An analysis of the Zenis ransomware by Quick Heal Security Labs
Credit to Author: Shriram Munde | Date: Mon, 19 Mar 2018 12:56:40 +0000
Quick Heal Security Labs has come across a new ransomware that goes by the name ‘Zenis’. The ransomware not only encrypts files but also intentionally deletes the infected system’s backup.

The behavior of Zenis ransomware

Once inside a computer, the ransomware performs the following checks before it starts encrypting the user’s data.

- Whether the executed file’s name is ‘iis_agent32.exe’ (this check is not case sensitive).
- Whether the registry entry ‘HKEY_CURRENT_USER\SOFTWARE\ZENISSERVICE’ has the value ‘Active’.

If either one of these checks is not fulfilled, the ransomware halts the process and does not proceed any further. On the other hand, if both checks pass, Zenis fires the commands below to disable the Windows repair and backup options using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.

    cmd.exe /C vssadmin.exe delete shadows /all /Quiet
    cmd.exe /C WMIC.exe shadowcopy delete
    cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no
    cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    cmd.exe /C wevtutil.exe cl Application
    cmd.exe /C wevtutil.exe cl Security
    cmd.exe /C wevtutil.exe cl System

After executing the above commands, Zenis starts its encryption activity. Our analysis shows that the ransomware mainly encrypts non-PE files. Below are the extensions which the ransomware encrypted successfully in the test scenario set up at Quick Heal Security Labs:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Zenis drops infection marker files and encrypted files whose names follow the pattern ‘Zenis-[2 random chars].[12 random chars]’. For example, ‘example.txt’ would be encrypted and renamed with a pattern like ‘Zenis-4V.4V7sb2JRmLNs’.

Fig 1. Files encrypted by Zenis

While searching for files to encrypt, if Zenis finds any backup files, it overwrites them three times and then deletes them. This makes it almost impossible for the affected user to restore their files from the backup.
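The pre-encryption commands and the renaming pattern described above can be turned into detection logic over process-creation logs. The following is an added example, not code from Quick Heal; the function names, the sample events, the two-category threshold, and the assumption that the "random chars" are alphanumeric are all illustrative.

```python
import re
from collections import defaultdict

# One rule per category of recovery-inhibiting command listed in the analysis.
RULES = {
    "shadow_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_off": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "log_clear": re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I),
}
# Renamed-file pattern from the article: Zenis-[2 chars].[12 chars].
# Assumption: the random characters are alphanumeric, as in the article's example.
ENCRYPTED_NAME = re.compile(r"^Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
NOTE_NAME = "zenis-instructions.html"

def classify(cmdline):
    """Return the set of rule categories a single command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def score_events(events, threshold=2):
    """events: iterable of (host, parent_pid, cmdline) tuples.
    Flag a parent process whose children hit >= threshold distinct categories;
    a single category alone is often legitimate admin activity."""
    seen = defaultdict(set)
    for host, ppid, cmdline in events:
        seen[(host, ppid)] |= classify(cmdline)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def is_zenis_name(filename):
    """True for the renamed-file pattern or the dropped ransom note name."""
    return bool(ENCRYPTED_NAME.match(filename)) or filename.lower() == NOTE_NAME

# Constructed sample events (not real telemetry).
SAMPLE = [
    ("WS01", 4120, "cmd.exe /C vssadmin.exe delete shadows /all /Quiet"),
    ("WS01", 4120, "cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no"),
    ("WS01", 4120, "cmd.exe /C wevtutil.exe cl Security"),
    ("WS02", 880, "vssadmin.exe list shadows"),    # read-only query, no match
    ("WS02", 912, "wevtutil.exe cl Application"),  # one category only
]

if __name__ == "__main__":
    for (host, ppid), cats in score_events(SAMPLE).items():
        print(f"ALERT {host} parent_pid={ppid} categories={cats}")
```

Correlating several categories under one parent process keeps the rule quiet for routine administration while still firing on the full sequence the analysis lists.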
Below are the backup file extensions which the ransomware is programmed to delete:

.wbb, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm, .win, w01, .v2i, .trn, .tibkp, .sqb, .rbk

Zenis ransom note

Fig 2. Ransom note by Zenis

How does Zenis spread?

The exact propagation technique used by the ransomware is not known for certain. However, some speculate that it may have spread through hacked remote desktop services.

How Quick Heal protects its users from the Zenis ransomware

Apart from the static detection, Quick Heal’s Behaviour Detection and Anti-Ransomware successfully eliminate this threat.

Fig 3. Quick Heal Anti-Ransomware feature

Fig 4. Quick Heal Behavior Detection feature

Indicators of compromise

- MD5: 8CD8D46CD6C7E336D2BAA2F78D8D0AB4
- Dropped artifact: Zenis-Instructions.HTML
- Registry key: HKEY_CURRENT_USER\software\ZenisService “Active”

How to stay away from ransomware

- Use a multi-layered antivirus that can stop real-time threats. Keep your antivirus up-to-date.
- Update your Operating System regularly as critical patches are released almost every day.
- Keep your software up-to-date. Older and outdated versions of software have vulnerabilities which are almost always exploited by attackers to infect a system with ransomware and other malware.
- Never directly connect remote systems to the Internet. Always use a…