Zeta Ransomware
Posted: June 6, 2016
Threat Metric
The fields shown on the Threat Meter that carry a specific value are explained in detail below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat, but the threat may or may not have infected a large number of systems; a threat with a high detection count could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows a decline, and the equal symbol no change in the threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path to indicate a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 450 |
| First Seen: | June 6, 2016 |
| Last Seen: | March 14, 2023 |
| OS(es) Affected: | Windows |
The Zeta Ransomware is a Trojan that uses encryption technology to block and ransom, rather than protect, your data. Although the Zeta Ransomware's payload normally includes instructions for how to pay to decrypt the data, malware experts find that paying frequently fails to deliver a reliable recovery option. Most PC users are well-served by removing the Zeta Ransomware with their anti-malware programs and then recovering all encrypted content from a backup.
The A to the Zeta of the Zeta Ransomware Infections
While originality in threat authorship has rewards of its own, many threat campaign administrators prefer to use programs based on already-available 'products' from the Web black market. The Zeta Ransomware is one of the newest extensions of that work philosophy in action. This Trojan differs from past threats enough to require updated security countermeasures, but not enough to make its payload any less reliable than before.
Seemingly based on the same core of Rakhni code as Trojans like the Green_Ray Ransomware and countless others, the Zeta Ransomware conducts the same form of file encryption terrorism:
- The Zeta Ransomware scans for files matching pre-specified extensions, excluding any data required by your operating system and similarly essential programs. Typical targets for attack include text documents, spreadsheets, Web pages and entertainment media.
- The files are then encrypted with an algorithm that the Zeta Ransomware claims is RSA-2048, which would make the encryption impractical to break. Whether or not that claim is true (malware experts have not confirmed it), your encrypted content is unreadable.
- The Zeta Ransomware also appends new extensions to your files, with the added text referencing an ID number, an e-mail address (for ransom communications), and an additional cosmetic format: '.scl'. The latter is a minor divergence from past Rakhni Trojans, potentially showing that the Zeta Ransomware's configuration is in the hands of yet another threat actor.
The Zeta Ransomware's last act is to deposit its ransom messages, which demand payment in Bitcoin within a short window before the price rises. The Zeta Ransomware's perpetrators also offer a free 'sample' decryption of a single file, most likely as a social engineering technique to encourage victims to pay.
The Zeta Ransomware also makes Registry changes that serve as auto-start exploits, and malware experts recommend assuming that the Zeta Ransomware launches with each reboot of an unprotected system.
Wiping the Ransom Problem from Your Hard Drive as Quick as a Flash
While the Zeta Ransomware's auto-start routine could put it in a position to attack your data before you can react, the Registry entries it leaves behind also give away its central distribution tactic. Current evidence points to the Zeta Ransomware installing itself as a fake Flash update, which you may download through corrupted pop-up 'upgrade' prompts or receive from an exploit kit's attack. The latter hinges on the presence of software vulnerabilities, which makes security patches for all Web-browsing software especially important.
The con artists behind file encryption campaigns often behave erratically and dishonestly, and you shouldn't pay the Zeta Ransomware's ransom to reacquire your content. To confine the damage of a Zeta Ransomware infection, most PC users should find restoring from one or more backups a wholly adequate solution. However, you never should rely on local backups as your only strategy for data protection; many Trojans automatically delete Windows backup content such as the Shadow Copies.
When protecting your hard drive from further attacks, malware experts suggest deleting the Zeta Ransomware and all other threats before overwriting or otherwise recovering other content. Well-designed anti-malware products should have no trouble finding the Zeta Ransomware, which is based on a well-known source of code and has no advanced self-preservation features.
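The Run/RunOnce persistence and fake-Flash disguise described above can be turned into a host check. The following is an added example, not code from the original write-up: it scores autorun entries (key, value name, command) collected from a host, flagging misspelled Flash-plugin value names, targets in user-writable data folders, and the Safe-Mode '*' RunOnce prefix; the sample entries, the folder list and the edit-distance threshold are constructed assumptions, not observed indicators.

```python
# Added example, not code from the original write-up: flag autorun entries impersonating Adobe Flash.
import re
from dataclasses import dataclass

_FLASH_REF = "flashplayerplugin"   # the page's value names are misspellings of this
# Data folders a genuine Flash component is not launched from (assumed heuristic).
_USER_WRITABLE = re.compile(r'^"?%(APPDATA|LOCALAPPDATA|ALLUSERSPROFILE|PROGRAMDATA|TEMP)%', re.I)

@dataclass
class AutorunEntry:
    key: str      # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str     # value name
    command: str  # value data: the executable launched at logon

def edit_distance(a: str, b: str) -> int:  # Levenshtein, so 'Flesh'/'Playar' misspellings still match
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(entry: AutorunEntry) -> list[str]:  # independent indicators; empty = nothing stood out
    reasons = []
    letters = re.sub(r"[^a-z]", "", entry.name.lower())  # drop '*', digits, punctuation
    dist = edit_distance(letters, _FLASH_REF)
    if dist <= 4:
        reasons.append(f"value name {entry.name!r} is {dist} edit(s) from a Flash plugin name")
    if _USER_WRITABLE.match(entry.command):
        reasons.append("autorun target lives in a user-writable data folder")
    if entry.key.lower().endswith("\\runonce") and entry.name.startswith("*"):
        reasons.append("'*' RunOnce prefix makes the entry run even in Safe Mode")
    return reasons

def suspicious_entries(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    # Report only entries showing at least two independent indicators (value name -> reasons).
    return {e.name: r for e in entries if len(r := classify(e)) >= 2}

# Constructed sample export: two entries modelled on the page's key names, two benign ones.
_RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    AutorunEntry("HKCU" + _RUN, "FlashPlayarPlugins", r"%APPDATA%\AdobeFlashPlayer_deadbeef.exe"),
    AutorunEntry("HKCU" + _RUN + "Once", "*FlashPlayersPlugin",
                 r"%ALLUSERSPROFILE%\Application Data\FlashPlayerPlugin_dead_beef.exe"),
    AutorunEntry("HKLM" + _RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    AutorunEntry("HKCU" + _RUN, "OneDrive", r'"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    print(suspicious_entries(SAMPLE_ENTRIES))
```

A misspelled name alone or a user-writable path alone does not raise an alert, so a genuine OneDrive entry under %LOCALAPPDATA% passes while the two modelled entries are reported.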
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
Registry Modifications
File name without path: HELP_DECRYPT_YOUR_FILES.TXT
Registry keys (HKEY..\..\..\..{RegistryKeys}):
- Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayarPlugins
- Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugins
- Software\Microsoft\Windows\CurrentVersion\RunOnce\*FlashPlayersPlugin
- Software\Microsoft\Windows\CurrentVersion\RunOnce\*FleshPlayarPlugins
- Software\Microsoft\Windows\CurrentVersion\Shell\FlashPlayarsPluginK