Tuesday, May 13, 2025

New Zola Ransomware Using Multiple Tools to Disable Windows Defender


The seemingly new Zola ransomware is the latest version of the Proton family, which first appeared in March 2023. 

This rebranding highlights the unbroken trend of ransomware’s evolution. 

Cybersecurity researchers at Acronis identified and warned of the new Zola ransomware, which was found using multiple tools to disable Windows Defender.


Zola Ransomware

During an investigation of a cyber attack, security analysts observed contemporary hacking tools in use on several connected machines.

These tools served various purposes, including privilege escalation, network reconnaissance, and credential theft. The main payload was the latest Proton variant, Zola ransomware.

The latter possessed some features that differentiated it from others in the same category, including:

  • A single mutex to block simultaneous execution.
  • Administrative rights verification.
  • Persian language-based kill switch, which could indicate its origin.

Generating victim IDs and encryption keys was part of the malware’s preparation stage. It also modified registry values, changed system wallpapers, disabled recovery options, and altered boot configurations.

Before encrypting any data, Zola terminated 137 processes and 79 services, a step intended to disable security software and shut down applications that would otherwise hold files open and block encryption.


This comprehensive approach demonstrates how far ransomware has evolved since its inception while underlining the importance of multi-layered cybersecurity defenses.

Zola Ransomware Encryption

Zola ransomware will initiate a multi-layered attack after completing all its preliminary operations.

It starts multiple threads for file encryption, encrypting files on both local and network-attached drives that have write permissions.

In September 2023, it switched to using the ChaCha20 algorithm for encryption instead of the AES-GCM used previously, and it relied on the Crypto++ library to implement cryptographic functions.

Evolution of the Proton family (Source - Acronis)

At the same time, another thread is responsible for dropping ransom notes into every folder. However, these notes falsely claim that AES and ECC are the types of encryption used.

Example of the ransom note (Source - Acronis)

Zola also generates a custom BMP image and sets it as the desktop wallpaper as a visual indicator of the infection.

A notable anti-forensics measure introduced in April 2024 consists of creating a temporary file on the C:\ drive, filling the whole disk with 500 kB chunks of uninitialized data, and then deleting this file.

This approach is likely aimed at overwriting slack space, making data recovery more difficult, if not impossible, and hampering investigators' forensic examination.
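The disk-fill behaviour described above has a recognisable shape from the defender's side: one process writing the same 500 kB chunk over and over to a file under C:\ until free space is exhausted, then deleting that file. The following heuristic is an added example (not Acronis tooling or code from this article) that runs over a constructed, simplified endpoint telemetry feed; the field names, thresholds, process names and paths are all assumptions made for the example.

```python
from collections import defaultdict

CHUNK = 500 * 1024       # 500 kB write size reported for Zola's disk-fill routine
MIN_CHUNKS = 4           # constructed threshold: equal-sized chunks before we care
LOW_SPACE_RATIO = 0.01   # "disk exhausted" means under 1% of capacity left free


def detect_disk_fill(events, disk_size):
    """Return (process, path) pairs that write a file under C:\\ in repeated
    fixed-size chunks until free space is nearly gone, then delete that file.

    events: iterable of dicts with keys process, path, action ("write"/"delete"),
            size (bytes written) and free_bytes (free space after the event).
    """
    chunks = defaultdict(int)   # (process, path) -> number of CHUNK-sized writes
    min_free = {}               # (process, path) -> lowest free space observed
    hits = []
    for ev in events:
        if not ev["path"].upper().startswith("C:\\"):
            continue
        key = (ev["process"], ev["path"])
        if ev["action"] == "write" and ev["size"] == CHUNK:
            chunks[key] += 1
            min_free[key] = min(min_free.get(key, disk_size), ev["free_bytes"])
        elif ev["action"] == "delete":
            # The delete closes the pattern: many equal chunks + exhausted disk.
            if chunks[key] >= MIN_CHUNKS and \
                    min_free.get(key, disk_size) <= disk_size * LOW_SPACE_RATIO:
                hits.append(key)
            chunks.pop(key, None)
            min_free.pop(key, None)
    return hits


def _ev(process, path, action, size, free_bytes):
    return dict(process=process, path=path, action=action, size=size, free_bytes=free_bytes)


def constructed_events():
    """Constructed telemetry for a tiny 10 MB volume (not real captured data)."""
    disk = 20 * CHUNK
    tmp = r"C:\Users\u\AppData\Local\Temp\dl.part"
    events = [_ev("updater.exe", r"C:\Updates\pkg.bin", "write", 3 * CHUNK, disk - 3 * CHUNK),
              # benign: two 500 kB chunks to a temp file, then deleted (too few, disk not full)
              _ev("browser.exe", tmp, "write", CHUNK, disk - 4 * CHUNK),
              _ev("browser.exe", tmp, "write", CHUNK, disk - 5 * CHUNK),
              _ev("browser.exe", tmp, "delete", 0, disk - 3 * CHUNK)]
    free = disk - 3 * CHUNK      # suspicious: 500 kB chunks until free space hits zero
    for _ in range(17):
        free -= CHUNK
        events.append(_ev("suspect.exe", r"C:\~tmp0001.tmp", "write", CHUNK, free))
    events.append(_ev("suspect.exe", r"C:\~tmp0001.tmp", "delete", 0, disk - 3 * CHUNK))
    return disk, events
```

Only the process that exhausted the disk with equal-sized chunks and then removed its file is reported; the installer and the short-lived browser download are not.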

Such an all-encompassing approach demonstrates how the Proton ransomware family has evolved, combining strong encryption with methods that hinder recovery and investigation.

This ransomware is available in both x86 and x64 versions and targets a wide range of systems. 

Besides this, the new Zola ransomware retains most of Proton’s core functionality. 

The future variants are also expected to follow this pattern of rebranding with minimal substantial changes.

IoC

Indicators of compromise (Source - Acronis)


Author: Tushar Subhra, cyber security content editor covering cyber security news and technology.
