Ransomware, something we at Firestorm Cyber called a pandemic two years ago, has evolved into a new, highly effective and adaptable form that should cause serious concern for defenders.
Most crypto-ransomware has needed network connectivity or remote commands before it can execute its payload, a dependency known as Command-and-Control (C2). In the typical chain, a user on the target computer clicks a link or opens an attachment that was delivered to them, usually by e-mail; the malware begins executing and "calls home" to a C2 server for its marching orders (in practice, the key it will encrypt with and the go-ahead to start). The carnage begins after that, as the malware enumerates and encrypts files, documents, and so on, before throwing up the dreaded "Your files have been encrypted" page.
Zeoticus in its first version, like other ransomware, followed this scheme. That dependency is also a defensive chokepoint: if your endpoints can't stop the encryption themselves, blocking all C2 traffic at the edge of your network keeps the malware from ever receiving its key or its go-ahead. Most Unified Threat Management (UTM) appliances, configured correctly, can identify C2 traffic and prevent it from passing through the network to the Internet. The caveat is that this only works for as long as the malware has to phone home.
Zeoticus 2.0 is the new and terrifying upgrade, and it removes that chokepoint. It's not only fast and effective, but it will fully execute OFFLINE and has no dependency on C2 servers. The cryptography it brings is the fast, modern NaCl family: XSalsa20 and XChaCha20, which are symmetric stream ciphers and do the bulk file encryption; Poly1305, which is not an encryption algorithm but a message authentication code; and Curve25519, which is an asymmetric key-agreement primitive, not a cipher. The Curve25519 piece is what makes offline operation possible in this class of ransomware: a public key embedded in the binary lets the malware agree on a per-victim key that only the holder of the attacker's private key can recover, so there is nothing to fetch from a server and nothing for the firewall to block.
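As an added illustration, not code from this post and not Zeoticus's own code or a claim about its exact scheme, here is the standard offline key-establishment pattern that Curve25519 enables, in Python. The attacker's key pair is generated off-box and only the public key is embedded; on the victim the malware generates a throwaway key pair, derives the per-victim file key with X25519, discards the throwaway private half, and leaves the throwaway public key in the ransom note. Only the attacker's private key can recover the file key, and at no point is a packet sent. The X25519 routine is a transcription of RFC 7748 (its published test vectors are used to check it); the SHA-256 key derivation, the fixed demo keys and the function names are assumptions for the demonstration, and the bulk file encryption that XSalsa20/XChaCha20 with Poly1305 would do with the derived key is left out.

```python
"""Offline per-victim key establishment with X25519 (RFC 7748), pure Python.

Added demo of the mechanism, not Zeoticus code. The x25519() ladder is a direct
transcription of RFC 7748 and is NOT constant-time: do not reuse it for anything real.
"""
import hashlib
import os

P = 2**255 - 19                     # field prime for Curve25519
A24 = 121665                        # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)  # u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns X25519(k, u) as 32 bytes."""
    kk = bytearray(k)
    kk[0] &= 248
    kk[31] &= 127
    kk[31] |= 64                    # clamp the scalar as the RFC specifies
    k_int = int.from_bytes(kk, "little")
    uu = bytearray(u)
    uu[31] &= 127                   # mask the top bit of the u-coordinate
    x1 = int.from_bytes(uu, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)


def derive_file_key(shared: bytes) -> bytes:
    # Assumed KDF for the demo; a real sample would use its own derivation.
    return hashlib.sha256(b"demo-file-key" + shared).digest()


# Attacker side, done once, off-box. Fixed demo key: RFC 7748 test vector "a", not a real key.
ATTACKER_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ATTACKER_PUB = public_key(ATTACKER_PRIV)   # only this value would be embedded in the binary


def victim_setup(attacker_pub: bytes):
    """Runs on the victim with no network access. Returns (file_key, note_blob)."""
    eph_priv = os.urandom(32)
    file_key = derive_file_key(x25519(eph_priv, attacker_pub))
    note_blob = public_key(eph_priv)   # goes into the ransom note / file header
    del eph_priv                       # from here on the victim cannot re-derive file_key
    return file_key, note_blob


def attacker_recover(attacker_priv: bytes, note_blob: bytes) -> bytes:
    """Runs on the attacker's side once the victim sends back the note blob."""
    return derive_file_key(x25519(attacker_priv, note_blob))


# RFC 7748 section 6.1 vectors, used to check the ladder.
RFC_A_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC_B_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
RFC_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def self_test() -> bool:
    return (ATTACKER_PUB.hex() == RFC_A_PUB
            and x25519(RFC_B_PRIV, ATTACKER_PUB).hex() == RFC_SHARED)


if __name__ == "__main__":
    assert self_test()
    key, blob = victim_setup(ATTACKER_PUB)
    print("victim derived key :", key.hex())
    print("attacker recovered :", attacker_recover(ATTACKER_PRIV, blob).hex())
```

The defensive takeaway is in what the victim-side function does not do: it never opens a socket, and once the throwaway private key is gone the only secret left on the box is a public value. There is no C2 session to block and no key to pull out of memory after the fact, which is why the detection has to happen on the endpoint while the encryption is running.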
That's not its only upgrade. It can find and kill processes that could disrupt encryption (typically database, backup and security software that hold files open or could undo the damage), discover and infect remote drives, and lay waste to files and documents. 2.0 can also gather information about the network it's in using WMI queries. Encrypted files are renamed with a 2020End extension, after which the malware mounts a new drive/volume containing the ransom note. Interestingly, victims are instructed to contact the attacker via e-mail.
These new abilities should terrify anyone responsible for the security of networks and endpoints, because the defense that worked against version 1.0 no longer applies. If you don't have protection on your servers and endpoints that can detect an encryption event in progress and reverse it; if you don't have a firewall that can effectively block C2 traffic, for the ransomware that still needs it; and if your firewall can't directly collaborate with your endpoints to quarantine an infected host, since it will see no C2 traffic from an offline sample, you should be terrified.
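As an added example, not from the original post, here is a small endpoint-side detector in Python for the two behaviours described above: a burst of files renamed to the ransomware extension, and the termination of processes that could interfere with encryption shortly beforehand. The log format, the host names, the timestamps, the process watchlist and the assumption that ".2020End" is appended as a suffix are all constructed for the demonstration; the point is the sliding-window rate logic, which is what separates an encryption event from a user renaming a couple of files.

```python
"""Endpoint-side burst detector for ransomware file renames (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: encrypted files get ".2020End" appended; the post only says "a 2020End extension".
RANSOM_EXT = ".2020end"
# Assumed watchlist of processes whose termination is a typical pre-encryption step
# (database engine, shadow copies, AV, backup agent). Not taken from the post.
SENSITIVE_PROCS = {"sqlservr.exe", "vssvc.exe", "msmpeng.exe", "veeam.backup.service.exe"}

# Constructed sample telemetry, not real logs: "timestamp|host|event|detail".
SAMPLE_LOG = r"""
2021-01-15T09:00:01|WS-17|ProcessTerminate|sqlservr.exe
2021-01-15T09:00:01|WS-17|ProcessTerminate|vssvc.exe
2021-01-15T09:00:02|WS-17|FileRename|C:\Users\ana\Documents\Q4.xlsx -> C:\Users\ana\Documents\Q4.xlsx.2020End
2021-01-15T09:00:02|WS-17|FileRename|C:\Users\ana\Documents\board.docx -> C:\Users\ana\Documents\board.docx.2020End
2021-01-15T09:00:03|WS-17|FileRename|C:\Users\ana\Pictures\img1.jpg -> C:\Users\ana\Pictures\img1.jpg.2020End
2021-01-15T09:00:03|WS-03|ProcessTerminate|notepad.exe
2021-01-15T09:00:04|WS-17|FileRename|\\FS01\share\plan.pdf -> \\FS01\share\plan.pdf.2020End
2021-01-15T09:00:05|WS-17|FileRename|\\FS01\share\ledger.xlsx -> \\FS01\share\ledger.xlsx.2020End
2021-01-15T09:00:06|WS-17|FileRename|C:\Users\ana\Desktop\notes.txt -> C:\Users\ana\Desktop\notes.txt.2020End
2021-01-15T09:10:00|WS-03|FileRename|C:\Users\bo\test.txt -> C:\Users\bo\test.txt.2020End
2021-01-15T09:25:00|WS-03|FileRename|C:\Users\bo\test2.txt -> C:\Users\bo\test2.txt.2020End
"""


def parse_line(line: str):
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=30)) -> list:
    """One alert per host that renames >= `threshold` files to RANSOM_EXT inside `window`.

    A watchlisted process killed within `window` of the first rename raises the severity.
    """
    renames = defaultdict(deque)   # host -> rename timestamps inside the current window
    kills = defaultdict(list)      # host -> (timestamp, process) for watchlisted terminations
    alerts, fired = [], set()
    for line in log_text.strip().splitlines():
        ts, host, event, detail = parse_line(line)
        if event == "ProcessTerminate" and detail.lower() in SENSITIVE_PROCS:
            kills[host].append((ts, detail.lower()))
        elif event == "FileRename" and detail.lower().endswith(RANSOM_EXT):
            q = renames[host]
            q.append(ts)
            while ts - q[0] > window:      # slide the window; q is never empty here
                q.popleft()
            if len(q) >= threshold and host not in fired:
                fired.add(host)
                precursors = [p for t, p in kills[host] if q[0] - t <= window]
                alerts.append({
                    "host": host,
                    "first_rename": q[0].isoformat(),
                    "renames_in_window": len(q),
                    "precursor_kills": precursors,
                    "severity": "critical" if precursors else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data WS-17 fires on its fifth rename within four seconds, with the two service kills attached as precursors, while WS-03's two renames fifteen minutes apart never reach the threshold. The same rate logic is what an endpoint product applies before it starts rolling files back; tune `threshold` and `window` against your own file-server baseline rather than accepting the demo values.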
Ransomware has evolved. Your cybersecurity has to evolve.
Or surrender.
Who created this? Well, I'll say that it's been designed not to attack systems in Russia, Kyrgyzstan, and Belarus, and leave it at that.
Learn more about how Firestorm Cyber can protect and defend your systems against Zeoticus 1.0, 2.0, and other ransomware. Contact us https://www.firestormcyber.com/contact
Experienced a cyber threat? Call us 24x7 for immediate help.