T2021_04 Zeoticus 2.0 Ransomware (25th February 2021)

What is Zeoticus Ransomware?

Zeoticus ransomware was first spotted for sale in various underground markets and forums in early 2020. It targets all versions of the Microsoft Windows operating system without any dependence on a C2 (Command & Control) server, which means the payload needs no network connectivity in order to execute.

The vendor of this ransomware has continued to maintain and update the Zeoticus service. Samples of the new and improved Zeoticus 2.0 were observed in late December 2020, and since then multiple researchers and vendors have analyzed these updated samples. Most updates to this ransomware focus on speed and efficiency. The encryption algorithms, both asymmetric (Poly1305, XSalsa20 and Curve25519) and symmetric (XChaCha20), were chosen for their speed. The latest version of this ransomware is also able to discover and terminate processes that would disrupt encryption.

Detection Names

Antivirus products detect Zeoticus 2.0 under varying detection names. The detection names for the sample referenced below are listed at this URL:

https://www.virustotal.com/gui/file/279d73e673463e42a1f37199a30b3deff6b201b8a7edf94f9d6fb5ce2f9f7f34/detection

Method of Infection

There are two (2) ways in which you can be infected with Zeoticus 2.0: email spam and trojans. A user might receive email messages stating that they need to pay a utility bill or collect a parcel from FedEx, but these messages are sent from unknown or unfamiliar email addresses that do not match the official email addresses of these companies. These spam messages carry an attached file which, if opened, infects the system with the ransomware.

In the case of trojans, a user is prompted to download a software update for something like Chrome or Adobe Reader, which in reality is the ransomware being offered as an important update.

How it Works

Once executed, this ransomware identifies files based on their extension. Zeoticus 2.0 has a customizable list of encryptable extensions which is controlled by the attacker. When launched, the ransomware makes copies of itself in different locations on the user's system. Following this, the ransomware stops a number of running processes using taskkill.exe. These processes are as follows:

  1. sqlagent.exe
  2. sqlbrowser.exe
  3. sqlservr.exe
  4. sqlwriter.exe
  5. oracle.exe
  6. ocssd.exe
  7. dbsnmp.exe
  8. synctime.exe
  9. mydesktopqos.exe
  10. agntsvc.exe
  11. isqlplussvc.exe
  12. xfssvccon.exe
  13. mydesktopservice.exe
  14. ocautoupds.exe
  15. agntsvc.exe
  16. agntsvc.exe
  17. agntsvc.exe
  18. encsvc.exe
  19. firefoxconfig.exe
  20. tbirdconfig.exe
  21. ocomm.exe
  22. mysqld.exe
  23. mysqld-nt.exe
  24. mysqld-opt.exe
  25. dbeng50.exe
  26. qbcoreservice.exe
  27. excel.exe
  28. infopath.exe
  29. msaccess.exe
  30. mspub.exe
  31. onenote.exe
  32. outlook.exe
  33. powerpnt.exe
  34. sqlservr.exe
  35. thebat64.exe
  36. thunderbird.exe
  37. winword.exe
  38. Wordpad.exe

Zeoticus then deletes its own binary: it runs the ping command as a delay, redirects the command's output to nul, and chains a del command (the ping ... > nul & del pattern). The ransomware then uses a WMI query to gather information about the local environment and creates a Registry Run key to achieve persistence. It then proceeds to encrypt files using asymmetric and symmetric encryption. Encrypted files are given extensions which include the attacker's contact email along with the string "2020END". Zeoticus mounts a new volume which contains the ransom note, named "README.html".
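The behaviours described above (taskkill against the process list, the ping > nul & del self-deletion, and the Run key for persistence) can be turned into simple detection logic. The following is an added example written for this page, not code from the original advisory or from any of the cited vendors; it runs over constructed process-creation log lines in an assumed "image | command line" format, and the executable path and value name in the sample lines are made up for illustration.

```python
"""Constructed detector for the Zeoticus 2.0 behaviours described on this page,
run over constructed "image | command line" process-creation log lines.
Added example; not the advisory's own code."""
import re

# Subset of the process kill list from the page; matching is case-insensitive.
KILL_LIST = {
    "sqlservr.exe", "sqlwriter.exe", "sqlagent.exe", "oracle.exe", "mysqld.exe",
    "outlook.exe", "winword.exe", "excel.exe", "thunderbird.exe", "encsvc.exe",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
# "ping ... > nul & del ..." self-deletion idiom: ping used as a delay, its
# output discarded, then the binary deleted.
SELF_DELETE_RE = re.compile(r"\bping\b.*>\s*nul\s*&+\s*del\b", re.IGNORECASE)

def detect(line: str) -> list:
    """Return the names of the Zeoticus-style behaviours seen on one log line."""
    image, _, cmdline = line.partition("|")
    image, cmdline = image.strip().lower(), cmdline.strip()
    hits = []
    if image.endswith("taskkill.exe"):
        targets = {t.lower() for t in re.findall(r"/im\s+(\S+)", cmdline, re.IGNORECASE)}
        if targets & KILL_LIST:
            hits.append("kill_list_process_terminated")
    if image.endswith("cmd.exe") and SELF_DELETE_RE.search(cmdline):
        hits.append("ping_del_self_deletion")
    if image.endswith("reg.exe") and RUN_KEY_RE.search(cmdline):
        hits.append("run_key_persistence")
    return hits

def scan(lines) -> dict:
    """Map each behaviour name to the number of log lines that showed it."""
    counts = {}
    for line in lines:
        for hit in detect(line):
            counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed log lines (not from a real incident; paths are placeholders).
SAMPLE_LOG = [
    r"C:\Windows\System32\taskkill.exe | taskkill /F /IM sqlservr.exe /IM outlook.exe",
    r"C:\Windows\System32\taskkill.exe | taskkill /F /IM notepad.exe",
    r"C:\Windows\System32\cmd.exe | cmd /c ping 127.0.0.1 -n 3 > nul & del C:\Users\Public\update.exe",
    r"C:\Windows\System32\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\Public\update.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe --type=renderer",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Any one of these hits on its own is weak evidence (administrators also use taskkill and reg), so in practice the three signals should be correlated by host and time window before alerting.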

Removing Zeoticus 2.0 Ransomware

The following steps should be taken when a system is suspected to be infected with ransomware:

STEP 1. Isolate the infected device(s):

  1. Log out of all cloud storage.
  2. Disconnect the infected device from the network and the internet. You may even go as far as disabling all Network Interface Cards.
  3. Disconnect all external storage devices.

STEP 2. Reimage the infected device(s)

STEP 3. Restore clean copies of files from backups. It is advised to always keep multiple backups of critical data, with at least one backup kept offline.

Reference

Virustotal.com (2021, February 22). Retrieved from Virus Total: https://www.virustotal.com/gui/file/279d73e673463e42a1f37199a30b3deff6b201b8a7edf94f9d6fb5ce2f9f7f34/detection

Meskauskas, Tomas (2020, December 30). How to uninstall Zeoticus 2.0 ransomware? Retrieved from PC Risk: https://www.pcrisk.com/removal-guides/19675-zeoticus-2-0-ransomware

Walter, Jim (2021, February 3). Zeoticus 2.0 Ransomware with no C2 required. Retrieved from Sentinel Labs: https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/