What is Zeoticus Ransomware?
Zeoticus ransomware was first spotted for sale in various underground markets and forums in early 2020. It is a ransomware that targets all versions of Microsoft Windows Operating Systems without any dependence on a C2 (Command & Control), what this means is that there are no requirements of connectivity for the payloads to be executed.
The vendor of this ransomware has continued to maintain and offer updates on the Zeoticus service. Samples of the new and improved Zeoticus 2.0 were observed in the in late December 2020 and since multiple researchers and vendors began to analyze these updated samples. Most updates of this ransomware are focused on speed and efficiency. Encryption algorithms, both asymmetric (Poly1305, XSalsa20 and Curve25519) and symmetric (XChaCha20), have been used based on their speed. The latest version of this ransomware is able to also discover and terminate encryption disrupting processes.
Some antivirus software are able to detect Zeoticus 2.0 with varying detection names. For the detection names, kindly follow this URL:
Method of Infection
There are two (2) ways in which you can be infected with Zeoticus 2.0 - email spam and trojans. A user might come across messages in their email stating that they need to pay a utility bill or uplift a parcel from FedEx but these messages are sent from unknown or unfamiliar email addresses not matching the official email addresses of these companies. These spam messages contain an attached file which is used to infect systems with the ransomware if opened.
In the case of trojans, a user would be asked to download a software update for something like Chrome or Adobe reader which in reality is the ransomware being offered as an important update.
How it Works
Once executed this ransomware identifies files based on their extension. Zeoticus 2.0 has a customizable encrytable-extension list which is controlled by the attacker. When Launched the Ransomware makes copies of itself in different locations on the user’s system. Following this, the ransomware stops a number of running processes using taskkill.exe. These processes are as follows:
Zeoticus then facilitates the deletion of its own binaries, it achieves this by using the ping command to redirect the output of the command > nul & del. The ransomware then uses a WMI query to gather Information about the local environment and creates a Registry Run key which helps achieve persistence. The ransomware then proceeds to use asymmetric and symmetric encryption to encrypt files. Encrypted files are modified with extensions which include the attackers contact email along with the string “2020END.” Zeoticus mounts a new volume which contains the ransom note with the name “README.html”
Removing Zeoticus 2.0 Ransomware
There are steps that are necessary to be taken when it is suspected that a system is infected with ransomware:
STEP 1. Isolate the infected device(s):
- Log out of all cloud storage.
- Disconnect the infected device from the network and the internet. You may even go as far as disabling all Network Interface Cards.
- Disconnect all External Storage devices
STEP 2. Reimage the infected device(s)
STEP 3. Restore clean copy of files from backups. It is advised to always have multiple backups of critical data and at least one backup should be kept offline.
Virustotal.com (2021, February 22). Retrieved from Virus Total:
Meskauskas, Tomas (2020, December 30). How to uninstall Zeoticus 2.0 ransomware? Retrieved from PC Risk: https://www.pcrisk.com/removal-guides/19675-zeoticus-2-0-ransomware
Walter, Jim (2021, February 3). Zeoticus 2.0 Ransomware with no C2 required. Retrieved from Sentinel Labs: https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/