
Zenis: The Ransomware That Deletes Backup Files After Encryption

As threats and security breaches increase day by day, a new ransomware family, Zenis, was discovered this week by MalwareHunterTeam. How Zenis is being distributed is still unknown, but it already has many victims.

Zenis not only encrypts your files but also overwrites and deletes your backup files.

When the discoverers analysed the first Zenis samples, the actors were using a custom encryption method to encrypt files. MalwareHunterTeam is still looking for a way to recover files hit by the attack.

Let’s look at how Zenis works: how it encrypts files and how it deletes backups.


How Does Zenis Work?

As said earlier, research into how this ransomware is distributed is still ongoing. Based on the attack samples seen so far, it appears to be distributed through Remote Desktop Services (RDS).

Remote Desktop Services is a component of Windows Server 2008. It lets users access other desktops remotely, meaning a user on one system can operate another system through RDS.

Zenis runs a two-step check before encrypting. The first check is on the name of the executable it is running as, and the second checks whether a particular registry value exists.

If the registry value HKEY_CURRENT_USER\SOFTWARE\ZenisService “Active” does not exist, or the file named iis_agent32.exe is not present, the process terminates and nothing on the system is encrypted.

If Zenis passes the two-step check, the process begins: files are encrypted and the system receives a ransom note demanding payment, with the attackers to be contacted by email.

Once the ransom note has been placed on your system, Zenis runs the commands below to delete the volume shadow copies, disable startup repair, and clear the event logs:

  • exe /C vssadmin.exe delete shadows /all /Quiet
  • exe /C WMIC.exe shadowcopy delete
  • exe /C Bcdedit.exe /set {default} recoveryenabled no
  • exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • exe /C wevtutil.exe cl Application
  • exe /C wevtutil.exe cl Security
  • exe /C wevtutil.exe cl System
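The commands above are the most detectable part of the chain: shadow-copy deletion, disabling recovery and clearing event logs are rarely run together by legitimate software. The following is an added example (not code from the article or from the researchers) of detection logic over process-creation events. The log format is a constructed, simplified `timestamp|user|commandline` form standing in for whatever your EDR or Sysmon pipeline emits, and the sample lines are constructed to mirror the commands quoted in the article.

```python
"""Flag the recovery-inhibition commands attributed to Zenis in process-creation
log lines, and escalate when one user triggers several categories in a row."""
import re

# Each rule maps a detection category to a pattern built from the commands the
# article quotes. Case-insensitive because cmd.exe and these tools are.
RULES = [
    ("shadow_copy_deletion",  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion",  re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("event_log_cleared",     re.compile(r"wevtutil(\.exe)?\s+cl\s+(application|security|system)\b", re.I)),
]

# Constructed sample log: one benign line, the Zenis command sequence, and a
# benign "list shadows" from a backup agent that must NOT fire.
SAMPLE_LOG = """\
2018-03-14T10:01:02|CORP\\alice|notepad.exe notes.txt
2018-03-14T10:02:11|CORP\\alice|cmd.exe /C vssadmin.exe delete shadows /all /Quiet
2018-03-14T10:02:12|CORP\\alice|cmd.exe /C WMIC.exe shadowcopy delete
2018-03-14T10:02:13|CORP\\alice|cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no
2018-03-14T10:02:13|CORP\\alice|cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2018-03-14T10:02:14|CORP\\alice|cmd.exe /C wevtutil.exe cl Security
2018-03-14T10:05:00|CORP\\bob|vssadmin.exe list shadows
"""


def parse_line(line):
    """Split a 'timestamp|user|commandline' record (assumed format)."""
    ts, user, cmdline = line.split("|", 2)
    return {"ts": ts, "user": user, "cmdline": cmdline}


def match_rules(cmdline):
    """Return the sorted, de-duplicated categories a command line triggers."""
    return sorted({label for label, rx in RULES if rx.search(cmdline)})


def detect(log_text):
    """Return (timestamp, user, categories, cmdline) for every matching event."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        labels = match_rules(ev["cmdline"])
        if labels:
            hits.append((ev["ts"], ev["user"], labels, ev["cmdline"]))
    return hits


def assess(hits):
    """Per user, collect the distinct categories seen. Two or more distinct
    categories from one user is the ransomware-precursor pattern described in
    the article and is rated high; a single category is rated medium so that
    an admin legitimately deleting shadow copies is not treated as an incident."""
    per_user = {}
    for _, user, labels, _ in hits:
        per_user.setdefault(user, set()).update(labels)
    return {
        user: {"categories": sorted(cats),
               "severity": "high" if len(cats) >= 2 else "medium"}
        for user, cats in per_user.items()
    }


if __name__ == "__main__":
    for ts, user, cats, cmd in detect(SAMPLE_LOG):
        print(f"{ts} {user} {','.join(cats)}: {cmd}")
    print(assess(detect(SAMPLE_LOG)))
```

The severity step matters more than the individual rules: `vssadmin delete shadows` on its own is noisy in environments where backup software rotates snapshots, but the same user account also turning off recovery and clearing the Security log within seconds is the sequence worth paging on.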

After issuing these commands, Zenis terminates several processes on the system, including those whose names contain:

  • sql
  • taskmgr
  • regedit
  • backup

Once the system satisfies Zenis’s checks, it starts encrypting the files present on it. It scans the system’s drives and looks for files with certain extensions to encrypt. According to researchers, it encrypts files using AES and selects its targets by file extension. Some of the extensions Zenis targets for encryption are:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, etc.

After encryption, the encrypted file’s name is changed to the format Zenis-[2 random chars].[12 random chars], which is appended to the end of the file name.

If backup files associated with the encrypted files are found, Zenis overwrites each one three times and then deletes it, making it impossible for the user to recover. The actors target a specific list of extensions for deletion, including:

.win, .wbb, .w01, .v2i, .trn, .tibkp, .sqb, .rbk, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm, etc.
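When triaging a host after an incident like this, two questions come first: which files carry the encrypted-name marker, and which files on the box had the backup extensions Zenis targets for overwriting (those should be presumed unrecoverable from the host and restored from off-host copies). The following is an added example, not code from the article, that classifies file names against the two extension lists above. It assumes the random characters in the Zenis marker are alphanumeric, and the sample names are constructed.

```python
"""Classify file names against the Zenis indicators described above: the
Zenis-[2 chars].[12 chars] marker on encrypted files, the ransom note name,
and the backup extensions the ransomware overwrites and deletes."""
import os
import re

# Assumption: the two and twelve "random chars" are alphanumeric. The marker is
# appended to the original file name, so we anchor only at the end.
ZENIS_MARKER = re.compile(r"Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
RANSOM_NOTE = "Zenis-Instructions.html"

# Backup extensions listed in the article as targets for overwrite-and-delete.
BACKUP_EXTS = {
    ".win", ".wbb", ".w01", ".v2i", ".trn", ".tibkp", ".sqb", ".rbk", ".qic",
    ".old", ".obk", ".ful", ".bup", ".bkup", ".bkp", ".bkf", ".bff", ".bak",
    ".bak2", ".bak3", ".edb", ".stm",
}
# Longest first so ".bak2" is reported as ".bak2", not ".bak".
_EXTS_BY_LENGTH = sorted(BACKUP_EXTS, key=len, reverse=True)

# Constructed sample directory listing.
SAMPLE_NAMES = [
    "report.docx.Zenis-aB.Q1w2E3r4T5y6",
    "budget.xlsx",
    "db_backup.bak",
    "nightly.tibkp",
    RANSOM_NOTE,
    "photo.jpeg.Zenis-9z.AbCdEfGhIjKl",
    "archive.bak2",
]


def is_zenis_name(name):
    """True if the file name ends with the Zenis encrypted-file marker."""
    return bool(ZENIS_MARKER.search(name))


def backup_extension(name):
    """Return the matching targeted backup extension, or None."""
    lower = name.lower()
    for ext in _EXTS_BY_LENGTH:
        if lower.endswith(ext):
            return ext
    return None


def ransom_note_present(names):
    return any(n == RANSOM_NOTE for n in names)


def classify(names):
    """Bucket names into encrypted, backup_at_risk and other, preserving order."""
    report = {"encrypted": [], "backup_at_risk": [], "other": []}
    for name in names:
        if is_zenis_name(name):
            report["encrypted"].append(name)
        elif backup_extension(name):
            report["backup_at_risk"].append(name)
        else:
            report["other"].append(name)
    report["ransom_note"] = ransom_note_present(names)
    return report


def classify_tree(root):
    """Walk a real directory and classify every file name under it."""
    names = []
    for dirpath, _, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    # classify() only inspects the tail of each path, so full paths are fine.
    return classify(names)


if __name__ == "__main__":
    result = classify(SAMPLE_NAMES)
    for bucket in ("encrypted", "backup_at_risk"):
        print(bucket, result[bucket])
    print("ransom note present:", result["ransom_note"])
```

Any host where the `encrypted` bucket is non-empty should be treated as having lost its local backups as well: the article says the backup files are overwritten three times before deletion, so file-carving tools will not bring them back, and the only sound recovery path is a copy that was never reachable from the infected machine.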

During encryption, it also generates the ransom note file ‘Zenis-Instructions.html’, which demands a ransom in return for the encrypted files and lists the attackers’ contact details for getting the files back.



How to Stay Protected?

  • First, keep a reliable backup and restore arrangement, so that in an emergency or a ransomware attack the data can be restored.
  • Stop using Remote Desktop Services, or block inbound RDS requests, since attackers can get into the system through RDS.
  • Alternatively, use a ransomware protection tool to keep your system from being hit by ransomware like Zenis. Some ransomware protection tools also back up your existing data in case of future attacks.
