New Zola Ransomware Using Multiple Tools to Disable Windows Defender

The seemingly new Zola ransomware is the latest version of the Proton family, which first appeared in March 2023.

This rebranding illustrates the continuing evolution of ransomware.

Cybersecurity researchers at Acronis identified and warned of the new Zola ransomware, which was found using multiple tools to disable Windows Defender.

Zola Ransomware

During a cyber attack investigation, security analysts noticed the use of current hacking tools on many connected PCs.

The tools were used for various purposes, such as privilege escalation, network reconnaissance, and credential theft. The main payload was Zola ransomware, the latest Proton variant.

Zola has several features that set it apart from other ransomware in the same category:

  • A single mutex to block simultaneous execution.
  • Administrative rights verification.
  • Persian language-based kill switch, which could indicate its origin.

Generating victim IDs and encryption keys was part of the malware’s preparation stage. It also modified registry values, changed system wallpapers, disabled recovery options, and altered boot configurations.

Before encrypting any data, Zola terminates 137 processes and 79 services, a step designed to disable security programs and close applications that would otherwise hold files locked.
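The pre-encryption "kill" phase described above is one of the more detectable moments of a ransomware run, because a single process tearing down dozens of unrelated processes and services in seconds is rare in normal operation. The following is an added example, not code from Acronis or from the Zola sample, showing a sliding-window heuristic over process-termination and service-stop telemetry. The event format, the constructed event records, and the thresholds are assumptions for this illustration and would be tuned to real EDR or Sysmon data.

```python
"""Behavioural heuristic for the pre-encryption "kill" phase.

Added example (not Acronis or Zola code): scores a stream of
process-termination and service-stop events and flags any single actor
that silences many distinct targets of more than one kind inside a short
window. All event records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed)
    actor_pid: int   # process that issued the kill / stop
    kind: str        # "proc_kill" or "svc_stop"
    target: str      # process image or service name


# Constructed telemetry: actor pid 4242 tears down 40 processes and 25 services
# within about 1.5 seconds, while a benign admin session (pid 900) stops two
# services a minute apart.
SAMPLE_EVENTS = (
    [Event(1000.0 + i * 0.02, 4242, "proc_kill", f"app{i}.exe") for i in range(40)]
    + [Event(1001.0 + i * 0.02, 4242, "svc_stop", f"svc{i}") for i in range(25)]
    + [Event(1000.0, 900, "svc_stop", "Spooler"),
       Event(1055.0, 900, "svc_stop", "wuauserv")]
)


def find_mass_kill_actors(events, window_s=30.0, min_kills=20, min_kinds=2):
    """Return {actor_pid: (proc_kill_count, svc_stop_count)} for every actor
    that, inside some sliding window of window_s seconds, hit at least
    min_kills distinct targets spanning at least min_kinds event kinds.
    The counts reported are those of the largest qualifying window."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor[ev.actor_pid].append(ev)

    hits = {}
    for pid, evs in by_actor.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_s.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            targets = {(e.kind, e.target) for e in window}
            kinds = {e.kind for e in window}
            if len(targets) < min_kills or len(kinds) < min_kinds:
                continue
            counts = (sum(e.kind == "proc_kill" for e in window),
                      sum(e.kind == "svc_stop" for e in window))
            if best is None or sum(counts) > sum(best):
                best = counts
        if best is not None:
            hits[pid] = best
    return hits


if __name__ == "__main__":
    for pid, (procs, svcs) in find_mass_kill_actors(SAMPLE_EVENTS).items():
        print(f"pid {pid}: killed {procs} processes and stopped {svcs} services")
```

Requiring two event kinds (process kills and service stops together) keeps ordinary bulk operations such as a service restart script or a `taskkill` of one application's child processes below the alerting line; the window length and count thresholds are the knobs to tune against a baseline of the environment's own administrative activity.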


This comprehensive approach demonstrates how far ransomware has evolved since its inception while underlining the importance of multi-layered cybersecurity defenses.

Zola Ransomware Encryption

Zola ransomware will initiate a multi-layered attack after completing all its preliminary operations.

It starts multiple threads for file encryption, encrypting files on local and network-attached drives to which it has write access.

In September 2023, the family switched from the previously used AES-GCM to the ChaCha20 algorithm for encryption, relying on the Crypto++ library for its cryptographic functions.

[Figure: Evolution of the Proton family]

At the same time, a separate thread drops ransom notes into every folder. These notes falsely claim that AES and ECC are the encryption algorithms used.

[Figure: Example of the ransom note]

Zola also generates a custom BMP image and sets it as the desktop wallpaper.

A notable anti-forensics measure introduced in April 2024 consists of creating a temporary file on the C:\ drive, growing it with 500 kB chunks of uninitialized data until the disk is full, and then deleting the file.

This approach is most likely intended to overwrite slack space, making data recovery difficult or impossible and hindering investigators' forensic examination.
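The fill-the-disk-then-delete behaviour described above leaves a distinctive trace in file-system telemetry: one path grows in uniform steps until free space collapses, then disappears. The following is an added example, not Acronis or Zola code, that flags this pattern. It assumes a simple telemetry record (append size plus the volume's free space after each write, and a delete record); the 500 kB chunk size follows the article and is taken here as 500 x 1024 bytes, and the sample events are constructed.

```python
"""Detector for the "fill the disk, then delete" anti-forensics pattern.

Added example (not Acronis or Zola code). It consumes a constructed stream
of file-system telemetry and flags a file that was grown in uniform chunks
until volume free space was nearly exhausted and was then deleted shortly
afterwards. The telemetry format is an assumption made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

CHUNK = 500 * 1024   # 500 kB chunk size as described in the article (assumed 1 kB = 1024 B)


@dataclass(frozen=True)
class FsEvent:
    ts: float
    op: str               # "write" (append of `size` bytes) or "delete"
    path: str
    size: int = 0         # bytes appended for a "write"
    free_after: int = 0   # free bytes on the volume after this operation (constructed)


def make_sample(disk_free=40 * CHUNK, benign=True):
    """Constructed telemetry: a wiper-style file on C:\\ grows by 500 kB steps
    until the volume is full and is then deleted; a benign log file appends
    small records and is never deleted."""
    events = []
    free = disk_free
    t = 0.0
    while free >= CHUNK:
        free -= CHUNK
        t += 0.01
        events.append(FsEvent(t, "write", "C:\\zx.tmp", CHUNK, free))
    events.append(FsEvent(t + 0.5, "delete", "C:\\zx.tmp", 0, disk_free))
    if benign:
        for i in range(50):
            events.append(FsEvent(10.0 + i, "write", "C:\\app\\app.log", 200,
                                  disk_free - 200 * (i + 1)))
    return events


def find_disk_fill_wipers(events, min_chunks=20, low_free_ratio=0.02,
                          delete_within_s=60.0):
    """Return [(path, chunk_size, chunk_count)] for files that
    (1) received at least min_chunks writes of one identical size,
    (2) drove reported free space below low_free_ratio of the free space
        seen before their first write, and
    (3) were deleted within delete_within_s of their last write."""
    writes = defaultdict(list)
    deletes = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "write":
            writes[ev.path].append(ev)
        elif ev.op == "delete":
            deletes[ev.path] = ev.ts

    flagged = []
    for path, ws in writes.items():
        if len(ws) < min_chunks or path not in deletes:
            continue
        sizes = {w.size for w in ws}
        if len(sizes) != 1:               # uniform chunking is the tell
            continue
        start_free = ws[0].free_after + ws[0].size
        if ws[-1].free_after > low_free_ratio * start_free:
            continue                      # volume was never driven to (near) full
        if deletes[path] - ws[-1].ts > delete_within_s:
            continue
        flagged.append((path, ws[0].size, len(ws)))
    return flagged


if __name__ == "__main__":
    for path, size, n in find_disk_fill_wipers(make_sample()):
        print(f"possible slack-space wipe: {path} ({n} x {size} bytes, then deleted)")
```

Because the data written is uninitialized rather than a fixed pattern, content-based signatures do not help here; the detection has to rest on the shape of the I/O (uniform appends, free space collapsing to zero, prompt deletion). From a response standpoint, a volume that has been through this routine is a poor candidate for file carving, so any imaging effort is better spent on memory and on copies held elsewhere.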

Such an all-encompassing approach demonstrates how the Proton ransomware family has evolved, combining strong encryption with methods that impede both recovery and investigation.

The ransomware is available in both x86 and x64 builds, allowing it to target a wide range of systems.

Beyond this, the new Zola ransomware retains most of Proton's core functionality.

Future variants are expected to follow the same pattern of rebranding with minimal substantive changes.

IoC

[Figure: Indicators of compromise]


Tushar Subhra

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
