The Zenis Ransomware Variant Goes the Extra Mile

Overview

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer or files.  A subset of ransomware called crypto ransomware (or crypto virus) has seen a dramatic rise in use over the last few years.  Crypto ransomware’s modus operandi involves encrypting popular and common file types on a compromised system and then demanding a ransom from the user for a key that can then be used to decrypt the files.

In Q3 2017, according to Malwarebytes, a company is hit with ransomware every 40 seconds.  This was an increase of 3x over Q1.  “While attacks against consumers are still more prevalent, this acceleration in attacks against businesses indicates criminals are developing targeted campaigns and setting their sights on bigger scores”[1]

When a particular type of malware proves to be effective (and profitable) many variants inevitably arise.  A recently discovered ransomware-type variant titled Zenis is one of the new breed.  Not only does Zenis encrypts files on a compromised system, it also disables the Windows repair and backup option and deletes shadow volume copies on the system.

Zenis is currently in the wild and the exact distribution method is unknown at this time.  Initial analysis suggests compromised Remote Desktop Services could be used.

Ransomware Behavior

After Zenis is installed on a target system it executes the following processes:

  • Runs a check to verify that it’s executed file name is “iis_agent32.exe”
  • Runs a check to verify an “Active” registry value exists named KEY_CURRENT_USER\SOFTWARE\ZenisService.
    • If these two conditions are met then it proceeds to create a ransom note and proceeds with its next steps
  • Deletion of shadow volume copies
  • Disable startup repair
  • Clear event logs
  • Termination of Processes
    • sql
    • taskmgr
    • regedit
    • backup
  • Encrypts Files

 Protect Yourself

Following good computing habits and utilization of security software is important in protecting your systems from ransomware.  Some best practices are as follows:

  • Backup your system and store backup data off-site
  • Do not open attachments if you do not know who sent them.
  • After verifying that an attachment has come from a known source, scan the attachment
  • Make sure all Windows updates are installed as soon as they are released.  Also, make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology.
  • Use strong passwords and do not reuse passwords on multiple sites.

 

Some additional guidance you can reference to hardening your system against ransomware can be found here:  https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/ .

 

[1] Barkly https://blog.barkly.com/ransomware-statistics-2017