The Proton ransomware household has undergone a number of iterations because it first emerged in March 2023, with the newest variant Zola together with privilege escalation measures, a disk overwriting operate and a keyboard language-based kill swap.
The Acronis Risk Analysis Unit lately encountered the brand new Zola variant throughout an incident response and carried out an in-depth evaluation revealed Monday. This newest model demonstrates the ransomware household’s sample of fixed code tweaks and rebranding.
“The looks of latest ransomware households each month has grow to be an unlucky norm lately. Whereas some will seem as shortly as they fade out of existence, some set up an prolonged keep, and others merely change their digital garments,” the Acronis researchers wrote.
Zola kicks off assault with kill swap, admin privilege checks
The Zola variant of the Proton ransomware was first found by Acronis in Could and bears similarities to a different variant, known as Ripa, that appeared on April 30.
The researchers famous that the Proton household makes use of commonplace hacking instruments amongst ransomware actors, similar to Mimikatz, ProcessHacker and varied instruments for disabling Home windows Defender. The malware usually drops these instruments within the Downloads, Music or 3D Objects directories on the goal machine.
One other similarity between Zola and its predecessors is the creation of a mutex upon execution, which avoids concurrent executions; this hardcoded mutex remained unchanged between variants.
A novel characteristic of Zola and different current variants is the presence of a kill swap that checks for a Persian keyboard format and halts processes if this format is recognized.
“This kill swap is perhaps indicative of the Proton household’s origins, however no additional proof was discovered to strengthen this assumption,” the researchers wrote.
If the kill swap isn’t triggered, the malware proceeds to verify for admin privileges, and repeatedly prompts the person to run the executable as an administrator if the verify fails.
This admin checking characteristic was additionally current within the authentic Proton pattern, though a sub-family often known as Shinra, noticed in early April, lacks this performance, suggesting that Zola represents a separate department in Proton’s evolution.
Previous to encrypting information, Zola makes further preparations, together with technology of a singular sufferer ID and key data, emptying of the Recycle Bin, modification of boot configuration and deletion of shadow copies to stop restoration.
Shadow copies are deleted utilizing the vssadmin command by way of the ShellExecute API and the BCDEdit Home windows instrument was used to disable automated restore pressure Home windows to disregard all failures throughout the boot course of.
Proton ransomware modifications encryption scheme, lacks ransom word modifications
The unique Proton ransomware used elliptic-curve cryptography (ECC) and Superior Encryption Customary (AES) in Galois/Counter Mode (GCM) to encrypt information, however an replace in September 2023 switched to the ChaCha20 encryption scheme, which stays the case for the Zola variant.
Nevertheless, the Zola ransom word stays largely unchanged from the unique Proton ransom word, as seen on PCrisk’s removing information, other than a change in touch data. Notably, the ransom word nonetheless claims the usage of AES and ECC, deceptive the sufferer.
Previous to encryption, the malware makes an attempt to kill 137 processes and 79 companies listed in its binary, together with varied safety software program and different functions that will stop encryption by locking a number of information.
Zola runs a number of encryption threads to encrypt information, together with in network-attached drives with write entry, and drops the ransom word below every encrypted folder. In the meantime, the malware additionally modifications the desktop wallpaper to a message instructing the sufferer to electronic mail the risk actor, together with sufferer’s distinctive ID.
Zola additionally retains a operate that emerged amongst Proton variants in early April 2024, which spawns a short lived file below C: and fills up the disk by constantly writing uninitialized information in 500 KB chunks. This overwriting of slack area on the disk is suspected to function a strategy to make digital forensics and information restoration tougher.
To not be confused with PrOToN/Xorist ransomware
Whereas the Proton ransomware household has spawned a number of variants and no less than one subfamily, it isn’t to be confused with a equally named ransomware often known as PrOToN, which is a part of the Xorist, or EnCiPhErEd, household.
PrOToN is described by PCrisk as a “ransomware-type program,” which first emerged round August 2023. Variations between the 2 “Proton” ransomware embody variations within the encrypted file extension (.Proton or .kigatsu versus .PrOToN), ransom word format and risk actor contact data.
PrOToN additionally triggers an “Error” pop-up window displaying the ransom word textual content, which is a characteristic that isn’t current with Zola and different Proton variants.
A Xorist decryptor is offered from Emsisoft, however this decryptor isn’t identified to work towards the PrOToN variant, in response to PCrisk.
No identified decryptor instrument is offered for the Proton household studied by Acronis.
