@MailFence.com, TheZenis@Protonmail.com, and TheZenis@Mail2Tor.com.

The reason they ask for the ransom note is because it contains a hidden base64 encoded string that can be decrypted using the private RSA key that only the ransomware developer has possession of. When this data is decrypted, the ransomware developer can decrypt the sample file sent to them or create a decryptor.

So far that is what is known, backup, backup, backup! Do not rely on local backup’s!