Zenis Ransomware Encrypts Your Data & Deletes Your Backups
Quote: A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not only encrypts your files, but also purposely deletes your backups.

When MalwareHunterTeam found the first sample, it was utilizing a custom encryption method when encrypting files. The latest version, and the one we will discuss in this article, utilizes AES encryption to encrypt the files.

At this time there is no way to decrypt Zenis encrypted files, but Michael Gillespie is analyzing the ransomware for weaknesses. Therefore, if you are infected with Zenis, do not pay the ransom. Instead you can receive help or discuss this ransomware in our dedicated Zenis Ransomware help & support topic.

Below is a brief description of how the Zenis ransomware encrypts a computer, compiled from analysis by MalwareHunterTeam, Michael, and myself.

How Zenis Ransomware encrypts a computer
As previously stated, we do not know how the Zenis Ransomware is currently being distributed. Based on the elusiveness of the ransomware samples and comments from infected people, it could be distributed via hacked Remote Desktop services.

When executed, the current Zenis Ransomware variant will perform two checks to see if it should begin encrypting the computer. The first check is to see if the file that executed is named iis_agent32.exe, with this check being case insensitive. The other check is to see if a registry value exists called HKEY_CURRENT_USER\SOFTWARE\ZenisService "Active".

If the registry value exists or the file is not named iis_agent32.exe, it will terminate the process and not encrypt the computer.

Read the full article HERE
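As an added example, not taken from the article or the post above, here is a PowerShell check for the two markers the quoted analysis describes: the iis_agent32.exe image name and the HKCU\SOFTWARE\ZenisService "Active" value. The script, its variable names and its output format are my own; it inspects only the current user's HKCU hive and the processes visible to the account running it.

```powershell
# Hypothetical triage script: report the two Zenis markers named in the analysis.
$regPath    = 'HKCU:\SOFTWARE\ZenisService'   # key the sample looks for
$valueName  = 'Active'                        # value name the sample looks for
$binaryName = 'iis_agent32.exe'               # image name the sample requires

$findings = @()

# Marker 1: the registry value. The sample exits if it is present, so its
# presence may mean a prior run or a deliberately planted value; either way
# it is worth recording during triage.
if (Test-Path -Path $regPath) {
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Registry value present: $regPath\$valueName = $($props.$valueName)"
    } else {
        $findings += "Registry key present without '$valueName' value: $regPath"
    }
}

# Marker 2: a running process whose image file name matches, compared
# case-insensitively (-ieq), as the analysis says the sample's own check is.
# Some processes expose no Path to a non-elevated caller; those are skipped.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath = $_.Path
    if ($imagePath -and ([IO.Path]::GetFileName($imagePath) -ieq $binaryName)) {
        $findings += "Process $($_.Id) ($($_.ProcessName)) running from $imagePath"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Zenis markers found for the current user and visible processes.'
} else {
    Write-Output 'Zenis markers found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from the affected user's session; other users' HKCU hives live under HKEY_USERS and are not covered by this check.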