Zenis Ransomware Encrypts Your Data & Deletes Your Backups

A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not only encrypts your files, but also purposely deletes your backups.

When MalwareHunterTeam found the first sample, it was utilizing a custom encryption method when encrypting files. The latest version, and the one we will discuss in this article, utilizes AES encryption to encrypt the files.

At this time there is no way to decrypt Zenis encrypted files, but Michael Gillespie is analyzing the ransomware for weaknesses. Therefore, if you are infected with Zenis, do not pay the ransom. Instead you can receive help or discuss this ransomware in our dedicated Zenis Ransomware help & support topic.

Below is a brief description of how the Zenis ransomware encrypts a computer, compiled from analysis by MalwareHunterTeam, Michael, and myself.

How Zenis Ransomware encrypts a computer

As previously stated, we do not know how the Zenis Ransomware is currently being distributed. Based on the elusiveness of the ransomware samples and comments from infected people, it could be distributed via hacked Remote Desktop services.

When executed, the current Zenis Ransomware variant will perform two checks to see if it should begin encrypting the computer. The first check is whether the executing file is named iis_agent32.exe; this check is case insensitive. The other check is whether a registry value called HKEY_CURRENT_USER\SOFTWARE\ZenisService "Active" exists.

If the registry value exists or the file is not named iis_agent32.exe, it will terminate the process and not encrypt the computer.

If it passes the checks, it will then begin to get the ransom note ready by filling in some information, such as emails and encrypted data.

After that is completed it will execute the following commands to delete the shadow volume copies, disable startup repair, and clear event logs.

cmd.exe /C vssadmin.exe delete shadows /all /Quiet
cmd.exe /C WMIC.exe shadowcopy delete
cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no
cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmd.exe /C wevtutil.exe cl Application
cmd.exe /C wevtutil.exe cl Security
cmd.exe /C wevtutil.exe cl System
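The seven commands above are exactly the kind of sequence a defender can alert on from process-creation telemetry. The following is an added example written for this article (it is not code from the article or from the researchers named in it) that groups those commands into three categories, shadow copy deletion, recovery being disabled and event logs being cleared, runs them over constructed Sysmon Event ID 1 style records, and escalates the verdict when a single parent process does all three. The record layout (time/parent/cmd), the sample rows and the parent name iis_agent32.exe are constructed for the demonstration.

```python
"""Flag the backup-destruction and anti-forensics command sequence quoted in
the Zenis article, using constructed process-creation log records.

Added example for this article; not code from the article or its authors.
The record format (time/parent/cmd dicts) and the sample rows are constructed
stand-ins for Sysmon Event ID 1 style telemetry."""
import re
from collections import defaultdict

# Signatures for the commands quoted in the article, grouped by effect.
# The .exe suffix and spacing are optional so equivalent spellings still match.
SIGNATURES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
]

# One parent doing all three looks like ransomware preparing the ground;
# any single category is merely worth a look.
ALL_CATEGORIES = {"shadow_copy_deletion", "recovery_disabled", "event_log_cleared"}

# Constructed sample telemetry. The parent name follows the article's note
# that the sample only runs when it is called iis_agent32.exe.
SAMPLE_EVENTS = [
    {"time": "10:02:01", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C vssadmin.exe delete shadows /all /Quiet"},
    {"time": "10:02:01", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C WMIC.exe shadowcopy delete"},
    {"time": "10:02:02", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no"},
    {"time": "10:02:02", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"time": "10:02:03", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C wevtutil.exe cl Application"},
    {"time": "10:02:03", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C wevtutil.exe cl Security"},
    {"time": "10:02:03", "parent": "iis_agent32.exe", "cmd": "cmd.exe /C wevtutil.exe cl System"},
    # Benign look-alikes: listing shadows and querying a log must not fire.
    {"time": "10:05:10", "parent": "explorer.exe", "cmd": "cmd.exe /C vssadmin.exe list shadows"},
    {"time": "10:05:11", "parent": "explorer.exe", "cmd": "cmd.exe /C wevtutil.exe qe Application /c:5"},
    {"time": "10:05:12", "parent": "explorer.exe", "cmd": "notepad.exe C:\\notes.txt"},
]


def classify(cmd: str) -> set:
    """Return the set of signature categories a command line matches."""
    return {name for name, pattern in SIGNATURES if pattern.search(cmd)}


def summarize_by_parent(events) -> dict:
    """Group hits by parent process and assign a verdict per parent."""
    summary = defaultdict(lambda: {"hits": 0, "categories": set(), "commands": []})
    for ev in events:
        cats = classify(ev["cmd"])
        if not cats:
            continue
        entry = summary[ev["parent"]]
        entry["hits"] += 1
        entry["categories"] |= cats
        entry["commands"].append(ev["cmd"])
    for entry in summary.values():
        if entry["categories"] == ALL_CATEGORIES:
            # Backups gone, recovery off, logs wiped: treat as an incident.
            entry["verdict"] = "ransomware_preparation"
        else:
            entry["verdict"] = "suspicious"
    return dict(summary)


if __name__ == "__main__":
    for parent, entry in summarize_by_parent(SAMPLE_EVENTS).items():
        print(f"{parent}: {entry['verdict']} "
              f"({entry['hits']} hits, {sorted(entry['categories'])})")
```

Grouping by parent is what turns three noisy single-command signatures into a high-confidence alert: administrators do run vssadmin and wevtutil, but a single process that deletes shadow copies, disables startup repair and clears all three logs within seconds rarely has a benign explanation.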

MPLS explained

The thing about MPLS is that it’s a technique, not a service — so it can deliver anything from IP VPNs to metro Ethernet. It’s expensive, so with the advent of SD-WAN enterprises are trying to figure how to optimize its use vs. less expensive connections like the internet.

The Cost of GDPR Non-Compliance 

The General Data Protection Regulation (GDPR) requires additional steps that data processors and data controllers must take to protect personal data and to disclose any data security breach to the public. GDPR regulators can impose large monetary fines on those in non-compliance. Additional penalties may not be monetary, but can still carry large consequences.

Here’s Why Blake Lively Still Doesn’t Have a Stylist

Blake Lively is one of the rare Hollywood celebrities who doesn’t hire a stylist. She pulls all the clothes for her press tours and their outfit marathons (she tried 256 outfits for her Age of Adaline one in 2015, for example). What, like it’s hard dressing yourself? Lively told WWD last night when its reporter asked if it was difficult being a major actress and her own stylist. “It’s a lot of work [but] I mean, it’s not hard in that we all dress ourselves every morning,” she started.

Identifying Security Blind Spots For You And Your Customers

The security landscape is a minefield for small businesses, and their service providers. After a year of high-profile cybersecurity stories – from WannaCry to Equifax to Spectre and Meltdown – providers are facing difficult conversations with their clients about their preparedness against attacks.

Suspicious likes lead to researcher lighting up a 22,000-strong botnet on Twitter

Botnets are fascinating to me. Who creates them? What are they for? And why doesn’t someone delete them? The answers are probably less interesting than I hope, but in the meantime I like to cheer when large populations of bots are exposed. That’s what security outfit F-Secure’s Andy Patel did this week after having his curiosity piqued by a handful of strange likes on Twitter.

Walmart-Amazon Rivalry Turns Into Food Fight

Walmart on Wednesday said it would expand its Online Grocery Delivery service, currently available in six markets, to more than 100 metro areas across the United States. Its plans call for covering more than 40 percent of U.S. households by the end of the year.