Dzen Ransomware is Based on Phobos Code

Dzen, a type of ransomware associated with the Phobos family, was identified during our analysis of new malware samples. This variant encrypts files and alters their filenames, while also delivering two ransom notes named "info.txt" and "info.hta." Each encrypted file is marked with the victim's ID, an email address, and the ".dzen" extension.

For example, it changes "1.jpg" to "1.jpg.id[9ECFA84E-3536].[vinsulan@tutamail.com].dzen," and "2.png" to "2.png.id[9ECFA84E-3536].[vinsulan@tutamail.com].dzen," and so forth.
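Because the renaming scheme above is regular, a responder can inventory an affected host from a plain file listing: extract the victim ID, the contact address and the appended extension, recover each file's original name, and flag the two ransom-note file names. The following Python script is an added example written for this article, not code from the original page or from any vendor tool. It assumes the general Phobos-style layout `<name>.id[<ID>].[<email>].<ext>`, that the ID keeps the `8 hex digits-4 digits` shape of the one sample shown here (`9ECFA84E-3536`), and it runs over a constructed sample listing rather than a real disk.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed layout of a Phobos-family encrypted filename:
#   <original name>.id[<8 hex digits>-<4 digits>].[<email>].<extension>
# The ID shape is generalised from the single sample on the page (9ECFA84E-3536).
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Ransom-note file names dropped by this variant (from the article).
RANSOM_NOTE_NAMES = frozenset({"info.txt", "info.hta"})


@dataclass(frozen=True)
class EncryptedName:
    original: str    # filename before the marker was appended
    victim_id: str   # per-victim ID embedded in the name
    email: str       # contact address embedded in the name
    extension: str   # appended extension, e.g. "dzen"


def parse_encrypted_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed marker fields, or None if the name does not match."""
    m = PHOBOS_NAME_RE.match(filename)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"],
                         m["email"].lower(), m["ext"].lower())


def scan_listing(paths: Iterable[str]) -> dict:
    """Summarise a file listing: encrypted files, IDs, addresses, notes."""
    encrypted = []
    notes = []
    for path in paths:
        # Accept both Windows and POSIX separators; only the basename matters.
        name = re.split(r"[\\/]", path)[-1]
        if name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is not None:
            encrypted.append((path, parsed))
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({p.victim_id for _, p in encrypted}),
        "emails": sorted({p.email for _, p in encrypted}),
        "extensions": sorted({p.extension for _, p in encrypted}),
        "originals": [p.original for _, p in encrypted],
        "ransom_notes": notes,
        # Marker-bearing filenames are the strong signal; notes corroborate.
        "suspected_phobos_family": len(encrypted) > 0,
    }


# Constructed sample listing (not from a real incident) using the
# two filenames the article gives plus benign decoys.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\1.jpg.id[9ECFA84E-3536].[vinsulan@tutamail.com].dzen",
    r"C:\Users\alice\Pictures\2.png.id[9ECFA84E-3536].[vinsulan@tutamail.com].dzen",
    r"C:\Users\alice\Desktop\info.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes.id.txt",
]

if __name__ == "__main__":
    summary = scan_listing(SAMPLE_LISTING)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a real host, feed `scan_listing` the output of a recursive directory walk (or a file listing exported from EDR or a forensic image); the victim ID and address sets tell you at a glance whether one campaign touched the machine, and the recovered original names give the restore-from-backup list the mitigation section below depends on.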

The ransom notes inform victims of the encryption and state that only the perpetrators' software can unlock the data. They discourage any attempts at independent decryption or the use of third-party tools, warning of permanent data loss.

Furthermore, the notes advise against involving intermediary or recovery services, citing potential deception or further data compromise. The criminals pledge confidentiality and promise to delete all downloaded data upon ransom payment, assuring that the victim's personal information will not be sold or exploited for future attacks.

However, they impose a two-day deadline for contacting them, threatening to share the data with interested parties if the deadline passes. Contact details are provided via two email addresses (vinsulan@tutamail.com and vinsulan@cock.li), with instructions to include a specific ID in the email subject.

Dzen Ransom Note Threatens Data Leaks

The full text of the Dzen ransom note reads as follows:

Your data is encrypted and downloaded!

Unlocking your data is possible only with our software.
Important! An attempt to decrypt it yourself or decrypt it with third-party software will result in the loss of your data forever.
Contacting intermediary companies, recovery companies will create the risk of losing your data forever or being deceived by these companies.
Being deceived is your responsibility! Learn the experience on the forums.

Downloaded data of your company.

Data leakage is a serious violation of the law. Don't worry, the incident will remain a secret, the data is protected.
After the transaction is completed, all data downloaded from you will be deleted from our resources. Government agencies, competitors, contractors and local media
not aware of the incident.
Also, we guarantee that your company's personal data will not be sold on DArkWeb resources and will not be used to attack your company, employees
and counterparties in the future.
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.

Contact us.

Write us to the e-mail:vinsulan@tutamail.com
In case of no answer in 24 hours write us to this e-mail:vinsulan@cock.li
Write this ID in the title of your message: -
If you have not contacted within 2 days from the moment of the incident, we will consider the transaction not completed.
Your data will be sent to all interested parties. This is your responsibility.

Do not rename encrypted files
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Can You Safeguard Your Sensitive Data Against Ransomware Attacks?

Protecting sensitive data against ransomware attacks requires a comprehensive approach that combines proactive measures with reactive strategies. Here are some steps to safeguard your sensitive data:

Regular Data Backups: Maintain regular backups of your sensitive data on separate storage devices or cloud services. Ensure these backups are stored offline or in a secure environment to prevent them from being compromised during an attack.

Update and Patch Systems: Keep your operating systems, software, and applications up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by ransomware attackers to gain access to your systems.

Implement Security Software: Install reputable antivirus and anti-malware software on all devices and networks. These tools can help detect and block ransomware threats before they can infect your systems.

Use Email and Web Filtering: Implement email and web filtering solutions to block malicious attachments, links, and websites commonly used by ransomware distributors to spread malware.

Educate Employees: Train employees on how to recognize phishing emails, suspicious links, and other social engineering tactics used by ransomware attackers. Encourage them to exercise caution when opening email attachments or clicking on links, especially from unknown senders.

Limit User Privileges: Restrict user privileges to only the necessary permissions required to perform their job duties. This can help prevent ransomware from spreading laterally across your network in the event of a successful infiltration.

Network Segmentation: Divide your network into separate segments with restricted access controls. This can contain the spread of ransomware and limit its impact on critical systems and data.

Enable Two-Factor Authentication (2FA): Implement two-factor authentication wherever possible to add an extra layer of security to your accounts and systems. This can help prevent unauthorized access even if login credentials are compromised.

March 28, 2024