What is ZILLA (Dharma) Ransomware?
ZILLA is a ransomware strain belonging to the notorious Dharma family. Upon infecting a system, ZILLA encrypts files, renames them, and leaves ransom notes in a pop-up and a text file named "ZILLA-INFO.txt."
How ZILLA Renames Files
The ransomware renames each encrypted file by appending the victim's ID (an eight-character hexadecimal string), the attacker's email address filezilla@cock.li in square brackets, and the ".ZILLA" extension. For instance, "1.jpg" becomes "1.jpg.id-9ECFA84E.[filezilla@cock.li].ZILLA," and "2.png" changes to "2.png.id-9ECFA84E.[filezilla@cock.li].ZILLA."
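The naming scheme above is the same one used across the Dharma family, only the final extension changes from variant to variant. The following is an added example (not code from the original page, and not part of the malware) that parses filenames of this shape and summarises an encrypted directory listing for triage: how many files were hit, which victim ID/email/extension triple they belong to, and what the original names were. The sample listing is constructed; the "report.docx" entry is hypothetical.

```python
import re
from collections import Counter

# Dharma-style encrypted filename:
#   <original name>.id-<8 hex chars>.[<attacker e-mail>].<variant extension>
# The extension is captured rather than hard-coded so the parser also covers
# other Dharma variants, not only ".ZILLA".
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]"
    r"\.(?P<extension>[A-Za-z0-9_-]+)$"
)


def parse_dharma_name(filename):
    """Return the components of a Dharma-style encrypted filename, or None."""
    m = DHARMA_NAME.match(filename)
    return m.groupdict() if m else None


def triage(filenames):
    """Summarise a directory listing: encrypted vs untouched counts, the
    (victim ID, e-mail, extension) triples seen, and the original names."""
    hits = [p for p in (parse_dharma_name(f) for f in filenames) if p]
    campaigns = Counter(
        (h["victim_id"], h["email"], h["extension"]) for h in hits
    )
    return {
        "encrypted": len(hits),
        "untouched": len(filenames) - len(hits),
        "campaigns": dict(campaigns),
        "originals": sorted(h["original"] for h in hits),
    }


# Constructed sample listing: the two names from the page, one hypothetical
# encrypted document, the ransom note itself and one untouched file.
SAMPLE_LISTING = [
    "1.jpg.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "2.png.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "report.docx.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "ZILLA-INFO.txt",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_dharma_name(name))
    print(triage(SAMPLE_LISTING))
```

The parser only reads names; it does not rename anything, which matters because the victim ID embedded in the name is what a decryptor (or the attackers) key on, and stripping it from files on disk can make them unrecoverable.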
ZILLA Ransom Note Overview
Instructions in the Ransom Note
The ransom note directs victims to email filezilla@cock.li and to include their ID in the message. If the attackers have not replied within 12 hours, victims are told to write to an alternative address (filezilla@cyberfear.com). As a "guarantee", victims may send up to three files (less than 3 MB in total, not archived, and not containing valuable data) to be decrypted for free before payment.
The ZILLA ransom note reads like the following:
ZILLA
Don't worry, you can return all your files!
If you want to restore them, write to the mail: filezilla@cock.li YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail: filezilla@cyberfear.com
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Warnings and Recommendations
The note cautions against renaming encrypted files or using third-party decryption tools, warning that such actions could lead to permanent data loss or additional costs.
More Details About Ransomware
Trust Issues with Cybercriminals
Only the cybercriminals behind ransomware attacks generally possess the decryption tools necessary for file recovery. However, they often do not provide these tools even after payment. Therefore, paying the ransom is highly discouraged to avoid losing both data and money.
Potential for Recovery Without Paying
Victims may be able to recover files without paying if they have backups, or if a working decryptor for the strain has been published by a security vendor or researcher. It is also crucial to remove the ransomware before restoring anything: an active infection will re-encrypt restored files and can spread to other machines over the local network.
Characteristics of Dharma Family Ransomware
System Impact and Persistence
Dharma ransomware encrypts files on local drives and on reachable network shares, disables the host firewall, and deletes Volume Shadow Copies so that Windows' built-in restore points cannot be used to recover files. It persists by copying itself into the "%LOCALAPPDATA%" directory and registering that copy under Run registry keys so it executes at each logon. Before encrypting, it enumerates the locations it will process and skips a predetermined list of paths.
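The persistence and destruction behaviour described above leaves artefacts an incident responder can check for. The following is an added example (my own illustration, not the page's or any vendor's code) that triages two constructed data sets offline: Run-key entries exported as (key, value name, command) tuples, flagging executables that resolve under %LOCALAPPDATA% and rating a binary dropped directly in that root higher than one in a vendor subdirectory; and process command lines, matching the vssadmin/wmic/netsh invocations commonly used to delete shadow copies and disable the firewall. The environment values, the benign-subdirectory allow list, the "Winhost" entry and the command lines are all constructed; the specific commands are well-known TTPs and an assumption beyond what the page states.

```python
import ntpath
import re

# Constructed environment of the host being triaged (hypothetical values),
# supplied explicitly so the check can run against another machine's export.
ENV = {
    "LOCALAPPDATA": r"C:\Users\bob\AppData\Local",
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Subdirectories of %LOCALAPPDATA% that commonly hold legitimate autostarts.
# Analyst-maintained assumption; tune per environment.
BENIGN_SUBDIRS = (r"microsoft\onedrive", r"programs\microsoft vs code")


def exe_from_command(command):
    """Extract the executable from a Run-key command line: either the
    "quoted path", or unquoted text up to and including the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def expand_env(path, env=ENV):
    """Expand %VAR% references from the supplied mapping, not the local OS."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def relative_to(path, root):
    """Return path relative to root (case-insensitive), or None if outside."""
    p = ntpath.normpath(path).lower()
    r = ntpath.normpath(root).lower().rstrip("\\") + "\\"
    return p[len(r):] if p.startswith(r) else None


def flag_run_entries(entries, env=ENV):
    """Flag Run-key commands whose executable lives under %LOCALAPPDATA%.
    A binary sitting directly in that root (no subdirectory) is rated
    'high' because installers rarely place autostarts there."""
    flagged = []
    for key, name, command in entries:
        exe = expand_env(exe_from_command(command), env)
        rel = relative_to(exe, env["LOCALAPPDATA"])
        if rel is None or any(rel.startswith(b + "\\") for b in BENIGN_SUBDIRS):
            continue
        severity = "high" if "\\" not in rel else "medium"
        flagged.append({"key": key, "value": name, "exe": exe,
                        "severity": severity})
    return flagged


# Commands commonly used to delete Volume Shadow Copies and disable the host
# firewall. The page names the behaviour, not the commands (assumption).
DESTRUCTIVE = [
    ("shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("firewall disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("firewall disabled",
     re.compile(r"netsh\s+firewall\s+set\s+opmode\s+(mode=)?disable", re.I)),
]


def flag_commands(cmdlines):
    """Return (label, command) for each command line matching a pattern."""
    return [(label, c) for c in cmdlines
            for label, pat in DESTRUCTIVE if pat.search(c)]


# Constructed sample data: three Run entries and four process command lines.
RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Winhost",
     r"%LOCALAPPDATA%\Winhost.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
PROCESS_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"vssadmin.exe Delete Shadows /All /Quiet",
    r"netsh advfirewall set allprofiles state off",
    r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]

if __name__ == "__main__":
    for finding in flag_run_entries(RUN_ENTRIES):
        print(finding)
    for finding in flag_commands(PROCESS_CMDLINES):
        print(finding)
```

%LOCALAPPDATA% is also a legitimate install location (OneDrive in the sample), so the Run-key check is a triage aid that needs an allow list, not a verdict on its own; a hit there combined with a shadow-copy deletion in the process history is the combination worth escalating.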
Ransomware in General
Ransomware Definition and Function
Ransomware is a type of malware that cybercriminals use to demand payment in exchange for decryption tools. Victims cannot access their files without paying unless they have backups or third-party decryption tools. Storing important files on a remote server or offline storage device is advisable to protect against ransomware attacks.
Examples of Ransomware Variants
Other examples of ransomware variants include LostInfo, GameCrypt, and RADAR.
How Did Ransomware Infect My Computer?
Infection Methods
Threat actors use various methods to trick users into infecting their computers. These methods include hiding ransomware in pirated software, crack tools, and key generators, sending fraudulent emails with malicious attachments or links, exploiting vulnerabilities in outdated software or operating systems, and creating malicious advertisements.
Additional Infection Channels
Cybercriminals also use P2P networks, third-party downloaders, compromised or deceptive websites, technical support scams, free file hosting sites, and similar channels to trick users into downloading and executing malware. Dharma family ransomware, however, is most often deployed by hand after the attackers gain access to an Internet-exposed RDP service, typically by brute-force or dictionary attacks against weak or reused credentials.
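The RDP brute-force precursor is visible in the Windows Security log long before any file is encrypted: a burst of failed logons (event 4625) from one source address, followed by a successful logon (event 4624). The following is an added example, not code from the page or any product, that runs a sliding-window detector over constructed event records reduced to the fields that matter. Event IDs 4625/4624 and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the addresses, account names, timestamps and the pipe-delimited record format are constructed, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_event(line):
    """Parse one constructed record: time|EventID|LogonType|account|source."""
    ts, eid, ltype, account, src = line.split("|")
    return {"time": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "account": account, "source": src}


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10),
                          failure_logon_types=frozenset({3, 10})):
    """Per source address, count 4625 failures inside a sliding window.
    Reaching `threshold` reports a brute force; a 4624/type-10 logon from
    the same source within `window` of the last failure upgrades it to a
    successful intrusion. With NLA enabled, RDP failures are logged as
    logon type 3 rather than 10, so both are counted by default."""
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)     # source -> failure times in the window
    findings = {}
    for e in events:
        src = e["source"]
        if src in ("", "-"):         # some NLA failures carry no source
            continue
        if e["event_id"] == 4625 and e["logon_type"] in failure_logon_types:
            q = recent[src]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()
            if src in findings:
                findings[src]["last"] = e["time"]
                findings[src]["accounts"].add(e["account"])
            elif len(q) >= threshold:
                findings[src] = {"status": "brute force", "first": q[0],
                                 "last": e["time"], "accounts": {e["account"]}}
        elif e["event_id"] == 4624 and e["logon_type"] == 10 and src in findings:
            f = findings[src]
            if e["time"] - f["last"] <= window:
                f["status"] = "successful logon after brute force"
                f["compromised_account"] = e["account"]
    return findings


def build_sample():
    """Constructed log: one password-spraying source that eventually gets
    in, and one user who mistypes a password three times (below threshold)."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    names = ["administrator", "admin", "user", "scan", "backup"]
    lines = []
    for i in range(25):              # 25 failures in six minutes
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()}|4625|10|{names[i % 5]}|203.0.113.45")
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()}|4624|10|admin|203.0.113.45")
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()}|4625|10|alice|198.51.100.7")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()}|4624|10|alice|198.51.100.7")
    return lines


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce([parse_event(l) for l in build_sample()]).items():
        print(src, finding)
```

Because the detector tracks only failures that occurred after the threshold was crossed, the reported account set is the one to reset and audit; in this sample "admin" is the account that finally succeeded, which is where the hands-on-keyboard activity preceding a Dharma deployment would begin.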
How to Protect Yourself from Ransomware Infections
Preventive Measures
To avoid ransomware infections, be cautious with files and links in unexpected emails from unknown senders. Refrain from interacting with ads, pop-ups, buttons, links, or other content on suspicious sites. Avoid downloading pirated software or tools meant to bypass activation, and always obtain software and files from official websites and reputable app stores.
System Maintenance and Protection
Regularly scan your system for threats using a reliable security tool, and keep your operating system and all software up to date. If your computer is already infected with ZILLA, run a scan with an anti-malware application to automatically eliminate the ransomware.