ZeroLocker - Most destructive ransomware yet

ZeroLocker is a new destructive encrypting ransomware which, like its predecessors such as CryptoLocker, encrypts files on infected machines with a strong encryption algorithm. The attackers then demand that the victim pay a sum of money in order to buy the decryption key. HOWEVER, unlike other encrypting malware, this infection pretends to be a helper tool that has discovered the encrypted files and is trying to “help” you. In reality, though, this could be one of the most destructive ransomware families we have seen to date.
What happens?
Once your system has been encrypted by this ransomware, you will be asked to pay $300 to release and decrypt your data. If you fail to pay within 5 days the fee rises to $600, and after 10 days it is $1000. Of course, we suggest you NEVER pay these cyber criminals any money.
How to protect your systems
ZeroLocker can be spread in a number of ways: by e-mail attachments, hacked websites, fake Java installers etc. We therefore suggest that you limit access to unauthorised websites and do not download anything to your PC without authorisation from your IT provider. Beware of emails from unsolicited addresses, and beware of those dressed up to look like they come from official sources such as eBay, Facebook, High Street banks, couriers etc., for example:

  • “Your Facebook account has been compromised”
  • “HMRC has detected you paid too much tax”
  • “Your bank account is on stop, please click here to login and change your password”
  • “Undelivered parcel waiting for you”

Ensure EVERYONE in your organisation including remote branches follows these guidelines.

1. DO NOT, UNDER ANY CIRCUMSTANCES, open any link or attachment from an email unless you were 100% expecting to receive it. These emails can look like they came from people you know or have dealt with in the past. It’s better to miss an email than take the risk of infecting your system. If you are suspicious of an email, pick up the phone and confirm it.

2. BAN the use of personal email accounts (e.g. Hotmail, Gmail etc.) on the system at any time.

3. Make sure that ALL user accounts have a secure password which is not shared with other users.

4. If anything suspicious is encountered, notify us IMMEDIATELY. We have had instances where a user realises they’ve done something bad and just walked away hoping they won’t be found out. The CryptoLocker ransom note will appear on the machine which originally downloaded the infection, so it will be easy to identify the culprit.

5. Make sure backups are running and tested regularly, and that the media is swapped on a regular basis.

6. Make sure that your antivirus software is running and up to date.

7. Make sure your operating system is updated with any patches which Microsoft has issued.

How does ZeroLocker work?
"ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system, rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words "Windows", "WINDOWS", "Program Files", "ZeroLocker" or "Desktop". The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe."
Any files that are encrypted will have .encrypted appended to their filename. When it has finished encrypting your files, it then runs the command C:\Windows\System32\cipher.exe /w:C:\, which overwrites all deleted data on your C:\ drive so that you are unable to use file recovery tools to restore your files. It creates the C:\ZeroLocker folder and stores various files there, including the decryptor executable, ZeroRescue.exe. This file is set to start automatically via a Registry entry when you log in to your computer.
The main issue, though, is what happens when ZeroLocker uploads your decryption key to the Command & Control server. If the C2 server were properly configured, it would respond to the upload of the private key with an HTTP 200 status code, meaning the web page was successfully accessed. Unfortunately, when ZeroLocker attempts to upload its private key it receives a 404 status code, because the requested web page does not exist on the server, so the key needed to decrypt your files may never reach the attackers at all.
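Host-side detection logic for the behaviours described in this section, as an added example that is not from the original post: it flags the cipher.exe /w: wipe and the ZeroRescue.exe autorun in constructed Sysmon-style log lines, counts marker-extension files, and mirrors the stated file-selection rule so a defender can decide where canary files would be hit. The log line layout and the HKCU Run key location are assumptions.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Behaviours taken from the write-up: the cipher.exe /w: free-space wipe, the
# ZeroRescue.exe autorun, and the marker extension (the text gives both
# .encrypt and .encrypted, so both are matched).
WIPE_RE = re.compile(r"\bcipher(\.exe)?\s+/w:", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\ZeroLocker\\ZeroRescue\.exe", re.IGNORECASE)
MARKER_EXTS = (".encrypt", ".encrypted")
# Directory words the write-up says are skipped; they are listed case-sensitively.
SKIPPED_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
SIZE_LIMIT = 20 * 1024 * 1024  # 20MB upper bound quoted in the write-up


def would_be_targeted(path: str, size: int) -> bool:
    """Mirror the stated file-selection rule, e.g. to choose canary-file locations."""
    if size > SIZE_LIMIT:
        return False
    directory = ntpath.dirname(path)
    return not any(word in directory for word in SKIPPED_WORDS)


def scan_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag log lines showing the free-space wipe or the autorun entry."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        if WIPE_RE.search(line):
            findings.append({"line": number, "rule": "free-space-wipe", "text": line})
        if AUTORUN_RE.search(line):
            findings.append({"line": number, "rule": "zerolocker-autorun", "text": line})
    return findings


def count_marker_files(paths: Iterable[str]) -> int:
    """Count files carrying the marker extension, e.g. from a directory listing."""
    return sum(1 for p in paths if p.lower().endswith(MARKER_EXTS))


# Constructed sample events (Sysmon-style text; layout is an assumption): a benign
# cipher.exe /e run, the /w: wipe from the write-up, and the autorun value under
# an assumed HKCU Run key, since the write-up only says "Registry entry".
SAMPLE_LOG = [
    "ProcessCreate Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
    "ProcessCreate Image=C:\\Windows\\System32\\cipher.exe CommandLine=cipher.exe /w:C:\\",
    "RegistrySet Key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ZeroRescue "
    "Value=C:\\ZeroLocker\\ZeroRescue.exe",
    "ProcessCreate Image=C:\\Windows\\System32\\cipher.exe CommandLine=cipher.exe /e C:\\Users\\bob\\docs",
]
```

Running `scan_events(SAMPLE_LOG)` flags only lines 2 and 3; the legitimate `cipher.exe /e` call on line 4 is not reported.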
What to do if you are infected
There is, though, some light at the end of the tunnel. This infection does not delete the Windows System Restore points so there is the possibility that your files can be restored.
Our message is simple: update your operating system, run your backups and make this a regular occurrence, update your security software and use it, and think twice before clicking on links or attachments in unsolicited emails.

53 Moss Road, Banbridge, County Down, Northern Ireland, BT32 3NZ, Tel: +44 (0)28 4065 1009. Copyright EOS IT Solutions 2016.