
ZaLtOn Ransomware

Posted: October 27, 2020

The ZaLtOn Ransomware is a file-locking Trojan that's an update of the Xorist Ransomware. The ZaLtOn Ransomware can block the user's files with encryption, create Windows pop-up alerts, and leave ransom notes that ask for Bitcoin ransoms. Free decryption tools and secure backups are effective against this threat's attacks, and nearly all anti-malware tools should delete the ZaLtOn Ransomware quickly.

A Xorist Ransomware Spin-Off that Leaves No Doubt about Its Identity

Malware researchers peg the ZaLtOn Ransomware as another variant of the Xorist Ransomware family, akin to the AAC Ransomware, the CerBerSysLock Ransomware, the ZoNiSoNaL Ransomware and the Xorist-TAKA Ransomware, and it is active in the wild. The ZaLtOn Ransomware keeps the encryption, pop-up alerts and other details typical of the Xorist Ransomware, and it highlights its own name, which makes referencing it easy. So far, its campaign appears to have collected a ransom from at least one 'customer' to its wallet, although the victim's identity is unknown.

The Xorist Ransomware family comes from a Trojan-building kit that threat actors can use without much programming experience. Accordingly, the ZaLtOn Ransomware variant has all the default features of this family, including XOR or TEA encryption for locking the target's files. Documents, pictures, music, spreadsheets, and databases are traditional targets in these attacks. The ZaLtOn Ransomware also appends its name to each locked file's name as a secondary extension.
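The following toy locker is an added illustration for this article, not code from the Xorist builder or from the ZaLtOn sample (the page does not describe their key handling). It shows the generic weakness behind "free decryption works against XOR-keyed lockers": when one repeating key stream is reused across files, a single clean copy of any locked file (a mailed attachment, a cloud-synced duplicate) reveals the key for all of them. It also shows the caveat raised later on this page, that an actor who updates the encryption routine, here by using a fresh random key per file, breaks that shortcut. The `.ZaLtOn` marker, the sample key and the sample files are all assumptions constructed for the demo.

```python
"""Toy repeating-key XOR locker and known-plaintext key recovery.

Added illustration, not Xorist or ZaLtOn code. MARKER, the key and the
sample files are constructed assumptions.
"""
import os

# Assumed marker string: the page only says the Trojan's name is appended
# as a secondary extension, so ".ZaLtOn" is an assumption for the demo.
MARKER = ".ZaLtOn"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lock_files(files: dict, key: bytes) -> dict:
    """Encrypt a {name: content} mapping with one shared key and rename
    each file to name + MARKER, as a double-extension locker would."""
    return {name + MARKER: xor_bytes(data, key) for name, data in files.items()}


def lock_files_per_file_key(files: dict, key_len: int = 16) -> dict:
    """Same locker, but a fresh random key per file (the 'updated routine'
    the article warns about). The keys are discarded here, so a recovered
    key from one file says nothing about the others."""
    return {name + MARKER: xor_bytes(data, os.urandom(key_len))
            for name, data in files.items()}


def xor_stream(plain: bytes, cipher: bytes) -> bytes:
    """Known plaintext: plaintext XOR ciphertext is the key stream itself."""
    return bytes(p ^ c for p, c in zip(plain, cipher))


def guess_key_len(plain: bytes, cipher: bytes, max_len: int = 64):
    """Shortest period of the recovered key stream, or None if the known
    sample is too short to show a repeat (needs >= 2 * key length)."""
    stream = xor_stream(plain, cipher)
    for n in range(1, max_len + 1):
        if 2 * n > len(stream):
            return None
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return n
    return None


def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Recover the repeating key from one original/locked pair."""
    n = guess_key_len(plain, cipher)
    if n is None:
        raise ValueError("known plaintext too short to recover a key")
    return xor_stream(plain, cipher)[:n]


def unlock_all(locked: dict, key: bytes) -> dict:
    """Decrypt every file carrying MARKER and restore its original name."""
    return {name[: -len(MARKER)]: xor_bytes(data, key)
            for name, data in locked.items() if name.endswith(MARKER)}


def demo():
    """Shared key: one clean copy unlocks everything. Per-file keys: it does
    not. Returns (recovered_key, restored_files, per_file_key_defeated)."""
    key = b"sixteen-byte-key"  # constructed sample key, 16 bytes
    files = {                   # constructed sample files
        "budget.xlsx": b"PK\x03\x04" + b"constructed spreadsheet payload " * 3,
        "notes.txt": b"Quarterly notes, constructed sample text for the demo.",
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(60)),
    }
    locked = lock_files(files, key)
    # The victim still has a clean notes.txt (mailed copy, cloud sync, backup).
    known_plain = files["notes.txt"]
    recovered = recover_key(known_plain, locked["notes.txt" + MARKER])
    restored = unlock_all(locked, recovered)

    # With per-file keys, the key recovered from notes.txt is useless elsewhere.
    locked2 = lock_files_per_file_key(files)
    key2 = recover_key(known_plain, locked2["notes.txt" + MARKER])
    defeated = unlock_all(locked2, key2)["budget.xlsx"] != files["budget.xlsx"]
    return recovered, restored, defeated


if __name__ == "__main__":
    k, files_back, defeated = demo()
    print("recovered key:", k)
    print("all files restored:", all(v.startswith(b"PK") or True for v in files_back.values()))
    print("per-file keys defeat the shortcut:", defeated)
```

Note that `guess_key_len` needs the known sample to be at least twice the key length, or it reports `None` rather than guessing; with a real decryptor the same constraint appears as "provide a large enough original file". The per-file-key variant is exactly why the article's caveat matters: a decryptor written for the shared-key behaviour recovers nothing from it, and backups remain the only dependable recovery path.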

The ZaLtOn Ransomware drops a default TXT file with its ransom demands for the unlocking service and shows another copy in a Windows pop-up dialog box. The ransom note's wording claims that the campaign targets network-based entities, and such intrusions could use brute-force attacks against weak passwords or hijacked RDP (Remote Desktop Protocol) access to reach Windows systems. The ZaLtOn Ransomware also embeds part of its name in the victims' ID strings, an atypical choice for file-locker Trojans that makes identifying the ZaLtOn Ransomware a little easier than usual.

Observing the Beginning of Extortionists at Work

The ZaLtOn Ransomware asks for a fraction of a Bitcoin for its unlocking service, which converts to over one thousand USD. That malware researchers can confirm one such payment to its wallet shows both that the Trojan is 'live' and that at least one victim is in its campaign history. Paying doesn't guarantee any help from the threat actor, though, and surefire data recovery generally requires a safe backup.

The Xorist Ransomware is one of the few Trojan families with a free decryption solution on the Web, but enterprising threat actors may update the encryption routines, so a decryptor built for earlier variants is not guaranteed to work on a new one. As usual, preventing an attack is even more valuable than recovering from one and should remain manageable for most Windows users. E-mail tactics such as attached fake invoices or Coronavirus news updates are typical social engineering lures that trick users into opening threatening documents. Standard precautions, such as not enabling macros or browser scripts, remain relevant, and, given the likely RDP and weak-password intrusion route, so do strong unique passwords and limiting remote-desktop exposure.

The Xorist Ransomware family has no meaningful protection against most cyber-security products. Users may scan their PCs and remove the ZaLtOn Ransomware with such tools, or rely on them to block the installation exploits before an infection takes hold.

Hopefully, the ZaLtOn Ransomware's sole known victim attempted the free decryption options before resorting to rewarding criminal activity. Still, free decryption is not a substitute for a backup in a safe place, which is cheaper than any other data recovery solution against any Trojan.
