Quick Heal Security Labs has come across a new ransomware that goes by the name ‘Zenis’. The ransomware not only encrypts files but also deliberately wipes and deletes the infected system’s backups.
The behavior of Zenis ransomware
Once inside a computer, the ransomware performs the following checks before it starts encrypting the user’s data.
If any of these checks fails, the ransomware halts and does not proceed any further. If all of them pass, Zenis runs the commands below to disable the Windows repair and backup options using vssadmin.exe, the built-in tool that creates and manages Volume Shadow Copies on the drive.
After executing the above commands, Zenis starts its encryption activity. Our analysis shows that the ransomware targets non-PE files (it does not encrypt executables). Below are the extensions that the ransomware encrypted successfully in the test scenario run at Quick Heal Security Labs.
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
Zenis drops its infection markers and renames each encrypted file to the following pattern, discarding the original name and extension: Zenis-[2 random chars].[12 random chars].
For example, ‘example.txt’ would be encrypted and renamed to something like ‘Zenis-4V.4V7sb2JRmLNs’.
Fig 1. Files encrypted by Zenis
While searching for files to encrypt, if Zenis finds any backup files, it overwrites their contents three times and then deletes them. Because the data is overwritten before deletion, file-undelete tools cannot recover it, which makes it almost impossible for the affected user to restore their files from a backup.
Below are the extensions that the ransomware is programmed to wipe and delete:
.wbb, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm, .win, .w01, .v2i, .trn, .tibkp, .sqb, .rbk
Zenis ransom note
Fig 2. Ransom note by Zenis
How does Zenis spread?
The exact propagation technique used by the ransomware is not yet known, but some speculate that it is spread through compromised Remote Desktop services.
How Quick Heal protects its users from the Zenis ransomware
Apart from static (signature-based) detection, Quick Heal’s Behaviour Detection and Anti-Ransomware features also block this threat.
Fig 3. Quick Heal Anti-Ransomware feature
Fig 4. Quick Heal Behavior Detection feature
Indicators of compromise
MD5: 8CD8D46CD6C7E336D2BAA2F78D8D0AB4
Ransom note file name: Zenis-Instructions.HTML
Registry marker: HKEY_CURRENT_USER\software\ZenisService “Active”
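The following Python script is an added example, not part of the original Quick Heal write-up, that turns the indicators above into an offline triage check: it flags file names that match the Zenis rename pattern, finds the ransom note, lists files whose extensions fall in the backup-wiping list, matches a hash against the published MD5, and (on Windows only) looks for the HKCU registry marker. The character class for the “random chars” is an assumption (the page only says “random chars”; the sample name is alphanumeric), and the directory listing is constructed for the demonstration.

```python
import hashlib
import ntpath
import re

# Indicators from the write-up. The alphanumeric character class is an
# assumption; the page says only "random chars".
ZENIS_NAME_RE = re.compile(r"^Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
RANSOM_NOTE = "zenis-instructions.html"
KNOWN_MD5 = {"8cd8d46cd6c7e336d2baa2f78d8d0ab4"}
BACKUP_EXTS = {
    ".wbb", ".qic", ".old", ".obk", ".ful", ".bup", ".bkup", ".bkp", ".bkf",
    ".bff", ".bak", ".bak2", ".bak3", ".edb", ".stm", ".win", ".w01", ".v2i",
    ".trn", ".tibkp", ".sqb", ".rbk",
}

# Constructed directory listing (Windows paths) used as sample input.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Zenis-4V.4V7sb2JRmLNs",
    r"C:\Users\alice\Documents\Zenis-Instructions.HTML",
    r"C:\Users\alice\Documents\report.docx",
    r"D:\Backups\finance.bak",
    r"D:\Backups\Zenis-Q9.k2LmN8pQrS7t",
    r"C:\Windows\System32\notepad.exe",
]


def is_zenis_encrypted_name(path: str) -> bool:
    """True if the file name matches Zenis-XX.YYYYYYYYYYYY (2 + 12 random chars)."""
    return bool(ZENIS_NAME_RE.match(ntpath.basename(path)))


def is_ransom_note(path: str) -> bool:
    """True if the file is the dropped ransom note (case-insensitive match)."""
    return ntpath.basename(path).lower() == RANSOM_NOTE


def is_backup_target(path: str) -> bool:
    """True if the extension is one Zenis overwrites three times and deletes."""
    return ntpath.splitext(path)[1].lower() in BACKUP_EXTS


def md5_is_ioc(hexdigest: str) -> bool:
    """Compare a hex MD5 (any case) against the published sample hash."""
    return hexdigest.strip().lower() in KNOWN_MD5


def bytes_are_ioc(data: bytes) -> bool:
    """Hash raw file bytes and compare against the published sample hash."""
    return md5_is_ioc(hashlib.md5(data).hexdigest())


def registry_marker_present():
    """Check HKCU\\Software\\ZenisService 'Active'. Returns None off Windows."""
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\ZenisService") as key:
            winreg.QueryValueEx(key, "Active")
            return True
    except OSError:
        return False


def triage(listing):
    """Classify a directory listing into encrypted files, ransom notes and
    backup files that Zenis would wipe; order of the input is preserved."""
    result = {"encrypted": [], "ransom_notes": [], "backup_targets": []}
    for path in listing:
        if is_zenis_encrypted_name(path):
            result["encrypted"].append(path)
        elif is_ransom_note(path):
            result["ransom_notes"].append(path)
        elif is_backup_target(path):
            result["backup_targets"].append(path)
    return result


def likely_infected(result) -> bool:
    """Renamed files or the ransom note are strong indicators; backup files
    alone are only at risk, not evidence of infection."""
    return bool(result["encrypted"] or result["ransom_notes"])


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for category, paths in summary.items():
        print(f"{category}: {len(paths)}")
    print("registry marker:", registry_marker_present())
    print("likely infected:", likely_infected(summary))
```

Run the script on a real host by replacing SAMPLE_LISTING with the output of a directory walk; the backup-target list is useful before infection too, since it shows which files Zenis would wipe and therefore which backups should be kept offline.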
How to stay away from ransomware
Subject Matter Expert
Priyanka Dhasade |Quick Heal Security Labs