ZENEX Ransomware Will Encrypt Victim Systems

During our examination of new malicious file samples, we identified ZENEX as ransomware associated with the Proton family. ZENEX is crafted to encrypt files, alter the filenames of encrypted files, display a ransom note titled "#Zenex-Help.txt," and modify the desktop wallpaper.

ZENEX modifies filenames by appending the email address decrypthelp0@gmail.com and adding the ".ZENEX" extension. For instance, it transforms "1.jpg" into "1.jpg.[decrypthelp0@gmail.com].ZENEX," and "2.png" becomes "2.png.[decrypthelp0@gmail.com].ZENEX," and so forth.

The ransom note notifies the victim that their files have been encrypted and taken, with no possibility of recovery without utilizing the decryption service offered by the attackers. The note highlights the financial motive behind the attack, promising decryption software and data deletion upon payment. To instill confidence, the attackers provide a guarantee by decrypting a small file as evidence of their capability.

Contact details are supplied through email addresses (decrypthelp0@gmail.com and cryptblack@mailfence.com), accompanied by a caution against seeking assistance from recovery companies, which the attackers claim are unreliable intermediaries. Urgency is stressed, encouraging prompt payment to secure a lower price, and a warning is issued against tampering with encrypted files to avoid complicating the decryption process.

ZENEX Ransom Note Uses Proton Template

The full text of the ZENEX ransom note reads as follows:

ZENEX
What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.

How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.

What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.

How to contact us?
Our email address: decrypthelp0@gmail.com
In case of no answer within 24 hours, contact to this email: cryptblack@mailfence.com
Write your personal ID in the subject of the email.

Your personal ID: -

Warnings!

Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.

Do not hesitate for a long time. The faster you pay, the lower the price.

Do not delete or modify encrypted files, it will lead to problems with decryption of files.

How Can Ransomware Like ZENEZ Infect Your System?

Ransomware like ZENEZ can infect your system through various methods, and understanding these entry points is crucial for implementing effective cybersecurity measures. Here are common ways ransomware can infiltrate a system:

Phishing Emails:
One of the most common methods is through phishing emails. Attackers may send emails containing malicious attachments or links. Once the user opens the attachment or clicks the link, the ransomware is executed.

Malicious Websites:
Visiting compromised or malicious websites can expose your system to drive-by downloads. These downloads may silently install ransomware on your computer without your knowledge.

Malvertising:
Malicious advertisements, or malvertisements, on legitimate websites can lead to ransomware infections. Clicking on these ads may trigger the download and execution of ransomware.

Exploit Kits:
Exploit kits target vulnerabilities in software or browsers. If your system has outdated software or unpatched vulnerabilities, ransomware can exploit these weaknesses to gain access.

Remote Desktop Protocol (RDP) Attacks:
If your system has an open and unsecured RDP port, attackers may use brute force attacks or exploit weak credentials to gain unauthorized access and deploy ransomware.

Social Engineering:
Cybercriminals may use social engineering tactics to trick users into downloading or executing malicious files. This can include enticing users with fake software updates, free downloads, or enticing messages.

Drive-by Downloads:
Drive-by downloads occur when malware is automatically downloaded and executed when a user visits a compromised website. This can happen without any user interaction.

Malicious Email Attachments:
Ransomware can be delivered through email attachments that appear harmless, such as PDFs or Office documents. Once the attachment is opened, the malware is activated.