Executive Summary
The continuous emergence of new ransomware families has become a concerning trend in recent years. While some variants quickly fade into obscurity, others establish a more persistent presence. Additionally, many ransomware strains evolve or rebrand, adopting new techniques while retaining their destructive intent.
Recent findings from the Acronis Threat Research Unit have uncovered a new ransomware variant named “Zola.” Initially identified as a distinct threat, further investigation revealed that Zola is, in fact, a rebranded version of the Proton family, which first appeared in March 2023.
Introduction to Zola
Zola ransomware is a C++ based malware that encrypts files, appends the .zola extension, and disables system recovery options. It targets both local and network files, utilizing multi-threaded encryption for increased efficiency. The ransomware demands payment for decryption, with instructions provided in a “#Read-for-recovery.txt” file.
In addition to dropping a ransom note in each affected directory, the malware changes the desktop wallpaper to display a ransom message and assigns a unique victim ID that the victim uses to communicate with the attackers.
While removing Zola ransomware from an infected system halts further file encryption, it does not restore already encrypted data. Recovery of compromised files requires a backup stored in a separate, unaffected location. Zola, like other Proton ransomware variants, features a distinctive kill switch that terminates its processes if a Persian keyboard layout is detected, suggesting a possible connection to a Persian-speaking region, though conclusive evidence is lacking.
In cases where the kill switch is not activated, Zola ransomware escalates privileges by repeatedly prompting for administrative credentials if it encounters insufficient permissions.
Tactics, techniques and procedures (TTPs)
Analysis of the attacker's toolset revealed a reliance on common, off-the-shelf hacking utilities. These tools, often associated with less sophisticated threat actors, were used to elevate privileges, scan networks, and exfiltrate credentials. The use of older, less advanced tools indicates a focus on efficiency rather than stealth.
The attackers utilized the following tools:
- Mimikatz 2.2.0
- ProcessHacker 2.39
- Sysinternals Process Explorer 16.42
- Advanced IP Scanner 2.5.3850
- EMCO Unlock IT 7.0.1
The malware frequently drops tools designed to disable Windows Defender into the Downloads, Music, or 3D Objects directories on compromised systems.
Payload
The recovered Zola ransomware executable, a 1 MB C++ application compiled on May 17, 2024, uses the mutex “4B991369-7C7C-47AA-A81E-EF6ED1F5E24C” to prevent more than one instance from running at once. Like other Proton variants, Zola demands administrative privileges and repeatedly prompts the user for elevation if it does not have them. These persistence and control mechanisms are consistent with the broader Proton family.
Initial Preparation (for Encryption)
Following the initial setup, Zola generates a unique victim ID and the associated cryptographic keys. This information is stored in newly created registry values:
HKCU\Software\Proton\public
HKCU\Software\Proton\full
Zola initiates the encryption process by emptying the Recycle Bin and manipulating system restore points.
Zola runs vssadmin to delete every shadow copy on the system, hindering recovery. It also executes "wmic SHADOWCOPY /nointeractive": the SHADOWCOPY alias lists the available shadow copies, but "/nointeractive" is not a valid option, so the command fails with an error.
In both these instances, the ShellExecute API was utilized to execute the commands with the help of a command prompt:
cmd /c vssadmin Delete Shadows /All /Quiet
cmd /c wmic SHADOWCOPY /nointeractive
Zola further compromised system resilience by modifying the boot configuration using BCDEdit.
These changes make Windows ignore boot failures and continue booting, and disable automatic repair:
cmd /c bcdedit /set {default} recoveryenabled No
cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Before encryption, Zola copies itself to the user's Startup folder under a victim-specific filename. At the same time, it attempts to terminate 137 processes and 79 services, including security software and applications that might interfere with encryption. This is intended to maximize the ransomware's impact by removing potential obstacles.
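The preparation sequence above (shadow-copy deletion, the wmic attempt, the two bcdedit changes and the Proton registry values) is visible in ordinary endpoint telemetry. The following is an added example, not the report's or Acronis's own tooling: it runs a few Sysmon-style rules over constructed sample events and correlates hits by the process that caused them, so that a lone shadow-copy deletion (which administrators also perform) does not fire, while the full sequence does. The dropper path, the user SID and the benign noise event are all constructed placeholders.

```python
"""Detection logic for the Zola/Proton preparation stage.

Added example, not the report's own tooling. It runs Sysmon-style rules
over constructed sample events and correlates hits by the responsible
process, so a single shadow-copy deletion does not alert but the full
preparation sequence does.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not from a real incident). Field names follow
# Sysmon Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent SetValue).
# The dropper path is a placeholder.
DROPPER = r"C:\Users\alice\AppData\Local\Temp\dropper.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": "cmd /c vssadmin Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": "cmd /c wmic SHADOWCOPY /nointeractive"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": "cmd /c bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": "cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    # Sysmon records HKCU writes under the user's SID in HKU (SID is a placeholder).
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Proton\public"},
    # Benign noise: an administrator's shadow-copy cleanup launched from Explorer.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c vssadmin Delete Shadows /All /Quiet"},
]

# Each rule: (name, event id it applies to, field to inspect, pattern).
RULES = [
    ("shadow_copy_delete", 1, "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy", 1, "CommandLine",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\b", re.I)),
    ("bcd_recovery_disabled", 1, "CommandLine",
     re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("bcd_ignore_failures", 1, "CommandLine",
     re.compile(r"bcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("proton_registry_key", 13, "TargetObject",
     re.compile(r"\\Software\\Proton\\(public|full)$", re.I)),
]


def actor(event):
    """The process responsible for the behaviour: the parent of the spawned
    cmd.exe for process-creation events, the writing image for registry events."""
    return event["ParentImage"] if event["EventID"] == 1 else event["Image"]


def match_events(events):
    """Return a (rule_name, actor) pair for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, event_id, fieldname, pattern in RULES:
            if ev["EventID"] == event_id and pattern.search(ev.get(fieldname, "")):
                hits.append((name, actor(ev)))
    return hits


def correlate(events, threshold=2):
    """Group rule hits by actor and alert when one actor trips at least
    `threshold` distinct rules. Shadow-copy deletion alone is noisy; deletion
    plus a boot-policy change plus the Proton registry value is the
    preparation sequence described in the report."""
    by_actor = defaultdict(set)
    for name, who in match_events(events):
        by_actor[who].add(name)
    return [{"actor": who, "rules": sorted(names)}
            for who, names in by_actor.items() if len(names) >= threshold]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {', '.join(alert['rules'])}")
```

The wmic rule matches even though the report notes the command errors out: the attempt still appears in process-creation logs, and it is the combination of attempts from one parent process, not any single command, that the correlation keys on. Keying on the parent image rather than on cmd.exe is what lets the benign Explorer-launched cleanup fall below the threshold.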
Encryption
After completing its preparation, Zola ransomware launches two threads: one for encryption and another for placing a ransom note in each affected folder. Encryption also covers network-attached drives to which the process has write access.
Early Proton ransomware variants utilized a combination of curve25519 and AES-GCM for encryption, leveraging the Crypto++ library. However, in September 2023, the encryption algorithm was modified to use ChaCha20, while the ransom note continued to falsely claim the use of AES and ECC. This strategic change was likely intended to complicate forensic analysis and attribution.
While the encryption threads operate, the primary thread continues executing by creating a BMP image saved at "C:\ProgramData\<ID>.bmp", which is then set as the desktop wallpaper.
In April 2024, Proton ransomware variants introduced a destructive component designed to overwrite free disk space with random data. By filling available sectors, this feature aims to hinder data recovery efforts and complicate forensic investigations.
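The artifacts the encryption stage leaves behind (the .zola extension, the ransom note in each affected folder and the wallpaper BMP named after the victim ID) are what an incident responder inventories first. The following is an added example, not the report's or Acronis's own tooling: it builds a constructed sample tree in a temporary directory and walks it to report affected directories, encrypted-file counts, the original file types hit, ransom-note locations and the victim ID recovered from the wallpaper name. The report gives no format for <ID>, so treating any .bmp directly inside ProgramData as the wallpaper is an assumption, and the file names, the ABCD1234 ID and the directory layout are constructed.

```python
"""Filesystem triage for a Zola-encrypted tree.

Added example, not the report's own tooling: it builds a small constructed
directory tree in a temporary folder and walks it to summarise the Zola
artifacts described in the report (.zola files, #Read-for-recovery.txt
notes, and the C:\\ProgramData\\<ID>.bmp wallpaper, mapped here to a
ProgramData folder inside the temporary tree).
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "#Read-for-recovery.txt"   # filename from the report
ENCRYPTED_EXT = ".zola"                  # extension from the report
# Assumption: the report gives no format for <ID>, so any .bmp directly
# inside ProgramData is treated as a candidate wallpaper and its basename
# as the victim ID.
WALLPAPER_RE = re.compile(r"^(?P<victim_id>[^.]+)\.bmp$", re.IGNORECASE)


def build_sample_tree(root):
    """Create a constructed sample tree: two encrypted directories with
    ransom notes, one untouched directory, and a wallpaper in ProgramData."""
    layout = {
        "Users/alice/Documents": ["report.docx.zola", "budget.xlsx.zola", RANSOM_NOTE],
        "Users/alice/Pictures": ["holiday.jpg.zola", RANSOM_NOTE],
        "Users/alice/Music": ["song.mp3"],
        "ProgramData": ["ABCD1234.bmp"],  # constructed victim ID, not a real one
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


def triage(root):
    """Walk `root` and summarise the Zola artifacts found under it."""
    affected_dirs = {}
    ransom_notes = []
    victim_ids = []
    original_exts = Counter()
    program_data = os.path.normcase(os.path.join(root, "ProgramData"))

    for dirpath, _subdirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        if encrypted:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            affected_dirs[rel] = len(encrypted)
            for name in encrypted:
                # Strip ".zola" and keep the extension that preceded it.
                original_exts[os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1].lower()] += 1
        if RANSOM_NOTE in files:
            ransom_notes.append(os.path.join(dirpath, RANSOM_NOTE))
        if os.path.normcase(dirpath) == program_data:
            for name in files:
                match = WALLPAPER_RE.match(name)
                if match:
                    victim_ids.append(match.group("victim_id"))

    return {
        "encrypted_files": sum(affected_dirs.values()),
        "affected_dirs": affected_dirs,
        "original_extensions": dict(original_exts),
        "ransom_notes": len(ransom_notes),
        "victim_ids": victim_ids,
    }


def run_demo():
    """Build the constructed tree in a temp directory and triage it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="zola-triage-"))
    return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host the same walk would be pointed at each local and mapped drive, and the recovered victim ID can be cross-checked against the Proton registry values and the copy of the executable in the Startup folder to tie all of the artifacts to one infection.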
How does it infect an organization?
Malware, including ransomware, primarily spreads through phishing and social engineering tactics. Common distribution methods include loader or backdoor trojans, deceptive or stealthy drive-by downloads, online scams, malicious attachments or links in spam emails and messages, unreliable download sources such as freeware, third-party sites, or P2P networks, illegal software activation tools ("cracks"), and fake software updates.
Some malicious programs can also spread autonomously through local networks and removable storage devices, such as external hard drives and USB flash drives.
Malware is often concealed within or bundled with seemingly legitimate content. Infected files can take various forms, including archives (ZIP, RAR), executables (.exe, .run), documents (Microsoft Office, Microsoft OneNote, PDF), JavaScript, and more. The infection process begins as soon as the malicious file is executed, run, or opened.
Conclusion
The emergence of ransomware variants like Zola, which build upon previous iterations while adding new destructive capabilities, highlights the ever-evolving threat landscape. This evolution demands a proactive and adaptive approach to cybersecurity, compelling organizations to implement sophisticated defense strategies capable of countering the evolving tactics used by cybercriminals.
References
- https://www.acronis.com/en-eu/cyber-protection-center/posts/zola-ransomware-the-many-faces-of-the-proton-family/
- https://socprime.com/blog/zola-ransomware-detection-proton-family-evolves-with-a-new-ransomware-variant-featuring-a-kill-switch/
- https://www.broadcom.com/support/security-center/protection-bulletin/zola-a-new-proton-ransomware-variant
- https://www.pcrisk.com/removal-guides/30674-zola-ransomware
- https://www.scmagazine.com/news/proton-ransomware-continues-evolution-with-latest-zola-variant
- https://www.msspalert.com/brief/novel-proton-ransomware-variant-with-kill-switch-emerges
- https://cyberinsider.com/zola-ransomware-springs-to-action-as-latest-proton-variant/
- https://gbhackers.com/new-zola-ransomware-disable-windows-defender/
- https://tria.ge/240807-b6mqxsxdkn