Zeon Ransomware

Zeon Ransomware

Introduction: Zeon ransomware, first observed in late January 2022, is characterized as a low-sophistication and commodity-level ransomware. It is the predecessor to Royal ransomware and prompts victims to visit a TOR-based payment portal. Zeon victims are instructed to pay in XMR or BTC with a fee of 25% in case of the latter. The ransomware payloads are Python-based executables packaged via pyInstaller and further obfuscated via pyArmor.

Targets: Zeon ransomware is known to target small and medium-sized businesses (SMBs).

Propagation: Zeon ransomware targets victims through phishing emails and leverages exposed and vulnerable applications and services such as Remote Desktop Protocol (RDP) and third-party frameworks like Empire, Metasploit, and Cobalt Strike.

Technical Details:

  • Execution and Inhibition:
    • On execution, Zeon ransomware payloads attempt to stop services or processes that could inhibit the encryption process, including common backup processes and well-known security products (e.g., McAfee, Sophos, Kaspersky).
  • Persistence Mechanism:
    • Zeon achieves persistence via a Scheduled Task, generating and executing the task via cmd.exe.
  • File Encryption:
    • Encrypted files receive the .zeon extension, and the ransom note is dropped as “re_ad_me.html” on the Desktop.

Detection Strategies: EDR can detect and prevent malicious behaviors and artifacts associated with Zeon ransomware.

For those without EDR , here are ways to identify Zeon ransomware in your network:

  1. Security Tools:
    • Use anti-malware software or security tools capable of detecting and blocking known ransomware variants using signatures, heuristics, or machine learning algorithms.
  2. Network Traffic Monitoring:
    • Monitor network traffic for indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct regular security audits and assessments to identify vulnerabilities and ensure security controls are functioning properly.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices to recognize and report suspicious emails and threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in the event of an attack.

Mitigation Measures: For EDR customers, the EDR can prevent Zeon ransomware infections and, in case of infection, detect and prevent malicious behaviors and artifacts. The unique rollback capability allows the removal of infections.

For those without EDR , along with detection strategies, consider the following mitigation steps:

  1. Employee Education:
    • Educate employees on ransomware risks and train them to identify and avoid phishing emails and malicious attachments.
  2. Strong Passwords:
    • Implement strong, unique passwords for all user accounts, regularly updating and rotating them.
  3. Multi-Factor Authentication (MFA):
    • Enable MFA for user accounts to add an extra layer of security.
  4. System Updates and Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  5. Backup and Disaster Recovery (BDR):
    • Establish and regularly test backup and disaster recovery processes to ensure quick data restoration.

Proactive security measures, employee awareness, and a comprehensive backup strategy are essential to mitigating the risk of Zeon ransomware attacks.

 

Back

Copyright © 2024 RASOC all rights reserved