Last year, when WannaCry and NotPetya struck worldwide, many businesses and governments were put on high alert. At the time those ransomware attacks were considered especially dangerous because they could move "laterally" across networks using the EternalBlue exploit stolen from the NSA. NotPetya frightened many businesses because it destroyed files outright. Now there is a new ransomware infecting servers, Zenis. It does not merely encrypt the files on a server or device; it deletes them and their backups as well. Zenis is one of the first ransomware strains that intentionally seeks out and destroys backups in addition to the primary files.

Zenis was first reported on March 13 by MalwareHunterTeam. BleepingComputer, MalwareHunterTeam, and Michael Gillespie worked together to produce a detailed analysis of Zenis. To this day it is unknown how Zenis is being distributed; however, the team's report found that Zenis has at least one known means of spreading, through Remote Desktop services. The Zenis ransom note instructs victims to send the ransom note itself and one encrypted file to prove that decryption is possible. Some victims have tried to pay to have their files decrypted, and one even got the following response from the ransomware developer:

“We check all you 1206 help files with hashing them, unfortunately, we did not find any difference between them. That means your private key is 100% correct, but your files was damaged, One of the potential reasons is the use of public programs. They are trying to bring your files back to their original state, but because the content has been modified, this will damage your files. You are a good man, and making these words upset us. Unfortunately, all you can do. start first ( download link, AES ) zenis decryptor and start full decrypt to undamaged files will be returned, Also upgrade your server and keep string password use for it, Although it’s a pity for us, we are sadly saddened by this. Life goes on. Get up from the ground and continue with strength. Never forget the security of information. Our digital assets are not all our assets.”

This response shows that the attackers' ability, or willingness, to decrypt every affected file on a device cannot be relied on. Most security experts advise against paying the ransom, because the developers rarely hold up their end of the bargain. In this message the developers even appear to be mocking the victim. The security researcher Michael Gillespie, aka @Demonslay335, seems to have found a way to decrypt the files. As a result, he has advised affected victims not to pay the ransom, since they can find support from the team that analysed this ransomware in BleepingComputer's Zenis Ransomware Help & Support topic.

Defending Against Zenis Ransomware

This year you can expect an increase in ransomware attacks, and Zenis will not be the last ransomware to make news headlines. To stay safe it is important to always keep your hardware, operating system, and software up to date. When WannaCry struck it was only able to infect machines running out-of-date Windows OS, and Windows XP users were the most significantly impacted. While it is not known how Zenis is spreading, this precautionary step is still worth taking. The next tip is to not open anything from unfamiliar sources: if you see an email attachment from an address that is not normally in contact with you, don't open it.
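Since the one spreading mechanism the analysis identified is Remote Desktop services, a practical defensive step beyond patching is to watch for RDP brute-force attempts in the Windows Security log. The following is an added example, not code from the article or from the Zenis analysis: it flags a source address that records many RDP logon failures (event 4625, logon type 10) and then an RDP logon success (event 4624, logon type 10) within a short window. The event records, field names, thresholds and IP addresses are constructed for the example and would be adapted to a real log pipeline.

```python
"""Flag RDP logon successes that follow a burst of failures from the same source.

Added example (not part of the article or the Zenis analysis). Assumptions:
- Events are dicts carrying the fields of Windows Security events 4624
  (logon success) and 4625 (logon failure); logon type 10 is
  RemoteInteractive, i.e. Remote Desktop.
- FAILURE_THRESHOLD and WINDOW are arbitrary starting points, not tuned values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILURE_THRESHOLD = 5            # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10)   # how far back to count failures before a success

# Constructed sample records (not real logs); timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # Six failures then a success from one external address: the pattern to catch.
    {"time": "2018-03-14T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:02", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:04", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:06", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-03-14T02:00:30", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    # Two failures then a success: below threshold, a plausible mistyped password.
    {"time": "2018-03-14T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    {"time": "2018-03-14T08:15:20", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    {"time": "2018-03-14T08:15:45", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    # Ordinary interactive (console) logon: not RDP, ignored.
    {"time": "2018-03-14T09:00:00", "event_id": 4624, "logon_type": 2,  "user": "jsmith", "src_ip": "-"},
]


def parse_time(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def find_rdp_brute_force(events, failure_threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one finding per RDP success preceded by >= failure_threshold
    RDP failures from the same source address within `window`."""
    failures = defaultdict(list)   # src_ip -> timestamps of RDP logon failures
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue                # only Remote Desktop logons are of interest here
        when = parse_time(ev["time"])
        src = ev["src_ip"]
        if ev["event_id"] == 4625:
            failures[src].append(when)
        elif ev["event_id"] == 4624:
            recent = [f for f in failures[src] if when - f <= window]
            if len(recent) >= failure_threshold:
                findings.append({
                    "src_ip": src,
                    "user": ev["user"],
                    "success_time": ev["time"],
                    "prior_failures": len(recent),
                })
    return findings


def failures_by_source(events):
    """Count RDP logon failures per source address, a simple triage view."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event_id"] == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            counts[ev["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in find_rdp_brute_force(SAMPLE_EVENTS):
        print("suspicious RDP logon:", finding)
    print("failures per source:", failures_by_source(SAMPLE_EVENTS))
```

On a real host the same logic would be fed from the Security log (for example via `Get-WinEvent` export or a SIEM query) rather than the constructed list, and a finding would normally trigger a review of the account, a password reset and a check that the machine's backups are still intact, since Zenis targets those as well.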

As more developments about Zenis come out, IT Security Central will keep you updated.
