Wednesday, December 11, 2024

New Zola Ransomware Using Multiple Tools to Disable Windows Defender


Zola, a seemingly new ransomware, is the latest variant of the Proton family, which first appeared in March 2023.

The rebranding continues a familiar pattern: ransomware families keep evolving, and periodically relaunch under a new name with only modest changes underneath.

Cybersecurity researchers at Acronis identified and warned of the new Zola ransomware, which was found using multiple tools to disable Windows Defender.


Zola Ransomware

During an incident investigation, Acronis analysts found a set of current hacking tools deployed across several connected machines.

The tools served different purposes, including privilege escalation, network reconnaissance, and credential theft. The main payload was the latest Proton variant, Zola ransomware.

The payload has a few traits that set it apart from others in the same family:

  • A single mutex that prevents a second instance from running at the same time.
  • A check that the process holds administrative rights.
  • A kill switch triggered by the Persian language, which may hint at the operators' origin.

Generating victim IDs and encryption keys was part of the malware’s preparation stage. It also modified registry values, changed system wallpapers, disabled recovery options, and altered boot configurations.

Before encrypting anything, Zola terminates 137 processes and 79 services. The list is intended to disable security software and to close applications that hold locks on files, so that encryption is not blocked.
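A burst of service stops or process terminations from a single parent is the detectable side of this step. The following is an added example, not Acronis' code or anything from the Zola sample: it runs a sliding-window rule over a constructed feed of termination events. The event shape, the field names, the actor path, the 60 second window, the thresholds and the watchlist of Defender-related names are all assumptions made for the example.

```python
# Added example (not Acronis' code, not from the Zola sample): flag one actor
# that stops many distinct services/processes inside a short window.
# Event shape, field names, thresholds and the watchlist are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLDS = {"service": 10, "process": 25}   # distinct targets per window
# Names worth calling out when they appear in the burst (assumed watchlist).
SECURITY_TARGETS = {"WinDefend", "Sense", "MsMpEng.exe", "MsSense.exe"}


def make_sample():
    """Constructed events: a slow, benign admin plus a fast mass-stop burst."""
    base = datetime(2024, 4, 2, 9, 0, 0)
    events = []
    # benign: someone restarting three services several minutes apart
    for i, svc in enumerate(["Spooler", "W32Time", "BITS"]):
        events.append({"ts": base + timedelta(minutes=3 * i),
                       "actor": "services.msc", "kind": "service", "target": svc})
    # suspicious: one binary stopping 30 distinct services within ~5 seconds
    targets = ["WinDefend", "Sense", "SQLWriter"] + [f"svc{i:02d}" for i in range(27)]
    for i, svc in enumerate(targets):
        events.append({"ts": base + timedelta(seconds=10 + i // 6),
                       "actor": r"C:\Users\Public\payload.exe",   # invented path
                       "kind": "service", "target": svc})
    return events


def detect_mass_termination(events, window=WINDOW, thresholds=THRESHOLDS):
    """Return one alert per (actor, kind) whose peak number of distinct
    targets inside any `window` reaches the threshold for that kind."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["actor"], e["kind"])].append(e)

    alerts = []
    for (actor, kind), evs in by_actor.items():
        start, best_count, best_targets = 0, 0, set()
        for end in range(len(evs)):
            # slide the left edge until the window fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {e["target"] for e in evs[start:end + 1]}
            if len(seen) > best_count:
                best_count, best_targets = len(seen), seen
        if best_count >= thresholds[kind]:
            alerts.append({
                "actor": actor,
                "kind": kind,
                "distinct_targets": best_count,
                "security_products_hit": sorted(best_targets & SECURITY_TARGETS),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_termination(make_sample()):
        print(alert)
```

In a real deployment the service side of this feed would come from Service Control Manager event 7036 (a service entered the stopped state) and the process side from Sysmon event 5 (process terminated). Note that 7036 does not record which process asked for the stop, so the `actor` field assumes EDR or similar process-level telemetry; without it, fall back to counting stops per host per window.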


This comprehensive approach demonstrates how far ransomware has evolved since its inception while underlining the importance of multi-layered cybersecurity defenses.

Zola Ransomware Encryption

Once the preliminary steps are complete, Zola starts its multi-threaded encryption routine.

It starts multiple threads for file encryption, encrypting files on both local and network-attached drives that have write permissions.

In September 2023, it switched to using the ChaCha20 algorithm for encryption instead of the AES-GCM used previously, and it relied on the Crypto++ library to implement cryptographic functions.

[Figure: Evolution of the Proton family (Source - Acronis)]

At the same time, another thread is responsible for dropping ransom notes into every folder. However, these notes falsely claim that AES and ECC are the types of encryption used.

[Figure: Example of the ransom note (Source - Acronis)]

Zola generates a custom BMP image and sets it as a desktop wallpaper as part of its visual approach.

A notable anti-forensics measure, introduced in April 2024, creates a temporary file on the C:\ drive, appends 500 kB chunks of uninitialized data to it until the disk is full, and then deletes the file.

The pass is most likely meant to overwrite the volume's unallocated space (often loosely called slack space), where the contents of deleted original files would otherwise remain recoverable by file carving. That makes data recovery much harder, if not impossible, and hampers forensic examination. Note that it does not touch data inside blocks that are still allocated, so file slack within live files is unaffected.
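To see concretely why the fill-and-delete pass works, the following added example models a tiny volume with an allocation bitmap and no journaling. It is not Acronis' code and not from the Zola sample; the block size, volume size, file contents, the PDF carving signature and the assumption that the encrypted copy is written to fresh blocks while the original is deleted are all choices made for the illustration. The filler uses random bytes as a stand-in for the uninitialized data the article describes.

```python
# Added example (not Acronis' code, not from the Zola sample): an in-memory
# volume showing a deleted original being carvable until free space is filled.
import os

BLOCK = 512
PDF_MAGIC = b"%PDF-"          # header a carving tool would look for


class ToyVolume:
    """Fixed-size volume with an allocation bitmap. Deleting a file only
    clears bitmap bits, much like FAT/NTFS, so old data stays in place."""

    def __init__(self, blocks):
        self.blocks = [bytes(BLOCK) for _ in range(blocks)]
        self.used = [False] * blocks
        self.files = {}

    def free_blocks(self):
        return self.used.count(False)

    def _append(self, name, data):
        """Append as much of `data` as fits; return bytes actually written."""
        written = 0
        for i in (i for i, u in enumerate(self.used) if not u):
            chunk = data[written:written + BLOCK]
            if not chunk:
                break
            self.blocks[i] = chunk.ljust(BLOCK, b"\x00")
            self.used[i] = True
            self.files[name].append(i)
            written += len(chunk)
        return written

    def write(self, name, data):
        if -(-len(data) // BLOCK) > self.free_blocks():
            raise OSError("disk full")
        self.files[name] = []
        self._append(name, data)

    def delete(self, name):
        for i in self.files.pop(name):
            self.used[i] = False          # data itself is left untouched

    def carve(self, magic):
        """What a forensic tool sees: unallocated blocks starting with `magic`."""
        return [i for i, u in enumerate(self.used)
                if not u and self.blocks[i].startswith(magic)]

    def wipe_free_space(self, chunk_size=500 * 1024):
        """The anti-forensics step: append chunks to a temp file until the
        disk is full, then delete it. Only unallocated blocks are rewritten;
        slack inside still-allocated blocks is not."""
        name = "$wipe.tmp"
        self.files[name] = []
        while self._append(name, os.urandom(chunk_size)) == chunk_size:
            pass
        self.delete(name)


def demo(volume_blocks=4096):
    """Returns (carvable before wipe, carvable after wipe, all temp space freed)."""
    vol = ToyVolume(volume_blocks)
    original = PDF_MAGIC + b"1.7\n" + b"constructed confidential report " * 40
    vol.write("report.pdf", original)
    # assumed ransomware behaviour: encrypted copy to new blocks, original deleted
    vol.write("report.pdf.locked", os.urandom(len(original)))
    vol.delete("report.pdf")
    before = len(vol.carve(PDF_MAGIC))     # header still sits in free space
    vol.wipe_free_space()
    after = len(vol.carve(PDF_MAGIC))      # remnant overwritten by the filler
    freed = vol.free_blocks() == volume_blocks - len(vol.files["report.pdf.locked"])
    return before, after, freed


if __name__ == "__main__":
    print(demo())
```

On a real system the effect is the same but less deterministic: the filesystem may reuse blocks in a different order, a journal or shadow copies may hold extra copies, and SSD wear levelling can leave stale pages behind the controller. The model shows the intent, not a guarantee about any particular disk.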

Such an all-encompassing approach demonstrates how the Proton ransomware family has evolved showing the integration between strong encryption techniques and methods that restrict the recovery and investigative processes.

The ransomware is distributed in both x86 and x64 builds, which lets it run on a wide range of Windows systems.

Besides this, the new Zola ransomware retains most of Proton’s core functionality. 

The future variants are also expected to follow this pattern of rebranding with minimal substantial changes.

IoC

[Figure: Indicators of compromise (Source - Acronis)]


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
