Yesterday I posted about ransomware keeping a rather low profile so far in 2018, and then today Zenis strikes! Perfect timing as always. Researchers only came across it this week, and how it is being distributed to targets has not yet been confirmed.
This is a new strain of ransomware discovered this week, and at present there is no free way to decrypt files hit by Zenis. It stands out from most ransomware in that it also deletes backups, something otherwise seen mainly in sophisticated families such as CryptoWall 4 and Cerber 6. It deletes shadow copies, as nearly all ransomware does, and then actively hunts for a range of backup files both locally and on the network (see below). It is currently thought to be distributed via exposed Remote Desktop Services, but research and investigation are still ongoing.
This is what we know so far:
When executed, the current Zenis variant performs two checks before it begins encrypting. The first is whether the file it was launched from is named iis_agent32.exe (the comparison is case-insensitive). The second is whether a registry value named Active exists under HKEY_CURRENT_USER\SOFTWARE\ZenisService.
If the registry value exists, or the file is not named iis_agent32.exe, the process terminates without encrypting anything. Note the asymmetry: the file name is a condition for running, whereas the mere presence of the registry value stops the sample, so for this variant that value behaves as a kill switch.

If it passes both checks, it prepares the ransom note by filling in victim-specific information, such as the contact email addresses and an encrypted data blob.

After that is completed it executes the following commands to delete the volume shadow copies, disable Windows startup repair (so the machine does not drop into the recovery environment after damage), and clear the Application, Security and System event logs:
cmd.exe /C vssadmin.exe delete shadows /all /Quiet
cmd.exe /C WMIC.exe shadowcopy delete
cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no
cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmd.exe /C wevtutil.exe cl Application
cmd.exe /C wevtutil.exe cl Security
cmd.exe /C wevtutil.exe cl System
Zenis then searches for running processes and terminates them. The names it looks for are listed below; given entries such as sql and backup, the matching appears to be on a substring of the process name rather than an exact name:
sql
taskmgr
regedit
backup
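The preparation sequence above (shadow-copy deletion, boot-recovery tampering, event-log clearing) is the most detectable part of Zenis, because the commands are plain and the combination is almost never legitimate. The following is an added hunting example written for this post; it is not code from the original article or from any analysis of the sample. The events in it are constructed to resemble Sysmon Event ID 1 / Security 4688 command lines and are not real logs; the rule names and the two-category alert threshold are my own choices.

```python
"""Hunt process-creation telemetry for the Zenis pre-encryption sequence.

Added example, not code from the original post or from the malware analysis.
The events below are constructed to resemble Sysmon Event ID 1 / Security
4688 command lines; they are not real logs.
"""
import re
from collections import defaultdict

# One rule per tamper category. Matching is done on a lower-cased,
# whitespace-normalised command line, and the patterns deliberately ignore
# the "cmd.exe /C" wrapper and the ".exe" suffix so they also fire if the
# tools are launched directly or from a different parent process.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("boot_recovery_tamper", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("event_log_clearing", re.compile(
        r"\bwevtutil(?:\.exe)?\s+cl\s+(?:application|security|system)\b")),
]


def classify(cmdline):
    """Return the tamper category a command line falls into, or None.

    'vssadmin list shadows' and 'wevtutil qe Security' are deliberately not
    matched: only the destructive sub-commands count."""
    text = " ".join(cmdline.lower().split())
    for category, pattern in RULES:
        if pattern.search(text):
            return category
    return None


def hunt(events, min_categories=2):
    """Aggregate matches per host and alert when a host shows at least
    min_categories distinct tamper categories.

    A lone shadow-copy deletion can be legitimate housekeeping (backup agents
    do it), so a single category is reported but not alerted on; shadow
    deletion plus boot-recovery tampering plus log clearing on one host is
    the ransomware pattern."""
    per_host = defaultdict(lambda: {"categories": set(), "first": None, "last": None})
    for ev in sorted(events, key=lambda e: e["time"]):
        category = classify(ev["cmd"])
        if category is None:
            continue
        entry = per_host[ev["host"]]
        entry["categories"].add(category)
        entry["first"] = entry["first"] or ev["time"]
        entry["last"] = ev["time"]
    return {
        host: {
            "categories": sorted(e["categories"]),
            "first": e["first"],
            "last": e["last"],
            "alert": len(e["categories"]) >= min_categories,
        }
        for host, e in per_host.items()
    }


# Constructed sample telemetry (not real logs): WS01 shows the full Zenis
# sequence, WS02 shows benign admin queries, SRV01 a single housekeeping
# deletion of the oldest shadow copy.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2018-03-18T10:02:11", "cmd": "cmd.exe /C vssadmin.exe delete shadows /all /Quiet"},
    {"host": "WS01", "time": "2018-03-18T10:02:12", "cmd": "cmd.exe /C WMIC.exe shadowcopy delete"},
    {"host": "WS01", "time": "2018-03-18T10:02:13", "cmd": "cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "WS01", "time": "2018-03-18T10:02:14", "cmd": "cmd.exe /C wevtutil.exe cl Security"},
    {"host": "WS02", "time": "2018-03-18T10:05:00", "cmd": "vssadmin.exe list shadows"},
    {"host": "WS02", "time": "2018-03-18T10:05:30", "cmd": "wevtutil.exe qe Security /c:10"},
    {"host": "SRV01", "time": "2018-03-18T03:00:00", "cmd": "vssadmin.exe delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for host, info in hunt(SAMPLE_EVENTS).items():
        flag = "ALERT" if info["alert"] else "info "
        print(f"{flag} {host}: {', '.join(info['categories'])} ({info['first']} .. {info['last']})")
```

Because the last three commands wipe the Application, Security and System logs on the endpoint itself, this hunt only works against events that were forwarded off the host before the sample ran (Sysmon or 4688 events shipped via Windows Event Forwarding or an agent to a SIEM). The clearing itself also leaves a trace: a cleared Security log starts with Event ID 1102, which is worth its own alert.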
Now that it has prepared the system to its liking, it begins encrypting files. It does this by scanning the drives on the computer for files with certain extensions; each file matching one of the following extensions is encrypted with its own AES key:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
When encrypting a file it renames it to the format Zenis-[2 random chars].[12 random chars]. For example, test.jpg would be encrypted and renamed to something like Zenis-4Q.4QDV9txVRGh4. The original file name and the AES key used to encrypt the file are themselves encrypted and appended to the end of the file.

While scanning for files to encrypt, if it finds files with backup-related extensions it overwrites them three times and then deletes them. The overwrite is the point: a plainly deleted file can often be recovered with undelete tools, whereas an overwritten one cannot, so this is intended to make restoring from a backup as hard as possible.

The extensions targeted for deletion are:
.win, .wbb, .w01, .v2i, .trn, .tibkp, .sqb, .rbk, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm
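For scoping an incident it helps to turn the two behaviours described above (renaming encrypted files, wiping backup files) into a quick classifier over a file listing: it shows where the sample has been and which backups are still intact and need to be copied out of reach immediately. The following is an added example written for this post, not code from the original article. The paths are constructed; the encrypted-name pattern follows the Zenis-[2 chars].[12 chars] format described above, but restricting those characters to letters and digits is an assumption taken from the single published sample name, and the encryption-target set is a subset of the full list above.

```python
"""Scope a Zenis infection from a file listing.

Added example, not code from the original post. The paths below are
constructed; the encrypted-name pattern follows the Zenis-[2 chars].[12 chars]
format described in the post, and restricting those characters to letters
and digits is an assumption drawn from the single published sample name.
"""
import ntpath  # Windows path rules regardless of where this script runs
import re
from collections import Counter

ENCRYPTED_NAME = re.compile(r"^Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
RANSOM_NOTE = "zenis-instructions.html"

# Extensions Zenis overwrites three times and deletes (the list above).
WIPED_BACKUP_EXTS = {
    ".win", ".wbb", ".w01", ".v2i", ".trn", ".tibkp", ".sqb", ".rbk", ".qic",
    ".old", ".obk", ".ful", ".bup", ".bkup", ".bkp", ".bkf", ".bff", ".bak",
    ".bak2", ".bak3", ".edb", ".stm",
}

# A subset of the extensions Zenis encrypts, enough for the example; extend
# it from the full list in the post for a real scoping run. Note that .bkp,
# .qic and .bkf appear in both of the post's lists; which behaviour wins for
# them is not documented, so this example counts them as wiped.
ENCRYPT_TARGET_EXTS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".sql", ".mdf",
    ".pst", ".pem", ".pfx", ".zip", ".rar", ".7z",
}


def classify_path(path):
    """Classify one path by what Zenis has done, or would do, to it."""
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if ext in WIPED_BACKUP_EXTS:
        return "backup_at_risk"   # still present, so the wiper has not reached it
    if ext in ENCRYPT_TARGET_EXTS:
        return "target_at_risk"   # still readable, so the encryptor has not reached it
    return "not_targeted"


def triage(paths):
    """Summarise a listing: counts per category plus the folders that hold a
    ransom note, which is the quickest map of where the sample has been."""
    counts = Counter()
    note_dirs = set()
    for path in paths:
        kind = classify_path(path)
        counts[kind] += 1
        if kind == "ransom_note":
            note_dirs.add(ntpath.dirname(path))
    return {"counts": dict(counts), "note_dirs": sorted(note_dirs)}


# Constructed listing (not from a real incident): one share already hit,
# a backup folder the sample has reached but not yet wiped, and two
# untouched locations.
SAMPLE_LISTING = [
    r"D:\Shares\Finance\Zenis-4Q.4QDV9txVRGh4",
    r"D:\Shares\Finance\Zenis-Instructions.html",
    r"D:\Shares\Finance\budget-2018.xlsx",
    r"D:\Backups\finance_2018-03-17.bak",
    r"D:\Backups\Zenis-Instructions.html",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for kind, n in sorted(summary["counts"].items()):
        print(f"{kind:>15}: {n}")
    print("folders with a ransom note:", *summary["note_dirs"], sep="\n  ")
```

Feed it a listing taken from a file server or from a forensic image rather than walking a live, still-infected host. Anything reported as backup_at_risk is a backup file the wiper has not yet overwritten; those are the first things to copy to offline media, since the post explains that once Zenis reaches them they are overwritten three times and cannot be undeleted.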
While encrypting, it also drops a ransom note named Zenis-Instructions.html in every folder it traverses. The note contains instructions on how to contact the ransomware developer in order to get the files back. The email addresses currently included in the notes are TheZenis@Tutanota.com, TheZenis@MailFence.com, TheZenis@Protonmail.com, and TheZenis@Mail2Tor.com.

The attackers ask victims to send the ransom note back because it contains a hidden base64-encoded string that can only be decrypted with the private RSA key held by the ransomware developer. Once that data is decrypted, the developer can decrypt a sample file sent to them or build a decryptor for that victim.

So far that is what is known. Backup, backup, backup! And do not rely on local backups alone: Zenis goes looking for backup files on local drives and network shares and wipes whatever it can reach, so keep copies offline or otherwise out of reach of a compromised account.
It’s enormous that you are getting ideas from this post as well as from our dialogue made at this time.
Thanks, I have just been searching for information approximately this subject for a long time and yours is the best I've discovered till now.
But, what in regards to the bottom line? Are you certain in regards to the supply?
It's always difficult to measure; you can take rough calculations such as RPO / RTO, so in effect how much data you can lose along with how long you can afford to be down. Ransomware is normally calculated rather basically, i.e. cost of the application being offline, cost of recovery. What they do not take into account is post incident, i.e. analysis or RCA along with preventive measures, again such as better endpoint security AI / ML to detect future attacks.