Zenis – a new ransomware that not only encrypts files on a device or server, but intentionally targets and deletes backups has been uncovered.
First reported on 13 March by the MalwareHunterTeam, Zenis is a focus for our scam of the week as it is still slowly unravelling. It is unclear how Zenis is being distributed. Despite this, the ransomware has claimed a number of victims, BleepingComputer reports.
Soon after the encryption has taken place, a ransom note is sent, asking victims to join the ‘game’:
“I am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world.
A world in digital space that you are supposed to play the role of my toys. If you want to win in this game, you have to listen carefully to my instructions, otherwise, you will be caught up in a one-step game and you will become the mam loser of the story. My instructions are simple and clear.”
Like with all ransomware, victims are encouraged not to pay the demand to get their files back, as those responsible rarely hold up their end of the bargain. ‘Ransomware Hunter’ Michael Gillespie has managed to crack the code, and along with BleepingComputer advises victims to seek help from them. In the support forum, several victims are alleging to have been hit with the ransomware, with one claiming to have gotten the following response from Zenis, after paying the ransom note:
“We check all you 1206 help files with hashing them, unfortunately, we did not find any difference between them. That means your private key is 100% correct, but your files was damaged, One of the potential reasons is the use of public programs. They are trying to bring your files back to their original state, but because the content has been modified, this will damage your files. You are a good man, and making these words upset us. Unfortunately, all you can do. start first ( download link, AES ) zenis decryptor and start full decrypt to undamaged files will be returned, Also upgrade your server and keep string password use for it, Although it’s a pity for us, we are sadly saddened by this. Life goes on. Get up from the ground and continue with strength. Never forget the security of information. Our digital assets are not all our assets.”
Together, BleepingComputer MalwareHunterTeam and Michael Gillespie conducted a detailed analysis of Zenis, highlighting how it works. According to BleepingComputer, Zenis operates by finding associated backup files, overwriting them three times then deleting them, making it very difficult for the user to restore files from a backup. They stated themselves, they do not know yet how Zenis Ransomware is being distributed, but possibly via hacked remote desktop services.