
Zhen Ransomware

Posted: September 22, 2020

The Zhen Ransomware is a file-locking Trojan that holds digital media files, such as documents, hostage while it demands a ransom. The Trojan shows an unusually elaborate pop-up with a payment tracker, scrolling text, and a button that copies the attacker's wallet address. Users should avoid paying the ransom, have a trusted anti-malware product remove the Zhen Ransomware, and restore any files from an unaffected backup.

Chinese Trojans can be Everyone's Problem

Bucking the pattern of the more typical Ransomware-as-a-Service builds and Hidden Tear spin-offs, some independently developed file-locking Trojans are more elaborate or more colorful in their payloads. The Zhen Ransomware, whose variant names are all of Chinese origin, targets Windows systems with a by-the-numbers encryption routine and some extra machinery for collecting ransoms. Although its goals are no different from those of competing Trojans, its means of reaching them take a few atypical turns.

The Zhen Ransomware's executable is larger than usual at just over seven megabytes, whereas most Trojans of this kind stay under one megabyte. Malware experts also note that the sample is UPX-packed, a possible code-obfuscating measure that might improve the Trojan's evasion rate. Its file names vary: some samples use 'zhang' (another Chinese name), and some carry fake TXT or DAT extensions. Like most file-locker Trojans, it targets Windows.

Much of the Zhen Ransomware's payload is standard: it encrypts media files such as documents to block them and appends 'zhen' as an extension to their names. Its pop-up alert, however, is less common. The interactive window supports the ransom procedure for buying the file-unlocking tool from the threat actor. Its text is in English only, with no Chinese version, and is copied from warning messages used in earlier campaigns.

The Sky-High Cost of Underestimating Trojans

The larger file size might give a victim more time to intercept a Zhen Ransomware download and notice a drive-by-download attack, but the consequences of infection remain severe. The Zhen Ransomware can block most files on a Windows system and asks for over three thousand USD in Bitcoin. So far, the campaign's wallet has received no ransoms, but even one sufficiently compliant victim would make the threat actor's efforts profitable.

Users can protect their files by keeping backups that file-locking Trojans can't encrypt or delete. Removable drives and cloud services are the usual choices, provided the backup is disconnected or versioned so that a Trojan running on the infected machine can't reach it. Malware analysts also recommend general-purpose security habits that block most Trojan installation attempts, such as:

  • Disabling macros in documents and spreadsheets
  • Updating software (especially word-processing products and server management tools)
  • Disabling Flash, Java and JavaScript while Web-browsing
  • Using credentials that aren't weak against dictionary 'guessing' attacks

Although UPX packing offers more detection evasion than nothing at all, certified anti-malware applications should identify this Trojan's current samples. Under the protection of these products, users can remove the Zhen Ransomware before it locks any files.

The Zhen Ransomware may target China or anywhere else in the world, but its encryption is just as much of a barrier to data wherever users encounter it. Since the cost of allowing an attack is higher than most users can afford, a little backup-based precaution is in order, both at home and in the workplace.
