ZENIS: A mischievous boy who loves cryptography, hardware and programming.
Discovered one week ago by ‘MalwareHunterTeam’, ZENIS is the newest ransomware attack to threaten your backup files. According to an article written by Lawrence Abrams on bleepingcomputer.com, ZENIS will encrypt your files, but then delete them, even if the ransom was paid.
It is not currently known how ZENIS is distributed. Based on reports from those affected by this attack, the most likely distribution method is through Remote Desktop Services.
In Abrams’ article, he determines that ZENIS checks two things when it runs on a computer:
1) Is the file named ‘iis_agent32.exe’?
2) Does a registry value exist called HKEY_CURRENT\SOFTWARE\ZenisService “Active”?
Once ZENIS has performed these checks, it determines whether or not it will encrypt the computer. Through multiple steps, it then sets up a ransom note and places it on the affected person’s computer. To better understand how this happens, you can read Lawrence Abrams’ article on bleepingcomputer.com.
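A defender-side hunting check for the two indicators described above, written here as an added example (it is not code from the article or from the ransomware). It assumes the article’s “HKEY_CURRENT” means HKEY_CURRENT_USER, and the list of folders searched for the file is a constructed set of common drop locations, not something the page states.

```powershell
# Added hunting check (not from the original article).
# Assumption: "HKEY_CURRENT\SOFTWARE\ZenisService" is read as HKEY_CURRENT_USER (HKCU).
$RegPath   = 'HKCU:\SOFTWARE\ZenisService'
$ValueName = 'Active'
$FileName  = 'iis_agent32.exe'

function Test-ZenisIndicators {
    $findings = @()

    # 1) Registry marker the ransomware checks before deciding to encrypt
    if (Test-Path $RegPath) {
        $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains $ValueName) {
            $findings += "Registry value present: $RegPath\$ValueName = $($props.$ValueName)"
        }
    }

    # 2) A running process using the expected executable name
    $procs = Get-Process -ErrorAction SilentlyContinue |
             Where-Object { $_.Path -and ((Split-Path $_.Path -Leaf) -ieq $FileName) }
    foreach ($p in $procs) {
        $findings += "Running process: PID $($p.Id) $($p.Path)"
    }

    # 3) A copy of the file on disk (constructed list of common drop locations)
    $dirs = @($env:TEMP, $env:APPDATA, $env:ProgramData)
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File on disk: $($_.FullName)" }
    }
    return $findings
}

$result = Test-ZenisIndicators
if ($result.Count -eq 0) { Write-Output 'No ZENIS indicators found.' }
else { $result | ForEach-Object { Write-Output "ALERT: $_" } }
```

A hit on any of these lines is a reason to isolate the machine and verify backups, not proof of infection on its own, since the file name and key could be reused by unrelated software.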
There are a few ways to protect yourself from this kind of attack:
- Keep backups of your files.
- Do not open attachments from anyone if you do not know them.
- Scan attachments before opening them.
- Have Windows Updates install automatically, and keep programs like Java, Flash and Adobe Reader updated, as older versions can be exploited to deliver ransomware.
- Have an Antivirus program that uses behavioral-based detections, rather than just signature-based detections.
- Use strong passwords and never reuse the same password for other programs/sites.
At this point, there is no way to decrypt ZENIS-encrypted files. Our best advice is to not pay the ransom and to seek help from your IT provider.