Upon inside a computer, the ransomware performs the following checks before it starts encrypting the user\u2019s data.<\/p>\n
- \n
- Whether the executed file\u2019s name is \u2018iis_agent32.exe\u2019 (this check is not case sensitive)<\/li>\n
- Looks for the registry and checks if its value is \u2018Active\u2019 and the registry value is \u2018HKEY_CURRENT_USER\\SOFTWARE\\ZENISSERVICE\u2019.<\/li>\n<\/ul>\n
<\/p>\n
If either one of these checks is not fulfilled, the ransomware halts the process and does not proceed any further. On the other hand, if these checks are complete, Zenis fires the below commands to disable the Windows repair and backup<\/strong> option using Vssadmin.exe. Vssadmin.exe is used to create and manage shadow volume copies on the drive.<\/em><\/p>\n
- \n
- cmd.exe \/C vssadmin.exe delete shadows \/all \/Quiet<\/li>\n
- cmd.exe \/C WMIC.exe shadowcopy delete<\/li>\n
- cmd.exe \/C Bcdedit.exe \/set {default} recoveryenabled no<\/li>\n
- cmd.exe \/C Bcdedit.exe \/set {default} bootstatuspolicy ignoreallfailures<\/li>\n
- cmd.exe \/C wevtutil.exe cl Application<\/li>\n
- cmd.exe \/C wevtutil.exe cl Security<\/li>\n
- cmd.exe \/C wevtutil.exe cl System<\/li>\n<\/ul>\n
After executing the above commands, Zenis starts its encryption activity. Our analysis says that the ransomware basically encrypts non-PE files. Below are the extensions which the ransomware encrypted successfully during the scenario generated at Quick Heal Security Labs.<\/p>\n
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt<\/p><\/blockquote>\n
<\/p>\n
Zenis drops infection marker files and encrypted files which have the following pattern. Z<\/em>enis-[2 random chars].[12 random chars].<\/em><\/p>\n
For example, \u2018example.txt\u2019 would be encrypted and renamed with a pattern like \u2018Zenis-4V.4V7sb2JRmLNs.\u2019<\/p>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/1.jpg\")
<\/p>\nFig 1. Files encrypted by Zenis<\/p>\n
While searching for the files to encrypt, if Zenis finds any backup files, it overwrites them three times and then deletes them. This makes it almost impossible for the affected user to restore their files from the backup.<\/p>\n
<\/p>\n
Below are the extensions which the ransomware is programmed to delete:<\/strong><\/p>\n
<\/p>\n
.wbb,.qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm,.win,w01, .v2i, .trn, .tibkp, .sqb, .rbk<\/p><\/blockquote>\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/2.jpg\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/3.jpg\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/4.jpg\")
<\/p>\n