Ransomware has been the hot topic of the security world for quite a few months. It is a type of attack that encrypts a system's files and demands a ransom from the victim in exchange for the key needed to unlock them. Recently a new ransomware, Zenis, has been seen infecting systems. Discovered by MalwareHunterTeam, this ransomware deletes your file backups on purpose!

Zenis

When MalwareHunterTeam discovered the ransomware, it was using an unidentified method of file encryption. The latest version, however, encrypts files with AES. Once a file is encrypted there is currently no way to decrypt it, but security researcher Michael Gillespie is analyzing the malware for any weakness.

It is still unknown how this ransomware is being distributed, but the infections seen so far suggest that it is being installed through Remote Desktop Services.
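Because Remote Desktop is the suspected way in, the first thing to check on a Windows host is whether RDP is reachable, whether Network Level Authentication is on, and whether anyone has been hammering it. The script below is an added example, not code from the original post or from any of the researchers it cites. It assumes an elevated PowerShell session and that logon auditing is enabled in the Security log (without it the failed-logon count is simply zero).

```powershell
# Added example (not from the original post): a quick triage of the suspected
# vector on a Windows host. It reads the RDP settings and counts failed
# RDP logons from the Security log. Assumptions: elevated session, and
# audit logging of logon events enabled (otherwise the count is just zero).
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

[pscustomobject]@{
    RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
    NetworkLevelAuth = ($rdp.UserAuthentication -eq 1)   # NLA: authenticate before a session is created
    ListeningPort    = $rdp.PortNumber
}

# Failed logons in the last 24 hours. Event 4625 property indices: 10 = LogonType,
# 19 = source IpAddress. Type 10 is RemoteInteractive (classic RDP); with NLA
# on, a failed RDP password shows up as type 3 (Network), so count both.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in @(3, 10) }

# Top source addresses by number of failures
$failed |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

A long list of failures from one or two addresses is the pattern to act on: take RDP off the internet (VPN or gateway in front of it), keep NLA enabled, and set an account lockout policy. The property indices above are for event 4625 specifically; other logon events lay their fields out differently.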

The working method of Zenis

The current version of the ransomware performs two checks to decide whether it should encrypt the system it is running on:

Its process is running under the name iis_agent32.exe.

The registry value "Active" under HKEY_CURRENT_USER\SOFTWARE\ZenisService is not already present on the system.

It encrypts only when the process name matches and the registry value is absent; if the name is different or the value already exists, it exits without encrypting. Here is the ransom note Zenis leaves behind.
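Both checks are cheap to look for on a host you suspect. The script below is an added example, not code from the original post and not the malware's own logic; the process name and registry location are the ones the post names, and everything else is my assumption. Note that the registry check is per-user (HKEY_CURRENT_USER), so run it as the account that actually logs in over Remote Desktop.

```powershell
# Added example (not code from the original post or from the malware):
# look for the two Zenis indicators described above on a Windows host.
# Run in an elevated PowerShell session. The process name and registry
# location come from the post; the optional -Vaccinate switch is an
# assumption drawn from the described check, not something the post recommends.
param(
    [switch]$Vaccinate
)

$regPath   = 'HKCU:\SOFTWARE\ZenisService'
$valueName = 'Active'
$procName  = 'iis_agent32'      # Get-Process takes the name without .exe

$findings = @()

# 1. Is a process with the name the malware expects currently running?
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "Process $procName.exe running, PID $($p.Id), path: $($p.Path)"
}

# 2. Is the registry value the malware checks for present? Record it either
#    way: it is the thing the encryptor looks at before deciding to run.
$value = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $value) {
    $findings += "Registry value $regPath\$valueName present, data: $($value.$valueName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Zenis indicators found.'
} else {
    Write-Warning 'Zenis indicators found:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}

# 3. Optional: create the marker value. If the check behaves as described,
#    its presence makes the encryptor exit. This is a stopgap, not a defence:
#    it does nothing against a renamed sample or the next version.
if ($Vaccinate -and $null -eq $value) {
    New-Item -Path $regPath -Force | Out-Null
    New-ItemProperty -Path $regPath -Name $valueName -Value '1' -PropertyType String -Force | Out-Null
    Write-Output "Created $regPath\$valueName"
}
```

Treat a hit on either indicator as a reason to isolate the host and pull it off the network before it finishes encrypting; the -Vaccinate switch only makes sense on hosts that have not been touched yet, and only until the malware is fully analyzed.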

The key point is that the author of this ransomware holds the private RSA key required to decrypt the base64-encoded files, which is why the note demands payment. The ransomware is still under analysis, so do not pay the ransom until that analysis is complete.

How to stay protected

First of all, since it is unknown how this ransomware is being distributed into networks, you have to be careful while operating your system. Good usage habits matter more than anything else in preventing an attack like this. Here is a short list of what to do and what not to do.