Barkly vs Malware
Jonathan Crowe
Mar 2018

Barkly vs. Backup-Deleting Zenis Ransomware


Zenis ransomware is a new strain of ransomware that not only encrypts victim files, but deletes their backups, as well.

Researchers have spotted a new ransomware variant making the rounds. Dubbed "Zenis," this new ransomware is still being actively researched and many details, including how it is being distributed, remain under investigation. One thing that is already clear, however, is that the attackers behind Zenis have gone out of their way to make it particularly destructive. That's because in addition to encrypting a victim's files, the ransomware is designed to seek out their backup files, overwrite them three times, then delete them. 

While we've seen previous ransomware variants take steps to make recovering encrypted files more difficult — such as deleting shadow volume copies — this is the first time we've seen this particular technique in action.

Such destructive measures are becoming more and more common in ransomware attacks as criminals attempt to figure out how to make their campaigns more profitable. Targeting backups makes these attacks more dangerous, and puts even more emphasis on preventing successful ransomware infections in the first place. We'll share tips for how to do that, plus a video showing how Barkly blocks Zenis ransomware before any files can be encrypted or any damage is done below.    

But first, here's more on what we know about Zenis so far.

How Zenis Ransomware Works

Delivery

While it's not immediately clear how Zenis is being distributed, there are two clues that suggest attackers may be launching it by first gaining access to exposed Remote Desktop Protocol (RDP) connections that are protected with weak or stolen credentials. 

First, researchers have pointed out similarities to a previous ransomware strain called Black Ruby.

Based on comments from victims, researchers believe Black Ruby is installed via RDP.  

Second, samples of Zenis have been relatively difficult to find. That supports the RDP theory: unlike ransomware distributed via spam campaigns or drive-by downloads, RDP infections leave no malicious email or website that researchers can investigate in order to obtain their own copies of the ransomware. In RDP compromises, attackers typically install the ransomware manually, and in many cases delete it once encryption is complete.

Gaining access to servers via RDP is an increasingly popular attack vector. For tips on how to secure RDP, see this great write-up from UC Berkeley.

Execution 

Once executed, Zenis conducts a check on the machine to see if a copy of itself is already running or if the following registry value exists: HKEY_CURRENT_USER\SOFTWARE\ZenisService "Active". 

If these checks are passed, the next steps are to prepare the ransom note and execute the following commands to preemptively make recovery more difficult:

cmd.exe /C vssadmin.exe delete shadows /all /Quiet
cmd.exe /C WMIC.exe shadowcopy delete 
cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no 
cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 
cmd.exe /C wevtutil.exe cl Application 
cmd.exe /C wevtutil.exe cl Security 
cmd.exe /C wevtutil.exe cl System

In addition, Zenis searches for and terminates the following processes:

sql
taskmgr
regedit
backup

With those activities conducted, the stage is set for encryption. Zenis scans the system for a variety of file types (full list here), encrypts them, and changes the file names to Zenis-[2 random characters].[12 random characters]. Ex: Zenis-8C-8CmgCOPaxtEN. 
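The sequence of recovery-inhibition commands above (shadow copy deletion, boot recovery tampering, event log clearing) is a useful detection signal on its own. The following is an added example, not Barkly's code or anything from the Zenis sample: it classifies process-creation command lines against those commands and alerts when a single host runs several distinct categories within a short window. The log format and the sample events are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns derived from the recovery-inhibition commands Zenis runs (listed above).
RECOVERY_INHIBITION = {
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "event_log_cleared": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\s+(application|security|system)\b", re.I),
}


def classify_command(cmdline: str) -> list:
    """Return the recovery-inhibition categories a process command line matches."""
    return [name for name, pat in RECOVERY_INHIBITION.items() if pat.search(cmdline)]


def parse_event(line: str):
    """Constructed log format (assumption): '<ISO timestamp>|<host>|<image>|<command line>'."""
    ts, host, image, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image, cmd


def alert_hosts(lines, window=timedelta(minutes=5), min_categories=2) -> dict:
    """Hosts on which >= min_categories distinct categories appear inside one window.
    A lone vssadmin call can be legitimate admin work; several categories in quick
    succession match the pre-encryption sequence described in the post."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _image, cmd = parse_event(line)
        for category in classify_command(cmd):
            per_host[host].append((ts, category))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample events: WS-01 shows the full Zenis sequence, WS-02 a single
# shadow-copy deletion (below the alert threshold), WS-03 benign activity.
SAMPLE_LOG = [
    "2018-03-18T10:00:01|WS-01|C:\\Windows\\System32\\cmd.exe|cmd.exe /C vssadmin.exe delete shadows /all /Quiet",
    "2018-03-18T10:00:02|WS-01|C:\\Windows\\System32\\cmd.exe|cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no",
    "2018-03-18T10:00:03|WS-01|C:\\Windows\\System32\\cmd.exe|cmd.exe /C wevtutil.exe cl Security",
    "2018-03-18T09:30:00|WS-02|C:\\Windows\\System32\\cmd.exe|cmd.exe /C vssadmin.exe delete shadows /all /Quiet",
    "2018-03-18T10:05:00|WS-03|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\notes.txt",
]
```

Running alert_hosts(SAMPLE_LOG) flags only WS-01; feeding real Sysmon Event ID 1 or Security 4688 command lines into parse_event requires only adapting the field split.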

Ransom notes are created named Zenis.Instructions.html, explaining how to contact the attacker via email in order to regain access to the encrypted files. 

[Image: Zenis ransom note, via Bleeping Computer]

Rather than displaying the victim identification key in the visible text of the ransom note, the authors behind Zenis have embedded it as a base64-encoded string hidden in the ransom note's .html source.

Deleting backup files

As mentioned above, Zenis also searches for backup files, targeting the following file types for overwriting and deletion: 

.win, .wbb, .w01, .v2i, .trn, .tibkp, .sqb, .rbk, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm

Victims: Do Not Pay the Ransom — Potential Way to Recover Encrypted Files 

Zenis is currently being investigated for weaknesses, and on March 18 researcher Michael Gillespie announced he can help victims who have had their files encrypted:

The implication is that he may have been able to crack the encryption, so the good news for victims is a decryption tool might be in the works. In the meantime, victims are encouraged not to pay the ransom and get in touch with Gillespie via Twitter @demonslay335, instead. 

Barkly Blocks Zenis Ransomware Before Files Are Encrypted 

[Video: Barkly blocks Zenis ransomware]

Zenis is another example of how ransomware is constantly evolving. Attackers are continuously introducing new variants and adopting new techniques in order to make infections more damaging and stay one step ahead of security products. 

Barkly helps organizations stop playing whack-a-mole with these threats by leveraging smarter, stronger endpoint protection. Rather than relying on file signatures — which results in a constant lag in coverage — Barkly utilizes predictive machine learning models that are trained nightly against the latest malware samples. That enables Barkly to block new malware, even if it's never been seen before. 

In addition to file analysis, Barkly also blocks ransomware behaviors (ex: the attempted deletion of shadow volume copies), providing defense-in-depth that helps you rest easier knowing you're protected on multiple fronts.  

Learn more about how Barkly can protect your company from ransomware.

Additional Steps to Protect Your Company from Ransomware Like Zenis

In addition to utilizing strong endpoint protection, admins are strongly encouraged to:


Zenis hashes:

9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768