National Cyber Warfare Foundation (NCWF) Forums


New Zola Ransomware Using Multiple Tools to Disable Windows Defender


2024-08-07 09:39:06
milo
Red Team (CNA)



The post New Zola Ransomware Using Multiple Tools to Disable Windows Defender appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Seemingly new ransomware, Zola, is the newest version of the Proton family that appeared in March 2023.

This rebranding highlights the unbroken trend of ransomware’s evolution.

Cybersecurity researchers at Acronis identified and warned of the new Zola ransomware, which was found using multiple tools to disable Windows Defender.





Zola Ransomware





During a cyber attack investigation, security analysts noticed the use of current hacking tools on many connected PCs.

They were utilized for various purposes, such as privilege escalation, network reconnaissance, and credential theft. The main payload was Zola ransomware, the latest Proton variant.





The latter possessed some features that differentiated it from others in the same category, such as:

  • A single mutex to block simultaneous execution.
  • Administrative rights verification.
  • A Persian language-based kill switch, which could indicate its origin.





Generating victim IDs and encryption keys was part of the malware’s preparation stage. It also modified registry values, changed system wallpapers, disabled recovery options, and altered boot configurations.





Before encrypting any data, Zola killed 137 processes and 79 services, a step designed to disable security programs and to close applications that would otherwise hold files locked.
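A defender's view of the preparation stage described above: the following Python, added here and not from the article or from Acronis, correlates Sysmon-style events (a burst of process/service terminations, a wallpaper registry write, a recovery or boot configuration tool launch) into one scored alert. The ts|actor|kind|target event schema, the thresholds, the tool list, the sample lines and the image name zola.exe are all assumptions.

```python
"""Score Sysmon-style events for Zola's pre-encryption behaviour (added example, not the
article's or Acronis' code). The ts|actor|kind|target schema and every sample line are
constructed; 'zola.exe' is a hypothetical image name."""
from collections import defaultdict
from datetime import datetime, timedelta

WALLPAPER_KEY = r"HKCU\Control Panel\Desktop\Wallpaper"   # wallpaper swap via registry
RECOVERY_TOOLS = ("bcdedit", "vssadmin", "wbadmin")        # recovery/boot tampering (assumed list)
WINDOW = timedelta(seconds=120)
KILL_THRESHOLD = 20        # article: 137 processes and 79 services stopped before encryption
ALERT_SCORE = 4

def _parse(line):
    ts, actor, kind, target = line.split("|", 3)
    return datetime.fromisoformat(ts), actor, kind, target.lower()

def score_actors(lines):
    """Return {actor: (score, reasons)} for every actor whose behaviour reaches ALERT_SCORE."""
    by_actor = defaultdict(list)
    for line in lines:
        ts, actor, kind, target = _parse(line)
        by_actor[actor].append((ts, kind, target))
    alerts = {}
    for actor, events in by_actor.items():
        # Mass termination: the largest number of kill events inside any WINDOW-long span.
        kills = sorted(ts for ts, kind, _ in events if kind in ("ProcessTerminate", "ServiceStop"))
        burst = max((sum(timedelta(0) <= t - t0 <= WINDOW for t in kills) for t0 in kills), default=0)
        checks = [
            (3, burst >= KILL_THRESHOLD, f"{burst} process/service terminations within {WINDOW.seconds}s"),
            (1, any(k == "RegistrySet" and t.startswith(WALLPAPER_KEY.lower()) for _, k, t in events),
             "desktop wallpaper set via registry"),
            (2, any(k == "ProcessCreate" and t.startswith(RECOVERY_TOOLS) for _, k, t in events),
             "recovery/boot configuration tool launched"),
        ]
        hits = [(weight, reason) for weight, ok, reason in checks if ok]
        score = sum(weight for weight, _ in hits)
        if score >= ALERT_SCORE:
            alerts[actor] = (score, [reason for _, reason in hits])
    return alerts

# Constructed sample: one actor showing the whole pattern, plus a single benign Task Manager kill.
BASE = datetime(2024, 8, 7, 9, 39, 0)
def _at(sec): return (BASE + timedelta(seconds=sec)).isoformat()
SAMPLE = [f"{_at(i)}|zola.exe|ProcessTerminate|pid={1000 + i}" for i in range(25)] + [
    f"{_at(30)}|zola.exe|RegistrySet|{WALLPAPER_KEY} = C:\\Users\\Public\\wall.bmp",
    f"{_at(31)}|zola.exe|ProcessCreate|bcdedit /set {{default}} recoveryenabled No",
    f"{_at(40)}|taskmgr.exe|ProcessTerminate|pid=4242",
]
```

Running `score_actors(SAMPLE)` flags only zola.exe with score 6; a single kill from taskmgr.exe never reaches the threshold.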










This comprehensive approach demonstrates how far ransomware has evolved since its inception while underlining the importance of multi-layered cybersecurity defenses.







Zola Ransomware Encryption




Zola ransomware will initiate a multi-layered attack after completing all its preliminary operations.





It starts multiple threads for file encryption, encrypting files on both local and network-attached drives that have write permissions.





In September 2023, it switched to using the ChaCha20 algorithm for encryption instead of the AES-GCM used previously, and it relied on the Crypto++ library to implement cryptographic functions.





[Figure: Evolution of the Proton family (Source - Acronis)]



At the same time, another thread is responsible for dropping ransom notes into every folder. However, these notes falsely claim that AES and ECC are the encryption algorithms used.





[Figure: Example of the ransom note (Source - Acronis)]




Zola generates a custom BMP image and sets it as a desktop wallpaper as part of its visual approach.





A notable anti-forensics measure introduced in April 2024 involves creating a temporary file on the C:\ drive, filling the whole disk with 500 kB chunks of uninitialized data, and then deleting the file.

This approach is likely aimed at overwriting slack space, making data recovery difficult, if not impossible, and hampering investigators’ forensic examination efforts.





Such an all-encompassing approach demonstrates how the Proton ransomware family has evolved, combining strong encryption with methods that hinder recovery and investigation.

This ransomware is available in both x86 and x64 versions and targets a wide range of systems.

Besides this, the new Zola ransomware retains most of Proton’s core functionality.

Future variants are also expected to follow this pattern of rebranding with minimal substantial changes.





IoC





[Figure: Indicators of compromise (Source - Acronis)]









Source: gbHackers
Source Link: https://gbhackers.com/new-zola-ransomware-disable-windows-defender/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.