
MR.Z3B1 Ransomware

Posted: April 4, 2019

The MR.Z3B1 Ransomware is a variant of the Jigsaw Ransomware, a Saw movie-themed, file-locking Trojan. Besides encrypting your documents and other files to lock them, the MR.Z3B1 Ransomware's family includes significant support for deleting files under different conditions. Users should respond to infections quickly, avoid unnecessary reboots while removing the MR.Z3B1 Ransomware with proper anti-malware tools, and keep backups for recovering their work.

A Puzzle of a Program Gets Blue Facepaint

The Jigsaw Ransomware is getting up to new tricks, thanks to an unknown threat actor. This new release, the MR.Z3B1 Ransomware, offers a different user interface from the original program or even modern variants like the Anti-Capitalist Ransomware, the DeltaSEC Ransomware, the PC-FunHACKED! Ransomware or the YOLO Ransomware. The MR.Z3B1 Ransomware's enterprising coder also enhances the file-deleting portion of the payload, which is by far the most ill-famed aspect of the Jigsaw Ransomware family.

Malware experts aren't sure whether the MR.Z3B1 Ransomware is installing on live target systems yet, but its executable presents a shallow disguise of being Microsoft's Windows Explorer. As usual, the MR.Z3B1 Ransomware encrypts the victim's media files, such as Word documents, various pictures, and similar content, and adds an extension. In this case, the extension is long: it includes a full warning message, a bracketed ID and a 'locked' string.

Where the MR.Z3B1 Ransomware becomes particularly unusual is the pop-up that it shows after locking the media content. This window ditches the old movie references and replaces them with a blue background, possibly to evoke memories of the Windows 'Blue Screen of Death' errors. It does, however, keep the Jigsaw Ransomware's countdown to deleting files and the Bitcoin-based ransoms. The threat actor's wallet is showing some activity that could imply that the MR.Z3B1 Ransomware's campaign is live and profitable.

The Layers of Booby Traps in the Jigsaw Ransomware's Youngest Offspring

Like the majority of Trojans from the Jigsaw Ransomware family, the MR.Z3B1 Ransomware has features that can delete files when it restarts, which it can do after Windows reboots, as well as a second trigger for when the pop-up's timer reaches zero. Malware analysts, however, are seeing additions to this theme with the MR.Z3B1 Ransomware, which includes a 'booby trap' that deletes files after detecting that the user is reading the program's source code, and a final trap that deletes files after an incorrect password. A comprehensive defense requires disabling the threat through Safe Mode or similar means immediately, before continuing with a standard disinfection strategy.

Although the MR.Z3B1 Ransomware fakes being a part of Windows at first, this technique may not have anything to do directly with its distribution exploits. Threat actors are noted for their use of brute-force attacks against vulnerable servers for encrypting their contents, as well as sending spam e-mails with Trojans attached, or even seeding bad torrents. Anti-malware programs should, in most cases, delete the MR.Z3B1 Ransomware securely before it harms your files.

The MR.Z3B1 Ransomware is a creative update to a well-trodden but still threatening theme: erasing content as a secondary threat for supporting its encryption-oriented payload. Letting Trojans take your files hostage has severe consequences, unless, of course, you have backups allowing for a stressless escape.
