
Zimba Ransomware

Posted: November 19, 2020

The Zimba Ransomware is a file-locking Trojan that's part of the Dharma Ransomware family. The Zimba Ransomware can remove local backups while encrypting the user's media files, including documents and a broad range of other formats, and hold them for a ransom. Users with non-local backups can recover without paying, and most anti-malware services will catch and delete the Zimba Ransomware.

Mixed Signals with a Trojan's Nationalities

Springing up from the well-known and long-active Dharma Ransomware family, the Ransomware-as-a-Service campaign of the Zimba Ransomware sends mixed signals about where it comes from and whom it targets. Beyond that national identity crisis, malware experts see little that sets the Zimba Ransomware apart: it carries a data-disrupting payload similar to its ancestors'. The Trojan is a Windows-based threat that acts as a data-blocking barricade for any PC user, wherever they live.

Most of the Zimba Ransomware's features are archetypal parts of the RaaS business that calls itself both the Dharma Ransomware and the Crysis Ransomware. Like the Chuk Ransomware, the Fresh Ransomware, the MUST Ransomware, or the 'pain@onefinedstay.com' Ransomware – also members of the family – it blocks media files by encrypting them with an RSA-secured AES algorithm. Victims can identify sabotaged files by their extensions, which include the 'zimba' string, an ID, and the campaign's e-mail for ransom negotiations.

The e-mail, which the Zimba Ransomware advertises further in its HTA ransom window, is of some interest. The Zimba Ransomware names the address after the nation of Zimbabwe, but no other details in its payload suggest a Zimbabwean origin or a targeting preference for victims there. Canny readers might also notice that the Zimba Ransomware uses a Soviet Union domain, which remains semi-active among Russian users.
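Because the family marks every encrypted file with an extension that carries the victim ID, the negotiation e-mail and the 'zimba' string, a responder can triage a directory listing without touching file contents. The script below is an added example written for this page, not code from the threat or from any vendor; it assumes the common Dharma-family layout `<name>.id-<ID>.[<e-mail>].zimba` (the page states the three components but not their order), and the file names and the `example.su` address are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed marker layout for this family: <original name>.id-<ID>.[<e-mail>].zimba
# The page confirms the ID, the e-mail and the 'zimba' string; the 'id-' prefix,
# the bracketed e-mail and the ordering are assumptions based on related variants.
MARKER_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{6,16})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.zimba$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Marker:
    original_name: str   # file name before the Trojan appended its marker
    victim_id: str       # per-victim ID the criminals use to match ransom payments
    email: str           # negotiation address embedded in the extension

    @property
    def email_domain(self) -> str:
        return self.email.rsplit("@", 1)[1].lower()


def parse_marker(filename: str) -> Optional[Marker]:
    """Return the parsed marker if the name carries the assumed layout, else None."""
    m = MARKER_RE.match(filename)
    if not m:
        return None
    return Marker(m.group("original"), m.group("victim_id").upper(), m.group("email").lower())


def triage(filenames: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: how many files are marked, which IDs/e-mails appear,
    and whether the campaign address sits on the .su domain the article mentions."""
    markers: List[Marker] = []
    unmarked = 0
    for name in filenames:
        mk = parse_marker(name)
        if mk is None:
            unmarked += 1
        else:
            markers.append(mk)
    return {
        "marked": len(markers),
        "unmarked": unmarked,
        "victim_ids": sorted({mk.victim_id for mk in markers}),
        "emails": sorted({mk.email for mk in markers}),
        "uses_su_domain": any(mk.email_domain.endswith(".su") for mk in markers),
        "recoverable_names": [mk.original_name for mk in markers],
    }


# Constructed sample listing (not real victim data); note the mixed-case ID.
SAMPLE_LISTING = [
    "budget-2020.xlsx.id-1A2B3C4D.[restore_data@example.su].zimba",
    "photo.jpg.id-1A2B3C4D.[restore_data@example.su].zimba",
    "report.docx.id-1a2b3c4d.[restore_data@example.su].zimba",
    "notes.txt",
    "archive.zip.id-1A2B3C4D.[restore_data@example.su].zimba.bak",  # stray suffix, must not match
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Running it over a real share listing gives the victim ID and address for the incident record and the original file names to match against off-device backups, which is the recovery path the article recommends.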

However, the Zimba Ransomware isn't necessarily Russian, either. The SU domain has some advantages to threat actors, such as outdated TOU policies. The criminals running the Zimba Ransomware's campaign, like those of most Ransomware-as-a-Service variants, might live anywhere – and attack Windows users globally.

Cutting to the Gist of Cross-Country Trojan Attacks

The Zimba Ransomware's campaign is likely to make more money from vulnerable businesses' networks or servers, but it may just as easily harm home users' files. All Windows users at risk should keep backups on other devices rather than depending solely on non-backed-up files or weakly protected backups such as default Restore Points. The Zimba Ransomware's family includes a Restore Point-deleting feature that is usually effective, although advanced Shadow Volume Copy recovery software may provide some limited data retrieval.
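Since the family's Restore Point deletion runs before or alongside encryption, the command lines that inhibit system recovery are among the last moments a defender can catch an infection before files are locked. The detector below is an added example for this page, not code from any vendor or from the threat's analysis; the page only states that the family deletes Restore Points, so the specific command patterns it matches are the commonly documented ones for this behaviour (MITRE ATT&CK T1490, Inhibit System Recovery), and the log lines are constructed to resemble a simplified process-creation export, not real telemetry.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Detection patterns for recovery-inhibiting command lines (assumption: these are
# the widely documented T1490 commands, not ones the article attributes to Zimba).
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit-disable-recovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed line format (assumption): <timestamp> <host> <user> parent=<image> cmd="<command line>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$')


class Hit(NamedTuple):
    line_no: int
    host: str
    user: str
    rule: str
    cmd: str


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per matching (line, rule); benign queries such as
    'vssadmin list shadows' deliberately do not match."""
    hits: List[Hit] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        cmd = m.group("cmd")
        for rule, pattern in INHIBIT_RECOVERY_PATTERNS:
            if pattern.search(cmd):
                hits.append(Hit(n, m.group("host"), m.group("user"), rule, cmd))
    return hits


def hosts_with_burst(hits: List[Hit], min_distinct_rules: int = 2) -> Set[str]:
    """Hosts where several distinct recovery-inhibiting techniques fire: a single
    hit may be an admin, a burst is the typical pre-encryption pattern."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        per_host[h.host].add(h.rule)
    return {host for host, rules in per_host.items() if len(rules) >= min_distinct_rules}


# Constructed sample export: one workstation shows the burst, a server shows a benign query.
SAMPLE_LOG = """\
2020-11-19T10:02:11Z ws01 alice parent=explorer.exe cmd="C:\\Windows\\System32\\notepad.exe notes.txt"
2020-11-19T10:03:40Z ws01 alice parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"
2020-11-19T10:03:41Z ws01 alice parent=cmd.exe cmd="wmic shadowcopy delete"
2020-11-19T10:03:42Z ws01 alice parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled no"
2020-11-19T10:10:00Z srv02 SYSTEM parent=services.exe cmd="vssadmin list shadows"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no} {h.host}/{h.user} [{h.rule}] {h.cmd}")
    print("hosts to isolate:", sorted(hosts_with_burst(found)))
```

The burst rule is the point: a lone shadow-copy command from an administrator is routine, but three different recovery-inhibiting commands from one user within seconds is the signature of a file-locking Trojan clearing the way, and that host should be isolated before the encryption pass finishes.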

Some executable files dropping the Zimba Ransomware include Russian-suggestive names, but malware experts lack hard confirmation of any attacks in particular regions of the world. Most Windows users should behave as if they're at risk from the Zimba Ransomware and similar encryption-based threats. Web surfers who globally enable scripts, download unofficial updates, click on suspicious e-mail attachments, or use poor passwords are very likely to encounter a drive-by-download exploit or another infection vector.

As long as users don't engage in the above behaviors and protect their PCs with appropriate anti-malware solutions, the Zimba Ransomware is unlikely to be able to block any files before it's blocked itself. Most security products for Windows will remove the Zimba Ransomware as of the latest detection rates.

From Russia or anywhere else, the Zimba Ransomware isn't good news to those seeing it. Any Ransomware-as-a-Service Trojan is trouble that's better off being avoided whether the PC's owner lives in a first-world country or a third-world one.
