Zenis ransomware encrypts files and deletes backups

The game of Zenis ransomware: encrypted files, deleted backups and Bitcoins demanded

Zenis ransomware deletes backups

Recently emerged Zenis ransomware[1] is quite a unique example of crypto-malware. Researchers still cannot figure out how the ransomware gets into the system. However, it’s fairly clear that the author of the ransomware loves programming and playing games with victims. The malware not only encrypts files but deletes backups too.

According to the currently available information, the virus infected devices by exploiting Remote Desktop services. Once inside, it begins the data encryption procedure using AES cryptography. During data encryption, Zenis ransomware renames files and appends the Zenis-<2_chars>. file extension. The final name of an encoded file can be up to 64 characters long.

Following the encryption, the malware also performs these tasks:

  • deletes shadow volume copies;
  • disables startup repair;
  • clears event logs.

In this way, the malware makes it harder for victims to recover encoded files. However, that’s not the only obstacle the ransomware creates. During the encryption procedure, the virus also searches for files associated with backups. Once it finds them, it overwrites them three times and finally deletes them.
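The three recovery-inhibiting actions listed above (shadow copy deletion, disabled startup repair, cleared event logs) are far more telling when they occur together under one parent process than any of them is alone. The following detector is an added example written for this article, not code from the original page or from the researchers it cites. It assumes the actions are carried out through the usual Windows command-line tools (vssadmin, wmic, bcdedit, wevtutil); the article names the effects, not the commands, so that mapping is an assumption, as is the Sysmon-style shape of the constructed sample events. It also includes a check for the Zenis-<2_chars>. renaming marker described above.

```python
import re
from collections import defaultdict

# Patterns for the three recovery-inhibiting actions the article describes.
# The command lines are the tools usually used for these actions; this mapping
# is an assumption, the article only names the effects.
TECHNIQUE_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?.*?(recoveryenabled\s+(no|off)|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# File-name marker from the article: "Zenis-<2_chars>." inserted into the name.
ZENIS_NAME_RE = re.compile(r"Zenis-[^\\/.]{2}\.")

# Constructed sample of process-creation records (Sysmon Event ID 1 style),
# reduced to the fields the detector needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\u\Desktop\update.exe"},
    {"pid": 4131, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Users\u\Desktop\update.exe"},
    {"pid": 4140, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl System",
     "parent": r"C:\Users\u\Desktop\update.exe"},
    {"pid": 512, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
]


def classify_command(cmdline):
    """Return the technique label a command line matches, or None."""
    for label, pattern in TECHNIQUE_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None


def is_zenis_name(path):
    """True if a file path carries the Zenis renaming marker."""
    return ZENIS_NAME_RE.search(path) is not None


def correlate(events):
    """Map each parent image to the set of techniques its child processes showed."""
    seen = defaultdict(set)
    for ev in events:
        label = classify_command(ev["cmdline"])
        if label:
            seen[ev["parent"]].add(label)
    return seen


def flag_parents(events, threshold=2):
    """Parents whose children performed at least `threshold` distinct actions."""
    return sorted(p for p, t in correlate(events).items() if len(t) >= threshold)


if __name__ == "__main__":
    for parent, techniques in correlate(SAMPLE_EVENTS).items():
        print(parent, "->", ", ".join(sorted(techniques)))
    print("flagged:", flag_parents(SAMPLE_EVENTS))
    print("renamed sample:", is_zenis_name(r"C:\Users\u\Documents\report.Zenis-a1.docx"))
```

Correlating on the parent image rather than alerting on each command separately keeps administrators who legitimately clear a log or resize shadow storage out of the alert queue, while a single unknown binary that does two or three of these in sequence is exactly the behaviour the article describes.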

Even though data decryption seems impossible, there’s no need to follow the instructions provided in the Zenis-Instructions.html file, where the crooks ask victims to contact them and pay the ransom in Bitcoins. Malware researcher Michael Gillespie managed to crack the malware’s code and can explain to victims how to decrypt files without paying the ransom.[2]

Author of Zenis ransomware loves playing games too

The ransom note of the Zenis virus is quite unique. Typically, hackers create standard ransom notes where victims are asked to obtain cryptocurrency, transfer it to the provided address, and wait for the decryptor. However, the decryptor might never arrive.

The ransom note, delivered soon after the encryption, starts with the lines asking victims to join the game[3] in order not to lose their files:

I am ZENIS. A mischievous boy who loves cryptography, hardware and programming. My world is full of unanswered questions and puzzles half and half, and I'm coming to discover a new world.
A world in digital space that you are supposed to play the role of my toys.

If you want to win in this game, you have to listen carefully to my instructions, otherwise, you will be caught up in a one-step game and you will become the mam loser of the story.
My instructions are simple and clear.

However, as already noted, there’s no need to join this game: there’s a chance to recover files without the Zenis Decryptor offered by the malware developer.

Ransomware attacks are growing; however, you can avoid them

Currently, the only known way Zenis ransomware gets into machines is through Remote Desktop services.[4] Therefore, it’s important to set strong passwords, make sure Remote Desktop is not exposed to the Internet directly, and use a VPN instead.

However, numerous ransomware-type cyber threats are searching for a way to infiltrate machines. These malicious programs might also enter the system via an infected document attached to a phishing email.[5]

Some malware might sneak into the system by exploiting security vulnerabilities or by tricking users into installing bogus software or fake updates. Therefore, users are advised to be critical when browsing the web and not to rush into clicking, opening or installing any content without thinking twice.

It is also recommended to keep the computer protected with anti-malware software. However, no program can fully protect your PC. Thus, you need to be careful yourself and, of course, create data backups.

About the author
Linas Kiguolis

Linas Kiguolis is one of the News Editors and also the Social Media Manager of the 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
